Huawei's equipment poses 'significant' security risks, UK says:
The U.K. government warned on Thursday Huawei's telecommunications equipment raises "significant" security issues, posing a possible setback to the Chinese tech firm as it looks to build out 5G networks.
In a 46-page report evaluating Huawei's security risks, British officials stopped short of calling for a ban of Huawei's 5G telecommunications equipment. But the assessment cited "underlying defects" in the company's software engineering and cybersecurity processes, which it said bring "significantly increased risk to U.K. operators."
The findings give weight to warnings from U.S. officials who have argued Huawei's networking equipment could be used for espionage by the Chinese government. Huawei has repeatedly said it does not pose any risk and insists it would not share customer data with Beijing.
In a statement Thursday, Huawei said it takes the U.K. government's findings "very seriously."
"The issues identified in the OB (oversight board) report provide vital input for the ongoing transformation of our software engineering capabilities," a Huawei spokesperson said.
Other links:
Huawei Equipment Has Major Security Flaws, U.K. Says
Huawei's Perception Problem Deepens as U.K. Spies Identify Security Risks
So don't buy Huawei telecom equipment. Buy only US made telecom equipment. Because the NSA would never put bugs in for spying.
(Score: 3, Informative) by hendrikboom on Friday March 29 2019, @04:02PM (1 child)
There's a lot of repetitive administrative verbiage in the 2019 report.
Actual code-level problems are presented starting about halfway through:
* The difficulty in checking that particular source code is actually what is used to produce the executable images -- the builds are not easily reproducible; nor is the build system itself.
* There is a lot of copied code, including obsolete and bug-prone versions alongside current ones. For example, copies of SSL code with known vulnerabilities.
* There is a lot of use of dangerous memory and string functions, such as memcpy and strcpy. It's not clear to what extent these specific uses are actually safe for contextual reasons.
* Some of these uses are hidden within ad-hoc macros, making the security analysis more difficult. The report wonders whether this is a deliberate attempt to hide them from analysis.
-- hendrik
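The last two points above (unbounded memory/string routines, some of them wrapped in ad-hoc macros) are the kind of thing a reviewer would want to enumerate before judging whether each use is contextually safe. The script below is an added example, not code from the report, the thread or Huawei: a small POSIX sh/awk audit that counts direct calls to such routines in a C file and, separately, finds `#define` macros whose body contains one and counts uses of those macros. The function names and the sample C source it audits are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the report or the thread): audit C sources for calls
# to unbounded memory/string routines, including calls hidden behind wrapper
# macros. Function names and the sample source are constructed.
set -u

# unbounded routines the report singles out, plus the usual companions
DANGEROUS='strcpy|strcat|sprintf|gets|memcpy'

# write a constructed C source file to audit (argument: path)
write_sample() {
  cat > "$1" <<'EOF'
#include <string.h>
/* ad-hoc wrappers: the dangerous call is visible only in the macro body */
#define COPY_NAME(dst, src) strcpy((dst), (src))
#define BLIT(d, s, n)       memcpy((d), (s), (n))
void f(char *dst, const char *src, unsigned n) {
    COPY_NAME(dst, src);      /* hidden call */
    BLIT(dst, src, n);        /* hidden call */
    strcpy(dst, src);         /* direct call */
}
EOF
}

# direct calls: lines invoking a dangerous routine, ignoring #define lines
direct_calls() {
  awk -v fns="$DANGEROUS" '
    BEGIN { re = "(^|[^A-Za-z0-9_])(" fns ")[ \t]*[(]" }
    /^[ \t]*#[ \t]*define/ { next }
    $0 ~ re { n++ }
    END { print n + 0 }' "$1"
}

# wrapper macros: names of #define macros whose body contains a dangerous call
wrapper_macros() {
  awk -v fns="$DANGEROUS" '
    BEGIN { re = "(^|[^A-Za-z0-9_])(" fns ")[ \t]*[(]" }
    /^[ \t]*#[ \t]*define[ \t]+[A-Za-z_]/ && $0 ~ re {
      name = $0
      sub(/^[ \t]*#[ \t]*define[ \t]+/, "", name)
      sub(/[^A-Za-z0-9_].*$/, "", name)
      print name
    }' "$1"
}

# hidden calls: uses of those wrapper macros outside their own #define lines
hidden_calls() {
  names=$(wrapper_macros "$1" | tr '\n' '|' | sed 's/|$//')
  [ -n "$names" ] || { echo 0; return; }
  awk -v macros="$names" '
    BEGIN { re = "(^|[^A-Za-z0-9_])(" macros ")[ \t]*[(]" }
    /^[ \t]*#[ \t]*define/ { next }
    $0 ~ re { n++ }
    END { print n + 0 }' "$1"
}

# one-line summary for a file: direct count, macro-hidden count, macro names
audit() {
  printf '%s: %s direct, %s via macros (%s)\n' "$1" \
    "$(direct_calls "$1")" "$(hidden_calls "$1")" \
    "$(wrapper_macros "$1" | tr '\n' ' ')"
}
```

Running `write_sample /tmp/sample.c; audit /tmp/sample.c` reports one direct call and two macro-hidden calls (COPY_NAME, BLIT). A plain grep for `strcpy(` would see only the first; the second count is the one a macro-wrapped codebase makes easy to miss, and every hit still needs a human to decide whether the surrounding length checks make it safe.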
(Score: 1) by pTamok on Friday March 29 2019, @06:10PM
There is nothing there that is unusual in the industry, which is sad.
On the other hand, the security evaluation is spot on: Huawei are making big promises about changing their processes, but similar big promises made in the past have not been delivered upon. I see this as possibly a simple plan to get their kit bought, then 5 years later, say "Sorry, we failed in our plan to change our processes" - leaving purchasers with expensive kit that has no security assurance at all, and a huge bill in both time and money to replace it all.
Given that this can be used for 'Critical National Infrastructure', it strikes me that any country that doesn't mandate repeatable builds using up-to-date and carefully enumerated toolchains compiling software that conforms to good security programming practices doesn't take national security very seriously at all. Huawei get away with it because very few people are pushing for it.
I fully expect major markets eventually to ban binary distributions from the vendors for this reason. The process will be that the vendor sends the source to the National Security Centre, which builds using a clean set of tools, and the binaries distributed by the security centre to customers within its jurisdiction. We are not there yet.
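The "repeatable builds" requirement in the two comments above has a concrete test: build twice from the same source in clean directories with the environment pinned, and compare the outputs bit for bit. The script below is an added example, not code from the thread or from any national security centre's process: a POSIX sh function that does exactly that, plus two constructed stand-in "build" commands (no compiler needed) so the check can be run anywhere. The function name, the pinned timestamp and the stand-in builds are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a build command is
# reproducible by running it twice in fresh directories under a pinned
# environment and comparing the produced file "out". Names and the stand-in
# build commands are constructed for illustration.
set -u

# Run a build command twice and compare outputs.
# Argument: a build command string that writes its result to ./out.
# Prints "reproducible" / "NOT reproducible"; returns 0 / 1 (2 on build error).
check_reproducible() {
  cmd=$1
  d1=$(mktemp -d); d2=$(mktemp -d)
  for d in "$d1" "$d2"; do
    # pinned environment: no inherited variables, fixed locale, timezone,
    # umask and SOURCE_DATE_EPOCH (the usual knob for embedded timestamps)
    ( cd "$d" && env -i PATH="$PATH" TZ=UTC LC_ALL=C \
        SOURCE_DATE_EPOCH=1546300800 sh -c "umask 022; $cmd" ) > /dev/null \
      || { rm -rf "$d1" "$d2"; echo "build failed"; return 2; }
  done
  sum1=$(cd "$d1" && cksum out); sum2=$(cd "$d2" && cksum out)
  rm -rf "$d1" "$d2"
  if [ "$sum1" = "$sum2" ]; then
    echo reproducible; return 0
  else
    echo "NOT reproducible"; return 1
  fi
}

# Constructed stand-in builds. The good one derives every embedded value from
# pinned inputs; the bad one embeds the absolute build path and the shell PID,
# two classic sources of non-reproducible output.
BUILD_GOOD='printf "version=1.0 built=%s\n" "$SOURCE_DATE_EPOCH" > out'
BUILD_BAD='printf "version=1.0 dir=%s pid=%s\n" "$PWD" "$$" > out'
```

`check_reproducible "$BUILD_GOOD"` prints `reproducible`; `check_reproducible "$BUILD_BAD"` prints `NOT reproducible`. For a real firmware image the same function takes the vendor's documented build command, and the second run happens on an independently provisioned machine with an enumerated toolchain, which is the independent-rebuild step the comment above describes.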