Huawei's equipment poses 'significant' security risks, UK says:
The U.K. government warned on Thursday Huawei's telecommunications equipment raises "significant" security issues, posing a possible setback to the Chinese tech firm as it looks to build out 5G networks.
In a 46-page report evaluating Huawei's security risks, British officials stopped short of calling for a ban on Huawei's 5G telecommunications equipment. But the assessment cited "underlying defects" in the company's software engineering and cybersecurity processes, which it said posed "significantly increased risk to U.K. operators."
The findings give weight to warnings from U.S. officials who have argued Huawei's networking equipment could be used for espionage by the Chinese government. Huawei has repeatedly said it does not pose any risk and insists it would not share customer data with Beijing.
In a statement Thursday, Huawei said it takes the U.K. government's findings "very seriously."
"The issues identified in the OB (oversight board) report provide vital input for the ongoing transformation of our software engineering capabilities," a Huawei spokesperson said.
Other links:
Huawei Equipment Has Major Security Flaws, U.K. Says
Huawei's Perception Problem Deepens as U.K. Spies Identify Security Risks
So don't buy Huawei telecom equipment. Buy only US made telecom equipment. Because the NSA would never put bugs in for spying.
(Score: 2, Interesting) by pTamok on Friday March 29 2019, @10:30AM (4 children)
If you want to know more about the Huawei Cyber Security Evaluation Centre, which is located in Banbury in the UK, then you could do worse than read this Guardian article:
The Guardian: The Chinese firm taking threats to UK national security very seriously [theguardian.com]
And the UK Government oversight board reports:
gov.uk: Huawei cyber security review [www.gov.uk]
gov.uk: Huawei Cyber Security Evaluation Centre: Oversight Board annual report 2015 [www.gov.uk]
gov.uk: Huawei cyber security evaluation centre: oversight board annual report 2016 [www.gov.uk]
gov.uk: Huawei cyber security evaluation centre: oversight board annual report 2017 [www.gov.uk]
gov.uk: Huawei cyber security evaluation centre oversight board: annual report 2018 [www.gov.uk]
gov.uk: Huawei cyber security evaluation centre oversight board: annual report 2019 [www.gov.uk]
If that's all tl;dr, then the recent Ars Technica article is briefer: Ars Technica: UK cyber security officials report Huawei’s security practices are a mess [arstechnica.com]
It would be interesting to see a similar security evaluation of Cisco, or Nokia, or Alcatel equipment as a comparison. Are Huawei worse, or are their failures more public?
(Score: 2, Interesting) by Anonymous Coward on Friday March 29 2019, @12:17PM
Huawei's are more public I'd say.
I'm subscribed to Cisco's security notifications for their various products, since I maintain a number of them in local government estates here in the UK, and the security notices from Cisco are frequent. The usual privilege escalations, buffer overflows, not checking input correctly etc., spanning across a wide range of products from networking gear to telephony to software-based management platforms. To be fair, a lot of the alerts are due to bugs in upstream open-source products where they re-use code. But there are still massive failures in their own code, such as 2 years ago, their ASA firewall software had a remote exploit which allowed an unauthenticated untrusted attacker to gain the equivalent of root from over the Internet. Not something you want in a firewall product connected directly to the Internet with a public routable IP address. But it's not just Cisco, I'm pretty sure Juniper's also had an equally severe issue in their firewalls as well.
So no, I wouldn't necessarily say Huawei is worse, just the "normal" level of software quality of what we're currently seeing in the market from various big name vendors (I include Microsoft in this list).
Interestingly, we've actually been in discussions with Huawei for various network-related projects recently, and one of the selling points they were touting was that if there's a new missing technical feature we want in their product e.g. some obscure multicast behaviour, they can get the dev resources onto it and have a turn-around of days to implement the feature, if not next day. On one hand this speaks something about their dev resources available; on the other hand, it doesn't paint a good picture of their testing processes or potential code quality behind what they're churning out. I guess the latter agrees with the reports.
(Score: 3, Informative) by hendrikboom on Friday March 29 2019, @04:02PM (1 child)
There's a lot of repetitive administrative verbiage in the 2019 report.
Actual code-level problems are presented starting about halfway through:
* The difficulty in checking that particular source code is actually what is used to produce the executable images -- the builds are not easily reproducible; nor is the build system itself.
* There is a lot of copied code; including obsolete and bug-prone versions alongside current ones. For example, copies of SSL code with known vulnerabilities.
* There is a lot of use of dangerous memory and string functions, such as memcpy and strcpy. It's not clear to what extent these specific uses are actually safe for contextual reasons.
* Some of these uses are hidden within ad-hoc macros, making the security analysis more difficult. The report wonders whether this is a deliberate attempt to hide them from analysis.
-- hendrik
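As an added illustration of the "dangerous functions hidden in ad-hoc macros" finding summarised in the comment above (a constructed example, not code from the HCSEC report or from Huawei): a macro that hides an unbounded strcpy from a call-site scan, beside a bounded replacement that fails closed. The macro name, function names and call-site strings are all assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed illustration, not code from the HCSEC report or Huawei.
 * An ad-hoc macro such as this hides an unbounded strcpy: the call site
 * reads COPY_STR(dst, src), names no destination size, and a grep or a
 * checker that only flags direct "strcpy(" calls never sees it. */
#define COPY_STR(dst, src) strcpy((dst), (src))

/* Hardened replacement: the destination capacity is explicit, the copy
 * fails closed (returns -1) instead of overflowing or silently truncating,
 * and dst is always NUL-terminated on success. Returns bytes copied. */
int copy_str_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')  /* scan at most dst_size bytes */
        n++;
    if (n == dst_size)                      /* no room for src plus its NUL */
        return -1;
    memcpy(dst, src, n + 1);                /* n + 1 includes the NUL */
    return (int)n;
}

/* Counts direct "strcpy(" tokens in a chunk of source text: the kind of
 * shallow scan the report's finding defeats. A call through COPY_STR is
 * invisible to it even though it expands to the very same strcpy. */
int count_direct_strcpy(const char *source_text)
{
    int count = 0;
    const char *p = source_text;
    while ((p = strstr(p, "strcpy(")) != NULL) {
        count++;
        p += 7;  /* step past the match so the loop cannot re-find it */
    }
    return count;
}

/* Constructed call sites, as a reviewer would see them in a code base. */
static const char DIRECT_CALL[] = "strcpy(name, user_input);";
static const char MACRO_CALL[]  = "COPY_STR(name, user_input);";
```

The scan finds the direct call and misses the macro call, which is why a review has to expand macros (or audit their definitions) rather than grep for the function name.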
(Score: 1) by pTamok on Friday March 29 2019, @06:10PM
There is nothing there that is unusual in the industry, which is sad.
On the other hand, the security evaluation is spot on: Huawei are making big promises about changing their processes, but similar big promises made in the past have not been delivered upon. I see this as possibly a simple plan to get their kit bought, then 5 years later, say "Sorry, we failed in our plan to change our processes" - leaving purchasers with expensive kit that has no security assurance at all, and a huge bill in both time and money to replace it all.
Given that this can be used for 'Critical National Infrastructure', it strikes me that any country that doesn't mandate repeatable builds using up-to-date and carefully enumerated toolchains compiling software that conforms to good security programming practices doesn't take national security very seriously at all. Huawei get away with it because very few people are pushing for it.
I fully expect major markets eventually to ban binary distributions from the vendors for this reason. The process will be that the vendor sends the source to the National Security Centre, which builds using a clean set of tools, and the binaries distributed by the security centre to customers within its jurisdiction. We are not there yet.
(Score: 1) by pTamok on Saturday March 30 2019, @10:24AM
Just to reply to myself as a pointer to others, the comments on the 'The Register' article are worth reading, as usual.
The Register: Huawei savaged by Brit code review board over pisspoor dev practices [theregister.co.uk]
But, to add some balance, there is also this: The Register: Cisco emits 25 security bug fixes for IOS, takes second crack at patching WAN router SNAFUs [theregister.co.uk]
Code quality is an issue generally in IT, as (to use other people's insights here), generally faster-to-market and cheaper offerings beat slower-to-market, higher-quality, more expensive offerings - so there is strong selection pressure for just-good-enough code that works so long as you don't look at it funny. Discussing that would take a whole submission and reams of comments. Just barely adequate code wins most of the time.