GCHQ

GCHQ report says Huawei failed to tackle UK security flaws

Cyber security analysts tasked with investigating Huawei equipment used in the UK's telecommunications networks discovered a "nationally significant" vulnerability last year.

Investigators at the UK’s Huawei Cyber Security Evaluation Centre (HCSEC) say that Huawei has failed to adequately tackle security flaws in equipment used in the UK’s telecoms networks, according to an oversight report published on Thursday.

Vulnerabilities are usually software design failures which could allow hostile actors (in particular the Chinese state when it comes to Huawei) to conduct a cyber attack. They are not necessarily intentional and can’t be seen as an indication of any hostile intent on the part of the developers themselves.

There is a hypothetical concern that Beijing could purposefully design some kind of deniable flaw in Huawei’s equipment which it would know how to exploit – or that it could have been alerted to a potential attack vector once the issue was reported to Huawei.

The report explicitly states that the UK’s National Cyber Security Centre (NCSC) – a part of GCHQ – “does not believe that the defects identified are as a result of Chinese state interference”, and adds that there is no evidence the vulnerabilities were exploited.

Instead, the agency reported that “poor software engineering and cyber security processes lead to security and quality issues, including vulnerabilities” – and that “the increasing number and severity of vulnerabilities discovered” is of particular concern.

“If an attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of a UK network, in some cases causing it to cease operating correctly,” the report warns.

“Other impacts could include being able to access user traffic or reconfiguration of the network elements.”

After the major vulnerability was assessed by the UK’s security services then it was reported to Huawei, in line with the HCSEC’s normal vulnerability disclosure process.

The report adds that HCSEC “continues to reveal serious and systematic defects in Huawei’s software engineering and cyber security competence” – and warns that despite fixing specific issues when directed to do so, the agency has “no confidence that Huawei will effectively maintain components within its products”.

A spokesperson for Huawei said the report highlighted the company’s “commitment to a process that guarantees openness and transparency, and demonstrates HCSEC has been an effective way to mitigate cyber security risks in the UK”.

They stressed the NCSC’s conclusion that the defects were not believed to be a result of malicious interference from the Chinese state, and that the UK’s networks are not more vulnerable than last year.

“As innovators, we continue significant investment to improve our products. The report acknowledges that while our software transformation process is in its infancy, we have made some progress in improving our software engineering capabilities,” said the spokesperson.

“Huawei has faced the highest level of scrutiny for almost 10 years. This rigorous review sets a precedent for cyber security collaboration between the public and private sectors, and has provided valuable insights for the telecoms sector.”

Although similar vulnerabilities for rival companies which provide networking equipment – whether radio antennas or core switches and gateways – are often discovered, the company argues they do not get the same attention.

“We believe this mechanism can benefit the entire industry and Huawei calls for all vendors to be evaluated against an equally robust benchmark, to improve security standards for everyone,” the spokesperson added.

Rapid Mobile

Rapid Mobile uses cookies, tokens, and other third party scripts to recognise visitors of our sites and services, remember your settings and privacy choices, and - depending on your settings and privacy choices - enable us and some key partners to collect information about you so that we can improve our services and deliver relevant ads.

 

By continuing to use our site or clicking I Accept, you agree that Rapid Mobile and our key partners may collect data and use cookies for personalised ads and other purposes, as described more fully in our privacy policy.

 

You can change your settings at any time by clicking Manage Settings or by visiting our Privacy Centre for more detailed information.

 

Privacy Settings saved!
Cookie Services

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies.Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

These cookies allow us to count visits and traffic sources, so we can measure and improve the performance of our site.

We track anonymized user information to improve our website.
  • _ga
  • _gid
  • _gat

Decline all Services
Accept all Services