John Hemmings made some interesting and critical points about the “security” (my metaphoric quotes) of Huawei equipment. In doing so, he cited a study by Finite State, a cyber-security organization that looks deeply into the Internet of Things and resulting vulnerabilities—an IoT of which Huawei is aiming to be a central part (as well as a central part of national communications and defense systems and of governments). Finite State’s analysis investigated “more than 1.5 million files embedded in 9,936 firmware images supporting 558 different products within [Huawei’s] enterprise networking product lines.”
Hemmings’ points center on these:
- In virtually all categories we studied, we found Huawei devices to be less secure than comparable devices from other vendors.
- On average, Huawei devices had 102 known vulnerabilities inside their firmware, primarily due to the use of vulnerable open-source and third-party components.
- Out of all the firmware images analyzed, 55% had at least one potential backdoor.
- On dozens of occasions, Huawei engineers disguised known unsafe functions (such as memcpy) as the “safe” version (memcpy_s) by creating wrapper functions with the “safe” name but none of the safety checks.
- Across 356 firmware images, there are several million calls into unsafe functions. Huawei engineers choose the “safe” option of these functions less than 17% of the time, despite the fact that these functions improve security and have existed for over a decade.
- Huawei devices had…2-8x more potential 0-day vulnerabilities than the other devices.
- Vulnerabilities in both the routers and the fixed access network remained beyond 2012 and were also present in Vodafone’s businesses in the U.K., Germany, Spain and Portugal.
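The wrapper pattern described in the fourth bullet, as an added C illustration that is not code from the Finite State report or from any Huawei firmware: a function that carries the memcpy_s name and signature but performs none of the checks, beside a genuinely bounds-checked copy modelled on C11 Annex K semantics. The function names and sample buffers are my own constructions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Anti-pattern: a memcpy_s-shaped wrapper with no safety checks.
 * destMax is accepted and ignored, so an oversized count overflows dest
 * exactly as raw memcpy would, while reviewers and scanners see what
 * looks like a bounds-checked call. Returns 0 ("success") always. */
int unchecked_memcpy_s_wrapper(void *dest, size_t destMax,
                               const void *src, size_t count)
{
    (void)destMax;                      /* the only safety parameter, unused */
    memcpy(dest, src, count);
    return 0;
}

/* A genuine bounds-checked copy modelled on C11 Annex K memcpy_s: reject
 * NULL pointers, count > destMax and overlapping buffers, and on a
 * violation zero the whole destination so no stale data is left behind. */
int checked_memcpy_s(void *dest, size_t destMax, const void *src, size_t count)
{
    if (dest == NULL || destMax > (SIZE_MAX >> 1))
        return EINVAL;
    if (src == NULL || count > destMax) {
        memset(dest, 0, destMax);
        return src == NULL ? EINVAL : ERANGE;  /* ERANGE: dest too small */
    }
    uintptr_t d = (uintptr_t)dest, s = (uintptr_t)src;
    if (d < s + count && s < d + count) {       /* overlap is undefined for memcpy */
        memset(dest, 0, destMax);
        return EINVAL;
    }
    memcpy(dest, src, count);
    return 0;
}

/* Constructed sample buffers: dest is physically 64 bytes so the fake
 * wrapper can be called with destMax = 8 without corrupting memory. */
char g_dest[64];
const char g_src[17] = "0123456789abcdef";
int main(void)
{
    int rc = checked_memcpy_s(g_dest, 8, g_src, 16);
    printf("checked: destMax=8 count=16 -> %d (ERANGE=%d)\n", rc, ERANGE);
    rc = unchecked_memcpy_s_wrapper(g_dest, 8, g_src, 16);
    printf("wrapper: destMax=8 count=16 -> %d, overrun never reported\n", rc);
    return 0;
}
```

A grep for `memcpy_s` in a firmware tree says nothing about safety on its own; the check is whether the callee actually compares `count` against `destMax`.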
Those vulnerabilities? Given how enthusiastically Huawei’s representatives tout the superiority of their equipment, and given that fourth bullet, I suggest that those vulnerabilities also are known to Huawei’s men and put there deliberately.
And that last bullet: Vodafone had identified those “vulnerabilities” to Huawei in 2011 and received assurances from Huawei that they’d be removed. Those security holes remained far past 2012. And still remain as far as I can tell.
This is why Huawei has no legitimate place in any organization outside of the People’s Republic of China, nor should it have access to any technology of any nation or business outside of the PRC.
But Huawei’s CEO, Ren Zhengfei, and CFO, Meng Wanzhou, and men of the PRC’s government, like President Xi Jinping, deny all of this. And Ren is an honorable man; So are they all, all honorable men.