Sunday, 30 June 2019 16:27

Huawei IoT devices show poor coding, security practices: claim

A report on the security of Internet-of-Things devices made by Chinese telecommunications equipment vendor Huawei Technologies, published by the hitherto unheard-of company Finite State, claims that analysis of 9936 firmware images in 558 different products shows that these devices are less secure than those from other vendors like Juniper and Arista.

The company listed 142 devices — routers, switches, UPS units and the like — the firmware of which it said it had analysed in a matter of hours using its proprietary platform. Many of the devices listed are different versions of the same model. The report is titled "Finite State Supply Chain Assessment: Huawei Technologies Co Ltd." It referred to the Finite State 9-dimensional Risk Matrix as being the standard against which its study was done, but there is no sign of what this matrix is on its website.

In a 55-page report, Finite State said there were hundreds of cases of potential backdoor vulnerabilities in the form of improper default configurations that could allow covert access.

The report was leaked to The Wall Street Journal which ran a story about it last Tuesday (25 June). Finite State put the report on its website on 26 June and appears to be adding back-dated blog posts on other subjects over the last two days. Though the firm is claimed to have been founded in 2017, the website appears to have come into existence six months ago. Its domain was registered in October 2017.

Some of the issues found by Finite State were the presence of default usernames and passwords (a common issue with many products), configurations that allowed root login over SSH, pre-computed hard-coded authorised_keys files that give anyone holding the matching private key access, and hard-coded SSH keys which could allow man-in-the-middle traffic interception.
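The default-configuration findings above are the kind a firmware reviewer checks for by reading the shipped sshd_config out of the extracted root filesystem. The following is an added C example, not code from Finite State or from Huawei, that scans sshd_config text for three risky directives (PermitRootLogin, PasswordAuthentication and PermitEmptyPasswords are real OpenSSH keywords) and reports them as a bitmask. The sample configurations, the function name audit_sshd_config and the FINDING_* names are my own constructions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Finding flags (illustrative names, not from the report). */
enum {
    FINDING_ROOT_LOGIN      = 1 << 0,  /* PermitRootLogin yes        */
    FINDING_PASSWORD_AUTH   = 1 << 1,  /* PasswordAuthentication yes */
    FINDING_EMPTY_PASSWORDS = 1 << 2   /* PermitEmptyPasswords yes   */
};

/* Constructed sample: the kind of shipped default the report describes. */
const char WEAK_SSHD_CONFIG[] =
    "# constructed sample, not a real vendor file\n"
    "Port 22\n"
    "PermitRootLogin yes\n"
    "PasswordAuthentication yes\n"
    "PermitEmptyPasswords yes\n";

/* Constructed sample of the corrected settings. */
const char HARDENED_SSHD_CONFIG[] =
    "Port 22\n"
    "PermitRootLogin no\n"
    "PasswordAuthentication no\n"
    "PermitEmptyPasswords no\n"
    "PubkeyAuthentication yes\n";

/* sshd keywords are case-insensitive; arguments are case-sensitive. */
static int keyword_is(const char *tok, size_t len, const char *kw)
{
    if (strlen(kw) != len)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)tok[i]) != tolower((unsigned char)kw[i]))
            return 0;
    return 1;
}

/* Scan sshd_config text (one directive per line, '#' comments, keyword and
 * argument separated by whitespace or a single '=') and return a bitmask of
 * risky settings. Only the first occurrence of each keyword is honoured,
 * matching sshd's first-obtained-value rule. */
unsigned audit_sshd_config(const char *text)
{
    unsigned findings = 0, seen = 0;
    const char *p = text;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        const char *line = p;
        p = eol ? eol + 1 : p + linelen;

        size_t i = 0;                       /* skip blanks and comments */
        while (i < linelen && isspace((unsigned char)line[i])) i++;
        if (i == linelen || line[i] == '#')
            continue;

        size_t ks = i;                      /* keyword token */
        while (i < linelen && !isspace((unsigned char)line[i]) && line[i] != '=') i++;
        size_t klen = i - ks;
        while (i < linelen && (isspace((unsigned char)line[i]) || line[i] == '=')) i++;
        size_t vs = i;                      /* argument token */
        while (i < linelen && !isspace((unsigned char)line[i])) i++;
        size_t vlen = i - vs;

        unsigned flag = 0;
        if (keyword_is(line + ks, klen, "PermitRootLogin"))
            flag = FINDING_ROOT_LOGIN;
        else if (keyword_is(line + ks, klen, "PasswordAuthentication"))
            flag = FINDING_PASSWORD_AUTH;
        else if (keyword_is(line + ks, klen, "PermitEmptyPasswords"))
            flag = FINDING_EMPTY_PASSWORDS;
        if (!flag || (seen & flag))
            continue;                       /* unknown keyword or already set */
        seen |= flag;
        if (vlen == 3 && memcmp(line + vs, "yes", 3) == 0)
            findings |= flag;
    }
    return findings;
}

int main(void)
{
    printf("weak config findings:     0x%x\n", audit_sshd_config(WEAK_SSHD_CONFIG));
    printf("hardened config findings: 0x%x\n", audit_sshd_config(HARDENED_SSHD_CONFIG));
    return 0;
}
```

Running the same check over every sshd_config found in an unpacked firmware image gives a quick per-image tally; the first-match rule matters because a vendor build script that appends a hardened directive after a permissive one has not actually changed what sshd will do.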

Finite State referred to the fact that Huawei, when found to have similar issues by the UK, had pledged to spend US$2 billion to improve the security of its products and said that "despite these investments our research uncovered a substantial lack of secure development practices resulting in significant number of vulnerabilities". It did not mention that the pledge was only made in March this year.

But in another part of the report, Finite State contradicted its own conclusions by stating: "Recently, Huawei pledged to invest 2 billion dollars to develop a comprehensive solution to improving the cyber security of their products. With commitments like that, it is reasonable to expect to see the cyber security risk of their products decreasing over time."

The report also said it appeared that Huawei's security practices were not improving over time, an issue already identified by the UK National Cyber Security Centre in its report in March 2019 for the Huawei Cyber Security Evaluation Centre Oversight Board.

Staff from the NCSC work alongside Huawei staff at the Centre which has been set up by the company.

Finite State said the firmware analysed was in many cases using older, vulnerable versions of key libraries, with one case being the use of as many as 79 versions of OpenSSL. Coders also disguised the use of unsafe functions like memcpy by creating wrappers named memcpy_s, the name of the bounds-checked variant, that performed none of the safety checks.

There were also calls to unsafe functions from 356 firmware images and each binary analysed by Finite State was claimed to have 12 possible buffer overflows. Such overflows are common in many products.
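The memcpy_s wrapper finding and the buffer-overflow counts above are two sides of the same defect: a function whose name promises a bounds check but whose body does not perform one. The C below is an added example, not code from the report or from any Huawei firmware. It places a wrapper that accepts a destination size and ignores it beside one that enforces the C11 Annex K memcpy_s contract (reject NULL, reject a count larger than the destination, reject overlap, zero the destination on failure), and uses a sentinel-byte harness to show what each does with an over-long input. The function names memcpy_s_unchecked, memcpy_s_checked and sentinel_damage and the 12-byte sample payload are my own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative names only; not code from the report or from any vendor. */

/* A "wrapper" that borrows the memcpy_s name but ignores destmax entirely.
 * A caller who trusts the name gets no more protection than from memcpy. */
int memcpy_s_unchecked(void *dest, size_t destmax, const void *src, size_t n)
{
    (void)destmax;           /* the destination capacity is accepted and dropped */
    memcpy(dest, src, n);    /* copies n bytes whatever the destination holds  */
    return 0;
}

/* A version that follows the C11 Annex K memcpy_s contract. On failure with a
 * usable destination it is zeroed so stale data is not used by the caller. */
int memcpy_s_checked(void *dest, size_t destmax, const void *src, size_t n)
{
    if (dest == NULL || destmax == 0)
        return EINVAL;
    if (src == NULL || n > destmax) {
        memset(dest, 0, destmax);
        return EINVAL;       /* count exceeds the destination: refuse the copy */
    }
    uintptr_t d = (uintptr_t)dest, s = (uintptr_t)src;
    if ((d < s && d + n > s) || (s < d && s + n > d)) {
        memset(dest, 0, destmax);
        return EINVAL;       /* overlapping regions are undefined for memcpy */
    }
    memcpy(dest, src, n);
    return 0;
}

typedef int (*memcpy_fn)(void *, size_t, const void *, size_t);

#define FIELD_LEN    8       /* capacity the caller passes as destmax        */
#define SENTINEL_LEN 4       /* bytes placed directly after the field        */

/* Harness: an 8-byte field followed by 4 sentinel bytes in one allocation, so
 * a copy that runs past the field is observable without undefined behaviour.
 * Returns how many sentinel bytes were overwritten (0 = copy stayed in bounds);
 * len may not exceed the harness region. */
size_t sentinel_damage(memcpy_fn fn, const unsigned char *input, size_t len)
{
    unsigned char region[FIELD_LEN + SENTINEL_LEN];
    if (len > sizeof region)
        return (size_t)-1;   /* refuse to overflow the harness itself */
    memset(region, 0xEE, sizeof region);
    fn(region, FIELD_LEN, input, len);
    size_t damaged = 0;
    for (size_t i = FIELD_LEN; i < sizeof region; i++)
        if (region[i] != 0xEE)
            damaged++;
    return damaged;
}

int main(void)
{
    /* Constructed input: 12 bytes offered to a field that holds 8. */
    const unsigned char oversize[12] = {
        'A','A','A','A','A','A','A','A','A','A','A','A'
    };
    printf("unchecked wrapper: %zu sentinel bytes clobbered\n",
           sentinel_damage(memcpy_s_unchecked, oversize, sizeof oversize));
    printf("checked wrapper:   %zu sentinel bytes clobbered\n",
           sentinel_damage(memcpy_s_checked, oversize, sizeof oversize));
    return 0;
}
```

In a real binary the bytes after the field are a neighbouring variable, a saved return address or heap metadata rather than a sentinel, which is why a wrapper that drops destmax shows up in static analysis as a possible buffer overflow at every call site; the name on the function changes nothing that the analyser sees.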

Huawei has been the subject of numerous claims over many years that it can conduct espionage on behalf of China. The Finite State report referred to this claim to bolster its theme of poor security, quoting the Australian Strategic Policy Institute to buttress what it claimed. ASPI is a lobby group for big defence companies and was caught out making false claims about Huawei recently.

Contacted for comment, a Huawei spokesperson said the company was aware of the report and was analysing it, but was not in a position to comment on its objectivity and integrity at the moment.

"Huawei welcomes any fact-based and well-intentioned suggestions that help ensure network stability," the spokesperson added.

"The more people who oversee and check Huawei's products, the more likely we are to accurately identify potential issues, making our products more secure. Huawei takes cyber security very seriously, and has made it our top priority. We have not, and will never, implant backdoors. In addition, we will never allow anyone to do so in our equipment.

"Cyber security is a technical issue that should be addressed through technical means. We will carefully analyse the report, and proactively and openly engage with the relevant parties regarding it. We welcome in-depth communication between Finite State and Huawei's in-house security experts."

iTWire contacted the NCSC for comment because the agency's chief executive Ciaran Martin had said in February that the UK was able to manage any potential security risks posed by using equipment from Huawei. This was a month before the HCSEC Oversight Board report referred to earlier was issued.

In May, the UK was reported to have given the green light for Huawei gear to be used in non-core parts of its 5G networks. One telco, EE, has rolled out the first implementations of its 5G networks on this basis. Vodafone is set to follow suit on 3 July.

An NCSC spokesperson told iTWire: "Huawei's presence in the UK is subject to detailed, formal oversight. This provides us with a unique understanding of the company's software engineering and cyber security processes.

"We can and have been managing the security risk and have set out the improvements we expect the company to make. We will not compromise on the progress we need to see: sustained evidence of better software engineering and cyber security, verified by HCSEC.

"This report illustrates above all the need for improved cyber security in the UK telco networks which is being addressed more widely by the Digital Secretary's review."

Finite State was also contacted and asked why the report was not released publicly right away, instead of selectively leaking it to the WSJ, resulting in a somewhat amateurish story. iTWire also asked who had paid for the study and how many of the devices whose firmware was tested were being used by Huawei in its 5G rollouts.

The company was also asked about the use of quotes from ASPI as this did not add to the reputation of the report. A final question was why the NSA was apparently objecting to the use of Huawei equipment in the US; going by the material leaked by whistleblower Edward Snowden, the agency is known to favour hardware to which it can gain access and, according to what Finite State reported, such access should be easy.

iTWire commented on the WSJ report, but could not contact Finite State at the time as there was no email address or phone number on the company's website, only a Web form for making business inquiries. After Finite State placed the study on its site, a single email address was added to the site and iTWire's queries have been directed thither.


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.