The company listed 142 devices — routers, switches, UPS units and the like — the firmware of which it said it had analysed in a matter of hours using its proprietary platform. Many of the devices listed are different versions of the same model. The report is titled "Finite State Supply Chain Assessment: Huawei Technologies Co Ltd." It referred to the Finite State 9-dimensional Risk Matrix as being the standard against which its study was done, but there is no sign of what this matrix is on its website.
The report was leaked to The Wall Street Journal which ran a story about it last Tuesday (25 June). Finite State put the report on its website on 26 June and appears to be adding back-dated blog posts on other subjects over the last two days. Though the firm is claimed to have been founded in 2017, the website appears to have come into existence six months ago. Its domain was registered in October 2017.
Finite State referred to the fact that Huawei, when found to have similar issues by the UK, had pledged to spend US$2 billion to improve the security of its products and said that "despite these investments our research uncovered a substantial lack of secure development practices resulting in significant number of vulnerabilities". It did not mention that the pledge was only made in March this year.
But in another part of the report, Finite State contradicted its own conclusions by stating: "Recently, Huawei pledged to invest 2 billion dollars to develop a comprehensive solution to improving the cyber security of their products. With commitments like that, it is reasonable to expect to see the cyber security risk of their products decreasing over time."
The report also said it appeared that Huawei's security practices were not improving over time, an issue already identified by the UK National Cyber Security Centre in its report in March 2019 for the Huawei Cyber Security Evaluation Centre Oversight Board.
Staff from the NCSC work alongside Huawei staff at the Centre which has been set up by the company.
Finite State said that in many cases the firmware analysed used older, vulnerable versions of key libraries; in one case as many as 79 different versions of OpenSSL were in use. Coders also disguised the use of unsafe functions like memcpy by creating wrappers named memcpy_s, the bounds-checked variant, that contained none of the safety checks.
There were also calls to unsafe functions from 356 firmware images and each binary analysed by Finite State was claimed to have 12 possible buffer overflows. Such overflows are common in many products.
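The wrapper pattern described above is worth seeing side by side with what the name promises. The block below is an added illustration, not code from the Finite State report or from any vendor's firmware: hollow_memcpy_s is a hypothetical wrapper that accepts a destination size and ignores it, and checked_memcpy_s follows the C11 Annex K contract for memcpy_s (refuse and zero the destination on a constraint violation such as count exceeding the destination size, a null pointer, or overlapping regions). The function names and the sample buffers are constructed for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wrapper of the kind the report describes: it borrows the
 * memcpy_s name and signature but throws the destination size away, so it
 * is exactly as unsafe as a bare memcpy. */
static int hollow_memcpy_s(void *dest, size_t destsz, const void *src, size_t count)
{
    (void)destsz;               /* the safety argument is ignored */
    memcpy(dest, src, count);   /* overruns dest whenever count > destsz */
    return 0;                   /* and always reports success */
}

/* Returns non-zero when [a, a+n) and [b, b+n) share at least one byte. */
static int regions_overlap(const void *a, const void *b, size_t n)
{
    uintptr_t pa = (uintptr_t)a, pb = (uintptr_t)b;
    return n != 0 && pa < pb + n && pb < pa + n;
}

/* A wrapper that honours the Annex K contract: every runtime constraint is
 * checked before a single byte is written. On a violation the destination is
 * zeroed (when that is itself safe) and EINVAL is returned instead of an
 * out-of-bounds write. */
static int checked_memcpy_s(void *dest, size_t destsz, const void *src, size_t count)
{
    const size_t rsize_max = SIZE_MAX >> 1;           /* Annex K's RSIZE_MAX */
    int can_zero = dest != NULL && destsz <= rsize_max;
    int violation = dest == NULL || src == NULL ||
                    destsz > rsize_max || count > rsize_max ||
                    count > destsz ||
                    regions_overlap(dest, src, count);
    if (violation) {
        if (can_zero)
            memset(dest, 0, destsz);
        return EINVAL;
    }
    memcpy(dest, src, count);
    return 0;
}

/* The caller claims dest is 8 bytes and asks for 16; the hollow wrapper
 * accepts it. The real buffer is 32 bytes here so the demo itself stays
 * in bounds; in firmware the declared size would be the real one. */
int hollow_accepts_oversized(void)
{
    char real_buf[32];
    const char src[16] = "0123456789ABCDE";
    return hollow_memcpy_s(real_buf, 8, src, sizeof src) == 0;
}

/* Same request against the checked wrapper: refused, and dest zeroed. */
int checked_refuses_oversized(void)
{
    char dest[8];
    const char src[16] = "0123456789ABCDE";
    memset(dest, 'X', sizeof dest);
    int rc = checked_memcpy_s(dest, sizeof dest, src, sizeof src);
    for (size_t i = 0; i < sizeof dest; i++)
        if (dest[i] != 0)
            return 0;
    return rc == EINVAL;
}

/* An in-bounds copy still works normally through the checked wrapper. */
int checked_copies_in_bounds(void)
{
    char dest[16];
    const char src[] = "hello";
    return checked_memcpy_s(dest, sizeof dest, src, sizeof src) == 0 &&
           strcmp(dest, "hello") == 0;
}

/* Overlapping source and destination is a constraint violation too. */
int checked_rejects_overlap(void)
{
    char buf[16] = {0};
    return checked_memcpy_s(buf, sizeof buf, buf + 4, 8) == EINVAL;
}

int main(void)
{
    printf("hollow wrapper accepts oversized copy: %d\n", hollow_accepts_oversized());
    printf("checked wrapper refuses oversized copy: %d\n", checked_refuses_oversized());
    printf("checked wrapper copies in bounds: %d\n", checked_copies_in_bounds());
    printf("checked wrapper rejects overlap: %d\n", checked_rejects_overlap());
    return 0;
}
```

The point for a reviewer or binary analyst is that the name of a function proves nothing about its behaviour: a static scan that whitelists memcpy_s would rate the hollow wrapper as safe, while only the checked version actually turns an oversized copy into an error rather than a buffer overflow.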
Huawei has been the subject of numerous claims over many years that it can conduct espionage on behalf of China. The Finite State report made reference to this claim to bolster its theme of poor security, but quoted the Australian Strategic Policy Institute to buttress what it claimed. ASPI is a lobby group for big defence companies and was caught out making false claims about Huawei recently.
Contacted for comment, a Huawei spokesperson said the company was aware of the report and was analysing it, but was not in a position to comment on its objectivity and integrity at the moment.
"Huawei welcomes any fact-based and well-intentioned suggestions that help ensure network stability," the spokesperson added.
"The more people who oversee and check Huawei's products, the more likely we are to accurately identify potential issues, making our products more secure. Huawei takes cyber security very seriously, and has made it our top priority. We have not, and will never, implant backdoors. In addition, we will never allow anyone to do so in our equipment.
"Cyber security is a technical issue that should be addressed through technical means. We will carefully analyse the report, and proactively and openly engage with the relevant parties regarding it. We welcome in-depth communication between Finite State and Huawei's in-house security experts."
iTWire contacted the NCSC for comment because the agency's chief executive Ciaran Martin had said in February that the UK was able to manage any potential security risks posed by using equipment from Huawei. This was a month before the HCSEC Oversight Board report referred to earlier was issued.
In May, the UK was reported to have given the green light for Huawei gear to be used in non-core parts of its 5G networks. One telco, EE, has rolled out the first implementations of its 5G networks on this basis. Vodafone is set to follow suit on 3 July.
An NCSC spokesperson told iTWire: "Huawei's presence in the UK is subject to detailed, formal oversight. This provides us with a unique understanding of the company's software engineering and cyber security processes.
"We can and have been managing the security risk and have set out the improvements we expect the company to make. We will not compromise on the progress we need to see: sustained evidence of better software engineering and cyber security, verified by HCSEC.
"This report illustrates above all the need for improved cyber security in the UK telco networks which is being addressed more widely by the Digital Secretary's review."
Finite State was also contacted and asked why the report was not released publicly right away, instead of selectively leaking it to the WSJ, resulting in a somewhat amateurish story. iTWire also asked who had paid for the study and how many of the devices whose firmware was tested were being used by Huawei in its 5G rollouts.
The company was also asked about the use of quotes from ASPI as this did not add to the reputation of the report. A final question was why the NSA was apparently objecting to the use of Huawei equipment in the US; going by the material leaked by whistleblower Edward Snowden, the agency is known to favour hardware to which it can gain access and, according to what Finite State reported, such access should be easy.
iTWire commented on the WSJ report, but could not contact Finite State at the time as there was no email address or phone number on the company's website, only a Web form for making business inquiries. After Finite State placed the study on its site, a single email address was added to the site and iTWire's queries have been directed thither.