Huawei security came under fire from multiple sides recently, and while experts downplayed some of the risks, Huawei’s network technology is a growing part of global wireless networks.
The latest security troubles for Huawei began with a vulnerability in a Windows driver that could have led to privilege escalation attacks. In describing the process of finding the flaw, Microsoft mentioned DoublePulsar, a kernel backdoor created by the NSA and used as part of the WannaCry ransomware, but the company stopped short of comparing the Huawei issue to a backdoor.
“While the original alert turned out to be benign, in the sense that it didn’t detect an actual kernel threat like DoublePulsar, it did trigger an investigation that eventually led us to finding vulnerabilities,” wrote Microsoft’s Defender Research Team in its analysis. “The two vulnerabilities we discovered in the driver prove the importance of designing software and products with security in mind. Security boundaries must be honored. Attack surface should be minimized as much as possible.”
Despite expert views that the issue seemed benign, news reports of the Huawei security vulnerability likened the flaw to the NSA’s backdoor and cast suspicion on Huawei.
“It was a pretty standard software vulnerability. Thousands of similar vulnerabilities are found every year,” said Peter Firstbrook, research vice president at Gartner.
Jake Williams, founder and president of Rendition Infosec, based in Augusta, Ga., said the issue shows that Huawei lacks a secure development lifecycle.
“I definitely wouldn’t call it a backdoor. If anything it’s a bugdoor — a backdoor that is disguised as a bug. It’s hard to look at any vulnerability and conclusively say ‘this is a backdoor,’” Williams said. “Huawei clearly doesn’t use a secure development lifecycle and this is clearly to their detriment.”
Huawei’s security troubles continued with two scathing reports from the U.K. The Huawei Cyber Security Evaluation Centre Oversight Board, part of the U.K.’s National Cyber Security Centre (NCSC), also expressed concern over the company’s software development and said the company could “provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the U.K.”
In an interview with the BBC, Dr. Ian Levy, technical director at the NCSC, added color to the report by calling Huawei security “very, very shoddy” and implying the British government should ban Huawei equipment.
In early March, Huawei began a proactive campaign to defend the company’s security by opening a Cyber Security Transparency Centre in Brussels. During the opening ceremony for that facility, Ken Hu, Huawei’s deputy chairman, said, “Trust needs to be based on facts, facts must be verifiable, and verification must be based on common standards. We believe that this is an effective model to build trust for the digital era.”
“We welcome all regulators, standards organizations, and customers to fully use this platform to collaborate more closely on security standards, verification mechanisms, and security technology innovation,” Hu said. “Together, we can improve security across the entire value chain and help build trust through verification.”
Huawei security and 5G networks
On Tuesday, the U.S. once again urged European allies to ban Huawei networking products. Rob Strayer, deputy assistant for cyber policy in the State Department, said in an interview with Bloomberg that some countries in Europe are moving closer to banning products from 5G networks and said Huawei’s connections to the Chinese government circumvent the rule of law.
After the National Defense Authorization Act for Fiscal Year 2019 — which banned Huawei and ZTE equipment from being used by the Department of Defense, U.S. military and Department of Energy — went into effect, Huawei sued the U.S. government and called the ban unconstitutional.
In a filing for that lawsuit, Huawei wrote, “Other countries that adopt a holistic approach to cybersecurity have far less concern, if any, about suppliers such as Huawei — and, resultantly, can reap the benefits of Huawei’s sophisticated technology, dedication to innovation, international presence, and ability to facilitate 5G deployment.”
The concerns over Huawei security have led many countries around the world to consider or implement bans on the company’s networking hardware, but even so, Huawei is a major force in the market.
According to research from the Dell’Oro Group, Huawei’s share of the global telecom equipment revenue market rose to nearly 30% in 2018, up eight percentage points since 2013. ZTE, another Chinese manufacturer under scrutiny, held about 8% of the market, and Huawei, Nokia, Ericsson, Cisco and ZTE together made up approximately 75% of the market.
In the U.S., the use of Huawei equipment may be even more prevalent in rural wireless networks, where cost is more of a concern. A 2018 filing by the Rural Wireless Association claimed that as many as 25% of rural carriers use Huawei equipment.