Huawei's UK code reviewers say Chinese mega-corp is still totally crap at basic software security. Bad crypto, buffer overflows, logic errors...

UK.gov security researchers examining Huawei source code have so far verified just eight firmware binaries out of more than 60 used across Britain's mobile phone networks, according to the GCHQ-backed agency's annual report.

The Huawei Cyber Security Evaluation Centre (HCSEC) – mostly run by GCHQ offshoot the National Cyber Security Centre (NCSC), though it is also staffed by some Huawei personnel – sighed that the Chinese company has made "limited" progress on last year's recommendations to toughen up its act.

Code reviewers found "evidence that Huawei continues to fail to follow its own internal secure coding guidelines. This is despite some minor improvements over previous years." In addition, "The Cell" said it had found more vulnerabilities during 2019 than it had in previous years – though Huawei was keen to paint this finding as "proof the review system is working", something NCSC guardedly agreed with.

"NCSC does not view the increase in vulnerabilities as an indicator of a further decline in Huawei's product quality, but it certainly does not indicate any marked improvement or transformation," said the agency in its report.

There was nothing in the report suggesting the Chinese state had planted intentional backdoors in code – though there was plenty to suggest that Huawei simply isn't taking the task of building robust and secure software and firmware with requisite seriousness.

Vulns uncovered by HCSEC researchers poring over the source code of Huawei's mobile network equipment firmware included "unprotected stack overflows in publicly accessible protocols, protocol robustness errors leading to denial of service, logic errors, cryptographic weaknesses, default credentials" as well as "many other basic vulnerability types".

Is this a backdoor?

Binary equivalence is the dark art of checking that a firmware binary supplied to HCSEC for evaluation is the same as the firmware deployed in production across Britain's mobile phone networks. While HCSEC verified during 2019 that eight builds examined in the lab were the equivalent of their production counterparts, The Register understands there are around 60 Huawei firmware builds in total lurking around Blighty's mobe networks.

"Huawei have committed to delivery of binary equivalence across officially released versions of all carrier products sold into UK from Dec 2020," said the report, which then warned that Huawei sees providing binary equivalence assurance as a "bespoke" task for each firmware version instead of an ongoing process: "Consequently, the NCSC does not have confidence that binary equivalence will be sustainable."

Even more concerning was what happened when serious vulnerabilities were found, with the report warning of "high CVSS scores" which The Register understands were generally in the region of 7-9 with the occasional 10. Scoring methods and what they mean are explained by the US National Vulnerability Database here.

"During 2019, HCSEC identified critical, user-facing vulnerabilities in fixed access products," said the report. "The vulnerabilities were caused by particularly poor code quality in user-facing protocol handlers and the use of an old operating system. The vulnerabilities were a serious example of the issues that are more likely to occur given the deficiencies in Huawei's engineering practices, and during 2019 UK operators needed to take extraordinary action to mitigate the risk."

Part of that risk rests on the Huawei Real Time Operating System (RTOS), based on "an externally maintained Linux distribution" to replace a legacy RTOS that used open-source code from the west. This presents a problem: "NCSC investigated Huawei's plans to manage and maintain Huawei RTOS during 2019 and found that the plans for RTOS were not practically sustainable."

Nothing to see here, all routine... cough cough

A Huawei spokesman told The Register: "This latest report highlights our commitment to a process that guarantees openness and transparency, and demonstrates HCSEC has been an effective way to mitigate cyber security risks in the UK. The report again concludes that the NCSC 'does not believe that the defects identified are a result of Chinese state interference'."

He added: "Huawei has faced the highest level of scrutiny for almost 10 years. This rigorous review sets a precedent for cyber security collaboration between the public and private sectors, and has provided valuable insights for the telecoms sector. We believe this mechanism can benefit the entire industry and Huawei calls for all vendors to be evaluated against an equally robust benchmark, to improve security standards for everyone."

Huawei has previously made calls for other vendors such as Cisco and Nokia to be subject to the same public HCSEC-style scrutiny as it must undergo, even launching a sort-of equivalent in Brussels last year to try and lead the way.

Former NCSC chief Ciaran Martin, under whose watch today's HCSEC report was compiled, told Parliament's Science and Technology Committee yesterday: "There are ongoing concerns about the quality of Huawei's security performance at a technical level, rather than concerns [about] hard evidence of Chinese state interference. That's an ongoing process of remediation. The US sanctions are very tightly defined, they do impact new deployments so that's why there's a bar on new deployments and as part of the package announced in July, contingency plans were made to ensure the existing stuff could be serviced."

The report's detailed findings will be eagerly lapped up by the Anglosphere's Five Eyes spying alliance, whose pre-eminent member, the USA, has made no secret that it wants Huawei completely gone from the western world's communications infrastructure. ®

Bootnote

One line of the HCSEC report assured the world: "There were no failures in the DV process this year." DV stands for Developed Vetting, one of the most in-depth forms of security clearance used by the British state. El Reg was unable to verify what happened with HCSEC staffers' DV clearances in previous years.