Huaweis network equipment contains more errors that hackers can exploit than competitors’ hardware. This is the decision of the American IoT security specialist Finite State after an extensive investigation.

Finite State analyzed more than 1.5 million files from 9,936 firmware images for 558 products from Huaweis network portfolio. The dataset covers firmware from the past fourteen years, up to and including April 2019.

We have concluded that Huawei devices have a weaker security attitude than other brands, and there are significant security risks associated with using these devices, says Matt Wyckhouse, CEO of Finite State, in a video presenting the findings.

Sun 55 percent of Huawei products would contain at least one serious or critical vulnerability, which could be exploited by an attacker. Although Finite State talks about possible backdoors in its report, which involves intentional sabotage, the company stresses that it does not pronounce itself on this. It states that a backdoor can be both intentional and nonintentional.

The Register notes that it mainly relates to login data that are hardcoded and leaks that enable remote code execution, in order to take control of the hardware. However, vulnerabilities that merely disclose information but do not allow access may also be included in the census.

Opensource

The vulnerabilities are mainly found in code from open source projects and external parties, which Huawei uses but does not update sufficiently. This is how Finite State discovered the use of 79 different OpenSSL versions, the oldest of which dates from 1999. The security specialist says that it found no evidence that Huawei is backporting its security patches to older binaries.

Each firmware image examined contained an average of 102 known vulnerabilities, of which 27 percent are labeled as serious to very serious. In extreme cases, Finite State even discovered more than 1,400 vulnerabilities in an image.

It should be noted at this point that no firmware is 100 percent secure. Other manufacturers also put on the market products that are not completely waterproof. Ask Cisco. It is questionable how the firmware of other suppliers would score on similar thorough and automated tests. However, the Finite State report claims that the number of identified vulnerabilities in Huawei is high by each standard.

Unsafe coding

Finite State also found that too little use is made of secure encryption mechanisms. About 35 percent of the binaries had address space layout randomization (ASLR) enabled, about 12 percent had relocation read only (RELRO) implemented, 74 percent had data execution prevention (DEP) enabled, and sun 27 percent used StackGuard to protect against stack-buffer overflows.

The company also searched for secure features that protect against memory corruption, but found them in only 17 percent of the features present in the firmware. Based on the ubiquity of these safe coding vulnerabilities in enterprise and consumer equipment produced by Huawei, we can definitely conclude that Huawei, as an organization, does not apply safe coding principles, concludes the report.

Huawei under a magnifying glass

The reality is that Huawei’s equipment is now being magnified more than any other manufacturer, due to suspicions of espionage from the United States. So far no concrete evidence has been put on the table, but it has led to Huawei being banned from national 5G networks in a number of countries, while other countries have set up Huawei specific verification centres to examine the Chinese company’s hardware.

Last March, the British Huawei Cyber Security Evaluation Centre (HCSEC) gave the manufacturer another scolding because serious vulnerabilities were still present in its equipment a year after its discovery.

Huawei itself has stated on several occasions that it will do everything in its power to address security concerns surrounding its 5G hardware and has announced a $2 billion investment in the development of security competencies. In its own country, Huawei has opened a Brussels hub for cyber security and transparency. It invites operators, companies and technical experts to come and test its hardware.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.