Generally when a software or hardware vulnerability is discovered the firm responsible for the solution is notified so that a fix can be implemented.
But today we’ve heard something that we haven’t heard before
The Huawei Cyber Security Evaluation Centre (HCSEC) in the UK reportedly discovered a vulnerability so severe it required Huawei to rewrite its code and architect its security from scratch.
“During 2019, HCSEC identified critical, user-facing vulnerabilities in fixed access products. The vulnerabilities were caused by particularly poor code quality in user facing protocol handlers and the use of an old operating system. The vulnerabilities were a serious example of the issues that are more likely to occur given the deficiencies in Huawei’s engineering practices, and during 2019 UK operators needed to take extraordinary action to mitigate the risk,” HSEC wrote in an oversight report published this week.
While the issue has since been fixed, upon fixing that vulnerability, another one appeared.
So is Huawei intentionally putting holes in its security? HCSEC says no but the answer is not great.
“Sustained evidence of poor coding practices was found, including evidence that Huawei continues to fail to follow its own internal secure coding guidelines,” HCSEC said.
In fact, in the report the UK’s National Cyber Security Centre explicitly states that it “does not believe that the defects identified are a result of Chinese state interference”.
Worse still, HCSEC says that the number of issues it has discovered within its small team is particularly concerning when you consider the weight of these vulnerabilities.
“If an attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of a UK network, in some cases causing it to cease operating correctly,” HCSEC wrote.
This is not good news for Huawei which has already been banned from the UK’s 5G networks.
With even more questions now being raised about the security of Huawei products we’re curious to see how other governments respond to this news.[Source – UK Government]