Telecoms giant Vodafone has revealed it discovered backdoors in equipment supplied by Chinese vendor Huawei that could have enabled spying.
Acknowledging the discoveries to Bloomberg , Vodafone said the vulnerabilities date back years. The issues have since been patched, but Vodafone claims they remained for some time after Huawei claimed they’d been fixed.
If exploited, the backdoors would have provided Huawei with unauthorised access to Vodafone’s fixed-line network in Italy. As Europe’s largest telco, the revelations from Vodafone are damning.
In a statement, Vodafone said:
“In the telecoms industry it is not uncommon for vulnerabilities in equipment from suppliers to be identified by operators and other third parties.
Vodafone takes security extremely seriously and that is why we independently test the equipment we deploy to detect whether any such vulnerabilities exist. If a vulnerability exists, Vodafone works with that supplier to resolve it quickly.”
The primary concern is with the time it took for Huawei to address the problems, and claiming they’d been rectified when further tests proved they had not been.
Security testing by an independent contractor for Vodafone identified a telnet backdoor which presented the greatest concern as it could provide unauthorised access to Vodafone’s broader Wide Area Network. Huawei is then said to have refused to remove the telnet service as it’s needed to configure device information and conduct tests.
“Unfortunately for Huawei the political background means that this event will make life even more difficult for them in trying to prove themselves an honest vendor,” Vodafone said in an April 2011 document seen by Bloomberg and authored by Bryan Littlefair, Vodafone’s chief information security officer at the time.
“What is of most concern here is that actions of Huawei in agreeing to remove the code, then trying to hide it, and now refusing to remove it as they need it to remain for ‘quality’ purposes,” Littlefair wrote.
Vodafone has a lot to lose if Huawei equipment is banned due to widespread existing use of the company’s gear in previous generation networks. The operator has warned replacing Huawei’s equipment would be costly and delay its rollout of 5G.
Just last week, a secret meeting to decide Huawei’s fate in the UK was leaked and suggested the company would be allowed to provide ‘non-core’ equipment for national 5G networks.
The US has been pressuring its allies not to use Huawei equipment in any part of networks over concerns the company is controlled by Beijing. Robert Strayer, a deputy assistant secretary at the US state department, threatened that a UK decision to allow Huawei in 5G networks would put security cooperation at risk.
Yesterday, China’s ambassador to the UK said that a ‘Global Britain’ should ignore external pressure and make its own decision over Huawei.
A dedicated Huawei Cyber Security Evaluation Centre (HCSEC) has been established in Banbury, UK since 2010. HCSEC only found minor concerns with Huawei’s equipment until last year when it could ‘no longer’ offer assurance that risks could be successfully mitigated.
A follow-up report this year highlighted that Huawei has been slow in addressing the concerns of UK intelligence officials . If Huawei is to ease Western concerns, it needs to be much faster in addressing them.
Interested in hearing industry leaders discuss subjects like this? Attend the co-located IoT Tech Expo , Blockchain Expo , AI & Big Data Expo , and Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London, and Amsterdam.