Huawei security issue far less threatening than first thought

Huawei building

An alleged security vulnerability in telecoms infrastructure belonging to Chinese technology giant Huawei was found to have been little more than undocumented services provided by a legitimate third-party, according to an updated report.

The report was conducted by Vodafone, according to Bloomberg which first shed light on the report (see below), and supposedly discovered backdoors in Huawei infrastructure in Italy. But Vodafone then clarified that the discovery wasn't a backdoor, instead the explanation lies in a hard-coded and undocumented Telnet service.

However, the Telnet service is far from a state-sponsored espionage backdoor and is rather a commonly deployed network tool.

Telnet is a method of connecting remote devices so they can be easily managed and with proper security protocols in place, the service can be useful.

While it isn't the most innocent thing in the world to omit the hardcoded Telnet from official documentation, Huawei hasn't done anything nearly as nefarious as what the original report was led to believe.

The Telnet was a declared security risk, there's no getting around that and it had to be removed following some pressure placed on Huawei. But the Telnet wasn't able to be accessed by the internet so Bloomberg was incorrect when it said that the vulnerability could have been used to access the data of millions of Vodafone's customers in Italy.

It didn't take long for the infosec community to clock-on to the fact that Bloomberg has seemingly got the wrong end of the stick, and tweets were flying thick and fast yesterday evening.

The reference to Cisco's vulnerabilities pertains to the fact that mainstream media has turned a blind eye to the seven genuine backdoors found in Cisco equipment just in 2019.

In March it was revealed that a remote-code execution hole was found in some Cisco small business routers which could be exploited if discovered by an attacker who could grant themselves admin privileges and execute code on the affected routers.

It highlights that many devices, even from the industry's giants, are shipped with vulnerabilities like insecure remote access but it shouldn't be confused with the far more threatening backdoor vulnerability.

30/04/2019: Backdoors allegedly found in old Huawei tech as US berates UK 5G plans

Vodafone has claimed that following an investigation into old Huawei infrastructure in Italy, backdoors were implanted in the Chinese firm's equipment and could have been used to gain access to the carrier's fixed-line network and millions of their customers.

Vodafone reportedly told Bloomberg that the confirmed cases are isolated to 2009 and 2011, and it's not certain whether these backdoors were ever exploited, but it still shows how Huawei has an alleged history in nefarious conduct.

Vodafone asked Huawei to remedy the situation in 2011 after it discovered the company found backdoors in home routers but follow-up testing revealed the vulnerabilities remained even after Huawei assured Vodafone that they would be removed, according to people involved in the situation.

In a statement issued by Vodafone, it said that there was no evidence of data being compromised with the home routers or with the network infrastructure in Italy, which was fixed in the same year it was found. It also confirmed that vulnerabilities in Vodafone's own optical nodes were found in Italy but security issues didn't extend beyond the country.

"In the telecoms industry, it's not uncommon for vulnerabilities in equipment from suppliers to be identified by the operators and other third parties," said Vodafone. "Vodafone takes security extremely seriously and that is why independently test the equipment we deploy to detect whether any such vulnerabilities exist."

Vodafone started buying routers from Huawei in 2008 for their Italian business and then later for the UK, Germany, Spain and Portugal.

"We were made aware of historical vulnerabilities in 2011 and 2012 and they were addressed at the time," said a Huawei spokesperon. "Software vulnerabilities are an industry-wide challenge. Like every ICT vendor we have a well-established public notification and patching process, and when a vulnerability is identified we work closely with our partners to take the appropriate corrective action."

The company's CEO Nick Reade had previously called upon the world's governments to share whatever evidence they had on Huawei in order to substantiate the fierce allegations made across the globe.

The news also flies in the face of comments made by rotating chairman Guo Ping at Mobile World Congress in February where, during the company's keynote, Ping said: "Huawei has not and will never plant backdoors and we will never allow anyone else to do so in our equipment."

It's worth noting that Ping said this in 2019, so some years after the backdoors were discovered by Vodafone. So his comments could be extolling the virtues of a seemingly reformed Huawei, especially as over the recent years the company has gone from a mostly China-centric frim into a world-wide name.

"[The latest news] further undermines the growing importance of ensuring that all networks (fixed and mobile) are secure end-to-end," said telecoms analyst Paolo Pescatore. "This should not only be limited to networks but extend towards devices for all network and consumer electronics providers."

The news follows the statement made yesterday by Rob Strayer, US deputy assistant secretary at the US state department warning that US-UK intelligence sharing could be under threat as a result of the UK's decision to allow Huawei partial access to its non-core 5G network infrastructure.

"It is the United States' position that putting Huawei or any other untrustworthy vendor in any part of the 5G telecommunications network is a risk," said Strayer. "If other countries insert and allow untrusted vendors to build out and become the vendors for their 5G networks we will have to reassess the ability for us to share information and be connected with them in the ways that we are today."

The statement echoes the one made by US secretary of state Mike Pompeo back in February, saying that the US will refuse to share intelligence with any nation that implements Huawei equipment in its infrastructure.

The latest statement comes after the details of a top-secret meeting held involving the UK's National Security Council was leaked last Tuesday. Theresa May reportedly made the decision to allow Huawei equipment into the UK's infrastructure before a thorough review was issued to her by the National Cyber Security Agency.

Connor Jones
Contributor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.