Vodafone reports security flaws in Huawei equipment
Vodafone has confirmed it found vulnerabilities in network equipment supplied by Huawei as the debate continues over the presence of the Chinese firm in communications networks.
According to Bloomberg, which first reported the story, the UK telecoms firm discovered the flaws between 2009 and 2012 in internet routers and other equipment used by its Italian business.
The “hidden back doors” could have allowed Huawei to access users’ home internet networks, the report claimed.
Vodafone confirmed the issues but disputed aspects of the report, claiming the flaws were diagnostic tools, used to monitor the state of a network, that had not been removed after development and could not be used to access a user’s network.
“The issues in Italy identified in the Bloomberg story were all resolved and date back to 2011 and 2012,” a Vodafone spokesman said.
“The ‘back door’ that Bloomberg refers to is Telnet, which is a protocol that is commonly used by many vendors in the industry for performing diagnostic functions. It would not have been accessible from the internet.
“Bloomberg is incorrect in saying that this ‘could have given Huawei unauthorised access to the carrier’s fixed-line network in Italy’.
“In addition, we have no evidence of any unauthorised access. This was nothing more than a failure to remove a diagnostic function after development.
“The issues were identified by independent security testing, initiated by Vodafone as part of our routine security measures, and fixed at the time by Huawei.”
The Chinese firm is at the centre of a debate about its trustworthiness and whether its equipment should be used at the centre of communications network infrastructure, having reportedly been given the green light by Prime Minister Theresa May to be used in non-essential parts of the UK’s upcoming 5G network.
Huawei has been the subject of concern for some years because of allegations of close ties to the Chinese government.
Under Chinese law, firms are compelled to “support, co-operate with and collaborate in national intelligence work”.
A deputy assistant secretary at the US State Department, Robert Strayer, said on Monday that Huawei “was not a trusted vendor” and any use of its technology in 5G networks was a risk.
And his position was backed by a Conservative member of the Commons Foreign Affairs Committee, Bob Seely, who said: “Huawei cannot, by definition, be a trusted vendor. It is required by law to co-operate with Chinese secret services. It is close to, if not part of, the Chinese state.
“China has achieved great things, and we need to respect it and develop good deep relations with it, but it also has a reputation for wholesale intellectual property theft and state hacking.
“Its military theory sees warfare as a battle between systems, including communications systems. It takes a very different approach to human rights and human freedoms.
“It goes without saying that to allow Huawei into our network is a risk – the question is how much.”
Some critics have expressed concerns that Beijing could require the firm to install technological “backdoors” to enable it to spy on or disable Britain’s communications network.
Huawei has always denied having ties to the state and says it abides by the laws of the countries in which it operates.
Founder Ren Zhengfei said earlier this year that Huawei had never been asked to share “improper information” about its partners by the government.
“I personally would never harm the interest of my customers and me and my company would not answer to such requests,” he said.
“No law in China requires any company to install mandatory back doors.”
The US has already banned the use of some Huawei equipment on security grounds and is pressuring its allies – including the UK – to take a similar approach, warning the firm poses an “unacceptable risk”.
In a statement on the Vodafone report, Huawei said: “We were made aware of historical vulnerabilities in 2011 and 2012 and they were addressed at the time.
“Software vulnerabilities are an industry-wide challenge. Like every ICT vendor we have a well-established public notification and patching process, and when a vulnerability is identified we work closely with our partners to take the appropriate corrective action.”