Huawei's UK code reviewers say Chinese mega-corp is still totally crap at basic software security. Bad crypto, buffer overflows, logic errors...

UK.gov security researchers examining Huawei source code have so far verified just eight firmware binaries out of more than 60 used across Britain's mobile phone networks, according to the GCHQ-backed agency's annual report. The Huawei Cyber Security Evaluation Centre (HCSEC) – mostly run by GCHQ offshoot the National Cyber …

  1. ComputerSays_noAbsolutelyNo Silver badge

    Can we do this for all manufacturers

    While the increased scrutiny directed at Huawei was sort of collateral damage of the trade bickering between the Beloved Leader of the Alternative Western World and China, ...

    could we do this with every manufacturer of critical infrastructure?

    Imagine a world in which we can prove that our power distribution systems cannot be hacked by some script kiddies from Elbonia.

    Ok, I'll show myself out.

    1. alain williams Silver badge

      Re: Can we do this for all manufacturers

      Just provide the source code and be done with it. Huawei makes its money selling hardware, by opening its code (even if that is just to its large telco customers) it would increase trust that it does not have back doors.

      I doubt that their algorithms are vastly better than the competition.

      If it does not want to do that then publish the complete hardware specs and customers could install their own firmware ... OK: something would need to be obtained, but once done, and shared with telcos worldwide, we could have something robust.

      The same should apply for Nokia, Cisco, etc.

      1. JetSetJim

        Re: Can we do this for all manufacturers

        > Huawei makes its money selling hardware

        No it doesn't. Hardware is (was?) almost given away to get the footprint in the networks - certainly in the access networks. S/w licensing is then their revenue model, as each year 3GPP helpfully come up with new features, bells & whistles (and Gs) that Huawei can charge through the nose to implement in their software and deploy into the networks.

        In terms of their development practice - it's "sell it, build it asap, chuck it through the door with minimal testing, let the field engineering/support teams debug it". It's designed and built by very talented people, but it's rushed, and as the old adage goes: "fast, good & cheap - pick any two".

      2. Charlie Clark Silver badge

        Re: Can we do this for all manufacturers

        I'm not sure how that would help. Just having the code does not automatically solve the problem. I'm all for open source but seeing as the source is provided in this instance it doesn't help.

        Also, it's worth noting that static code analysis only goes so far in flagging up bugs.

    2. Charlie Clark Silver badge

      Re: Can we do this for all manufacturers

      > could we do this with every manufacturer of critical infrastructure?

      should be could we do this with every manufacturer publisher of critical infrastructure software? FTFY

      Otherwise you have to define which infrastructure is critical and there is no reason why the manufacturers of consumer electronics, cars or anything else should be able to get away with their current practice of seeing if anyone notices when things break.

      1. Anonymous Coward

        Re: Can we do this for all manufacturers

        Some good points but surely the big headline is that no backdoors were found so in all likelihood Huawei is no better or worse than other companies, apart from Cisco which appears to have been caught installing back doors... or did I misread that?

        1. LDS Silver badge

          Re: Can we do this for all manufacturers

          It looks like that code does not need backdoors.... "cryptographic weaknesses, default credentials" - what more do you need?

          1. JetSetJim

            Re: Can we do this for all manufacturers

            I'm not sure I've ever worked for a company that didn't have default credentials on their kit installed in customer premises. The critical issue is how to gain access to the kit to be able to enter credentials. The Huawei kit, in particular the core network infrastructure, will be a server farm with rigorously policed network interfaces. The default is usually to shut everything down except for the explicit ports and routes needed for the kit to provide service. I've had cause to ask an operator to open a route between 2 IPs and it took weeks to authorise and even then they went by the letter of the (possibly clumsily specified) request and only opened it in one direction, necessitating another delay to get the reverse link opened.

    3. Captain Scarlet Silver badge

      Re: Can we do this for all manufacturers

      Just make sure it's not gone anywhere near Wally!

  2. Chris the bean counter

    Let's hope

    We exploited a few of the vulnerabilities in the Chinese network

    1. Woodnag

      Re: Let's hope

      Every country tries to exploit vulnerabilities in every other country's networks. It's not good guys vs bad guys, it's sigint and everyone does it.

    2. Yet Another Anonymous coward Silver badge

      Re: Let's hope

      >We exploited a few of the vulnerabilities in the Chinese network

      The bits of it that are in English at least

  3. John Smith 19 Gold badge

    Huawei's attitude seems very odd

    They submit (even fund) this fairly public process where their vulnerabilities are revealed in public.

    But seem to make little (any?) effort to improve their processes to cut down issues and improve quality.

    Is this the price they feel they have to pay to get into the UK market?

    The European market?

    Of course no one can check what's really happening inside those chips.....

    So this could be the illusion of security, rather than the real thing.

    1. Richocet

      Re: Huawei's attitude seems very odd

      For me this is an eye-opening insight into the culture of the company. How they build things, and what they care and don't care about.

      If this culture is common, it explains the river of terrible quality products flowing out of China.

      1. IGotOut Silver badge

        Re: Huawei's attitude seems very odd

        "it explains the river of terrible quality products flowing out of China."

        That's because we, the consumer, want it cheap.

        Look this widget cost X...but look this similar looking widget is 1/10 the price....I'll take that.

        And to be fair I've bought Chinese stuff that's been better than the far more expensive rival.

      2. Anonymous Coward

        Re: Huawei's attitude seems very odd

        I’ve heard it said that once Huawei did a deal, they’d hit a nearby office, ship over developers on tourist visas who would be there to resolve issues super fast as the kit was deployed, only the devs would get rotated fast because of the visa issue, so no continuity. Lots of custom fixes for a customer, divergence of the code base making upgrades difficult/impossible.

  4. Commswonk

    Not sure about this...

    Quite apart from the fact that Huawei kit is currently off the UK's Christmas present wish list, why are we doing their work for them in drawing the equipment's vulnerabilities to their attention? OK; if the NCSC says to Huawei there are n* vulnerabilities that we have found without providing any specifics then all well and good, but as things stand we seem to be risking handing information about our specialists' abilities to find those vulnerabilities to a foreign entity whose intentions are not always necessarily benign, or might not be in the future. Just seems a bit wrong to me...

    * Where n is an integer!

    1. doublelayer Silver badge

      Re: Not sure about this...

      They're reviewing it anyway, so why not point out the problems? If they're hiding them from the public, that would be a problem, but they're not. They point out that there are many problems, and from the sound of it, the problems they have identified aren't exactly hidden. Even a very malicious version of Huawei can't get much out of that report other than that NCSC will read code sent to them and has some technical people in it. Meanwhile, if they actually changed some of this, it would mean that networks in the U.K. using Huawei infrastructure would be more secure.

      1. Yet Another Anonymous coward Silver badge

        Re: Not sure about this...

        > so why not point out the problems?

        Because Huawei are the official enemy of the people (at the moment)

        It would be like the rebels finding the unshielded exhaust port and telling the Empire so they could fix it

    2. Anonymous Coward

      Re: Not sure about this...

      >why are we doing their work for them in drawing the equipment's vulnerabilities to their attention?

      Because the department that does this is entirely paid for by Huawei.

    3. NonSSL-Login

      Re: Not sure about this...

      We are probably still doing the checking as there is hope that Trump loses the election and we can then go back to installing the better Huawei kit we want to install. Even though a Nokia deal has been talked about I'm sure we are just biding our time in the hope of the sanctions being dropped if Biden wins.

      Biden is anti-Chinese too and akin to the devil in disguise so it might be a false hope.

      Bottom line is we want the cheaper + better Huawei kit.

    4. IGotOut Silver badge

      Re: Not sure about this...

      "why are we doing their work for them in drawing the equipment's vulnerabilities to their attention?"

      Because as of yet, we haven't decided to rip up that agreement.

  5. Blackjack Silver badge

    Looks at the USA

    So... who are most of the companies having all those big leaks in recent years? Americans you say?

    Pot calling kettle.

  6. fredesmite2

    But - IT'S CHEAP !

    And already DONE .. READY TO SHIP

  7. TeeCee Gold badge

    There was nothing in the report suggesting the Chinese state had planted intentional backdoors in code...

    Why would they bother when just hiring a s'kiddie to hack through the Swiss cheese security and tell 'em everything that's going on is so much simpler.

    1. Richocet

      Script kiddies could do much of the hacking, but writing reports is not their strong point.

    2. Anonymous Coward

      But that surely is the point - the backdoors are there - only the report calls them "vulnerabilities" and poor coding practices - it's called hiding in plain sight.

      Exploitation of the backdoors is unfortunately open to all and sundry, including the PLA

  8. DavCrav

    What's confusing to me is, if I had regular reports about all the mistakes I was making and how to fix them, I would expect to slowly be making fewer mistakes. This does not appear to be the case here. They must be finding new and exciting ways to fuck up every day.

    1. John Sturdy

      Perhaps they are rapidly replacing their staff with ones who haven't yet learnt from experience, a bit like IBM seem to be doing.

    2. A.P. Veening Silver badge

      > What's confusing to me is, if I had regular reports about all the mistakes I was making and how to fix them, I would expect to slowly be making fewer mistakes. This does not appear to be the case here. They must be finding new and exciting ways to fuck up every day.

      See:

      "There are ongoing concerns about the quality of Huawei's security performance at a technical level, rather than concerns [about] hard evidence of Chinese state interference. That's an ongoing process of remediation. The US sanctions are very tightly defined, they do impact new deployments so that's why there's a bar on new deployments and as part of the package announced in July, contingency plans were made to ensure the existing stuff could be serviced."

      Basically, US sanctions make updates (fixes) at the very least very difficult.

  9. Anomalous Cowshed

    Silly security errors in code

    = plausible deniability if someone connected with a certain Asian superpower should happen to exploit them...
