Huawei's UK code reviewers say Chinese mega-corp is still totally crap at basic software security. Bad crypto, buffer overflows, logic errors... UK.gov security researchers examining Huawei source code have so far verified just eight firmware binaries out of more than 60 used across Britain's mobile phone networks, according to the GCHQ-backed agency's annual report. The Huawei Cyber Security Evaluation Centre (HCSEC) – mostly run by GCHQ offshoot the National Cyber …
While the increased scrutiny directed at Huawei was sort of collateral damage of the trade bickering between the Beloved Leader of the Alternative Western World and China, ...
could we do this with every manufacturer of critical infrastructure?
Imagine a world, in which we can proof that our power distribution systems can not be hacked by some script kiddies from Elbonia.
Ok, I'll show myself out.
Just provide the source code and be done with it. Huawei makes its money selling hardware, by opening its code (even if that is just to its large telco customers) it would increase trust that it does not have back doors.
I doubt that their algorithms are vastly better than the competition.
If it does not want to do that then publish the complete hardware specs and customers could install their own firmware ... OK: something would need to be obtained, but once done, and shared with telcos world wide, we could have something robust.
The same should apply for Nokia, Cisco, etc.
> Huawei makes its money selling hardware
No it doesn't. Hardware is (was?) almost given away to get the footprint in the networks - certainly in the access networks. S/w licensing is then their revenue model, as each year 3GPP helpfully come up with new features, bells & whistles (and Gs) that Huawei can charge through the nose to implement in their software and deploy into the networks.
In terms of their development practise - it's "sell it, build it asap, chuck it through the door with minimal testing, let the field engineering/support teams debug it". It's designed and built by very talented people, but it's rushed, and as the old adage goes: "fast, good & cheap - pick any two".
I'm not sure how that would help. Just having the code does not automatically solve the problem. I'm all for open source but seeing as the source is provided in this instance it doesn't help.
Also, it's worth noting that static code analysis only goes so far in flagging up bugs.
could we do this with every manufacturer of critical infrastructure?
should ve could we do this with every manufacturer publisher of critical infrastructure software? FTFY
Otherwise you have to define which infrastructure is critical and there is no reason why the manufacturers of consumer electronics, cars or anything else should be able to get away with their current practice to seeing if anyone notices when things break.
Jim not sure I've ever worked for a company that didn't have default credentials on their kit installed in customer premises. The critical issue is how to gain access to the kit to be able to enter credentials. The Huawei kit, in particular the core network infrastructure, will be a server farm with rigourously policed network interfaces. The default is usually to shut everything down except for the explicit ports and routes needed for the kit to provide service. I've had cause to ask an operator to open a route between 2 IPs and it took weeks to authorise and even then they went by the letter of the (possibly clumsily specified) request and only opened it in one direction, necessitating another delay to get the reverse link opened.
They submit (even fund) this fairly public process where there vulnerabilities are revealed in public.
But seem to make little (any?) effort to improve their processes to cut down issues and improve quality.
Is this the price they feel they have to pay to get into the UK market?
The European market?
Of course no one can check what's really happening inside those chips.....
So this could be the illusion of security, rather than the real thing.
"it explains the river of terrible quality products flowing out of China."
That's because we, the consumer, want it cheap.
Look this widget cost X...but look this similar looking widget is 1/10 the price....I'll take that.
And to be fair I've bought Chinese stuff that's been better than the far more expensive rival.
I’ve heard it said that once Huawei did a deal, they’d hit a nearby office, ship over developers on tourist visas who would be there to resolve issues super fast as the kit was deployed, only the devs would get rotated fast because of the visa issue, so no continuity. Lots of custom fixes for a customer, divergence of the code base making upgrades difficult/impossible.
Quite apart from the fact that Huawei kit is currently off the UK's Christmas present wish list why are we doing their work for them in drawing the equipment's vulnerabilities to their attention? OK; if the NCSC says to Huawei there are n* vunerabilities that we have found without providing any specifics then all well and good, but as things stand we seem to be risking handing information about our specialists' abilities to find those vulnerabilities to a foreign entity whose intentions are not always necessarily benign, or might not be in the future. Just seems a bit wrong to me...
* Where n is an integer!
They're reviewing it anyway, so why not point out the problems? If they're hiding them from the public, that would be a problem, but they're not. They point out that there are many problems, and from the sound of it, the problems they have identified aren't exactly hidden. Even a very malicious version of Huawei can't get much out of that report other than that NCSC will read code sent to them and has some technical people in it. Meanwhile, if they actually changed some of this, it would mean that networks in the U.K. using Huawei infrastructure would be more secure.
We are probably still doing the checking as there is hope that Trump loses the election and we can then go back to installing the better Huawei kit we want to install. Even though a Nokia deal has been talked about im sure we are just biding our time in the hope of the sanctions being dropped if Biden wins.
Biden is anti-chinese too and akin to the devil in disguise so it might be a false hope.
Bottom line is we want the cheaper + better Hauwei kit.
What's confusing to me is, if I had regular reports about all the mistakes I was making and how to fix them, I would expect to slowly be making fewer mistakes. This does not appear to be the case here. They must be finding new and exciting ways to fuck up every day.
See:
"There are ongoing concerns about the quality of Huawei's security performance at a technical level, rather than concerns [about] hard evidence of Chinese state interference. That's an ongoing process of remediation. The US sanctions are very tightly defined, they do impact new deployments so that's why there's a bar on new deployments and as part of the package announced in July, contingency plans were made to ensure the existing stuff could be serviced."
Basically, US sanctions make updates (fixes) at the very least very difficult.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
