Britain found ‘critical’ weakness in Huawei equipment

British intelligence forced Huawei Technologies to fix flaws in its products that could have put the security of the country’s networks at risk, a government agency said.

“Critical, user-facing vulnerabilities” were found in the Chinese supplier’s fixed-broadband products caused by poor code quality and an old operating system, the Huawei Cyber Security Evaluation Centre Oversight Board said in a report. “UK operators needed to take extraordinary action to mitigate the risk.”

The centre, near Oxford in England, was set up between the Shenzhen-based technology giant and the British government in an arrangement to let the UK’s National Cyber Security Centre examine its hardware and software.

In the annual report published on Thursday, the HCSEC Oversight Board said Huawei repaired the security issue. No exploitation of it was detected. However, the fix then created a new, different “major issue”. The incident was “further evidence that deficiencies in Huawei’s engineering processes remain”, it concluded.

The event had “national significance” and marked a rare occasion where a full description of the problem was temporarily held back from Huawei while Britain assessed its impact. The NCSC does not believe the defects identified were due to Chinese state interference, the report said.

The revelation comes at a sensitive time for Huawei after the British government decided to ban telecoms operators from using its gear in their fifth-generation mobile networks. The government is now reviewing Huawei’s role in supplying fixed-broadband infrastructure.

The HCSEC Oversight Board said it “can only provide limited technical assurance in the security risk management of Huawei equipment in UK networks”, reiterating a finding of last year’s report.

“This is a poor state of affairs, especially as Huawei kit will remain in UK networks and may even be added to it, despite the ban,” said lawmaker Bob Seely, a member of the ruling Conservative party who has campaigned for tighter restrictions on Huawei.

It’s business as usual for this Huawei group despite US sanctions

Asked about the report’s findings, a spokesman for Huawei said the supplier is the only one that faces such a tough level of scrutiny. “Huawei calls for all vendors to be evaluated against an equally robust benchmark, to improve security standards for everyone,” the spokesman said.

Britain had previously decided it could manage the risks of keeping some Huawei in 5G networks. It reversed course in July after US sanctions cut off Huawei’s access to American microprocessor technology. British security services said this meant the security of Huawei supplies could not be assured.

The HCSEC oversight board’s report covered the situation in 2019. However, it noted that Huawei had already begun to swap out American components for replacements from elsewhere toward the end of 2019 to comply with the US blacklist rules.

This may “limit the number of products that can be analysed by HCSEC, and hence the number of products that can be used within the UK”, it said.

The US “entity list” made it harder for the HCSEC to do its job for a further reason, the report pointed out: the facility is owned by Huawei, so it is more difficult to obtain security monitoring products that use US intellectual property. Officials are looking at how to solve the issue.