Telecoms giant Vodafone has revealed it discovered backdoors in equipment supplied by Chinese vendor Huawei that could have enabled spying.
Acknowledging the discoveries to Bloomberg, Vodafone said the vulnerabilities date back years. The issues have since been patched, but Vodafone claims they remained for some time after Huawei claimed they’d been fixed.
If exploited, the backdoors reportedly would have provided Huawei with unauthorised access to Vodafone’s fixed-line network in Italy. Coming from Europe’s largest telco, the revelations are damning.
In a statement, Vodafone said:
“In the telecoms industry it is not uncommon for vulnerabilities in equipment from suppliers to be identified by operators and other third parties.
Vodafone takes security extremely seriously and that is why we independently test the equipment we deploy to detect whether any such vulnerabilities exist. If a vulnerability exists, Vodafone works with that supplier to resolve it quickly.”
The primary concern is the time it took Huawei to address the problems, and that it claimed they had been rectified when further tests proved they had not been.
Security testing by an independent contractor for Vodafone identified a telnet backdoor, which presented the greatest concern because it could provide unauthorised access to Vodafone’s broader Wide Area Network. Huawei is then said to have refused to remove the telnet service on the grounds that it is needed to configure device information and conduct tests.
“Unfortunately for Huawei the political background means that this event will make life even more difficult for them in trying to prove themselves an honest vendor,” Vodafone said in an April 2011 document seen by Bloomberg and authored by Bryan Littlefair, Vodafone’s chief information security officer at the time.
“What is of most concern here is that actions of Huawei in agreeing to remove the code, then trying to hide it, and now refusing to remove it as they need it to remain for ‘quality’ purposes,” Littlefair wrote.
Vodafone has a lot to lose if Huawei equipment is banned due to widespread existing use of the company’s gear in previous generation networks. The operator has warned replacing Huawei’s equipment would be costly and delay its rollout of 5G.
Update: Vodafone has issued a statement hitting back at Bloomberg’s claims:
“The issues in Italy identified in the Bloomberg story were all resolved and date back to 2011 and 2012.
The ‘backdoor’ that Bloomberg refers to is Telnet, which is a protocol that is commonly used by many vendors in the industry for performing diagnostic functions. It would not have been accessible from the internet.
Bloomberg is incorrect in saying that this ‘could have given Huawei unauthorised access to the carrier’s fixed-line network in Italy’.
In addition, we have no evidence of any unauthorised access. This was nothing more than a failure to remove a diagnostic function after development.
The issues were identified by independent security testing, initiated by Vodafone as part of our routine security measures, and fixed at the time by Huawei.”
Vodafone’s statement doesn’t address the claim, made in the company document authored by its former chief information security officer, that Huawei was ‘trying to hide’ the vulnerability.
Just last week, a secret meeting to decide Huawei’s fate in the UK was leaked and suggested the company would be allowed to provide ‘non-core’ equipment for national 5G networks.
The US has been pressuring its allies not to use Huawei equipment in any part of networks over concerns the company is controlled by Beijing. Robert Strayer, a deputy assistant secretary at the US state department, threatened that a UK decision to allow Huawei in 5G networks would put security cooperation at risk.
Yesterday, China’s ambassador to the UK said that a ‘Global Britain’ should ignore external pressure and make its own decision over Huawei.
A dedicated Huawei Cyber Security Evaluation Centre (HCSEC) has been in place in Banbury, UK since 2010. HCSEC only found minor concerns with Huawei’s equipment until last year, when it could ‘no longer’ offer assurance that risks could be successfully mitigated.
A follow-up report this year highlighted that Huawei has been slow in addressing the concerns of UK intelligence officials. If Huawei is to ease Western concerns, it needs to be much faster in addressing them.