Huawei savaged by Brit code review board over pisspoor dev practices
HCSEC pulls no technical punches in annual report
Britain's Huawei oversight board has said the Chinese company is a threat to British national security after all – and some existing mobile network equipment will have to be ripped out and replaced to get rid of said threat.
"The work of HCSEC [Huawei Cyber Security Evaluation Centre]… reveals serious and systematic defects in Huawei's software engineering and cyber security competence," said the HCSEC oversight board in its annual report, published this morning.
The oversight folk added: "Work has continued to identify concerning issues in Huawei's approach to software development bringing significantly increased risk to UK operators, which requires ongoing management and mitigation."
While the report itself does not identify any Chinese backdoors, which is the American tech bogeyman du jour, it highlights technical and security failures in Huawei's development processes and attitude towards security for its mobile network equipment:
In some cases, remediation will also require hardware replacement (due to CPU and memory constraints) which may or may not be part of natural operator asset management and upgrade cycles… These findings are about basic engineering competence and cyber security hygiene that give rise to vulnerabilities that are capable of being exploited by a range of actors.
Even though Huawei has talked loudly about splurging $2bn on software development, heavily hinting that this would include security fixes, HCSEC scorned this. Describing the $2bn promise as "no more than a proposed initial budget for as yet unspecified activities", HCSEC said it wanted to see "details of the transformation plan and evidence of its impact on products being used in UK networks before it can be confident it will drive change" before giving Huawei the green light.
The report's findings had been telegraphed long in advance by British government officials, who have been waging war with Huawei through the medium of press briefings.
Amateurs in a world desperately needing professionals
One key problem highlighted by the HCSEC oversight board was "binary equivalence", a problem Huawei has been relatively open about. HCSEC testers had previously flagged up problems with not knowing whether the binaries they were inspecting for Chinese government backdoors were compilable into firmware equivalent to what was deployed in live production environments. Essentially, the concern is that software would behave differently when installed in the UK's telecoms networks than it did during HCSEC's tests.
In today's report, the Banbury centre team said: "Work to validate them by HCSEC is still ongoing but has already exposed wider flaws in the underlying build process which need to be rectified before binary equivalence can be demonstrated at scale. Unless and until this is done it is not possible to be confident that the source code examined by HCSEC is precisely that used to build the binaries running in the UK networks."
HCSEC also highlighted something The Register exclusively revealed precise details of this morning, saying: "It is difficult to be confident that vulnerabilities discovered in one build are remediated in another build through the normal operation of a sustained engineering process."
It also criticised Huawei's "configuration management improvements", pointing out that these haven't been "universally applied" across product and platform development groups. Huawei's use of "an old and soon-to-be out of mainstream support version" of an unnamed real time operating system (RTOS) "supplied by a third party" was treated to some HCSEC criticism, even though Huawei bought extended support from the RTOS's vendor.
HCSEC said: "The underlying cyber security risks brought about by the single memory space, single user context security model remain," warning that Huawei has "no credible plan to reduce the risk in the UK of this real time operating system."
Hygiene, that's something you do in the shower with soap… right?
OpenSSL is used extensively by Huawei – and in HCSEC's view perhaps too extensively:
In the first version of the software, there were 70 full copies of 4 different OpenSSL versions, ranging from 0.9.8 to 1.0.2k (including one from a vendor SDK) with partial copies of 14 versions, ranging from 0.9.7d to 1.0.2k, those partial copies numbering 304. Fragments of 10 versions, ranging from 0.9.6 to 1.0.2k, were also found across the codebase, with these normally being small sets of files that had been copied to import some particular functionality.
Even after HCSEC threw a wobbly and told Huawei to sort itself out pronto, the Chinese company still came back with software containing "code that is vulnerable to 10 publicly disclosed OpenSSL vulnerabilities, some dating back to 2006."
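The OpenSSL sprawl the report describes is the kind of thing an auditor inventories by reading OPENSSL_VERSION_NUMBER out of each embedded copy's opensslv.h. The C below is an added example written for this article, not code from the report or from Huawei: it decodes those numbers (the 0xMNNFFPPS layout used from 0.9.5a through 1.1.x, which covers the 0.9.6 to 1.0.2k span HCSEC names; OpenSSL 3.0 changed the scheme) into the familiar "1.0.2k" form and counts how many copies sit below a chosen floor. The version list in main is constructed sample data, not the report's findings.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decode an OPENSSL_VERSION_NUMBER (0xMNNFFPPS: major, minor, fix, patch
 * letter, status nibble) into "M.NN.FF[letter][-dev|-betaN]".
 * Returns the number of characters written, or -1 if out is too small or
 * the patch field is outside 'a'..'z'. */
int openssl_version_string(unsigned long n, char *out, size_t outlen)
{
    unsigned major  = (unsigned)(n >> 28) & 0xf;
    unsigned minor  = (unsigned)(n >> 20) & 0xff;
    unsigned fix    = (unsigned)(n >> 12) & 0xff;
    unsigned patch  = (unsigned)(n >> 4)  & 0xff;  /* 0 = none, 1 = 'a', 2 = 'b', ... */
    unsigned status = (unsigned)n & 0xf;           /* 0 = dev, 1-14 = beta, 15 = release */
    char letter[2] = {0, 0};
    int written;

    if (patch > 26) return -1;                     /* no release ever went past 'z' */
    if (patch != 0) letter[0] = (char)('a' + patch - 1);

    if (status == 0xf)
        written = snprintf(out, outlen, "%u.%u.%u%s", major, minor, fix, letter);
    else if (status == 0)
        written = snprintf(out, outlen, "%u.%u.%u%s-dev", major, minor, fix, letter);
    else
        written = snprintf(out, outlen, "%u.%u.%u%s-beta%u", major, minor, fix, letter, status);

    if (written < 0 || (size_t)written >= outlen) return -1;
    return written;
}

/* Given the version numbers read from every embedded copy, count how many
 * are older than `floor` (for example the oldest release still receiving
 * fixes). The encoding is monotonic, so a plain comparison is correct. */
size_t count_copies_below(const unsigned long *versions, size_t n, unsigned long floor)
{
    size_t below = 0;
    for (size_t i = 0; i < n; i++)
        if (versions[i] < floor) below++;
    return below;
}

int main(void)
{
    /* Constructed sample: four copies found in a hypothetical tree. */
    const unsigned long found[] = { 0x100020bfUL, 0x0090800fUL, 0x0090704fUL, 0x100020bfUL };
    const size_t count = sizeof found / sizeof found[0];
    const unsigned long floor = 0x1000200fUL;      /* 1.0.2 release */
    char buf[32];

    for (size_t i = 0; i < count; i++) {
        if (openssl_version_string(found[i], buf, sizeof buf) < 0)
            snprintf(buf, sizeof buf, "<undecodable 0x%lx>", found[i]);
        printf("copy %zu: %s\n", i, buf);
    }
    printf("%zu of %zu copies are older than 1.0.2\n",
           count_copies_below(found, count, floor), count);
    return 0;
}
```

Run across a real tree, the numbers come from grepping `OPENSSL_VERSION_NUMBER` out of every opensslv.h; the decoder is what lets the count of distinct versions and the count of out-of-support copies be reported in one pass.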
Huawei also struggles to stick to its own secure coding guidelines’ rules on memory handling functions, as HCSEC lamented:
Analysis of relevant source code worryingly identified a number of pre-processor directives of the form "#define SAFE_LIBRARY_memcpy(dest, destMax, src, count) memcpy(dest, src, count)", which redefine a safe function to an unsafe one, effectively removing any benefit of the work done to remove the unsafe functions.
"This sort of redefinition makes it harder for developers to make good security choices and the job of any code auditor exceptionally hard," said the government reviewers.
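To make the reviewers' point concrete, here is an added C example; it is not code from the report or from Huawei, and the function names are assumed for illustration. The first macro reproduces the pattern HCSEC quotes: a "safe" name whose replacement text throws away the destMax bound, so every caller is really calling plain memcpy. bounded_memcpy shows what that bound is supposed to buy, and macro_drops_bound is a hypothetical source-review heuristic that flags any function-like #define whose replacement never uses its second parameter.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The pattern the report criticises: the wrapper keeps its "safe" name, but
 * destMax is discarded, so no bounds check ever happens. (Assumed name.) */
#define UNCHECKED_SAFE_memcpy(dest, destMax, src, count) memcpy(dest, src, count)

/* What the bound is for: refuse any copy that does not fit in dest.
 * Returns 0 on success, -1 (leaving dest untouched) on a NULL pointer or a
 * count larger than destMax. Assumed API shape, not Huawei's. */
int bounded_memcpy(void *dest, size_t destMax, const void *src, size_t count)
{
    if (dest == NULL || src == NULL) return -1;
    if (count > destMax) return -1;     /* the check the macro silently removes */
    memcpy(dest, src, count);
    return 0;
}

/* Copy `count` bytes of a constructed payload into an 8-byte buffer through
 * bounded_memcpy and report its verdict: 0 = copied, -1 = refused. */
int try_copy_into_small_buffer(size_t count)
{
    unsigned char dest[8] = {0};
    const unsigned char payload[16] = "AAAAAAAAAAAAAAA";   /* constructed input */
    if (count > sizeof payload) return -1;
    return bounded_memcpy(dest, sizeof dest, payload, count);
}

/* Review heuristic: given one #define line, return 1 if it is a function-like
 * macro whose replacement text never mentions its second parameter (the
 * destMax position in the quoted pattern), 0 otherwise. */
int macro_drops_bound(const char *line)
{
    const char *p = strstr(line, "#define");
    if (p == NULL) return 0;
    p += strlen("#define");
    while (isspace((unsigned char)*p)) p++;
    while (isalnum((unsigned char)*p) || *p == '_') p++;       /* macro name */
    if (*p != '(') return 0;                                   /* object-like macro */

    const char *open = p;
    const char *close = strchr(open, ')');
    if (close == NULL) return 0;

    /* Second parameter: the identifier after the first comma in the list. */
    const char *comma = memchr(open, ',', (size_t)(close - open));
    if (comma == NULL) return 0;
    const char *start = comma + 1;
    while (start < close && isspace((unsigned char)*start)) start++;
    const char *end = start;
    while (end < close && (isalnum((unsigned char)*end) || *end == '_')) end++;
    if (end == start) return 0;

    char param[64];
    size_t len = (size_t)(end - start);
    if (len >= sizeof param) return 0;
    memcpy(param, start, len);
    param[len] = '\0';

    const char *body = close + 1;                              /* replacement text */
    return strstr(body, param) == NULL;
}

int main(void)
{
    const char *bad  = "#define SAFE_LIBRARY_memcpy(dest, destMax, src, count) memcpy(dest, src, count)";
    const char *good = "#define SAFE_LIBRARY_memcpy(dest, destMax, src, count) bounded_memcpy(dest, destMax, src, count)";
    printf("drops bound? quoted macro=%d, checked macro=%d\n",
           macro_drops_bound(bad), macro_drops_bound(good));
    printf("8 bytes into 8-byte buffer: %d; 9 bytes: %d\n",
           try_copy_into_small_buffer(8), try_copy_into_small_buffer(9));
    return 0;
}
```

The heuristic is deliberately crude (one line, no continuation handling) but it catches exactly the redefinition the report quotes, and it is the sort of check a build can run over every header before anyone trusts a "SAFE_" name.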
In a statement issued this morning Huawei appeared not to be overly bothered about these and the other detailed flaws revealed by NCSC, saying that it "understands these concerns and takes them very seriously". It added: "A high-level plan for the [software development transformation] programme has been developed and we will continue to work with UK operators and the NCSC during its implementation to meet the requirements created as cloud, digitization, and software-defined everything become more prevalent."
Commenting on the NCSC's vital conclusion that none of these cockups were the fault of the Chinese state’s intelligence-gathering organs, Rob Pritchard of the Cyber Security Expert told The Register: "I think this presents the UK government with an interesting dilemma - the HCSEC was set up essentially because of concerns about threats from the Chinese state to UK CNI (critical national infrastructure). Finding general issues is a good thing, but other vendors are not subject to this level of scrutiny. We have no real (at least not this in depth) assurance that products from rival vendors are more secure." ®