Products made by Chinese telecom giant Huawei contain a range of flaws that make it more vulnerable to cyber attacks than that of its competitors, according to a new study (pdf) by cybersecurity experts.
The research, published on June 26 by cybersecurity firm Finite State, analyzed around 10,000 firmware images supporting over 550 devices within Huawei’s enterprise network product lines, and found 55 percent of them to contain at least one potential backdoor. Firmware is software that allows hardware to run in a computer.
Such potential backdoors could allow Huawei or a malicious attacker to hack into the gear, the report said.
It concluded that “Huawei devices quantitatively pose a high risk to their users.”
“In virtually all categories we examined, Huawei devices were found to be less secure than those from other vendors making similar devices,” the report added.
On average there were 102 known vulnerabilities in each Huawei device tested, the study said, adding that the highest number of vulnerabilities detected in one firmware was 1,419.
The report also said Huawei engineers “systematically” made poor security decisions in the devices tested.
“Despite Huawei’s claims about investing in security, they appear to be behind the rest of the industry in almost every respect,” Matt Wyckhouse, founder of Finite State, said in a June 26 statement.
“This overall weak security posture is concerning and obviously increases the security risks associated with use of Huawei devices.”
The report did not consider whether the security flaws were intentionally or accidentally introduced.
An unnamed White House official who reviewed the report told the Wall Street Journal that the study “supports our assessment that since 2009, Huawei has maintained covert access to some of the systems it has installed for international customers.”
“Huawei does not disclose this covert access to customers nor local governments. This covert access enables Huawei to record information and modify databases on those local systems,” the official added.
Wyckhouse said that the finding was “particularly concerning given Huawei’s dominance on the eve of 5G implementation,” and suggested that governments rolling out 5G networks take these risks into account.
“Fundamentally, policymakers should be making data-driven decisions about which risks they are, and are not, willing to take,” he said.
A Huawei official told the Wall Street Journal that it couldn’t comment on the specifics of research because it wasn’t shared in full with the company.
The findings add to the growing security concerns held by Western officials, lawmakers, and experts, who say that Huawei’s equipment could be sued for espionage or to disrupt communication networks.
The company, the world’s dominant supplier of 5G network equipment, has been banned or restricted from supplying technology for the 5G networks in the United States, Australia, New Zealand, and Japan.
On June 25, the U.S. Senate Foreign Relations Committee passed a resolution on a voice vote recognizing Huawei and its Chinese counterpart ZTE as a national security threat.
In May, the U.S. administration put the telecom provider and 69 of its subsidiaries on a trade blacklist on security grounds, effectively banning it from doing business with U.S. firms.
Meanwhile, the company is also fighting two federal indictments in the United States. In the first case, the Justice Department accuses Huawei of stealing trade secrets from U.S. mobile provider T-Mobile, while the second indictment charges the company in relation to violations of U.S. sanctions against Iran.
A U.K. government cybersecurity watchdog, in a March report, criticized the Chinese tech giant for “serious and systematic defects in Huawei’s software engineering and cyber security competence.”
The report added that the watchdog no longer had confidence in Huawei’s ability to address these “underlying defects,” despite the company’s pledge to spend more than $2 billion fixing them.
A British cybersecurity official recently said that Huawei’s security is “shoddy” and “objectively worse” compared to its international rivals.
“Huawei as a company builds stuff very differently to their Western counterparts. Part of that is because of how quickly they’ve grown up, part of it could be cultural—who knows,” Ian Levy, Technical Director of Britain’s National Cyber Security Centre, said at a June conference in London, Reuters reported.
In a June 25 conference in London, Woody Johnson, the U.S. ambassador to the U.K., warned Britain against allowing Huawei to build its 5G network.
“It’s like letting a kleptomaniac move into your house,” he said, The Times reported.