"Hidden back doors" were found in Huawei equipment, reports Bloomberg
Vodafone Italy discovered "hidden back doors" in Huawei equipment that would have given the Chinese company access to users' home networks as well as Vodafone's Italian fixed network, Bloomberg reports. The vulnerabilities were discovered between 2009 and 2011 in Huaweis's home internet router, as well as equipment used in parts of Vodafon's network infrastructure.
Bloomberg reports that both the router and network vulnerability continued to exist after 2012, and also existed on the company's network in the UK, Germany, Spain and Portugal. Sources say that Vodafone continued to use the equipment because it was cheaper than the competition and the cost of removing it was prohibitive.
In a statement given to Bloomberg Vodafone recognized the vulnerabilities, but contested the timeline, saying they were resolved in 201[ads1]1 and 2012. Huawei says it was informed about the vulnerabilities in 2011 and 2012 and that they were resolved at the time.
Revelations come as the role of Huawei in the future 5G networks are under intense control of the world for fear that the equipment may be exploited to aid China's intelligence efforts. Several countries are currently investigating Huawei's security practices, as the authorities decide which parts of their 5G network will be assigned to the Chinese giant. The United States is moving to ban the use of Huawei equipment, and lobby its allies to do the same. Meanwhile, the UK has made a preliminary decision to allow the use of Huawei's equipment in non-core parts of its networks, but is under pressure from US officials to ban it altogether.
Along with issues affecting network equipment, Vodafone Italia has also identified problems with Huawei's home internet routers, which Vodafone thought would give Huawei backdoor access to both local and broadband networks. Huawei was reportedly reluctant to disable the Telnet feature that created the vulnerability, claiming it was on it to configure the devices remotely.
Huawei characterized the vulnerabilities as "wrong" rather than conscious inclusion in the equipment. "These were technical flaws in our equipment that were identified and corrected," the company said. ZDNet "The approved definition of" backdoors "is deliberately embedded in exploitable vulnerabilities – these were not such. That was set correctly. "
A data security professor cited in the report, Stefano Zanero, said that there is no obvious way to know if a vulnerability is an accidental error or an intentional backdoor. But he added that "the vulnerabilities described in the Vodafone 2009 and 2011 reports have all the characteristics of backdoors: denitability, access, and tendency to be relocated in later versions of the code."
In January this year, Vodafone stopped using Huawei's equipment in its core business across Europe, referring to ongoing debates on the safety of the equipment. More recently, Vodafone has warned that a total ban may affect the deployment of its 5G networks, claiming that there was no evidence that Huawei's equipment was a security risk. The revelations about these historic vulnerabilities, and Huawei's approach to patching them, continue to question how safe the equipment will be used.
Last year, a British security guard raised concerns about the Chinese company's "basic engineering expertise and safety hygiene". The same day, the registry reported on how Huawei had patched a vulnerability in their routers in 2013 which later allowed them to be used as part of a botnet.