The latest mini-leak in the ongoing Huawei propaganda war saw Vodafone admit to finding security flaws in some Huawei kit in the past.
The scoop comes courtesy of Bloomberg in a story headlined Vodafone Found Hidden Backdoors in Huawei Equipment. The kit in question was mainly domestic routers and some optical service nodes supplied to its Italian business back in 2011, which the report claims had security backdoors that could have given Huawei access to the whole fixed line network (and which Vodafone denies). Vodafone told Bloomberg the issues were eventually resolved, but it’s far from an open-and-shut case.
Vodafone said it asked Huawei to deal with the backdoors as soon as it spotted them and was told that they had been, but it took further prompting to get the lot of them. Furthermore some anonymous sources told Bloomberg that the vulnerabilities still remained beyond 2012 and were also present in Vodafone networks in other countries, including the UK. Vodafone allegedly knew about this but stuck with Huawei regardless because they were relatively cheap.
Apparently some in Vodafone had concerns about the security of Huawei routers from the start and flagged a bunch of bugs up, the most critical of which was a ‘telnet’ service that allows remote access. Vodafone Italy asked Huawei to remove this telnet and was once more told that it had been, when subsequent testing revealed it hadn’t. Huawei then apparently shifted the goalposts, saying it needed the telnet to configure devices, and offered to remove it once the configuration had been done.
This reportedly caused concern for Vodafone’s chief information security officer at the time, Bryan Littlefair, who wrote the following in a 2011 report: “What is of most concern here is that actions of Huawei in agreeing to remove the code, then trying to hide it, and now refusing to remove it as they need it to remain for ‘quality’ purposes.”
Now it should be stressed that this is still far from the smoking gun evidence of inherent security vulnerability the US claims to have and which Huawei wants to see. This stuff took place years ago and seems to have been quite isolated. Furthermore Huawei is hardly the only vendor to have vulnerabilities in its routers. Having said that this latest piece of circumstantial evidence is certainly unhelpful l to Huawei in the current environment and could well cause some reputational damage to Vodafone too.