The annual report 2019 of the Huawei Cyber Security Evaluation Centre Oversight Board (HCSEC) shows that Huawei has ignored basic (partly their own) rules of software development for years and uses partly unmanageable software. Microsoft also reports that Huawei software unnecessarily used techniques otherwise known from malware.
The HCSEC is a body set up by the British government for the security evaluation of software developed by Huawei, which is used on so-called “LTE eNodeB“s, integral parts of the British LTE network. The problem is not that the security researchers have found major security vulnerabilities, but that the software at hand is so poorly managed by Huawei that it is impossible to arrive at a final assessment of the security of the software.
How can that be?
The biggest problem is that multiple compilations of software often result in the created binary file not always being the same. This ensures that binaries that are ultimately executed by the computer are not reproducible, making it impossible to say for sure whether the binary used is based on the source code at hand. Furthermore, the HCSEC investigation has shown that for some software components used (e.g. OpenSSL) so many different versions are allowed that it cannot be ruled out whether security holes exist due to outdated versions.
NSA malware technology used in Huawei driver
Microsoft has identified a security hole opened by a Huawa driver with the help of its own Defender, which comes free with Windows. The vulnerability affected Huawei MateBooks users and was part of their PC manager software. The software used a malware technique used by the NSA to restart crashed services. Meanwhile, the vulnerability is fixed.
What does it have to do with me?
Anyone who has nothing to do with the LTE network in the UK or with MateBooks may wonder why this is so interesting. Both cases are most likely not signs of deliberate malicious behavior by Huawei, but examples of what can happen if software is not properly managed. This problem certainly doesn’t only exist with Huawei, but with many large software vendors. This can simply have unpleasant consequences such as slow or buggy software, but can also lead to serious security vulnerabilities. For this and other reasons, software updates are so important, as they can fix such mistakes.