back to article Huawei savaged by Brit code review board over pisspoor dev practices

Britain's Huawei oversight board has said the Chinese company is a threat to British national security after all – and some existing mobile network equipment will have to be ripped out and replaced to get rid of said threat. "The work of HCSEC [Huawei Cyber Security Evaluation Centre]… reveals serious and systematic defects in …

  1. Paul Crawford Silver badge

    Real point here

    "We have no real (at least not this in depth) assurance that products from rival vendors are more secure"

    If, and it seems a good idea, that critical infrastructure needs to be secure against both back doors and crap code, then it should be a requirement that the alternative suppliers are similarly audited to show they actually do better. After all, it is not that Cisco have no history of both back doors and serious bugs needing fixed either...

    1. Aladdin Sane Silver badge

      Re: Real point here

      My thoughts exactly

    2. JetSetJim Silver badge

      Re: Real point here

      And what do you do when nobody does particularly well? You still need critical infrastructure, but it seems like all the players are a bit Swiss-cheese

      1. Anonymous Coward
        Anonymous Coward

        Re: Real point here

        ...and could we trust GCHQ to test CISCO? Surly they'd give it the stamp of approval as specified by their American counterparts. In fact I'm pretty sure they'd give it whatever stamp the Americans asked for, "how many hoops would you like us to jump through and which colour (sorry color) dress would you like us to wear".

        1. Archtech Silver badge

          Re: Real point here

          Befehl ist Befehl.

        2. Captain Badmouth
          Happy

          Re: Real point here

          "Surly they'd give it the stamp of approval"

          I'm sure they'd be quite nice about it, actually...

        3. Kaufman

          Re: Real point here

          I would have to agree. If Cisco even had the technology to compete with Huawei they would've been give the green light automatically without any vetting.

      2. TonyJ Silver badge

        Re: Real point here

        That's one of the reasons for layered security from different vendors. At leas if the penetrate one layer, they can't then (usually) go on to use the same tricks to get past the next layer.

        Of course, that costs money and is more complex to set up and manage.

        1. Anonymous Coward
          Anonymous Coward

          Re: Real point here

          Yep, heterogeneity can be your friend. The positive of homogeneous is that it scales real well. The negative is that bugs/flaws scale as well if not a bit better.

      3. Anonymous Coward
        Anonymous Coward

        Re: Real point here

        We need to stop building critical infrastructure on literal quicksand. We need to re-think software development procedures and structures, legally mandate companies to share their code and have independent audits done. Software development is broken, the products that stuff runs on are broken by extension.

        Looking over the report feels all too familiar to stuff that I have written after audit gigs.

        Point 3.11 in the paper mentions unprotected stack overflows. That is largely preventable these days. fuzzing and auditing attack surfaces. But barely anyone does it properly.

        3.19 in the report says that it is next to impossible to get a reproducible build. Yes, that is bad. And it is basically industry standard.

        Configuration management and management of third party libraries and their versions? Well, who here has it figured out conclusively?

        3.31 sounds a lot like "15 year old codebase, no one ever bothered to do a clean-up". Never touch a running system attitude. Not exactly unknown in the industry.

        We indeed have a problem. But it's not just Huawei.

        And the most irritating thing about that report... a codebase like this is basically an auditors dream. You could just grep for memcpy anf sprintf and the potential issues would fall out like cockroaches scrambling for cover when the light is turned on.

        The fact that they do not mention those actual bugs makes me thing that the report was not even penned by security folk, but by compliance people. Complaining about non-reproducible builds while pre-auth remote stack issues are present is like complaining about minor rust spots on a motor vehicle while the engine is on fire and wheels are rolling away in all 4 directions. "Not particularly relevant at this point..."

      4. Anonymous Coward
        Anonymous Coward

        Re: Real point here

        Ummm... maybe have your critical infrastructure done by engineers that do safety-critical engineering. It's not as if the concept is new! How much have I posted around this very topic this week? Too damned much.

        1. Anonymous Coward
          Anonymous Coward

          Re: critical infrastructure done by engineers

          Requiring other engineers to meet professionally determined educational, training and experience before being allowed to legally do engineering work was equally difficult to implement.

          I suspect the lack of IT regulation is going to follow the well worn path other fields of engineering followed. Resistance to regulation until forced by multiple high profile and expensive failures.

          As an average citizen I know nothing of Civil Engineering or bridge construction but when a bridge fails, particularly a new bridge failing on the first windy day, I become an expert on what bad engineering looks like.

          People know nothing about software or networks but when they see ransomware shutting down major networks they become experts on what is an isn't acceptable.

          Eventually citizens will not be willing to pay the price without having a say, without regulation.

          Or myabe by that time citizens and their influence will be restricted to local or social matters and it wouldn't matter what they think. In that case it might be the insurance companies.

      5. Archtech Silver badge

        Re: Real point here

        "And what do you do when nobody does particularly well? You still need critical infrastructure, but it seems like all the players are a bit Swiss-cheese".

        Perhaps you introduce a procurement system that doesn't automatically award contracts to the lowest bidder, thus actively encouraging (if not compelling) vendors to cheat and cut corners.

        Compare the American F-35 or the (non-existent) British equivalent to the Russian Su-57, for example. The Russians spend far less than one-tenth of the money and get much better results more quickly.

        1. SkippyBing Silver badge

          Re: Real point here

          Would that be the F-35 that has delivered over 300 aircraft and the Su-57 that has orders for 15? And which can trace development work back to at least the mid-90s as part of a failed competition for a Multirole Fighter?

      6. M.V. Lipvig

        Re: Real point here

        You either buy from like-minded allies who will at least be looking out for your welfare* or build your own gear. The only way to have truly secure communications is to build your own. But, even then SOMEONE is going to be able to eavesdrop. If it absolutely, positively has to stay secure, keep it in your head and pass it on in person. But as I like to say, a secret can only be held be one person or the entire world, there is no middle ground.

        *Yes, we Americans out ourselves first, as is proper, but as long as we're allies we can be counted on to at least be on your side** in a war.

        **Unless you're at war against another of our allies that is more important to us***.

        ***In which case we'll smear you into the ground**** like the insects you are.

        ****Unless you're engaged in guerlla style warfare, or unless our leaders have a personal interest in :not: crushing you.

    3. Aodhhan Bronze badge

      Re: Real point here

      Actually you do.

      Ever heard of Common Criteria or NIAP?

      Look at host which have been tested to EAL4+, and then read the report to find out how each did during the test. Just having the certification isn't enough, you should read the report as well.

      So where are all of the Euro-Brats who thought the USA and a few other countries thought were Bat-s-Crazy for bringing this up? Now, England will spend a fortune, because they refused to do research when they were first warned.

      Don't worry... China will still trade with you, they have no choice.

      1. granvil_33

        Re: Real point here

        I thought all equipment that was part of CNI had to be common criteria evaluated and then once implemented/deployed underwent security accreditation?

      2. Anonymous Coward
        Anonymous Coward

        Re: Real point here

        My thought is that the Chinese will trade with other countries as long as it suites them. They have a massive population that they still need to educate and should be able to count on internal growth for a long time, if and when that suites them. Especially, now that they own, or more accurately in many cases have access to, the Intellectual Property of many Corporations not based in China. I'm sure the other BRIC countries and those under import/export controls by the West would be happy increase trade with China, as well as most of the African countries.

    4. Anonymous Coward
      Anonymous Coward

      Re: Real point here

      Funny you should mention Cisco. Just recently this flew past...

      https://twitter.com/RedTeamPT/status/1110843396657238016

      Too lazy to click link? The nutshell: Cisco had a remote code execution issue in their Small Biz Router line. The PoC made use of curl. The Cisco "patch" blacklisted the curl User-Agent. Let that sink in.

      1. Rajesh Kanungo

        Re: Real point here

        The issues isn't really if there was a security hole; there will always be vulnerabilities. Cisco has processes in place to reduce these vulnerabilities. And the idiot who came up with the mitigation should not have received an OK from the security team. And Cisco doesn't make money off the their small stuff. So they are guilty to some degree too.

        However, Huawei has no processes or they are ineffective. Big difference.

        1. sanmigueelbeer Silver badge
          Thumb Down

          Re: Real point here

          Cisco has processes in place to reduce these vulnerabilities.

          And one of those process is to believe that no one else is smarter than Cisco, hence, they blacklisted the curl useragent. Who actually approved this "fix"? (Maybe I should ask the question: Did SOMEONE approve this fix?)

          No, Cisco has dropped the ball. Again. The "quality" of their code, an example is IOS-XE, makes me want to hang my head in shame. There are tons of bugs that should've been picked up during "internal testing" but it's not.

          Cisco is cutting a lot of corners. And it is starting to show.

          (Oh well, as long as the shareholders and happy.)

          1. Warm Braw Silver badge

            Re: Real point here

            it is starting to show

            It's not a new problem. Historically, just about every major cisco customer had a custom version of IOS to a greater or lesser extent: try to manage security updates in that environment. That's a lesser problem now, though, on the other hand, they seem to have shed a lot of engineering talent over the past few years, which is a different problem.

            It's an industry-wide problem. Nobody makes enough money from low-end kit to provide proper support and there is no incentive to spend the money on high-end kit because it won't, in the end, influence purchasing decisions. Probably the only thing that might help would be certification requirements for critical infrastructure devices - then watch the deployment of 5G go back 10 years (not that it would necessarily be a bad thing...).

          2. Anonymous Coward
            Anonymous Coward

            Re: Real point here

            I have recently been interfacing with Juniper router.. also full of bugs. :(

    5. gsej0

      Re: Real point here

      So does the fact that Huawei has had this free code review mean it's now been given a competitive advantage?

      1. crayon

        Re: Real point here

        What values of "free" are you talking about considering that Huawei provides funding to run HCSEC?

    6. low_resolution_foxxes

      Re: Real point here

      I can't fail to notice that Apple and Samsung, beloved tech corps of the USA govt, have taken an utter pounding this year by Huawei (Apple's share value dropped by several hundred billion dollars recently, with huge market sharegoing to Huawei).

      For one, while Apple is plugging £1000 bland unexciting phones, Samsung preloads (and bans the deletion) of epic bloatware, Huawei stuck to a headphone jack and sold a £200 smartphone without bloatware, that even included a revolutionary technology called the 'headphone jack' (while Apple and Samsung push £200 wireless headphones, ick).

      So alas, I, for one take American criticism with an ounce of salt.

      1. Archtech Silver badge

        Re: Real point here

        Of course, commercial success is far from being aligned with technical quality.

        Indeed, I strongly suspect an inverse relationship - just look at Microsoft.

    7. mladoux

      Re: Real point here

      This should be standard procedure for all secure government installations when dealing with vendors, both foreign and domestic.

    8. David Shaw

      here's REAL malware

      https://shadowhammer.kaspersky.com/

      a targeted attack on a million ASUS's , signed using a 'real' ASUS certificate, downloaded from the real ASUS website, sniffs a lot of a Nation State APT attack who's parliament now permits illegal acts for NatSec.

      meanwhile, according to https://www.asiatimes.com/2019/03/article/the-eu-bows-to-systemic-rival-china/

      all of this digital protectionism is too little, too late. get over it.

      1. David Shaw

        Re: here's REAL pisspoor dev practices

        https://syssec.kaist.ac.kr/pub/2019/kim_sp_2019.pdf

        er... rather a few errors in 4G infrastructural systems

    9. CheesyTheClown

      Re: Real point here

      I was hoping to see a comparative study to Cisco. My company gives Cisco over a billion Euro a year and while this seems damning to Huawei, I am the pretty sure Cisco is as bad.

      1) Multiple OpenSSL instances is normal. They should however be pulled from the same repositories. There are good reasons to compile OpenSSL differently based on context. I compile it differently when using it in kernel space or in user space. OpenSSL is an absolute must for security... this is because OpenSSL is the absolute most hacked library EVER because of mass economy. But that also means it should be the fastest patched.

      2) Large amount of C code in a network product unless it’s the forwarding engine itself is a really bad idea. Even then, companies like Ericsson code large amount of their systems in Erlang. While I’m no fan of Erlang, it has many benefits over C with regards to this. As such, it would make sense choose Ericsson over Huawei for 5G. Cisco uses C VERY heavily and if you were to look at much of the code Cisco has made public... let’s say they have pretty bad practices.

      3) Poorly mapped safe-C type functions for string management. If you’re using C and safe in the same sentence... just don’t. Even the absolute best C code will almost certainly degrade over time. A common pattern which has grown over time in C circles is to make insane messes of goto statements for reallocating objects in the “right order” at the end of functions. I have seen many cases where this degraded over time.

      4) 3rd party real-time operating systems are common. If you’re developing network hardware, RTOS makes a lot of sense as opposed to Linux. One reason is because network hardware should have deterministic latency to support protocols like ATM, SDH, ISDN, T1/E1. Vxworks, QNX, GreenHills all made excellent operating systems for communication grade equipment. Most of these systems however suffer from age. SYSBIOS from TI is also great. An excellent aspect of RTOS systems often is the ability to partition the CPU based not only on time share, but also cores.

      I honestly think this review might be the best thing to ever happen to Huawei. It is a roadmap to let them plan their next steps. They should really consider looking into using Redox as a foundation to something new. If they invest in building a RTOS scheduler, it could be something glorious... especially for Huawei.

    10. Anonymous Coward
      Anonymous Coward

      Re: Real point here

      Speaking as someone who has worked for another far-eastern-based telecoms equipment supplier (and quit in exasperation), Huwaei sound like paragons of virtu in comparison. As the guy says, we really ought ot be subjecting *everyone* to this level of scrutiny.

  2. Anonymous Coward
    Anonymous Coward

    "We have no real (at least not this in depth) assurance that products from rival vendors are more secure."

    Wot? They look the same as us so they must be legit... right?

  3. sabroni Silver badge

    Seems a little prejudiced

    How come it's a "Huawei oversight board" and not a "5G oversight board"?

    1. Joe W

      Re: Seems a little prejudiced

      There's this one because ZOMFG Chinese backdoors. As hinted in the article, and remarked above by somebody else, a general code review for all critical infrastructure would be a good idea. Likely, similar issues will be uncovered in most other equipment.

      And IMNSVHO: whoever wrote that code snippet should be [redacted because it's a family friendly site]

      1. EricM

        Re: "Likely, similar issues will be uncovered in most other equipment."

        No, that is "Likely, similar issues _would_ be uncovered in most other equipment, _if_ said other equipment was put through the same detailed tests"... but it isn't.

    2. Anonymous Coward
      Anonymous Coward

      Re: Seems a little prejudiced

      Because it was set up specifically to address the oversight of Huawei

      And if it was the 5G oversight board, we probably wouldn't see it for another two years featuring anyone but Huawei.

      1. Anonymous Coward
        Anonymous Coward

        Re: Because it was set up specifically to address the oversight of Huawei

        Thanks so much! Like "brexit means brexit" then?

        Genius.

  4. Trollslayer Silver badge
    Flame

    The biggest threats to security

    Are complacency, laziness and greed.

    1. Drew Scriver

      Re: The biggest threats to security

      you omitted ineptitude...

    2. ma1010 Silver badge
      Coat

      Re: The biggest threats to security

      The three biggest threats to security are complacency, laziness, greed, and ineptitude - are FOUR threats. Threats to security contain such diverse elements as...

      1. BebopWeBop Silver badge

        Re: The X biggest threats to security

        Where is your comfy sofa when you REALLY need it

    3. Rajesh Kanungo

      Re: The biggest threats to security

      Fear.

      1. Teiwaz Silver badge

        Re: The biggest threats to security

        Fear, surprise, ruthless inefficiency and an almost fanatical devotion to profit.

  5. Dan 55 Silver badge
    Meh

    I'm looking at the list of sins...

    ... and I see nothing that hasn't been done in any western multinational, where individual programmers who might have a clue are unable to do anything against the massive internal bureaucracy which doesn't particularly care and the antiquated development environments where no installation, compiler, or library is updated because otherwise stuff might break and it would need retesting to check and we can't do that.

    1. Yet Another Anonymous coward Silver badge

      Re: I'm looking at the list of sins...

      So this is conclusive proof that Huawei have been spying on British and American workers.

      Once GCHQ discovers that the entire platform has been knocked up in PHP scrapped from Stackoverflow by an Indian outsourcer we will know that they have penetrated to the heart of our military-industrial complex

      1. Rajesh Kanungo

        Re: I'm looking at the list of sins...

        China doesn't normally outsource to India ... competence is rare but incompetence is universal.

  6. Anonymous Coward
    Anonymous Coward

    Isn't there some vague idea of mixing suppliers anyway ?

    OK, costs a little more, but a damn sight cheaper than being beholden to a single supplier. Also has the bonus of making it much harder to infiltrate the infrastructure.

    Obviously not the what the UK every does things with it's (very) shortlist of suppliers though.

    1. Gene Cash Silver badge

      Re: Isn't there some vague idea of mixing suppliers anyway ?

      Nobody really mixes suppliers because nobody wants to spend for training (HA!) on more than one set of kit.

      1. Anonymous Coward
        Anonymous Coward

        Re: Isn't there some vague idea of mixing suppliers anyway ?

        BT usually maintains two suppliers for a given tech, not because they want a mixed network for any ideals of security or multi layering, but because they can use the price from the second vendor to beat the first vendor's price with. I have it on reasonable authority that they never actually expect to use the second vendor so just pass any old turd as being ok.

  7. Andytug

    One wonders...

    what would have happened if the stuff had been really, really secure, presumably other governments wouldn't have had the excuse to go poking around in them......I guess "This stuff is a bit cheap, not very well made and insecure due to bad software" doesn't attract the attention and £££ that "OMG National Security Chinese backdoors!!!!" does.

    1. Drew Scriver

      Re: One wonders...

      If it had been really secure the complaint might have been that it's so secure that they couldn't do a proper review - and thus were unable to determine if the company had implemented any back doors (although the jury is still out on those, apparently).

      1. Rajesh Kanungo

        Re: One wonders...

        It would be considered only if the code, build process, supply chain, and design WERE reviewed by security experts.

  8. Drew Scriver

    Who needs back doors...

    if you can use existing vulnerabilities?

  9. lorriman

    All things considered, the pattern I'm seeing here is of HCSEC already having been corrupted or firmly leant on.

  10. Chris Miller

    So Huawei are a threat because they're really crappy at security (though not noticeably crappier than many other manufacturers), not because they're fiendish orientals controlled by China's Ministry of State Security. As you were, then.

    1. doublelayer Silver badge

      No, Huawei are really crappy at security and thus make people worried. That's why we should start doing this level of code review for other suppliers as well. Just because it is possible (and likely, I admit that) that other suppliers did the same kind of thing doesn't mean Huawei is great. Without that review, you cannot make a statement like "not noticeably crappier than many other suppliers", just like you couldn't make the statement "infinitely worse than all other mainstream suppliers". You lack the evidence, and have made a completely unfounded statement. In parallel, there are still concerns about links to Chinese intelligence, which this review has not concerned. The code review has not announced the existence of these threats, nor has it announced the completion of the search.

  11. sitta_europea Bronze badge

    And all this surprises us?

  12. LDS Silver badge
    Devil

    "70 full copies of 4 different OpenSSL versions [.. ] partial copies of 14 versions [...]"

    Nothing different from the average open source projects, it looks...

  13. maffski

    ...memory constraints... ...70 full copies of 4 different OpenSSL versions...

    I can see an optimisation coming on.

    #define SAFE_LIBRARY_memcpy(dest, destMax, src, count) memcpy(dest, src, count)

    Seems a sensible first step to me - makes it easy to see that you've got rid of all the memcpy references quickly and you can then replace it with a safe function and start the massive amount of testing that's going to be required to validate such a fundamental change.

    1. Rajesh Kanungo

      Re: ...memory constraints... ...70 full copies of 4 different OpenSSL versions...

      Come to think of it I can see this being turned on incrementally. Critical outward facing modules first running the checked version (turned on by another #define). I remember a system refused to boot after we turned on stack protection ... I guess we had, unknowingly, been corrupting parts of the stack for a long time. It was a brutal fight to get the developers to go find and fix the issues.

      1. Primus Secundus Tertius Silver badge

        Re: ...memory constraints... ...70 full copies of 4 different OpenSSL versions...

        I remember inheriting a system that was being compiled in debug mode with extra stack space, but was always a bit iffy when running. I rebuilt it with no debug and ordinary stack and it crashed immediately.

        A 'free()' statement was releasing ordinary memory, not heap memory. The original 'malloc()' statement had been in a module far away. That module had been long ago edited to replace the malloc with a use of stack space, but the corresponding free statement had been overlooked.

        Fixed that, but the system still crashed, somewhere else but for the same reason. Had to fix three or four such cases before the system would run.

        I concluded that the previous programmers did not really understand stacks and heaps.

        1. DougS Silver badge

          Re: ...memory constraints... ...70 full copies of 4 different OpenSSL versions...

          This is where tools like Purify are worth their weight in gold. Had you run it against the code before you made any changes, these problems would have been found and fixed and your no-debug build would have run correctly on the first try.

          I don't really do software development, but if I did I'd insist on having the proper tools before I'd take a job. Winging it or using the tools Linux ships with just doesn't cut it.

    2. wtrmute

      Re: ...memory constraints... ...70 full copies of 4 different OpenSSL versions...

      Funniest thing is, if they only wrote

      <pre>

      #define SAFE_LIBRARY_memcpy(dest, destMax, src, count) memcpy(dest, src, (destMax) < (count) ? (destMax) : (count))

      </pre>

      Then they'd be at least immune to piss-poor stack overflow attacks, even if using plain libc.

      1. dajames Silver badge

        Re: ...memory constraints... ...70 full copies of 4 different OpenSSL versions...

        Funniest thing is, if they only wrote

        #define SAFE_LIBRARY_memcpy(dest, destMax, src, count) memcpy(dest, src, (destMax) < (count) ? (destMax) : (count))

        Then they'd be at least immune to piss-poor stack overflow attacks, even if using plain libc.

        Well, no ... Even if the codebase has been tested as it stands (which may be hopelessly optimistic) the values supplied for destMax in the calls have not been tested and may be meaningless. You still need at the very least to manually sanity-check the destMax value passed in every call, and then retest the whole codebase with the new macro.

        ... and that assumes that the code won't misbehave because you've truncated the result of a copy operation.

  14. Rajesh Kanungo

    Security is not a part of the of organization's KPI

    I have dealt with organizations like this ... Top Mgt. gives lip service, hires a few security experts, the developers get trained and every time the developers want to make a change the managers pull out the "schedule slip" card. The engineers go cowering to their corner. Please don't blame the engineers (that much). I even worked in an org which refused to allow static code analysis.

    This will only work if every manager has security as part of his KPI. Every fix should be celebrated, every slip should be evaluated for how it could have been fixed. I found that secure code actually runs more reliably. And for people screaming about performance: crashed software has no performance. Buggy software has 0 performance. And hacked software has negative performance.

    1. martinusher Silver badge

      Re: Security is not a part of the of organization's KPI

      The problem with the Chinese is that they're likely to take this away, go back to their burrows and turn up in a year or two with everything fixed. This isn't the first time we've seen slapdash coding but given the importance of the code and the resources that can be brought to bear on the problem of fixing it they are quite likely to do just that.

      So then we'll end up with a whole bunch of competing kit that we'll smugly assume is OK. It won't be, of course, but by the time we discover we've unleashed a formidable competitor it will be very late in the development cycle to do much about it.

  15. Rajesh Kanungo

    It is not a security hole if only our spy agencies can exploit them. Didn't you get that memo? From the report it seems that EVERY spy agency can exploit Huawei's products. /Sarcasm. However, sarcasm aside, I really think that the US was actually serious when they said the Huawei products were really open like a gown that they give you to wear in hospitals.

  16. Phil Endecott Silver badge

    70 instnces of libssl.....

    Presumably this is an RTOS that doesn’t have dynamic libraries?

  17. Speltier

    We Take Your Concerns Seriously

    Until you seriously want to pay for good code, good luck with that; lip service is cheap, good code isn't. Before the open source weenies can screech, where is this open source 5G firmware running on open source hardware ASICs (or even soft rads)? Was the VHDL examined for convenient weaknesses? ("enable high security mode" flag in that header file for a hardware register-- does the flag really do that?)

    And on a corollary topic, just because the inspected code is back door free, who says some future patch is back door free? Someone going to pay for evaluation of each patch? Everyone going to tolerate an extra 6 months of delay for patching while the evaluation is done? No, of course not-- next quarter the budget is axed and the back doors are installed-- because that is cheaper for the bean counters at the end users. Security is a frictional loss and no one wants to pay for security if they can avoid the profit sapping endeavor.

    Basically it comes down to being able to trust the source company not to sell out to someone you don't like-- be that GHCQ, NSA, BND, FSB, or some tentacle of the ChinCom government.

  18. Androgynous Cupboard Silver badge

    A good thing?

    Does this mean now we should choose Huawei Infrastructure kit over any else's, as they're probably all as bad as each-other but at least Huawei's have been audited?

    1. SWCD

      Re: A good thing?

      I don't doubt they're all as bad as each other for a second.

      Would be interesting if code from other devices was audited too.

      Say maybe, the software on an aeroplane.

  19. bigtreeman

    D-Link

    Exactly the same can be said for D-Link,

    "serious and systematic defects in (D-Link's) Huawei's software engineering and cyber security competence"

    and probably lots of companies who are pushing cheap product out the door for profit.

  20. bpfh Bronze badge

    I’ve not done C in a long time...

    But did that define directive just rename memcpy() to one called secure_memcpy and call it a day and hope nobody noticed?

    1. Phil Endecott Silver badge

      Re: I’ve not done C in a long time...

      Yes.

  21. Anonymous Coward
    Anonymous Coward

    Adastral Park

    Flagged ten years back at BT before CyberSecurity Centre took the lead.

    Wow.... no fundamental improvement and now Huawei kit permeates our entire national infrastructure.

    :(

  22. Yes Me Silver badge

    And as for economic warfare...

    ...this redoubles the obvious: the Americans are waging economic warfare against Huawei, not because they are under Chinese government instructions, but because they're cheaper than Cisco.

    Yes, they have security holes, just like everybody else. And they must fix them. But the economic warfare is nothing to do with security.

    1. sanmigueelbeer Silver badge

      Re: And as for economic warfare...

      but because they're cheaper than Cisco.

      +1

  23. Anonymous Coward
    Anonymous Coward

    The UK is just another satrap of the US

    1. Archtech Silver badge

      Too much respect

      The UK is just another catamite of the US.

      FTFY.

  24. ATeal

    Yeah I was gonna say...

    I wont bitch about how shit the world is now and all that - I may copy and paste the bitching but....

    It's about par for the course - all Huweiewaiwoo can say is "we take it very seriously" - like the others. A lot of gear that doesn't get much public exposure to penetration testers/security researchers/pointers-at-the-emperor's-genitals ect is hidden in telecom stuff - and some of the most dreadful stuff is there,

    Not to get all philosophical on you guys but the more "open" "it" (the platform, to the ideal of the code and a usable toolchain*) is the better. For example take a TV (getting a "dumb" one is hard these days), skybox, games console, ect. These are computers but locked to fuck and there's absolutely no way without HUGE effort to poke with these. That barrier is bad, it was once thought it was good enough but as a certain TLA has taught us, actually some will go to great lengths to "poke at it" and keep it secret.

    It needs to be pokable.

  25. Anonymous Coward
    Anonymous Coward

    Plucky British

    The Great People's Republic will not be amused.

  26. Anonymous Coward
    Anonymous Coward

    US can be as bad

    I know of a router used in US military systems where it passed all security audits with flying colors, but it has a small RTOS license cost to the supplier. The supplier replaced the router with one based on Open Source, and that wouldn't even pass the most basic of security audits. The US military didn't bat an eye-lid. Or perhaps the fears of all the suppliers engineers were not passed on and the military didn't check.

  27. Lars Silver badge
    Thumb Up

    5G

    Hurry up Nokia and Ericsson.

  28. Anonymous Coward
    Anonymous Coward

    Boeing 737 Max Audit

    I would like the software gods at GCHQ audit the 737 Max system.

    It would be interesting to hear their opinions about all those legacy code.

    I used to work for a large telecom company, so much legacy code with security issues in those systems.

    1. Anonymous Coward
      Anonymous Coward

      Re: Boeing 737 Max Audit

      Their conclusion would be that the North Koreans / Iranians hacked the software.

      :/

  29. Joe Montana

    Audit

    So they decided to audit Huawei code because they were afraid of chinese backdoors... Turns out they didn't find any provable backdoors, but lots of security vulnerabilities due to poor code.

    It makes a lot of sense to audit vendors products like this, but why do this only for Huawei?

    Unless you've audited all the suppliers, you can't really draw any comparisons - is the huawei code any worse than other vendors? If anything, it's probably better as at least huawei were willing to let their code be audited... Perhaps other vendors know their code is worse and don't want it exposed.

  30. shaunhw
    Holmes

    Uk skills required here.

    What about a bit of good old fashioned code disassembly here ? Surely that would help to find out how memcpy etc. was being used.

    Even if a safe version was being used - you still have to tell it how large the destination buffer is. So you can lie if you really wanted.

    The best option would be for the full source code to be supplied and for the UK telcos to be able to build their own binaries from it, and inspect those, and the source code too, very diligently.

    As for the OS itself - a known flavour of Linux should be specified, one which could be also built over here from scratch.

  31. Brent Beach

    The report was written to be as bad as possible, given that no back doors were found.

    Why as that? Could it be that British security is totally under the thumb of the US security establishment? Which in turn is totally controlled by the Trumpstr? Who is totally out of control, living in a fact free universe.

    Would any report from any 5Is country say anything else?

    Added to the Brexit reports released over the last few years, the UK is getting a reputation for being a laughing stock. No longer a serious player in anything.

    1. Rajesh Kanungo

      You don't need explicit backdoors when the code is that bad.

  32. AmenFromMars

    Funtionality

    always trumps security - "Does it work?", "Yes", "Ship it"

    1. Smoking Man

      Re: Funtionality

      And speed and cost efficiency trump functionality (and security):

      "Does it compile?"

      "Yes."

      "Well then, ship it!"

  33. SNAFUology
    Go

    DIY

    So then it's basically do it yourself !!!

    It gets costly having HCSEC & GCHQ to inspect countless product by many vendors only to say tisk tisk you're naughty, naughty, naughty and then rip their stuff out and re do it.

    Design and Build it yourself, then seek tenders for suitably vetted engineering companies to produce hardware and software check your own product and roll it out.

  34. Anonymous Coward
    Anonymous Coward

    Can someone please explain what all the fuss is about.

    If the data traversing the infrastructure is encrypted end to end, what does it matter if the network is being spied on?

    1. Archtech Silver badge

      Re: Can someone please explain what all the fuss is about.

      "Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench".

      - Gene Spafford

      1. Anonymous Coward
        Anonymous Coward

        Re: Can someone please explain what all the fuss is about.

        Exactly. So again, who cares if Huawei infrastructure is compromised.

        Or is the fuss just more fake news?

  35. spold Bronze badge

    In case anyone has not noticed....

    The Senior Vice President and the Global Cyber Security & Privacy Officer (GSPO) of Huawei is John Suffolk, formerly the CIO and CISO of the UK Government. So I would imagine everything security and privacy is tickety-boo, and indeed shipshape and Bristol fashion (or perhaps Cheltenham fashion) at Huawei.

    ;-)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019