Vodafone discovered backdoors in Huawei equipment. But it was 2011 ..

Huawei made the headlines again, Vodafone identified backdoors in software that could have handed Huawei unauthorized access to the carrier’s fixed-line network.

According to Bloomberg, Vodafone identified hidden backdoors in software that could have handed Huawei unauthorized access to the carrier’s fixed-line network in Italy used to connect to the internet.

“Now Vodafone Group Plc has acknowledged to Bloomberg that it found vulnerabilities going back years with equipment supplied by Shenzhen-based Huawei for the carrier’s Italian business.” reads the blog post published by Bloomberg. “While Vodafone says the issues were resolved, the revelation may further damage the reputation of a major symbol of China’s global technology prowess.”

Wait a moment … the flaws in the Huawei technology were discovered by Vodafone a decade ago.

Bloomberg obtained Vodafone’s security briefing documents from 2009 and 2011 and spoke with people involved in the situation. The version provided by AFP, is slightly different because even if Vodafone confirmed the presence of the flaws, it is not true that bugs could have allowed unauthorized access to Italy’s fixed-line network.

“Vodafone confirmed to AFP that the issues were resolved but stressed it was incorrect to suggest that the flaw could have allowed unauthorized access to Italy’s fixed-line network.” reported the AFP.

Bloomberg revealed that once discovered the backdoors in home routers in 2011, Vodafone asked Huawei to address them. The Chinese firm told the supplier that the issues were fixed, but according to Bloomberg further testing revealed that the vulnerabilities were not completely solved.

“Vodafone asked Huawei to remove backdoors in home internet routers in 2011 and received assurances from the supplier that the issues were fixed, but further testing revealed that the security vulnerabilities remained, the documents show.” continues bloomberg. “Vodafone also identified backdoors in parts of its fixed-access network known as optical service nodes, which are responsible for transporting internet traffic over optical fibers, and other parts called broadband network gateways, which handle subscriber authentication and access to the internet, the people said. “

Bloomberg refers to the backdoor as unauthorized Telnet access to the Huawei equipment.

“The ‘backdoor’ that Bloomberg refers to is Telnet, which is a protocol that is commonly used by many vendors in the industry for performing diagnostic functions. It would not have been accessible from the internet,” Vodafone said in an emailed statement.

“The issues were identified by independent security testing, initiated by Vodafone as part of our routine security measures, and fixed at the time by Huawei,” 

Huawei clarified that the flaws were discovered back in 2011 and 2012 and were quickly fixed.

“We were made aware of historical vulnerabilities in 2011 and 2012 and they were addressed at the time. Software vulnerabilities are an industry-wide challenge.” said Huawei.

Huawei explained it has “a well established public notification and patching process, and when a vulnerability is identified we work closely with our partners to take the appropriate corrective action”.

Huawei is in the middle of a heated debate, many governments, driven by the US, have banned the company from the building of 5G networks.

A few days ago, the British Government has approved a limited role for Huawei in the building of a national 5G network in the country, ignoring security concerns from senior ministers.

Britain’s National Security Council approved a limited role for Huawei to help build a “non-core” infrastructure such as antennas,” Media reports said Prime Minister Theresa May had conditionally allowed Huawei to build the UK 5G network.

According to Bloomberg, Vodafone chief executive Nick Read “has joined peers in publicly opposing any bans on Huawei from 5G rollouts, warning of higher costs and delays”.

Anyway we have to consider that it is not difficult to find vulnerabilities in network equipment of almost any vendor, in many cases the flaws remained unfixed for a long time.

The cases reported by Bloomberg are dated back 2011 and 2012, and the unique aspect of the story to check is if Huawei has addressed the flaw just after Vodafone reported them to the Chinese vendor.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – China, Vodafone)

[adrotate banner=”5″]

[adrotate banner=”13″]