Vodafone found backdoor vulnerabilities in Huawei software in 2009

According to security briefing documents from 2009 and 2011, Vodafone says it found vulnerabilities in Huawei’s software.

In a new Bloomberg report, Europe’s biggest phone company said it found hidden backdoors in Huawei’s software that could have potentially granted “unauthorized access to the carrier’s fixed-line network in Italy.”

Vodafone made it clear that it fixed these vulnerabilities but noted that these new revelations may affect the Shenzhen-based company’s reputation even more.

The European phone company said it told Huawei to remove these backdoors in home internet routers in 2011 and was reassured they were resolved, but according to Bloomberg’s report, Vodafone said the issues remained.

It also found backdoors in parts of its fixed-access network that transport internet traffic over “optical fibres, and other parts called broadband network gateways, which handle subscriber authentication and access to the internet.”

By 2012, Vodafone said all issues were resolved.

“In the telecoms industry it is not uncommon for vulnerabilities in equipment from suppliers to be identified by operators and other third parties,” Vodafone said to Bloomberg. “Vodafone takes security extremely seriously and that is why we independently test the equipment we deploy to detect whether any such vulnerabilities exist. If a vulnerability exists, Vodafone works with that supplier to resolve it quickly.”

Huawei told Bloomberg that it was aware of the vulnerabilities in 2011 and 2012 and resolved them at the time.

Bloomberg reported that despite this, employees aware of the issue saw vulnerabilities remain even after 2012.

Further to this, the report notes Vodafone had concerns shortly after it began buying Wi-Fi routers from Huawei in 2008 for its Italian business. At the time, Vodafone directed its attention to 26 open bugs in the routers, of which six were reported as “‘critical’ and nine as ‘major’.”

In 2011, Vodafone did a deeper “probe of the routers” and, with the help of an independent contractor, found a “telnet backdoor.” Telnet is used by some router manufacturers to manage their equipment. Vodafone had “demanded” that Huawei remove this backdoor and was told by Huawei that the problem was fixed.

Vodafone, however, did more tests and found the backdoor again and noted in the documents that Huawei had “refused to fully remove the backdoor,” saying it was a manufacturing requirement.

Huawei still being reviewed in Canada

It is important to note that political concerns started in Canada around this time, and around 2012, former Conservative prime minister Stephen Harper banned Huawei from participating in any government contracts.

Huawei is currently being reviewed by Public Safety Minister Ralph Goodale on whether or not the company can be involved in providing 5G equipment to carriers in Canada. No decision has been announced yet.

Tensions between Canada and China began shortly after Huawei’s global CFO Meng Wanzhou was arrested in December. Since then, the Chinese government arrested two Canadian diplomats, alleging they are a national security threat. The country has also sentenced a Canadian drug dealer to death. The U.S. charged Huawei and its subsidiary Skycom with 13 counts of bank and wire fraud. Canada has proceeded with the extradition case of Meng. Meng has since sued Canada’s RCMP and the CBSA, and Huawei has sued the U.S. government.

It’s important to note that Bell and Telus are the two biggest carriers that use Huawei’s equipment to deploy 3G and 4G LTE networks. The two have said that they do not use Huawei in their core networks, which is where the most vulnerable information exists. The two have also said they have not made a final decision on who their 5G vendor will be.

Source: Bloomberg