Security News > 2020 > October > Huawei's UK code reviewers say Chinese mega-corp is still totally crap at basic software security. Bad crypto, buffer overflows, logic errors...

The Huawei Cyber Security Evaluation Centre - mostly run by GCHQ offshoot the National Cyber Security Centre, though it is also staffed by some Huawei personnel - sighed that the Chinese company has made "Limited" progress on last year's recommendations to toughen up its act.

Code reviewers found "Evidence that Huawei continues to fail to follow its own internal secure coding guidelines. This is despite some minor improvements over previous years." In addition, "The Cell" said it had found more vulnerabilities during 2019 than it had in previous years - though Huawei was keen to paint this finding as "Proof the review system is working", something NCSC guardedly agreed with.

There was nothing in the report suggesting the Chinese state had planted intentional backdoors in code - though there was plenty to suggest that Huawei simply isn't taking the task of building robust and secure software and firmware with requisite seriousness.

Vulns uncovered by HCSEC researchers poring over the source code of Huawei's mobile network equipment firmware included "Unprotected stack overflows in publicly accessible protocols, protocol robustness errors leading to denial of service, logic errors, cryptographic weaknesses, default credentials" as well as "Many other basic vulnerability types".

A Huawei spokesman told The Register: "This latest report highlights our commitment to a process that guarantees openness and transparency, and demonstrates HCSEC has been an effective way to mitigate cyber security risks in the UK. The report again concludes that the NCSC 'does not believe that the defects identified are a result of Chinese state interference'."

News URL

https://go.theregister.com/feed/www.theregister.com/2020/10/01/huawei_uk_security_code_review_panel/