Vodafone found Huawei security flaws in Italy in 2009

Woman walks past Huawei advert on bus stopImage copyright

Vodafone has revealed that it found vulnerabilities in equipment supplied to it by Huawei in Italy 10 years ago.

The mobile phone firm says it spotted security flaws in software that could have given Huawei unauthorised access to homes and businesses in the country.

Vodafone asked for these to be removed, but checks showed this did not happen.

The US refuses to use Huawei equipment for security reasons, but reports suggest the UK may let the firm have a small part in building its 5G network.

This is despite the US wanting the UK and its other allies in the “Five Eyes” intelligence grouping – Canada, Australia and New Zealand – to exclude the company.

Australia and New Zealand have already blocked telecoms companies from using Huawei equipment in 5G networks, while Canada is reviewing its relationship with the Chinese telecoms firm.

Several European telecoms operators are also considering removing the firm’s equipment from their networks.

But Huawei’s cyber-security chief John Suffolk has described the firm as “the most open [and] transparent company in the world”.

In January, Vodafone “paused” the deployment of Huawei equipment in its core networks in Europe until Western governments resolved their security concerns about the company.

Coding error?

The security vulnerabilities were first reported by Bloomberg News.

Cyber-security expert Prof Alan Woodward told the BBC that while there was no evidence to suggest the flaws were deliberate, the news would do little to help Huawei’s reputation.

“In the current machinations about 5G in the UK, this is not going to be helpful to Huawei’s case,” he said.

“The big question here is, was it intentional or not. What happened could be one of two things – either developers leaving some sort of remote access method for management purposes, or to test the code and the vulnerabilities just didn’t get taken out.

“So it could have been either a straight coding error or a security flaw.

“Having said that, if you were going to deliberately hide a ‘backdoor’, then you would make it look like a mistake, so you have plausible deniability.

“It’s also worth saying that these vulnerabilities were mainly found in home routers, and there have been security flaws found in those supplied by other companies in the past.”

  • Beijing defends Huawei amid UK’s 5G network row
  • Vodafone: Huawei ban will set back 5G
  • Vodafone puts Huawei rollout in core networks on hold

In a statement to Bloomberg, Vodafone said: “In the telecoms industry, it is not uncommon for vulnerabilities in equipment from suppliers to be identified by operators and other third parties.

“Vodafone takes security extremely seriously and that is why we independently test the equipment we deploy to detect whether any such vulnerabilities exist. If a vulnerability exists, Vodafone works with that supplier to resolve it quickly.”

A Huawei spokesperson said: ‘We were made aware of historical vulnerabilities in 2011 and 2012 and they were addressed at the time.

“Software vulnerabilities are an industry-wide challenge. Like every ICT [information and communications technology] vendor, we have a well-established public notification and patching process, and when a vulnerability is identified, we work closely with our partners to take the appropriate corrective action.”

Huawei has been accused of being a potential security risk and of being controlled by the Chinese government – allegations it has always firmly denied.

With the introduction of the 5G network in the UK approaching, telecoms operators say the way it would work, in a highly integrated system alongside 4G, means that excluding Huawei is not realistic without significant cost and delay,

That would include potentially removing existing hardware, leading to the UK falling behind other countries.

The company is the world’s third-largest supplier of mobile phones, behind Samsung and Apple.