Prime Minister Jacinda Ardern’s whistle-stop visit to Beijing this week did little on the face of it to improve Huawei’s prospects of playing a role in building the country’s 5G mobile networks.
But technically anyway, it is not as simple as that. While geopolitics and the trade priorities of New Zealand and its Five Eyes security partners, may have triggered the intense scrutiny of the Chinese telecoms equipment maker in recent years, the only way out now for Huawei is to fix the software bugs and security holes in its currently installed mobile systems.
It will need to move fast in doing that to avoid missing out on billions of dollars’ worth of mobile network contracts.
The vulnerabilities were identified yet again last week in a report from the Huawei Cyber Security Evaluation Centre (HCSEC) oversight board, a body set up by the UK’s National Cyber Security Centre specifically to scrutinise Huawei’s technology.
The fifth annual report from board overseeing the HCSEC, which is a centre in Banbury, Oxfordshire funded by Huawei but with independent governance and auditing, slammed Huawei for numerous deficiencies. The technical details have been deliberately kept vague but the message is clear:
“HCSEC has continued to find serious vulnerabilities in the Huawei products examined. Several hundred vulnerabilities and issues were reported to UK operators to inform their risk management and remediation in 2018,” the oversight board reported.
“Some vulnerabilities identified in previous versions of products continue to exist,” it pointedly noted.
The report appears to take a hard line following positive signals from UK government officials in February that the troubling vulnerabilities in Huawei’s systems could be addressed.
Huawei has pledged to spend US$2 billion over the next five years fixing its security problems which it estimates could take that long to address. But with no coherent plan to do so presented to the oversight board, the window is closing on its involvement in 5G network deployments in the UK over the next two years.
UK mobile operators EE has already ruled out using Huawei equipment in its core network, while Vodafone has pressed “pause” on its efforts across Europe to work with Huawei on core networks until security agencies clarify whether Huawei can be involved.
The UK scenario is being keenly watched here in New Zealand, because versions of the Huawei equipment and software analysed by HCSEC is likely to also be deployed in the existing 3G and 4G networks operated by Spark and 2Degrees.
Huawei has said it will likely pitch for the 5G radio access network business locally, rather than the core mobile network infrastructure, to allay concerns. The first commercial 5G networks are likely to go live in the middle of 2020.
Fixable but will take time
Massey University telecommunications networking expert, Dr Faraz Hasan, says the issues flagged in the UK report appear to be fixable, but with large numbers of Huawei devices and base stations powering Britain’s mobile networks, it could be a major job.
“They appear to be mainly software bugs, with one security issue to do with a cryptographic weakness,” says Hasan, who is currently researching how fifth generation or “5G” networks are designed and the radio emissions they generate.
“The sole security issue is related to a cryptographic weakness of the Huawei devices. It means the devices are not able to hide the message that is being wirelessly sent. If somebody steals that message, which is relatively easy to do on a wireless link, there's more chances for it to be decoded.”
That security issue relates to Huawei’s use of the widely-trusted “Open SSL” security protocol. The oversight board found vulnerabilities in Huawei’s code relating to Open SSL that dated as far back as 2006.
“This shows the lack of maintainability and security resulting from the poor configuration management, product architecture and component lifecycle management,” the report noted.
Apples and oranges
An even bigger issue, says Hasan, is the oversight board’s concern that the source code HCSEC examined in test equipment supplied by Huawei, does not appear to be exactly the same as the code used across the UK mobile networks.
“It means that different instances of the same code appear to be building differently,” he says.
“This is problematic because different deployments of the same Huawei equipment, may lead to different performance and security levels.”
Until UK security agencies can be sure what is being tested in the lab mirrors what is deployed in the real world, Huawei faces an uphill struggle to regain their trust.
“HCSEC aren't convinced because Huawei don't have a concrete plan to address the issues,” says Hasan.
While all the recent attention on Huawei has focussed on whether the company will be given the greenlight to build 5G networks in many countries, it is current networks featuring Huawei equipment that are causing UK officials the real concern.
That, says Hasan, has implications for new networks because the first phase of 5G will be built on the existing 4G network.
“Nothing will change except that the number of base stations will increase. The network will remain largely centralised. The security provisions we have for 4G may be extended to 5G. Those Huawei devices may already exist on the network on which the 5G network will be built.”
Later down the track, substantially more devices would be connected to the 5G network, an ‘internet of things’ network offering vastly increased connectivity and convenience, but also opportunities for hackers to infiltrate the network.
“With 4G my mobile phone or laptop is communicating with the network,” says Hasan.
“With 5G my toaster will be connected on the network. [Hackers] can potentially mess with my electronic appliances at home and in the office. It is the scale of involvement of 5G in our lives which raises these concerns that it must be extra secure.”
How secure are other networking equipment makers such as Nokia, Ericsson and Samsung? Hasan says it is hard to know because, to his knowledge, none of them have been subjected to as much independent technical scrutiny as Huawei, which he says has a good reputation for quality, particularly in New Zealand.
The answer to Huawei’s woes then seems to be convincing UK security officials it can turn around the test results coming out of that Oxfordshire lab, which Huawei New Zealand has offered to replicate here to give the GCSB confidence in its technology.
That move would certainly help, says Hasan.
“On a technical level, it is a good way forward. It is funded by Huawei, but is independent enough to come out and say there are technical issues that must be solved.”