UK oversight board discloses potential Huawei security issues

They could cause risks to the country's telecom infrastructure.

Chinese phone maker Huawei continues to get quite a bit of scrutiny as it tries to push into western markets like the US and UK. The FBI, CIA and NSA have warned against buying the company's phones, AT&T backed out of reported plans to bring the handsets to the US and Best Buy stopped ordering its smartphones. In the UK, the annual report from the Huawei Cyber Security Evaluation Centre (HCSEC) oversight board says that it has continued concerns about Huawei's software engineering processes and the possible risks they could pose to UK telecommunication networks.

The HCSEC was created in 2010 as a way for the UK government to keep a close eye on the company as it moved into telecommunications infrastructure in the country. The oversight board came about four years later -- it contains a senior executive from Huawei and senior representatives from various levels of government and the telecommunications sector. After saying that the HCSEC has been effective in pursuing its mission, the report states that it has "identified shortcomings in Huawei's engineering processes" that have "exposed new risks in the UK telecommunication networks and long-term challenges in mitigation and management."

The HCSEC wants to make sure that Huawei can deliver consistent binary code for its products. That way, it can be assured that such code does not contain anything malicious that could attack UK telecommunications systems (or leave them vulnerable to attacks). Huawei was only able to show that one of four specific products had software builds that were reproducible. The report notes that this particular build has not yet been distributed by any UK operators, but may be in the near future, with the other three products becoming available later this year if Huawei can provide reproducible binaries for them as well.

Ultimately, the oversight board reported to the UK's National Security Adviser that it can "provide only limited assurance that all risks to UK national security from Huawei's involvement in the UK's critical networks have been sufficiently mitigated."