A British review of Huawei’s security found “serious” problems in its networking and telecommunications equipment that could be exploited by governments or independent hackers.
A Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board report released Thursday said that vulnerabilities related to Huawei's "basic engineering competence and cybersecurity hygiene" could be exploited by a range of actors.
"HCSEC has continued to find serious vulnerabilities in the Huawei products examined," the oversight agency wrote in its 46-page report. "Several hundred vulnerabilities and issues were reported to U.K. operators to inform their risk management and remediation in 2018. Some vulnerabilities identified in previous versions of products continue to exist."
Huawei said in a statement that the issues identified in the HCSEC report will provide vital input for the ongoing transformation of the company's software engineering capabilities. The company said it has budgeted US$2 billion for a program focused on enhancing Huawei's software engineering capabilities.
"The 2019 OB [Oversight Board] report details some concerns about Huawei's software engineering capabilities," Huawei said in a statement. "We understand those concerns and take them very seriously."
However, the HCSEC noted that Huawei hasn't made any material progress in remediating the issues reported last year. Until the underlying defects in Huawei's software engineering and cybersecurity processes are remediated, the HCSEC said it will be difficult to appropriately risk-manage the company's future products.
"Similar strongly worded commitments from Huawei in the past have not brought about any discernible improvements," HCSEC wrote. "Therefore, significant and sustained evidence will be required to give the Oversight Board any confidence that Huawei’s transformation program will bring about the required change."
Attackers with knowledge of Huawei's vulnerabilities and access sufficient to exploit them would be able to affect the network's operations and possibly even cause it to stop operating completely. Threat actors could also access user traffic or reconfigure network elements, according to HCSEC.
But the architectural controls most U.K. operators have in place make exploitation of the vulnerabilities more difficult by limiting the ability of attackers to communicate with any network elements not explicitly exposed to the public, HCSEC said. Architectural controls by U.K. operators will remain critically important in the coming years to manage the residual risks stemming from the engineering defects.
"The Oversight Board continues to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the U.K.," the HCSEC wrote.
The report comes after Australia's ban on Huawei providing 5G kit to the nation's telcos, and as the U.S. is pressuring its European allies not to adopt the company's 5G products.
Those decisions were made on the basis that Huawei could be used to spy for China. Earlier this year, U.S. State Department officials used last year's HCSEC report to argue that Huawei's equipment shouldn't be trusted.