Cyber security analysts tasked with investigating Huawei equipment used in the UK’s telecommunications networks discovered a “nationally significant” vulnerability last year.
According to an official government report (via BBC), investigators at the UK’s Huawei Cyber Security Evaluation Centre (HCSEC) found an issue so severe that it was withheld from the company.
“Critical, user-facing vulnerabilities” were found in the Chinese supplier’s fixed-broadband products caused by poor code quality and an old operating system, the HCSEC said in a report. “U.K. operators needed to take extraordinary action to mitigate the risk.”
The HCSEC said that the Chinese company has made “limited” progress on last year’s recommendations to toughen up its act.
Code reviewers from GCHQ’s National Cyber Security Centre (NCSC) found “evidence that Huawei continues to fail to follow its own internal secure coding guidelines. This is despite some minor improvements over previous years.”
Additionally, the researchers said they had found more vulnerabilities during 2019 than they had in previous years. Huawei, on the other hand, said this finding is “proof the review system is working,” something NCSC agreed with.
“NCSC does not view the increase in vulnerabilities as an indicator of a further decline in Huawei’s product quality, but it certainly does not indicate any marked improvement or transformation,” said the agency in its report.
The revelation comes at a sensitive time for Huawei after the UK government decided to ban telecom operators from using its gear in their fifth-generation mobile networks. The government is now reviewing Huawei’s role in supplying fixed-broadband infrastructure.
The HCSEC Oversight Board said it “can only provide limited technical assurance in the security risk management of Huawei equipment in U.K. networks.”