“A High Risk to Their Users”: An Analysis of Huawei Devices’ Security Vulnerabilities

However, increased reliance on new technologies brings with it new threats. The possibility of a smart city shutting down, autonomous vehicles crashing, or factories going dark due to a cyber attack is a frightening proposition. 5G technology is a complex system involving hundreds of vendors, winding global supply chains, and the gamut of security threats. Thus, national security, global trade, and international competitiveness are all potentially impacted. If suppliers of 5G technology were to have secret or overt access to the infrastructure they are providing, there is considerable concern that they could be persuaded to use that access as leverage in times of peace, or perhaps something far more ominous in times of conflict.

Compounding this concern is the fact that a single company has emerged as the first and most dominant provider in 5G: Huawei Technologies Co. Ltd., commonly referred to as Huawei. The lack of competition in the 5G market has been described by Dr. Ian Levy, Technical Director for the UK National Cyber Security Centre (NCSC): “The market is fundamentally broken. We can’t possibly live in a world where only four or five companies provide all the critical infrastructure for a particular sector—that’s insane.”

The lack of competition in the market and the clear dominance of that market by a Chinese company, coupled with economic and national security concerns, have caused policy debates over the implementation of 5G to boil over. Countries are taking measures to limit their risks, ranging from establishing security verification centers to outright bans of Huawei products.

That said, much of this policy debate has been missing a key set of facts. There has been an underlying assumption that using Huawei equipment in a 5G network would provide Huawei and/or the Chinese government with access to that network, which could be used to execute espionage or military missions. But this assumption has never been concretely proven.

Huawei itself denies this possibility. As stated by Huawei’s Global Cyber Security and Privacy Officer, John Suffolk, “We don’t run networks, and because we don’t run the network, we have no access to any of the data that is running across that network.”

Cybersecurity experts disagree, as discussed in a recent Lawfare article: “Whoever provides the technology for 5G networks will be sitting in a position of incredible access and, thus, power. All data sent and received from a mobile device, smart home or even a car will pass through a network built with Huawei devices. These devices will be remotely controlled and updated, leading to exponential vectors of attack.”(3)

Without ground-truth data, it is hard to settle this debate. At Finite State, we believe greater transparency leads to better security for everyone, and that, fundamentally, policymakers should be making data-driven decisions about which risks they are, and are not, willing to take.

Finite State’s mission is to defend the next generation of networks containing critical IoT devices through unprecedented visibility, proactive risk management, attack detection, and enablement of rapid responses. As a core component, we have developed advanced technology to provide deep visibility into these previously opaque devices. Our platform unpacks and analyzes device firmware at massive scale, enabling proactive risk identification and robust supply chain security, which help rebalance the power for defenders.

To that end, we have undertaken a large-scale study of the cybersecurity-related risks embedded within Huawei enterprise devices by analyzing Huawei device firmware at an unprecedented scale. 

Finite State’s proprietary technology platform uniquely enabled us to conduct a comprehensive, unbiased analysis of the security properties of these devices. Our automated system analyzed more than 1.5 million files embedded within 9,936 firmware images supporting 558 different products within Huawei’s enterprise networking product lines. Our analysis looked for risks including hard-coded backdoor credentials, unsafe use of cryptographic keys, indicators of insecure software development practices, and the presence of known and 0-day vulnerabilities.

The results of the analysis show that Huawei devices quantitatively pose a high risk to their users. In virtually all categories we studied, we found Huawei devices to be less secure than comparable devices from other vendors. 

Through analysis of device firmware, we discovered that there were hundreds of cases of potential backdoor vulnerabilities – improper default configurations that could allow Huawei or a malicious attacker to covertly access a user’s device. These vulnerabilities manifested in the form of hard-coded, default user accounts and passwords, and several types of embedded cryptographic keys.

The study also found that each Huawei device had a large number of known vulnerabilities associated with the third-party and open-source libraries embedded within the firmware. On average, there were 102 known vulnerabilities (CVEs) associated with each firmware, a significant percentage of which were rated as high or critical in their severity.

By analyzing the embedded binary code, configuration files, and libraries, our system was also able to discern the extent to which Huawei is prioritizing security within their software development practices. In most modern software engineering organizations, standard processes are followed to minimize the number of vulnerabilities that can be introduced into a product. In fact, Huawei has pledged to invest $2B into improved security engineering for their products. Despite these investments, our research uncovered a substantial lack of secure development practices resulting in significant numbers of vulnerabilities. In some cases, engineers chose to use 20-year-old versions of software libraries rather than current, secure alternatives. Huawei engineers wrote insecure functions with misleading names indicating that the function was safe from conditions such as buffer overflows when in fact it was not.

By using advanced binary analysis, we also tested these unsafely built software components for vulnerabilities. Our system found hundreds of potential 0-day vulnerabilities (each of which will undergo additional verification and, if warranted, be properly disclosed to the vendors).

Overall, despite Huawei’s claims about prioritizing security, the security of their devices appears to lag behind the rest of the industry. Through analysis of firmware changes over time, this study shows that the security posture of these devices is not improving over time — and in at least one case we observed, it actually decreased. This weak security posture, coupled with a lack of improvement over time, obviously increases security risks associated with use of Huawei devices.

Security should be viewed as a risk management problem, and the goal of this report is to present actual risks clearly, in a format that policymakers can use while the debate continues. Whether those risks were introduced intentionally or accidentally is outside of the scope of a technical assessment, and thus, we cannot, and do not, draw any conclusions relating to intent.

Vulnerabilities exist in every device, but if the users of these devices are unaware, attackers have the advantage. If there is no extensive, scalable review process for devices, their supply chains, and their software, it is more likely that intentional and unintentional backdoors can slip in unnoticed. The findings in this report demonstrate that automated, scalable supply chain security reviews are possible, and when implemented properly and continuously against devices and their software updates, they can be a key factor in building out a security program.

Ultimately, the decision on whether to use Huawei devices will come down to individual risk tolerances and plans to manage that risk. Increased transparency into the devices we hope to entrust with our most critical services is paramount to achieving better security for everyone.

Key Findings
Huawei has been accused of maintaining backdoor access to networks, but until now, little evidence has been available to support or refute those claims. Finite State’s automated system analyzed more than 1.5 million unique files embedded within 9,936 firmware images supporting 558 different products within Huawei’s enterprise networking product lines — many of which could be used within the core of 5G networks. Our analysis looked for risks including hard-coded backdoor credentials, unsafe use of cryptographic keys, indicators of insecure software development practices, and the presence of known and 0-day vulnerabilities.

The results of the analysis show that Huawei devices quantitatively pose a high risk to their users. In virtually all categories we examined, Huawei devices were found to be less secure than those from other vendors making similar devices.

1. Backdoor Access Vulnerabilities
Out of all the firmware images analyzed, 55% had at least one potential backdoor. These backdoor access vulnerabilities allow an attacker who knows the credentials embedded in the firmware, or who holds the private key matching an embedded public key, to log into the device.

• 29% of all devices tested had at least one default username and password stored in the firmware, enabling access to the device if administrators don’t change these credentials.

• We identified 76 instances of firmware where the device was, by default, configured such that a root user with a hard-coded password could log in over the SSH protocol, providing for default backdoor access.

• 8 different firmware images were found to have pre-computed authorized_keys files hard-coded into the firmware, enabling backdoor access to whoever holds the matching private key.

• 424 different firmware images contained hard-coded private SSH keys. A private key baked into an image is shared by every device running that image, so anyone who extracts it and gains a man-in-the-middle position can impersonate the device and read or manipulate SSH traffic to it.
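The four conditions above are checkable on an unpacked root filesystem with nothing more than string handling. The following is an added example in C, not code from the Finite State platform or from any Huawei image: one function classifies the password field of an /etc/passwd or /etc/shadow line, one reads sshd_config the way sshd does (the first occurrence of a keyword wins) to decide whether root can log in with a password, and two scan raw file contents for PEM private keys and authorized_keys-style entries. All inputs are constructed samples with invented hashes, key material and hostnames.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp/strncasecmp: sshd_config keywords are case-insensitive */

/* Constructed sample artifacts; none of this comes from a real firmware image. */
static const char SHADOW_ROOT_SET[]    = "root:$6$c0nstructed$notArealHash:18000:0:99999:7:::";
static const char SHADOW_ROOT_LOCKED[] = "root:*:18000:0:99999:7:::";
static const char PASSWD_INLINE_HASH[] = "root:$1$c0nstruc$notArealHash:0:0:root:/root:/bin/sh";
static const char PASSWD_SHADOWED[]    = "root:x:0:0:root:/root:/bin/sh";
static const char SSHD_OPEN[] =
    "# constructed sshd_config\n"
    "PermitRootLogin yes\n"
    "PasswordAuthentication yes\n"
    "PermitRootLogin no\n";            /* ignored: sshd keeps the first value it sees */
static const char SSHD_CLOSED[] = "PermitRootLogin prohibit-password\nPasswordAuthentication yes\n";
static const char FILE_BLOB[] =        /* binary noise with NUL bytes, then text */
    "noise\x00\x01noise"
    "-----BEGIN RSA PRIVATE KEY-----\nMIIEc0nstructed\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBc0nstructed\n-----END CERTIFICATE-----\n"
    "ssh-rsa AAAAB3Nzac0nstructed vendor@example\n";   /* authorized_keys-style line */
#define BLOB_LEN (sizeof FILE_BLOB - 1)

/* Second colon-separated field of a passwd/shadow line (the password field). */
static const char *field2(const char *line, size_t *len) {
    const char *a = strchr(line, ':');
    if (!a) return NULL;
    const char *b = strchr(++a, ':');
    *len = b ? (size_t)(b - a) : strlen(a);
    return a;
}

/* Classify the password field of a passwd or shadow line:
   0 = locked ('*', '!', '!!') or deferred to /etc/shadow ('x'),
   1 = a password hash is stored right here (a hard-coded credential),
   2 = empty: the account authenticates with no password at all. */
int password_field_state(const char *line) {
    size_t n; const char *h = field2(line, &n);
    if (!h) return 0;
    if (n == 0) return 2;
    if (h[0] == '*' || h[0] == '!' || (n == 1 && h[0] == 'x')) return 0;
    return 1;
}

/* Copy the value of the FIRST occurrence of `key` into out (sshd ignores later ones). */
static int sshd_first_value(const char *cfg, const char *key, char *out, size_t outsz) {
    size_t klen = strlen(key);
    for (const char *p = cfg; *p; ) {
        const char *eol = strchr(p, '\n'), *end = eol ? eol : p + strlen(p);
        while (p < end && (*p == ' ' || *p == '\t')) p++;
        if (*p != '#' && (size_t)(end - p) > klen && strncasecmp(p, key, klen) == 0 &&
            (p[klen] == ' ' || p[klen] == '\t')) {
            const char *v = p + klen;
            while (v < end && (*v == ' ' || *v == '\t')) v++;
            size_t vlen = (size_t)(end - v) < outsz ? (size_t)(end - v) : outsz - 1;
            memcpy(out, v, vlen); out[vlen] = '\0';
            return 1;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return 0;
}

/* 1 if sshd_config explicitly lets root authenticate with a password. An absent
   PermitRootLogin falls back to the sshd build's default and is not flagged here. */
int sshd_permits_root_password(const char *cfg) {
    char v[64];
    if (!sshd_first_value(cfg, "PermitRootLogin", v, sizeof v) || strcasecmp(v, "yes") != 0) return 0;
    if (sshd_first_value(cfg, "PasswordAuthentication", v, sizeof v) && strcasecmp(v, "no") == 0) return 0;
    return 1;
}

/* Count PEM private-key headers ("-----BEGIN <label> PRIVATE KEY-----") in a blob that may hold NULs. */
int count_pem_private_keys(const unsigned char *buf, size_t len) {
    static const char begin[] = "-----BEGIN ", tail[] = "PRIVATE KEY-----";
    int count = 0;
    for (size_t i = 0; i + sizeof begin - 1 <= len; i++) {
        if (memcmp(buf + i, begin, sizeof begin - 1) != 0) continue;
        for (size_t j = i + sizeof begin - 1; j + sizeof tail - 1 <= len && j < i + 32; j++)
            if (memcmp(buf + j, tail, sizeof tail - 1) == 0) { count++; break; }
    }
    return count;
}

/* Count lines that look like authorized_keys entries (key type at the start of a line). */
int count_authorized_key_lines(const unsigned char *buf, size_t len) {
    static const char *const types[] = { "ssh-rsa ", "ssh-ed25519 ", "ssh-dss ", "ecdsa-sha2-" };
    int count = 0;
    for (size_t i = 0; i < len; i++) {
        if (i > 0 && buf[i - 1] != '\n') continue;
        for (size_t t = 0; t < sizeof types / sizeof types[0]; t++) {
            size_t n = strlen(types[t]);
            if (i + n <= len && memcmp(buf + i, types[t], n) == 0) { count++; break; }
        }
    }
    return count;
}

int main(void) {
    printf("shadow root: state %d, passwd root: state %d\n",
           password_field_state(SHADOW_ROOT_SET), password_field_state(PASSWD_INLINE_HASH));
    printf("sshd root+password: %d\n", sshd_permits_root_password(SSHD_OPEN));
    printf("PEM private keys: %d, authorized_keys lines: %d\n",
           count_pem_private_keys((const unsigned char *)FILE_BLOB, BLOB_LEN),
           count_authorized_key_lines((const unsigned char *)FILE_BLOB, BLOB_LEN));
    return 0;
}
```

A missing PermitRootLogin is deliberately not flagged: the effective value then depends on the sshd build (older releases defaulted to yes), so the sshd binary's version has to be part of the check. The PEM scan counts headers, not usable keys; a finding is confirmed by extracting the key and matching it against the device's host key or an authorized_keys entry.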

2. Pattern of Security Flaws
Huawei devices were shown to have a high number of known security vulnerabilities. Despite the fact that many of these vulnerabilities have been public knowledge for years, Huawei continues to make firmware updates without addressing them. These vulnerabilities increase the likelihood that attackers can compromise these devices.

• On average, Huawei devices had 102 known vulnerabilities inside their firmware, primarily due to the use of vulnerable open-source and third-party components.

• Across the firmware tested, there were 8,826 observations of vulnerabilities with a CVSS score of 10.0, the maximum severity level, indicating serious flaws in the systems.

• One tested device had a total of 1,419 known vulnerabilities in its most recent version of firmware.
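The known-vulnerability counts in this section start from an inventory of the third-party component versions an image actually ships; matching those against CVE data is the second step and needs a vulnerability database. An added example in C, not part of the report's tooling: scan a raw file blob for the version banner that libcrypto embeds (the `OpenSSL 1.0.1e 11 Feb 2013` form), parse it into a comparable value, de-duplicate, and count versions older than a floor the analyst chooses. The blob and the floor are constructed; the floor is a policy input, not a claim about which OpenSSL releases are vulnerable.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Parsed OpenSSL version: major.minor.fix plus the patch letter (a=1 .. z=26, 0 = none). */
struct osslver { int major, minor, fix, patch; };

/* Parse "1.0.1e", "1.1.1k", "3.0.2" or "1.0.2-fips". Returns 1 on success. */
int parse_openssl_version(const char *s, struct osslver *v) {
    int n = 0;
    if (sscanf(s, "%d.%d.%d%n", &v->major, &v->minor, &v->fix, &n) != 3) return 0;
    v->patch = 0;
    if (islower((unsigned char)s[n])) { v->patch = s[n] - 'a' + 1; n++; }
    /* a banner continues with a space and the build date, a "-suffix", or ends here */
    return s[n] == '\0' || s[n] == ' ' || s[n] == '-';
}

/* Ordering used for "older than": negative if a < b, 0 if equal. */
int cmp_openssl_version(const struct osslver *a, const struct osslver *b) {
    if (a->major != b->major) return a->major - b->major;
    if (a->minor != b->minor) return a->minor - b->minor;
    if (a->fix != b->fix) return a->fix - b->fix;
    return a->patch - b->patch;
}

/* Scan a blob (NUL bytes allowed) for "OpenSSL <version>" banners as libcrypto embeds them.
   Distinct versions go to out[]; returns how many distinct versions were found. */
int find_openssl_versions(const unsigned char *buf, size_t len, struct osslver *out, int max) {
    static const char tag[] = "OpenSSL ";
    const size_t taglen = sizeof tag - 1;
    int found = 0;
    for (size_t i = 0; i + taglen < len; i++) {
        if (memcmp(buf + i, tag, taglen) != 0) continue;
        char tmp[32];                              /* the version plus the start of the date */
        size_t j = 0;
        for (size_t k = i + taglen; k < len && j < sizeof tmp - 1 && buf[k] != '\0' && buf[k] != '\n'; k++)
            tmp[j++] = (char)buf[k];
        tmp[j] = '\0';
        struct osslver v;
        if (!parse_openssl_version(tmp, &v)) continue;
        int dup = 0;
        for (int k = 0; k < found; k++) if (cmp_openssl_version(&out[k], &v) == 0) dup = 1;
        if (!dup && found < max) out[found++] = v;
    }
    return found;
}

/* Count found versions older than `floor` (a policy the analyst chooses, e.g. the oldest
   release line still receiving fixes). Returns -1 if the floor does not parse. */
int count_below_floor(const struct osslver *vs, int n, const char *floor) {
    struct osslver f;
    if (!parse_openssl_version(floor, &f)) return -1;
    int old = 0;
    for (int i = 0; i < n; i++) if (cmp_openssl_version(&vs[i], &f) < 0) old++;
    return old;
}

/* Constructed blob standing in for the string table of several bundled libcrypto copies. */
static const unsigned char SAMPLE_BLOB[] =
    "\x01\x02noise\x00OpenSSL 1.0.1e 11 Feb 2013\x00"
    "OpenSSL 1.0.1e 11 Feb 2013\x00"          /* same banner twice: counted once */
    "OpenSSL 1.1.1k  25 Mar 2021\x00"
    "OpenSSL_add_all_algorithms\x00"          /* a symbol name, not a banner */
    "OpenSSL 3.0.2-dev\x00";
#define SAMPLE_LEN (sizeof SAMPLE_BLOB - 1)
#define MAX_FOUND 32

int sample_distinct_versions(void) {
    struct osslver vs[MAX_FOUND];
    return find_openssl_versions(SAMPLE_BLOB, SAMPLE_LEN, vs, MAX_FOUND);
}
int sample_versions_below(const char *floor) {
    struct osslver vs[MAX_FOUND];
    int n = find_openssl_versions(SAMPLE_BLOB, SAMPLE_LEN, vs, MAX_FOUND);
    return count_below_floor(vs, n, floor);
}

int main(void) {
    struct osslver vs[MAX_FOUND];
    int n = find_openssl_versions(SAMPLE_BLOB, SAMPLE_LEN, vs, MAX_FOUND);
    for (int i = 0; i < n; i++)
        printf("OpenSSL %d.%d.%d%c\n", vs[i].major, vs[i].minor, vs[i].fix,
               vs[i].patch ? 'a' + vs[i].patch - 1 : ' ');
    printf("%d distinct, %d older than 1.1.1a\n", n, count_below_floor(vs, n, "1.1.1a"));
    return 0;
}
```

Run over every file in an unpacked image and aggregated, this is the kind of scan that produces a "79 distinct versions" figure; the same approach works for any library that embeds a recognisable version string, and the distinct-version count is itself a configuration-management signal before any CVE lookup happens.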

3. Highly Insecure Software Development Practices
Despite claims of prioritizing security, we quantitatively demonstrate that Huawei engineers systematically made poor security decisions in building the devices we tested. This weak security engineering significantly increases the potential for serious vulnerabilities.

• Fewer than half of the binaries encountered were built with standard exploit mitigations such as position-independent code (the precondition for ASLR), non-executable stacks (DEP/NX), and stack canaries (StackGuard), even though mainstream toolchains enable these by default.

• Huawei practices abysmal software configuration management as demonstrated by their use of 79 distinct versions of the OpenSSL library across their most recent firmware releases. In some cases, Huawei used 10-year-old versions of libraries containing dozens of vulnerabilities rather than selecting newer, more secure options.

• On dozens of occasions, Huawei engineers disguised known unsafe functions (such as memcpy) as the bounds-checked “safe” version (memcpy_s) by creating wrapper functions that carry the “safe” name but perform none of the safety checks. This leads to thousands of vulnerable conditions in their code.

• Across 356 firmware images, there are several million calls into unsafe functions. Huawei engineers chose the “safe” option of these functions less than 17% of the time, despite the fact that these functions improve security and have existed for over a decade.

• On average, each binary analyzed had more than 12 possible buffer overflows, each of which is a potential 0-day vulnerability.

• Security is not improving over time. In at least one instance, security became quantifiably worse for users that patched their devices to the updated version of firmware.
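What the wrapper finding looks like in code, as an added example that is not Huawei's code: `fake_memcpy_s` carries the C11 Annex K name and signature but forwards to `memcpy` without comparing `n` to `destsz`, so a caller who trusts the name still overflows; `checked_memcpy_s` performs the runtime-constraint checks the name promises and, as Annex K requires, zeroes the destination on failure. The harness runs both inside one oversized backing array so the demonstration itself stays in bounds; `RSIZE_MAX`, `errno_t` and `rsize_t` are defined locally because the Annex K header may not provide them, and the specific errno values returned are this example's choice.

```c
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef int errno_t;                /* local definitions: Annex K types are not in every libc */
typedef size_t rsize_t;
#ifndef RSIZE_MAX
#define RSIZE_MAX (SIZE_MAX >> 1)   /* Annex K leaves the exact bound implementation-defined */
#endif

/* The anti-pattern: the bounds-checked name and signature, no bounds check. A reviewer who
   sees memcpy_s(dst, sizeof dst, src, n) assumes n is checked against sizeof dst. It is not. */
errno_t fake_memcpy_s(void *dest, rsize_t destsz, const void *src, rsize_t n) {
    (void)destsz;                   /* the size that would make the call "safe" is never consulted */
    memcpy(dest, src, n);
    return 0;
}

/* What the name promises (C11 Annex K, K.3.7.1.1): reject null pointers, sizes above RSIZE_MAX,
   n > destsz and overlapping objects; on a violation zero dest[0..destsz) and return nonzero. */
errno_t checked_memcpy_s(void *dest, rsize_t destsz, const void *src, rsize_t n) {
    if (dest == NULL || destsz > RSIZE_MAX) return EINVAL;
    if (src == NULL || n > RSIZE_MAX || n > destsz) {
        memset(dest, 0, destsz);
        return n > destsz ? ERANGE : EINVAL;
    }
    const unsigned char *s = src;
    unsigned char *d = dest;
    if (d < s + n && s < d + n) {   /* overlap is a constraint violation, not a memmove fallback */
        memset(dest, 0, destsz);
        return EINVAL;
    }
    memcpy(dest, src, n);
    return 0;
}

typedef errno_t (*memcpy_s_fn)(void *, rsize_t, const void *, rsize_t);

/* Harness inside one 64-byte backing array so the demonstration itself stays in bounds:
   bytes 0..15 are the "destination object", bytes 16..31 play the adjacent memory an
   overflow corrupts. Returns 1 if those adjacent bytes changed; *rc gets the return value. */
static int adjacent_bytes_clobbered(memcpy_s_fn fn, errno_t *rc) {
    unsigned char backing[64], src[32];
    memset(backing, 0xAA, sizeof backing);
    memset(src, 0x41, sizeof src);
    *rc = fn(backing, 16, src, sizeof src);   /* n = 32 against destsz = 16 */
    for (int i = 16; i < 32; i++)
        if (backing[i] != 0xAA) return 1;
    return 0;
}

int fake_overflows(void)     { errno_t rc; return adjacent_bytes_clobbered(fake_memcpy_s, &rc); }
int checked_overflows(void)  { errno_t rc; return adjacent_bytes_clobbered(checked_memcpy_s, &rc); }
int checked_failure_rc(void) { errno_t rc; adjacent_bytes_clobbered(checked_memcpy_s, &rc); return rc; }

/* After a rejected call the destination object is zero-filled, not left half-written. */
int checked_zeroes_on_failure(void) {
    unsigned char dst[16], src[32];
    memset(dst, 0xAA, sizeof dst); memset(src, 0x41, sizeof src);
    if (checked_memcpy_s(dst, sizeof dst, src, sizeof src) == 0) return 0;
    for (size_t i = 0; i < sizeof dst; i++) if (dst[i] != 0) return 0;
    return 1;
}

/* A well-formed call copies exactly n bytes and returns 0. */
int checked_copy_in_bounds(void) {
    unsigned char dst[16] = {0};
    const char src[] = "in-bounds";
    return checked_memcpy_s(dst, sizeof dst, src, sizeof src) == 0 &&
           memcmp(dst, src, sizeof src) == 0;
}

/* Overlapping source and destination are rejected rather than silently mis-copied. */
int checked_rejects_overlap(void) {
    unsigned char buf[32] = {0};
    return checked_memcpy_s(buf, 16, buf + 8, 16) == EINVAL;
}

int main(void) {
    printf("fake_memcpy_s clobbered adjacent memory:    %d\n", fake_overflows());
    printf("checked_memcpy_s clobbered adjacent memory: %d (rc=%d, ERANGE=%d)\n",
           checked_overflows(), checked_failure_rc(), ERANGE);
    return 0;
}
```

The review signal is the body, not the name: any function named `*_s` whose implementation never reads its size parameter (the `(void)destsz` above, or an unused register in the disassembly) is a wrapper of this kind, and every call site that relied on it needs the bound checked by hand.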

4. Quantitatively Higher Risk than Other Similar Devices
Compared to similar devices from other vendors, we quantitatively demonstrate that Huawei has substantially worse security.

• In analysis across different dimensions of risk categorized by the Finite State Risk Matrix, a Huawei device had the highest risk in six of the nine categories when ranked against comparable Juniper and Arista devices.

• The Huawei device had substantially more known vulnerabilities and 2-8x more potential 0-day vulnerabilities than the other devices.

• The Huawei device was the only device that contained hard-coded default credentials and hard-coded default cryptographic keys.

5. Firmware Security Verification is Possible at Scale
Despite assertions that devices and their firmware updates could not be scalably tested for security properties, we demonstrate that verification can be conducted at scale, enabling increased transparency and security.

• In a matter of hours, the Finite State Platform processed and analyzed 9,936 firmware images comprising more than 1.5 million unique files.

• Through firmware analysis, the platform was able to uncover deeper vulnerabilities than comparable vulnerability scanning tools.

• By using automated analytical tools, the end users of these devices have a mechanism to enforce security requirements upon their vendors — ultimately making networks safer for everyone.
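The hardening bullet in finding 3 (ASLR, DEP, StackGuard) and the point above about automated tools in users' hands come down to a check anyone can run over every ELF file in an unpacked image. An added example in C, not the Finite State platform's code: parse an ELF header in either width and either byte order (the big-endian MIPS and little-endian ARM builds common in network equipment) and report whether the file is position-independent (the precondition for ASLR of its own code; the kernel still has to randomize), whether its stack is non-executable, and whether the `__stack_chk_fail` reference that -fstack-protector leaves behind is present. The sample images are constructed headers with no code.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ET_DYN        3u
#define PT_GNU_STACK  0x6474e551u
#define PF_X          1u

struct hardening { int valid, pie, nx_stack, canary; };

/* Byte-order-aware integer read/write: network gear mixes big-endian MIPS with little-endian ARM. */
static uint64_t rd(const unsigned char *p, int nbytes, int be) {
    uint64_t v = 0;
    for (int i = 0; i < nbytes; i++) v |= (uint64_t)p[be ? nbytes - 1 - i : i] << (8 * i);
    return v;
}
static void wr(unsigned char *p, uint64_t v, int nbytes, int be) {
    for (int i = 0; i < nbytes; i++) p[be ? nbytes - 1 - i : i] = (unsigned char)(v >> (8 * i));
}

/* Fill `h` from an in-memory ELF image. Returns 0 (h->valid = 0) if it is not a parseable ELF.
   pie:      e_type == ET_DYN. For an executable that means PIE; a shared library is ET_DYN anyway.
   nx_stack: PT_GNU_STACK present without PF_X. No PT_GNU_STACK is reported as executable,
             which is what the Linux loader assumes on most architectures.
   canary:   the string "__stack_chk_fail" appears, which -fstack-protector leaves in
             .dynstr/.symtab. A stripped static binary can hide it; a full check walks the
             symbol tables, this heuristic only scans bytes. */
int elf_hardening(const unsigned char *img, size_t len, struct hardening *h) {
    memset(h, 0, sizeof *h);
    if (len < 52 || memcmp(img, "\x7f" "ELF", 4) != 0) return 0;
    if ((img[4] != 1 && img[4] != 2) || (img[5] != 1 && img[5] != 2)) return 0;
    int is64 = img[4] == 2, be = img[5] == 2;
    if (is64 && len < 64) return 0;
    uint64_t phoff = is64 ? rd(img + 32, 8, be) : rd(img + 28, 4, be);
    uint64_t phentsz = rd(img + (is64 ? 54 : 42), 2, be);
    uint64_t phnum = rd(img + (is64 ? 56 : 44), 2, be);
    if (phentsz < (is64 ? 56u : 32u)) return 0;

    h->valid = 1;
    h->pie = rd(img + 16, 2, be) == ET_DYN;
    for (uint64_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + i * phentsz;
        if (off >= len || len - off < phentsz) break;   /* truncated table: never read past the end */
        const unsigned char *ph = img + off;
        if (rd(ph, 4, be) == PT_GNU_STACK)
            h->nx_stack = !(rd(ph + (is64 ? 4 : 24), 4, be) & PF_X);
    }
    static const char sym[] = "__stack_chk_fail";
    for (size_t i = 0; i + sizeof sym - 1 <= len; i++)
        if (memcmp(img + i, sym, sizeof sym - 1) == 0) { h->canary = 1; break; }
    return 1;
}

/* Build a constructed image (no code, just a header and one PT_GNU_STACK entry) into `out`,
   which must hold 256 bytes. e_type 2 = ET_EXEC, 3 = ET_DYN; stack_flags 6 = RW, 7 = RWX. */
size_t build_sample_elf(unsigned char *out, int is64, int be, unsigned e_type,
                        unsigned stack_flags, int with_canary_sym) {
    size_t ehsz = is64 ? 64 : 52, phsz = is64 ? 56 : 32;
    memset(out, 0, 256);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = is64 ? 2 : 1; out[5] = be ? 2 : 1; out[6] = 1;   /* class, data, version */
    wr(out + 16, e_type, 2, be);
    if (is64) { wr(out + 32, ehsz, 8, be); wr(out + 54, phsz, 2, be); wr(out + 56, 1, 2, be); }
    else      { wr(out + 28, ehsz, 4, be); wr(out + 42, phsz, 2, be); wr(out + 44, 1, 2, be); }
    wr(out + ehsz, PT_GNU_STACK, 4, be);
    wr(out + ehsz + (is64 ? 4 : 24), stack_flags, 4, be);
    size_t n = ehsz + phsz;
    if (with_canary_sym) { memcpy(out + n, "__stack_chk_fail", 16); n += 16; }
    return n;
}

/* Bitmask pie<<2 | nx<<1 | canary for a constructed image, or -1 if it did not parse. */
int sample_result(int is64, int be, unsigned e_type, unsigned stack_flags, int with_canary_sym) {
    unsigned char img[256];
    size_t n = build_sample_elf(img, is64, be, e_type, stack_flags, with_canary_sym);
    struct hardening h;
    if (!elf_hardening(img, n, &h)) return -1;
    return h.pie << 2 | h.nx_stack << 1 | h.canary;
}

int not_elf_rejected(void) {
    unsigned char junk[64];
    memset(junk, 'A', sizeof junk);
    struct hardening h;
    return elf_hardening(junk, sizeof junk, &h) == 0 && h.valid == 0;
}

int main(void) {
    printf("x86-64 PIE, NX, canary:    %d\n", sample_result(1, 0, 3, 6, 1));   /* 7 */
    printf("MIPS32 BE exec, RWX stack: %d\n", sample_result(0, 1, 2, 7, 0));   /* 0 */
    return 0;
}
```

Applied to every ELF in an image and to each firmware update in turn, the three flags give the per-binary hardening rate the report quotes and a trend line across releases; a user can put that number in a procurement requirement and re-check it on every update the vendor ships.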