From the UK’s report on Huawei base station software analysis. assets.publishing.service.gov.uk/government/upl…

Also, this section on reproducing the build process is pretty bad. Nobody can even tell if the software running in the equipment was built from the reviewed source.

Many people are saying that other manufacturers probably have the same defects as Huawei. I bet they’re right. This isn’t really the point, though (short thread.)

The UK and other western nations have been having a debate about whether to trust Huawei equipment and software to run critical national infrastructure. There are financial motivations, political ones, real concerns etc. It is very complicated and above my pay grade. 2/

What the UK appears to have been attempting is to split this difference. Buy Huawei equipment, but put an independent layer of UK cybersecurity analysis on top — to ensure that they can obtain the financial benefits while also mitigating security concerns. 3/

What this report says is *not* that Huawei is uniquely bad. And *not* that there’s anything malicious in the software. But rather, that the current condition of Huawei SW development makes this external review layer non-functional. 4/

There are several problems here, but they all amount to “our reviews are worthless.” The biggest one is that currently, the UK govt can’t even verify that the code running in Huawei equipment is the same code they were given to review. 5/

This problem of “reproducible builds” is a big annoying one across our industry. The binaries running on the devices have to be the same as the ones that get built from code that’s been reviewed, or you’re just wasting people’s time. 6/

Even if Huawei solves that problem (and they’ve been trying for some time apparently), the codebase is apparently a mess. It contains a bunch of insecure dependencies, each of which brings in a stack of known vulnerabilities. 7/

While this is potentially true of other vendors, particularly those that are just spinning up and have immature codebases, those vendors aren’t trying to achieve the unique feat that the UK-Huawei partnership is: namely make a not-fully-trusted partner into a trusted one. 8/

Personally I think this is an impossible problem, even in the best case. Our best software security techniques are barely sufficient to stop accidental vulnerabilities being introduced by honest developers. They can’t possibly work against a manufacturer acting with malice. 9/

Whether you believe this or not, this report shows that Huawei-UK is nowhere near even having the capability to give this a shot. 10/

Last point: I am not saying that Huawei is malicious. I am only saying that dishonest behavior by Huawei is *within the threat model the UK is applying*, and that the partnership and review systems are trying to rule out. 11/

I’ve worked with Huawei engineers. They were super nice and I found the entire organization to be impressive and earnest.

But, as the Snowden documents showed, it’s never good policy to blindly trust a foreign equipment manufacturer if you don’t trust their government. /Fin