Thread by Steve Conlon, 22 tweets
A Thread: Key points of the UK #HCSEC #Huawei Oversight report and the implications:

1. HCSEC has been running for 8 years - 5 years testing
Examining Huawei and their operations, coding and security for a long time. In that time Huawei has basically slow-balled the process.
2. New additional risks with Huawei identified
These compound the previous risks of binary equivalence and sloppy coding. Not to mention delays in translating firmware upgrades etc. into English, which slows the process down.
2a. The report identified extensive non-adherence to basic secure coding practices, including Huawei’s own internal standard, mandated since 2013.
2b. The HCSEC also found extensive incorrect use of safe memory manipulation functions, significantly increasing the likelihood of memory safety vulnerabilities.
2c. WOW - Inappropriate suppression of warnings from static analysis tools, potentially hiding vulnerabilities. I wonder where we saw that before; it sounds similar to the Volkswagen emissions scandal.
3. New additional risks are 'significant'
The report does not deep dive into what these are, but it's never good, and has to do with Huawei engineering processes - the genesis of coding and manufacturing - which is an alarm bell sounding on Huawei supply chain security.
4. Huawei has not fixed that which has already been identified
Despite promising £2bn to fix in 2 years (and then saying they could do it in 6 months after a ban was discussed), Huawei haven't done anything to fix the problems identified.
5. There's a compounded risk of vulnerability
The old and new identified risks, coupled with the issue of binary equivalency, mean that fixing the problems may be impossible within any #5G deployment timeline for UK carriers.
6. Ongoing and continuous resource allocation required
In order just to protect existing 4G networks, carriers and the UK will need to invest significant resources - and that's just to deal with the backlog of vulnerability issues.
7. Only limited assurances can be given on Huawei tech
This is not the first time the HCSEC have made such limited assurances. When should risk mitigation stop and when should risk neutralization begin with critical infrastructure?
8. The Board can't offer a plan for future mitigation
#5G technology will be so revolutionary and so embedded in society, in ways we cannot comprehend yet, that using Huawei gear could have ramifications for decades.
9. Difficult to risk-manage future Huawei products
They have no idea how future products will interact with coding from older devices, or if newer coding will awaken dormant coding that was able to avoid detection (in a nutshell).
10. The HCSEC has no confidence in Huawei to fix their security problem - purely based on their past performance with them.
I am paraphrasing because the wording is very diplomatically worded, but that's what it's basically saying.
11. The HCSEC has judged Huawei plans to remedy defects in engineering and cyber security as INADEQUATE.
12. The HCSEC has NO CONFIDENCE that what is rectified in one Huawei build is rectified in another Huawei build, as Huawei does not use modern software engineering processes that would give confidence.
13. Huawei’s configuration management improvements have not been universally applied. Therefore there is no end-to-end integrity - if a Huawei network was attacked, Huawei may not be able to fix the vulnerability - THIS IS MADNESS in a #5G world.
14a. Huawei uses an old, outdated, and not very utilized operating system that has a number of major security risks attached to it, and would incur severe outage if it were impacted.
14b. The NCSC does not believe that Huawei has any credible, secure plan to reduce the cyber security risk associated with the use of this third-party operating system.
14c. The heralded Huawei alternative operating system is subject to the same weak software engineering processes and binary equivalency issues and therefore cannot be deemed to be a secure, viable alternative.
15a. The Huawei software lifecycle management system is flawed, full of major security vulnerabilities. AND THIS IS A MAJOR ISSUE. What #Huawei offered as an improved version was still riddled with security issues.
15b. The NCSC and HCSEC have no confidence in Huawei's ability to remediate the software engineering and cyber security issues in the LTE eNodeB product development and sustained engineering.
16. Several HUNDRED #Huawei vulnerabilities had to be reported to UK operators in 2018 alone. Not all of these vulnerabilities have been resolved and are still in active networks in the UK.
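As an added illustration of the defect class behind point 2b (this is example code written for this page, not code from the report, the HCSEC or Huawei): a common misuse of a bounded copy function beside a corrected form that bounds by the destination, always terminates, and reports truncation. The buffer size, function names and result codes are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 8   /* constructed: a small fixed-size field */

/* Misuse pattern: strncpy bounded by the destination size does not
 * guarantee NUL termination when src has dst_size or more characters.
 * A later strlen/printf on dst then reads past the buffer. When the
 * bound is visible to the compiler, GCC flags this with
 * -Wstringop-truncation; point 2c describes such warnings being
 * suppressed rather than fixed. Returns true only if dst ended up
 * NUL-terminated. */
bool copy_name_misused(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size);
    return memchr(dst, '\0', dst_size) != NULL;
}

/* Corrected form: validate arguments, never scan src beyond what dst can
 * hold, always terminate, and tell the caller about truncation instead of
 * silently producing a non-string. */
typedef enum { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_BAD_ARG = 2 } copy_result;

copy_result copy_name_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_BAD_ARG;

    size_t n = 0;                       /* bounded length of src */
    while (n < dst_size && src[n] != '\0')
        n++;

    if (n == dst_size) {                /* src does not fit: truncate */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return COPY_TRUNCATED;
    }
    memcpy(dst, src, n + 1);            /* includes the terminating NUL */
    return COPY_OK;
}

int main(void)
{
    char buf[NAME_LEN];
    const char *long_src = "abcdefghij";   /* constructed: longer than NAME_LEN */
    printf("misused terminated: %d\n", copy_name_misused(buf, sizeof buf, long_src));
    printf("checked result: %d, value: \"%s\"\n",
           copy_name_checked(buf, sizeof buf, long_src), buf);
    return 0;
}
```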