The GitHub public post (redacted) that shows Huawei’s LDAP credentials for a Splunk app. (Image credit: Victor Gevers)

Two recent examples of poor cybersecurity practices could weigh heavily on Huawei, as the Chinese tech giant tries to cast itself as a reliable purveyor of international telecom infrastructure to gain ground in the race to 5G.

On March 9, Dutch cybersecurity researcher Victor Gevers revealed that he had discovered a publicly available trove of what appears to be Huawei enterprise network credentials on the open-source software development platform GitHub. The type of credentials posted, which typically grant access to potentially sensitive company data, may have been posted late last year.

Less than a month later, on March 28, the UK’s Huawei Oversight Board (HCSEC) said in its annual report that Huawei’s cybersecurity suffers from “underlying defects” in software development, “bringing significantly increased risk to UK operators.” HCSEC is Huawei’s self-evaluation subsidiary in the UK, working under the oversight of British authorities.

The US government alleges that Huawei poses a national security threat because of its ties to the Chinese government. Any question regarding the company’s ability to competently handle cybersecurity issues could further complicate Huawei’s efforts to win the trust of key governments and potential partners overseas—something it is increasingly trying to accomplish.

“The issue identified applies only on an isolated, virtual test environment. No Huawei or customer networks or data has or will be affected by this issue,” a spokeswoman for Huawei told TechNode in response to queries about the GitHub leak.

Regarding the HCSEC report, a spokesman for Huawei countered some of the claims in the report in an emailed statement, saying the document had attested that “Huawei’s equipment has no backdoors.”

The same statement highlighted that, in November, the company’s board of directors had set aside $2 billion for a “transformation program” to enhance Huawei’s software engineering capabilities.

Still, the HCSEC report noted that, more than three months since it was announced, the transformation plan remained short on details, describing it as “a proposed initial budget for as yet unspecified activities,” and added that it hadn’t found any evidence to inspire confidence in Huawei’s capacity to successfully carry out the transformation program.

Network access

In the GitHub case, both the post and related account were deleted soon after Gevers publicized his findings on Twitter.

GitHub repositories can only be removed by the author or the site’s moderators. The open-source software development platform only removes content if it infringes on copyright or trademark, or if it “poses a security risk.”

The code posted on GitHub showed the password of an administrator account of a Lightweight Directory Access Protocol (LDAP) for a Splunk app.

LDAP is an open directory standard that provides an interface to access and structure data. The database can contain anything, such as contact lists, but it is commonly used to manage passwords, said Nils Weisensee, founder of Frontier Intelligence, a Shanghai-based cybersecurity consultancy.

The Splunk platform is a big data analytics and visualization tool that companies can use to tailor apps to their purposes. The front-end of a Splunk app is a user-friendly web-style interface that visualizes data analyzed in the back-end, which connects directly to applications and devices to collect, index, analyze, and correlate big data.

The code could not be examined directly by TechNode.

Splunk is commonly used in IoT, business analytics, and security. It has a wide range of applications, including using AI to analyze the data that a company collects, Weisensee explained.

The code on GitHub indicates that the credentials granted access to Huawei’s enterprise network, not a separate test domain. Huawei.com, the enterprise network, is named as the domain controller, the server that controls access to resources; the user shown has admin privileges, meaning it handles all security requests to access the network.

According to standard security practices, if the app were a test, the directory would have identified a separate test network, Gevers said. “You do this because accidents like this can happen. You don’t want anyone to access the enterprise network, because you lose all control,” he added.

“Either they were sloppy and testing in their enterprise network or their enterprise credentials were found online,” he said.
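The failure described above, a checked-in app configuration whose LDAP bind settings point at the production directory and carry the bind password in the clear, is the kind of thing a repository check can catch before a commit is pushed. The following is an added example, not code from the article, from Huawei or from Splunk: it parses a Splunk-style `authentication.conf` (the `[authentication]` stanza naming an LDAP settings stanza with `host`, `bindDN` and `bindDNpassword` keys) and flags a plaintext bind password and any host or bind DN that does not belong to an allow-listed test directory. The sample configs, the domain names, the `ALLOWED_TEST_DOMAINS` policy and the treatment of `$1$`/`$7$`-prefixed values as already-encrypted are all assumptions made for the example.

```python
"""Pre-commit check for LDAP bind credentials in a Splunk-style authentication.conf.

Added example (not the article's, Huawei's or Splunk's code). It assumes the
Splunk authentication.conf layout; the sample configs, domain names and the
allow-list of test directories below are constructed for illustration.
"""
import configparser
import re
from dataclasses import dataclass

# Constructed policy: directories that a configuration checked into a shared
# repository MAY point at. Anything else is treated as an enterprise directory.
ALLOWED_TEST_DOMAINS = {"lab.example.test", "ldap.sandbox.example.test"}

# Assumption: values with these prefixes have already been encrypted at rest
# (Splunk's $1$/$7$ forms); any other non-empty value is treated as plaintext.
ENCRYPTED_PREFIXES = ("$1$", "$7$")


@dataclass
class Finding:
    stanza: str
    key: str
    severity: str
    message: str


def _ldap_stanzas(cfg):
    """Names of settings stanzas that an authType = LDAP stanza refers to."""
    names = []
    for section in cfg.sections():
        if cfg.get(section, "authType", fallback="").upper() == "LDAP":
            for name in cfg.get(section, "authSettings", fallback="").split(","):
                if name.strip():
                    names.append(name.strip())
    return names


def _domain_of(value):
    """DNS-style domain from a host value, or from the DC= parts of a DN."""
    dcs = re.findall(r"(?i)\bdc=([^,]+)", value)
    if dcs:
        return ".".join(d.strip().lower() for d in dcs)
    return value.strip().lower()


def _is_test_domain(domain):
    return any(domain == d or domain.endswith("." + d) for d in ALLOWED_TEST_DOMAINS)


def scan_authentication_conf(text):
    """Return a list of Finding objects for the LDAP stanzas in the given conf text."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    findings = []
    for stanza in _ldap_stanzas(cfg):
        if not cfg.has_section(stanza):
            findings.append(Finding(stanza, "authSettings", "low", "referenced stanza is missing"))
            continue
        password = cfg.get(stanza, "bindDNpassword", fallback="")
        if password and not password.startswith(ENCRYPTED_PREFIXES):
            findings.append(Finding(stanza, "bindDNpassword", "high",
                                    "plaintext LDAP bind password committed to the repository"))
        for key in ("host", "bindDN"):
            value = cfg.get(stanza, key, fallback="")
            if value and not _is_test_domain(_domain_of(value)):
                findings.append(Finding(stanza, key, "high",
                                        f"points at a non-test directory: {_domain_of(value)}"))
    return findings


# Constructed sample: a "test" app config that actually binds to the corporate directory.
SAMPLE_CONF = """
[authentication]
authType = LDAP
authSettings = corp_ldap

[corp_ldap]
host = dc01.corp.example.com
port = 636
SSLEnabled = 1
bindDN = CN=svc-splunk,OU=Service Accounts,DC=corp,DC=example,DC=com
bindDNpassword = Sup3rSecretPlaceholder
userBaseDN = OU=Users,DC=corp,DC=example,DC=com
"""

# Constructed sample of the shape the check accepts: a lab directory and an encrypted value.
SAFE_CONF = """
[authentication]
authType = LDAP
authSettings = lab_ldap

[lab_ldap]
host = ldap.lab.example.test
bindDN = CN=svc-splunk,DC=lab,DC=example,DC=test
bindDNpassword = $7$constructedEncryptedBlob
"""

if __name__ == "__main__":
    for f in scan_authentication_conf(SAMPLE_CONF):
        print(f"[{f.severity}] {f.stanza}.{f.key}: {f.message}")
    print("safe config findings:", scan_authentication_conf(SAFE_CONF))
```

Run as a pre-commit hook or CI step and fail the build on any `high` finding. The domain allow-list is the part that encodes the practice Gevers describes: a test app is only allowed to bind to a directory that is visibly a test directory, so a config that names the enterprise domain controller is rejected whether or not the password is in the clear.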

Taken together, the GitHub incident and the HCSEC report shed further light on how security breaches can and do take place, pointing to a lack of understanding of basic cybersecurity principles, even by tech leaders like Huawei.

“These incidents are not inspiring for a company that claims to be secure,” Gevers told TechNode, referring to the GitHub post.

Gevers, the co-founder of the Dutch NGO GDI Foundation, has been the source behind many recent revelations about security lapses involving well-known Chinese companies like Huawei, Alibaba, and SenseNets, as well as a cache of data on 1.8 million Chinese women that included information about their “breedready” status.

The GDI Foundation says that because its aims are to address security flaws with responsible disclosure, not provide hackers with paths into sensitive information, they neither attempted to log onto Huawei’s Splunk app nor publicly revealed the credentials.

Since neither Gevers nor anyone else—to the extent that could be determined by TechNode—tried to use the credentials, there is no way of knowing exactly what doors the data credentials opened.

Screenshots from Gevers show that the file was created on Sep. 1, 2018. It is likely that they were posted around that time on GitHub, said Gevers, meaning that by the time he discovered them they could have been available online for as long as four months. “Those files were there for a long time,” increasing the security risk posed to Huawei, Gevers said.

On March 7, two days before Gevers’s revelations, Huawei sued the US government. In a press conference held at Huawei’s Shenzhen headquarters, the company’s rotating chairman, Guo Ping, claimed that the US government had hacked into the company’s servers and “stolen emails and source code.”

Guo was alluding to a 2014 New York Times investigation that revealed that the US’s National Security Agency was spying on the conversations of Huawei’s top executives and accessing proprietary information about its network equipment.

Lack of understanding

Gevers’s main concern is not backdoors or malicious attacks, but the fact that people employed in positions that touch on security—not only at Huawei—may not be properly versed in cybersecurity principles.

In its report, HCSEC said Huawei’s systems exhibit “extensive non-adherence to basic secure coding practices, including Huawei’s own internal standard,” severely increasing cybersecurity risk. System vulnerabilities may be obscured because Huawei suppresses warnings from static analysis tools, which check source code against programming rules before software is run, and does not properly manage or update software.

Moreover, the HCSEC report found that Huawei uses an old version of a well-known third-party operating system for the key function of processing incoming data flows in real-time, a function similar to Splunk apps. This attracts risk and a single point of failure can compromise the entire OS, the report stated.

According to Weisensee, out-of-date software is a common problem in China. “There is a lot of outdated software in China—pirated software—that is not properly patched,” he explained.

Weisensee pointed out that for companies of Huawei’s size, it is difficult to ensure perfect security. A combination of factors exposes them to high security risks, he said. Most security breaches are due to human error, and Chinese tech giants like Huawei work with many complex databases, departments, and high employee turnover, which makes it easy for things to slip through the cracks.

In Weisensee’s view, it is too big a logical leap to assume that Huawei purposefully left the LDAP credentials on GitHub. “If someone wants to leak access to data, they will do it in a more obvious way.”

Gevers added, “Someone used the Git repository without actually knowing how it works. It’s like having the key to your front door sticking [out from] under the doormat.”

Eliza was TechNode's blockchain and fintech reporter until July 2021, when she moved to CoinDesk to cover crypto in Asia. Get in touch with her via email or Twitter.
