For months, Huawei Technologies has faced U.S. allegations that it flouted sanctions on Iran, attempted to steal trade secrets from a business partner and threatened to enable Chinese spying through the telecommunications networks it's built across the West.
Now Vodafone has acknowledged to Bloomberg News that it found vulnerabilities going back years with equipment supplied by Shenzhen-based Huawei for the carrier's Italian business. While Vodafone says the issues were resolved, the revelation threatens to further damage the reputation of a major symbol of China's global technology prowess.
Europe's biggest phone company identified hidden backdoors in the software that could have given Huawei unauthorized access to the carrier's fixed-line network in Italy, a system that provides Internet service to millions of homes and businesses, according to Vodafone's security briefing documents from 2009 and 2011, as well as people involved in the situation.
Vodafone asked Huawei to remove backdoors in home Internet routers in 2011 and received assurances from the supplier that the issues were fixed, but further testing revealed that the security vulnerabilities remained, the documents show.
Vodafone also identified backdoors in parts of its fixed-access network known as optical service nodes, which are responsible for transporting Internet traffic over optical fibers, and other parts called broadband network gateways, which handle subscriber authentication and access to the Internet, the people said. The sources asked not to be identified because the matter was confidential.
A backdoor, in cybersecurity terms, is a method of bypassing security controls to access a computer system or encrypted data. While backdoors can be common in some network equipment and software because developers create them to manage the gear, they can be exploited by attackers. In Vodafone's case, the risks included possible third-party access to a customer's personal computer and home network, according to the internal documents.
President Donald Trump's administration, arguing that such end-runs around security in Huawei's equipment could invite espionage by the Chinese state, is trying to persuade Western allies to block the company from the next generation of mobile networks. Huawei has repeatedly denied it creates backdoors and says it's not beholden to Beijing.
Huawei's ability to continue winning contracts from London-based Vodafone, despite the carrier's security concerns, underscores the challenge facing the U.S. as it tries to hinder the world's top telecom equipment vendor and No. 2 supplier of smartphones. Huawei is vying against a stable of Western companies, including Nokia Oyj and Ericsson AB, to roll out fifth-generation, or 5G, wireless networks.
Vodafone has defended Huawei against the U.S. efforts, which has placed Europe -- Huawei's largest market outside China -- in the middle of a trade battle between two superpowers. At stake is leadership in key areas, principally 5G technology and new applications in industries such as automotives, energy and health care. Vodafone Chief Executive Officer Nick Read has joined peers in publicly opposing any bans on Huawei from 5G rollouts, warning of higher costs and delays.
In a statement to Bloomberg, Vodafone said it found vulnerabilities with the routers in Italy in 2011 and worked with Huawei to resolve the issues that year. There was no evidence of any data being compromised, it said. The carrier also identified vulnerabilities with the Huawei-supplied broadband network gateways in Italy in 2012. Vodafone said those were resolved the same year.
Vodafone also said it found records that showed vulnerabilities in several Huawei products related to optical service nodes. It didn't provide specific dates but said the issues were resolved. It said it couldn't find evidence of historical vulnerabilities in routers or broadband network gateways beyond Italy.
"In the telecoms industry it is not uncommon for vulnerabilities in equipment from suppliers to be identified by operators and other third parties," the company said. "Vodafone takes security extremely seriously and that is why we independently test the equipment we deploy to detect whether any such vulnerabilities exist. If a vulnerability exists, Vodafone works with that supplier to resolve it quickly."
In a statement, Huawei said it was made aware of vulnerabilities in 2011 and 2012 and that they were addressed at the time.
However, Vodafone's account of the issue was contested by people involved in the security discussions between the companies. Vulnerabilities in both the routers and the fixed-access network remained beyond 2012 and were also present in Vodafone's businesses in the U.K., Germany, Spain and Portugal, said the people. Vodafone stuck with Huawei because the services were competitively priced, they said.
While backdoors are common in home routers, they are usually fixed by manufacturers once disclosed, said Eric Evenchick, principal research consultant at Atredis Partners, a U.S.-based cybersecurity firm. Evenchick called the situation with Huawei's equipment "very concerning."
Founded in 1987, Huawei entered the European market in 2000. Landmark contracts with Britain's BT Group PLC and Norway's TeliaSonera helped Huawei win market share from -- and eventually surpass -- Nokia and Ericsson.
Information for this article was contributed by Tommaso Ebhardt, Tom Giles, Thomas Seal, Frank Connelly and Patricia Suzara of Bloomberg News.
Business on 05/01/2019