The Asahi Shimbun/The Asahi Shimbun via Getty Images
- Bloomberg reports that Vodafone found vulnerabilities, or "backdoors," in Huawei equipment, citing anonymous sources familiar with the matter and internal Vodafone documents.
- An academic who reviewed the Vodafone documents told Business Insider that the "vulnerabilities had many characteristics associated with backdoors."
- It's a potentially explosive revelation because US and other intelligence agencies suspect Huawei is a tool for Chinese spying, but there is no public evidence to support this.
- Vodafone and Huawei dispute the Bloomberg report, however, saying the vulnerabilities were resolved.
- Visit Business Insider's homepage for more stories.
Europe's biggest phone company Vodafone found evidence of a number of security vulnerabilities in Huawei equipment which could amount to "backdoors," according to Bloomberg.
The report, which has been disputed by Vodafone and Huawei, is potentially explosive. US and other intelligence agencies suspect Huawei is used as a tool for Chinese spying, but there is no public evidence to support this.
Citing internal Vodafone documents from 2009 to 2011 and information from anonymous sources, Bloomberg's report centers on Vodafone's Italian business, which started buying wifi routers from Huawei in 2008.
Vodafone managers reportedly became concerned about security bugs in the routers in 2009. By 2011, Vodafone Italy launched a probe, which Bloomberg claims found a security vulnerability in telnet - the text-based interface that lets users configure their home routers.
Bloomberg reports that the documents show Vodafone requested that telnet be removed, which Huawei agreed to do and said the problem was fixed. However, subsequent testing found telnet was still present, at which point Huawei refused to remove it entirely, reportedly citing manufacturing requirements.
Separately, sources familiar with the matter also told Bloomberg that Vodafone identified vulnerabilities in two other parts of its fixed access network: Optical service nodes (which transport internet traffic over optic fibres) and broadband network gateways (which process subscriber authentication and internet access).
The report comes at a sensitive time for Huawei, as the US has repeatedly warned allied countries against using Huawei's 5G equipment on the grounds that similar vulnerabilities might provide a vantage point for the Chinese government to spy. Huawei vehemently denies this.
Vodafone disputes Bloomberg's findings
Vodafone disputes Bloomberg's characterisation of events. It said that all the vulnerabilities noted in the story were resolved and there was no evidence of unauthorised access. A Vodafone spokesman told Business Insider:
"Bloomberg is incorrect in saying that this 'could have given Huawei unauthorized access to the carrier's fixed-line network in Italy.' In addition, we have no evidence of any unauthorised access.
"This was nothing more than a failure to remove a diagnostic function after development. The issues were identified by independent security testing, initiated by Vodafone as part of our routine security measures, and fixed at the time by Huawei."
Vodafone's spokesman also specifically refuted Bloomberg's characterisation of telnet. "The 'backdoor' that Bloomberg refers to is telnet, which is a protocol that is commonly used by many vendors in the industry for performing diagnostic functions. It would not have been accessible from the internet," he said.
A Huawei spokeswoman told Business Insider that the issues were "addressed at the time." However, sources involved in the companies' discussions told Bloomberg that the vulnerabilities persisted past 2012 and cropped up in other European markets including the UK, Germany, Spain, and Portugal.
"These vulnerabilities had many characteristics associated with backdoors"
Stefano Zanero, an associate professor of computer security at Italy's Politecnico di Milano University, reviewed the Vodafone documents handed to Bloomberg.
He told Business Insider that vulnerabilities identified by Vodafone had "many characteristics associated with backdoors," but there is no way to prove whether they were deliberate.
"These vulnerabilities had many characteristics associated with backdoors: They were not a 'mistake' but an intentional feature; they were not configurable or disclosed/documented to users, but had to be discovered through testing; and most importantly, they were removed at request of Vodafone and subsequently readded in a slightly different way," Zanero said.
He also said Vodafone's description of telnet was outmoded. "While it is true that telnet was in the '90s used to perform such tasks, it has been abandoned in favor of more secure protocols, and more importantly this 'management interface' [telnet] was unknown to Vodafone, not documented and - once removed on their request - placed again against their will," he added.
The question of intent versus incompetence has been an issue for Huawei in the past. A UK government report found "major defects" in the company's security systems, but concluded they were the product of shoddy engineering, rather than state interference.