Huawei disputes U.S. cyber firm’s findings of flaws in gear
Ohio-based Finite State said it stood by its findings
WASHINGTON—China’s Huawei Technologies Co. disputed findings from a U.S. cybersecurity firm that its gear is far more likely to contain flaws than equipment from rival companies, characterizing the analysis as incomplete and inaccurate.
A report released last week by Finite State, based in Columbus, Ohio, found that more than half of the nearly 10,000 firmware images, drawn from more than 500 variants of Huawei enterprise network equipment, that the researchers tested contained at least one exploitable vulnerability. Firmware is the low-level software embedded in a device that controls its hardware.
Before its public release, the Finite State report circulated widely among senior Trump administration officials, who said they deemed it credible and that it further validated their tough posture toward Huawei. It was reviewed by senior officials at the White House, Department of Homeland Security and the U.K.’s National Cyber Security Center, as well as by lawmakers.
In a lengthy rebuttal, Huawei criticized Finite State for using an “unconventional approach” that didn’t include outreach to Huawei during the review or an advance copy of the analysis before it was published.
Huawei also accused Finite State of presenting its results selectively and of lacking neutrality, saying the firm tested older gear likely to contain more defects and compared the results with those of smaller rivals Arista Networks Inc. and Juniper Networks Inc. but not with other market leaders such as Cisco Systems Inc.
“Due to the approach Finite State has taken and the weakness of their tools and methodology, the results are at best suspect and at worst just inaccurate,” Huawei’s Product Security Incident Response Team said. “This could have been avoided by collaborating rather than taking a political stance on security.”
Finite State shot back with a detailed response of its own, saying Huawei continued to demonstrate a lack of commitment to common security principles. It said that in nearly all cases the firmware it tested was the most recent version available as of April of this year, and that Huawei had validated some of the findings by saying it would take action in response, such as removing embedded cryptographic keys from at least one device.
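To illustrate the kind of check behind the "embedded cryptographic keys" finding, the following Python is an added example and is not Finite State's tooling or Huawei's code. It scans a constructed stand-in for an unpacked firmware image (in practice you would first extract the image with a tool such as binwalk) for PEM-encoded private keys, skips public keys and certificates, flags whether each private key is encrypted, and reports the nearest preceding path-like string as a hint to where the key lives. The sample bytes and their placeholder key bodies are constructed for the example and are not real keys.

```python
import re
from typing import Dict, List, Optional

# Constructed sample standing in for an unpacked firmware image: an ELF-like
# header, a filename string, two private keys (one cleartext, one encrypted)
# and a public key. The base64 bodies are placeholders, not real key material.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 40
    + b"/etc/ssl/private/server.key\x00"
    + b"-----BEGIN RSA PRIVATE KEY-----\n"
    + b"MIIEowIBAAKCAQEAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"
    + b"-----END RSA PRIVATE KEY-----\n"
    + b"\x00" * 16
    + b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    + b"MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIxxxxxxxxxxxxxxxxxx\n"
    + b"-----END ENCRYPTED PRIVATE KEY-----\n"
    + b"-----BEGIN PUBLIC KEY-----\nMFwwDQYJxxxxxxxx\n-----END PUBLIC KEY-----\n"
)

# A PEM block: BEGIN/END lines with matching labels, anything in between.
PEM_RE = re.compile(
    rb"-----BEGIN (?P<label>[A-Z0-9 ]+?)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

# Labels that denote private key material; public keys and certificates are
# expected in firmware and are not findings by themselves.
PRIVATE_LABELS = {
    "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY",
    "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "OPENSSH PRIVATE KEY",
}

PATH_RE = re.compile(rb"/[\w./-]+")


def _nearest_path(blob: bytes, start: int, stop: int) -> Optional[str]:
    """Best-effort hint: the last path-like string in blob[start:stop]."""
    candidates = PATH_RE.findall(blob[start:stop])
    return candidates[-1].decode("ascii", "replace") if candidates else None


def find_private_keys(blob: bytes, window: int = 256) -> List[Dict]:
    """Return one record per PEM private key found in the blob.

    Each record carries the byte offset, the PEM label, whether the key is
    encrypted (PKCS#8 ENCRYPTED label or legacy Proc-Type header) and a
    path hint taken from the bytes between the previous PEM block and this
    one, so a path belonging to an earlier key is never reported for a later
    one.
    """
    findings: List[Dict] = []
    last_end = 0
    for m in PEM_RE.finditer(blob):
        label = m.group("label").decode("ascii")
        if label in PRIVATE_LABELS:
            body = m.group("body")
            encrypted = (
                label == "ENCRYPTED PRIVATE KEY"
                or b"Proc-Type: 4,ENCRYPTED" in body
            )
            findings.append({
                "offset": m.start(),
                "label": label,
                "encrypted": encrypted,
                "path_hint": _nearest_path(
                    blob, max(last_end, m.start() - window), m.start()
                ),
            })
        last_end = m.end()
    return findings


if __name__ == "__main__":
    for f in find_private_keys(SAMPLE_FIRMWARE):
        state = "encrypted" if f["encrypted"] else "CLEARTEXT"
        print(f"offset {f['offset']:#x}: {f['label']} ({state}) path={f['path_hint']}")
```

A cleartext private key shared across every unit of a product line is the case worth escalating: anyone who extracts the firmware holds the same key as every deployed device. An encrypted key is a weaker finding unless the passphrase is also recoverable from the image.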
“We stand by our report,” said Matt Wyckhouse, Finite State’s chief executive. “Our position is still that Huawei’s vulnerabilities are extensive, they are real, and they are pervasive across their product line.”
Asked why Finite State compared Huawei gear to Juniper and Arista and not Cisco, Mr. Wyckhouse said his firm compared Huawei equipment to the devices the company had access to given its existing customer base. “There was no malicious intent whatsoever,” he said. “We would be happy to analyze Cisco firmware at large scale too.”
Huawei criticized the analysis for presenting only one case study, which measured the vulnerabilities of one of its high-end network switches against Juniper and Arista devices. In response, Mr. Wyckhouse said the report's conclusions were based on weighing Huawei's rate of flaws against the more than 250,000 firmware images in Finite State's database, which covers equipment from a variety of vendors. It did not compare the overall Huawei data set it tested to a specific Juniper or Arista data set.
While the Finite State report documented what it calls extensive cybersecurity flaws found in Huawei gear and a pattern of poor security decisions purportedly made by the firm’s engineers, it stops short of accusing the company of deliberately building weaknesses into its products. U.S. officials have repeatedly said Huawei is a national-security threat because it could be used for espionage or disruption by the Chinese government, allegations that Huawei and Beijing have emphatically denied.
Senior Huawei officials initially indicated they welcomed Finite State's research. Appearing on Fox Business Network last week, Andy Purdy, Huawei's chief security officer, said the flaws found in its gear were the product of the routine cybersecurity testing that new technology products undergo.
“The good news is this is exactly what is necessary to make America safer in communications and 5G,” Mr. Purdy said. “Independent verification of everybody’s products to international standards to help make sure we’re safe.”