‘Shortcomings’ in software used by Huawei could be security risk
SECURITY officials in the UK are concerned that the nation’s communica- tions backbone could be at risk thanks to a piece of Us-made software that is about to go out of date.
The software is currently being used by Chinese telecoms giant Huawei, the company responsible for supplying networking equipment for BT, Vodafone and their subsidiaries.
The problem surrounds Huawei’s use of Wind River Systems’ Vxworks operating system, according to three people with knowledge of the matter, who spoke anonymously to Reuters. The software will stop receiving security patches and updates in 2020, possibly leaving the Vxworks system open to attack. Huawei phones are banned in the US because officials believe its links to the Chinese government make the devices a security risk. In the UK, GCHQ works closely with the Chinese firm to test its products.
However, earlier this month, a government report said it had found “shortcomings” with Huawei equipment used in the UK. The report was written by the Huawei Cyber Security Evaluation Centre, which was set up in 2010 in response to fears that BT and others’ use of the firm’s equipment could pose a cyber security risk.
The report did not blame Californian company Wind River System but it did say: “Third-party software, including security critical components, on various component boards will come out of existing long-term support in 2020, even though the Huawei end of life date for the products containing this component is often longer.”
There is no evidence to suggest that a security patch will not be able to resolve the issue before 2020, or that the Vxworks flaw is intentional.
A Huawei spokesman told Reuters the issue would be addressed, and “cybersecurity remains Huawei’s top priority, and we will continue to actively improve our engineering processes and risk management systems”.
The concerns, however, are the latest complication in an ongoing battle between Chinese and US companies.
It is possible that once the flow of security updates run out, should relevant vulnerabilities or security flaws be uncovered, British telecom networks and consumers could become vulnerable, whether through direct cyberattacks or covert surveillance.