Vodafone Italy discovered backdoors in its Huawei home internet routers and software between 2009 and 2011, according to a new report from Bloomberg News. The backdoors have reportedly been fixed, but the revelations are still bad news for Huawei as the Chinese tech giant tries to secure contracts to build 5G infrastructure around the world.
Vodafone, the largest phone company in Europe, first identified 26 vulnerabilities in its Huawei routers in October of 2009, with nine of those described as “major,” reports Bloomberg. Backdoors can give companies, governments, and hackers various kinds of illicit access into electronic devices that are thought to be otherwise secure.
Huawei has previously denied that it creates backdoors for its equipment and often claims that suspicions of Huawei are just a “loser’s attitude” because American tech companies can’t compete fairly.
Vodafone asked Huawei to remove backdoors in home internet routers in 2011 and received assurances from the supplier that the issues were fixed, but further testing revealed that the security vulnerabilities remained, the documents show. Vodafone also identified backdoors in parts of its fixed-access network known as optical service nodes, which are responsible for transporting internet traffic over optical fibers, and other parts called broadband network gateways, which handle subscriber authentication and access to the internet, the people said. The people asked not to be identified because the matter was confidential.
In one of the most curious details from the new Bloomberg report, Vodafone requested that one of the backdoors for its telnet service be removed but Huawei reportedly refused:
Vodafone said Huawei then refused to fully remove the backdoor, citing a manufacturing requirement. Huawei said it needed the telnet service to configure device information and conduct tests including on wifi, and offered to disable the service after taking those steps, according to the document.
Huawei’s apparent reluctance only amplified concerns that were circulating even then that the company might pose a security threat to customers.
“What is of most concern here is that actions of Huawei in agreeing to remove the code, then trying to hide it, and now refusing to remove it as they need it to remain for ‘quality’ purposes,” Bryan Littlefair, Vodafone’s chief information security officer, wrote in 2011, according to documents reviewed by Bloomberg.
As Bloomberg notes, Huawei is still Vodafone’s fourth largest supplier and has embedded itself in telecom equipment across Europe.
Huawei is under increased pressure in the U.S. and around the world as countries from the Five Eyes spy alliance warn that Huawei’s ties to the Chinese government might be used to monitor users or even compromise national security. Huawei’s founder Ren Zhengfei has ties to the People’s Liberation Army (PLA), which make American intel agencies worried about Huawei’s security.
Huawei has repeatedly defended itself by insisting that its business model depends on world class security, but the company also points the finger at other nation-states by saying that the American government spies on consumer tech as well. Huawei’s rotating chairman Guo Ping even invoked NSA whistleblower Edward Snowden back in February.
“The irony is that the US CLOUD Act allows their governmental entities to access data across borders,” Guo said.
The U.S. Justice Department filed a lawsuit against Huawei back in January charging the company with fraud, obstruction of justice, and the theft of trade secrets from T-Mobile. Huawei then filed its own suit against the U.S. government in March over the ban on using Huawei products at federal agencies.
And this particular New Cold War battle isn’t just impacting Huawei. The FCC recently decided to bar China Mobile, the largest telecom company in China, from offering mobile phone services in the United States. And if history is any guide, it’s only going to get messier before these squabbles settle down.
Correction: I initially spelled Vodafone as “Vodaphone.” I’m an idiot and regret the error.