
Huawei Equipment Has Major Security Flaws, U.K. Says - JumpCrisscross
https://www.wsj.com/articles/u-k-says-huawei-gear-has-major-security-flaws-11553765403
======
KingMachiavelli
> We have no real (at least not this in depth) assurance that products from
> rival vendors are more secure.

This. Huawei may be bad but most embedded devices (routers, switches,
motherboards, etc) are just bad across the board. The fact that embedded
devices are treated like black boxes allows them to ship messy code and out of date
libraries. Hopefully, governments and companies will wise up and start
demanding releasing (a portion of) the source and/or requiring 3rd party
audits/code review, which would incentivize manufacturers to consolidate code
bases and fix bugs, not individual products.

~~~
chousuke
I suspect using really old and shoddily cobbled together software is one of
the reasons vendors usually don't like you looking under the hood.

I recently figured out how to poweroff a brocade switch (there is no native
command for it) and ended up enabling a hidden command that allowed me to run
poweroff via bash.

Bash was version 2.04, almost 20 years old! Now, it _hopefully_ isn't used in
any security-sensitive contexts to enable exploitation (or maybe it's a custom
patched version), but it is sort of indicative of how these things get built.

------
mwambua
I like this quote from theregister’s take on the story:

> "I think this presents the UK government with an interesting dilemma - the
> HCSEC was set up essentially because of concerns about threats from the
> Chinese state to UK CNI (critical national infrastructure). Finding general
> issues is a good thing, but other vendors are not subject to this level of
> scrutiny. We have no real (at least not this in depth) assurance that
> products from rival vendors are more secure."

I wouldn’t be surprised if a lot of other vendors would exhibit the same sort
of issues if observed under the same lens.

------
xiphias2
This is really funny:

    #define SAFE_LIBRARY_memcpy(dest, destMax, src, count) memcpy(dest, src, count)

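The macro quoted above takes a `destMax` argument and then discards it, so a caller who believes the copy is bounded gets a plain `memcpy`. The following is an added example (not code from the thread, from Huawei, or from the HCSEC report): it places the quoted macro next to a bounds-checked replacement, `checked_memcpy`, whose contract (reject when `count > destMax`, reject overlapping or NULL buffers, clear the destination on failure, return an errno-style code) is my own assumption modelled on the shape of C11 Annex K `memcpy_s`. The demo functions use a constructed 16-byte arena so the macro's write past `destMax` can be observed without corrupting memory.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The macro as quoted in the thread: destMax is accepted and ignored. */
#define SAFE_LIBRARY_memcpy(dest, destMax, src, count) memcpy(dest, src, count)

/* Added bounds-checked replacement (assumed contract, memcpy_s-like).
 * Returns 0 on success, EINVAL for NULL or overlapping buffers,
 * ERANGE when count exceeds destMax. On any failure the destination
 * is zeroed so a caller that ignores the return value sees no partial copy. */
int checked_memcpy(void *dest, size_t destMax, const void *src, size_t count)
{
    if (dest == NULL)
        return EINVAL;
    if (src == NULL) {
        memset(dest, 0, destMax);
        return EINVAL;
    }
    if (count > destMax) {
        memset(dest, 0, destMax);
        return ERANGE;
    }
    /* memcpy is undefined on overlapping regions; compare as integers. */
    uintptr_t d = (uintptr_t)dest, s = (uintptr_t)src;
    if (count > 0 && d < s + count && s < d + count) {
        memset(dest, 0, destMax);
        return EINVAL;
    }
    memcpy(dest, src, count);
    return 0;
}

/* Constructed case: a 12-byte payload, destMax claimed as 8, inside a
 * 16-byte arena. Returns 1 if bytes beyond destMax were written. */
int demo_macro_ignores_destmax(void)
{
    unsigned char arena[16];
    const unsigned char payload[12] = "AAAAAAAAAAAA"; /* 12 x 'A', no NUL */
    memset(arena, 0, sizeof arena);
    SAFE_LIBRARY_memcpy(arena, 8, payload, sizeof payload);
    return arena[8] == 'A' && arena[11] == 'A';
}

/* Same oversized copy through the checked version: rejected with ERANGE
 * and the 8-byte destination is left zeroed. Returns the error code. */
int demo_checked_rejects_oversized(void)
{
    unsigned char buf[8];
    const unsigned char payload[12] = "AAAAAAAAAAAA";
    memset(buf, 0xFF, sizeof buf);
    int rc = checked_memcpy(buf, sizeof buf, payload, sizeof payload);
    for (size_t i = 0; i < sizeof buf; i++)
        if (buf[i] != 0)
            return -1; /* destination was not cleared: contract violated */
    return rc;
}

/* A copy that fits goes through unchanged. Returns 1 on success. */
int demo_checked_accepts_fitting(void)
{
    unsigned char buf[8];
    const unsigned char payload[8] = "ABCDEFG"; /* 7 chars + NUL */
    int rc = checked_memcpy(buf, sizeof buf, payload, sizeof payload);
    return rc == 0 && memcmp(buf, payload, sizeof buf) == 0;
}

int main(void)
{
    printf("macro wrote past destMax: %d\n", demo_macro_ignores_destmax());
    printf("checked oversized rc (ERANGE=%d): %d\n", ERANGE,
           demo_checked_rejects_oversized());
    printf("checked fitting ok: %d\n", demo_checked_accepts_fitting());
    return 0;
}
```

The point for a reviewer is that a "safe" wrapper has to consume its bound argument; the way to catch a macro like the quoted one is a test that passes a `count` larger than `destMax` and checks that nothing past `destMax` changed.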
------
rurban
They probably mean it has fewer exploitable security flaws than local HW, for
which they can add their own backdoors at will. Huawei is known to be better
than most other router vendors, esp. Cisco, which is just laughably bad at
security, and which does expose the government mandated "lawful" interception
and control methods that Huawei refuses to add.

------
0815test
Possibly relevant?
[https://news.ycombinator.com/item?id=19513727](https://news.ycombinator.com/item?id=19513727)

------
vesinisa
The Reg (no paywall):
[https://www.theregister.co.uk/2019/03/28/hcsec_huawei_oversi...](https://www.theregister.co.uk/2019/03/28/hcsec_huawei_oversight_board_savaging_annual_report/)

------
sqldba
Don’t bother, it’s just FUD with zero detail, nor does it do anything to acknowledge
that the US or UK are as bad as China.

~~~
kharms
Why would the U.K. be concerned with the U.K. as a security risk?

------
ganeshkrishnan
One thing that makes Huawei really suspicious is that they lock the bootloader
and offer no way to unlock it. This makes it impossible to root it, and Xiaomi
is even making it harder; they make you wait 15 days after the first try.

They are making it harder and harder to remove the crapware that comes
preinstalled in their phones and blatantly sends all data back to their server.

~~~
A2017U1
Xiaomi is possibly among the best vendors on Earth for unlocking a bootloader;
there's a reason LineageOS supports nearly all their models.

Absolutely bizarre statement, who are you comparing them to? Samsung? Apple?
Virtually every phone company on Earth provides no unlock support.

There's no wait time for Android One models either.

~~~
ganeshkrishnan
They are making it harder to unlock the bootloader. The latest ones, including the Mi 9,
have a waiting period of 15 days.

I always had a Nexus or OnePlus and they both are pretty easy to unlock.

