Huawei Equipment Has Major Security Flaws, U.K. Says (wsj.com)
39 points by JumpCrisscross on March 29, 2019 | 12 comments



> We have no real (at least not this in depth) assurance that products from rival vendors are more secure.

This. Huawei may be bad but most embedded devices (routers, switches, motherboards, etc) are just bad across the board. The fact that embedded devices are treated like black boxes allows shipping messy code and out of date libraries. Hopefully, governments and companies will wise up and start demanding the release of (a portion of) the source and/or requiring 3rd party audits/code review which would incentivize manufacturers to consolidate code bases and fix bugs not individual products.


I suspect using really old and shoddily cobbled together software is one of the reasons vendors usually don't like you looking under the hood.

I recently figured out how to power off a Brocade switch (there is no native command for it) and ended up enabling a hidden command that allowed me to run poweroff via bash.

Bash was version 2.04, almost 20 years old! Now, it hopefully isn't used in any security-sensitive contexts to enable exploitation (or maybe it's a custom patched version), but it is sort of indicative of how these things get built.


I like this quote from The Register’s take on the story:

> "I think this presents the UK government with an interesting dilemma - the HCSEC was set up essentially because of concerns about threats from the Chinese state to UK CNI (critical national infrastructure). Finding general issues is a good thing, but other vendors are not subject to this level of scrutiny. We have no real (at least not this in depth) assurance that products from rival vendors are more secure."

I wouldn’t be surprised if a lot of other vendors would exhibit the same sort of issues if observed under the same lens.


This is really funny:

#define SAFE_LIBRARY_memcpy(dest, destMax, src, count) memcpy(dest, src, count)
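
The macro quoted in the comment above takes a `destMax` argument and never uses it. As an added example (not part of the thread and not any vendor's code), this puts the quoted macro beside a hypothetical `checked_memcpy` that enforces the bound; the `record` struct, the return codes and the sample bytes are constructed assumptions:

```c
#include <stdio.h>
#include <string.h>

/* The macro as quoted in the comment: destMax is accepted, then discarded. */
#define SAFE_LIBRARY_memcpy(dest, destMax, src, count) memcpy(dest, src, count)

/* Hypothetical checked wrapper (name and return codes are assumptions).
 * Returns 0 on success, -1 if the copy is refused. */
int checked_memcpy(void *dest, size_t destMax, const void *src, size_t count)
{
    if (dest == NULL || destMax == 0)
        return -1;
    if (src == NULL || count > destMax) {
        memset(dest, 0, destMax);   /* fail closed: no partial or stale data */
        return -1;
    }
    memcpy(dest, src, count);
    return 0;
}

/* Constructed layout: an 8-byte field followed directly by a neighbour. */
struct record { unsigned char name[8]; unsigned char tag[4]; };

/* Copies 12 constructed bytes while declaring a destination bound of 8.
 * Returns 1 if the neighbouring tag field was overwritten, 0 if intact. */
int neighbour_clobbered(int use_checked)
{
    struct record r;
    unsigned char input[12];

    memset(&r, 0, sizeof r);
    memcpy(r.tag, "TAG", 4);
    memset(input, 'A', sizeof input);
    if (use_checked)
        (void)checked_memcpy(&r, sizeof r.name, input, sizeof input);
    else
        SAFE_LIBRARY_memcpy(&r, sizeof r.name, input, sizeof input);
    return memcmp(r.tag, "TAG", 4) != 0;
}

int main(void)
{
    printf("macro as quoted: tag clobbered = %d\n", neighbour_clobbered(0));
    printf("checked wrapper: tag clobbered = %d\n", neighbour_clobbered(1));
    return 0;
}
```

A quick audit check for wrappers of this kind is to grep for macros whose expansion omits one of their own parameters.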


They probably mean it has less exploitable security flaws than local HW, for which they can add their own backdoors at will. Huawei is known to be better than most other router vendors, esp. Cisco which is just laughably bad at security, and which does expose the government mandated "lawful" interception and control methods that Huawei refuses to add.




Don’t bother, it’s just FUD with zero detail, nor does it do anything to acknowledge that the US or UK are as bad as China.


Why would the U.K. be concerned with the U.K. as a security risk?


One thing that makes Huawei really suspicious is that they lock the bootloader and offer no way to unlock it. This makes it impossible to root it and Xiaomi is even making it harder; they make you wait 15 days after the first try.

They are making it harder and harder to remove the crapware that comes preinstalled in their phones that blatantly sends all data back to their server.


Xiaomi is possibly among the best vendors on Earth for unlocking a bootloader; there's a reason LineageOS supports nearly all their models.

Absolutely bizarre statement, who are you comparing them to? Samsung? Apple? Virtually every phone company on Earth provides no unlock support.

There's no wait time for Android One models either.


They are making it harder to unlock the bootloader. The latest ones, including the Mi 9, have a waiting period of 15 days.

I always had a Nexus or OnePlus and they both are pretty easy to unlock.



