> We have no real (at least not this in depth) assurance that products from rival vendors are more secure.
This. Huawei may be bad but most embedded devices (routers, switches, motherboards, etc) are just bad across the board. The fact that embedded devices are treated like black boxes allows vendors to ship messy code and out of date libraries. Hopefully, governments and companies will wise up and start demanding the release of (a portion of) the source and/or requiring 3rd party audits/code review, which would incentivize manufacturers to consolidate code bases and fix bugs, not individual products.
I suspect using really old and shoddily cobbled together software is one of the reasons vendors usually don't like you looking under the hood.
I recently figured out how to power off a Brocade switch (there is no native command for it) and ended up enabling a hidden command that allowed me to run poweroff via bash.
Bash was version 2.04, almost 20 years old! Now, it hopefully isn't used in any security-sensitive contexts to enable exploitation (or maybe it's a custom patched version), but it is sort of indicative of how these things get built.
I like this quote from The Register’s take on the story:
> "I think this presents the UK government with an interesting dilemma - the HCSEC was set up essentially because of concerns about threats from the Chinese state to UK CNI (critical national infrastructure). Finding general issues is a good thing, but other vendors are not subject to this level of scrutiny. We have no real (at least not this in depth) assurance that products from rival vendors are more secure."
I wouldn’t be surprised if a lot of other vendors would exhibit the same sort of issues if observed under the same lens.
They probably mean it has fewer exploitable security flaws than local HW, for which they can add their own backdoors at will. Huawei is known to be better than most other router vendors, esp. Cisco, which is just laughably bad at security, and which does expose the government-mandated "lawful" interception and control methods that Huawei refuses to add.
One thing that makes Huawei really suspicious is that they lock the bootloader and offer no way to unlock it. This makes it impossible to root it, and Xiaomi is even making it harder; they make you wait 15 days after the first try.
They are making it harder and harder to remove the crapware that comes preinstalled in their phones that blatantly sends all data back to their server.