Huawei's UK code reviewers say the company is still crap at basic software security

UK.gov security researchers examining Huawei source code have so far verified just eight firmware binaries out of more than 60 used across Britain's mobile phone networks, according to the GCHQ-backed agency's annual report.


The Huawei Cyber Security Evaluation Centre (HCSEC) – mostly run by GCHQ offshoot the National Cyber Security Centre (NCSC), though it is also staffed by some Huawei personnel – sighed that the Chinese company has made "limited" progress on last year's recommendations to toughen up its act.


Code reviewers found "evidence that Huawei continues to fail to follow its own internal secure coding guidelines. This is despite some minor improvements over previous years." In addition, "The Cell" (as HCSEC is known) said it had found more vulnerabilities during 2019 than it had in previous years – though Huawei was keen to paint this finding as "proof the review system is working", something NCSC guardedly agreed with.


"NCSC does not view the increase in vulnerabilities as an indicator of a further decline in Huawei's product quality, but it certainly does not indicate any marked improvement or transformation," said the agency in its report.


There was nothing in the report suggesting the Chinese state had planted intentional backdoors in code – though there was plenty to suggest that Huawei simply isn't taking the task of building robust and secure software and firmware with the requisite seriousness.


Vulns uncovered by HCSEC researchers poring through the source code of Huawei's mobile network equipment firmware included "unprotected stack overflows in publicly accessible protocols, protocol robustness errors leading to denial of service, logic errors, cryptographic weaknesses, default credentials" as well as "many other basic vulnerability types".
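Two of the classes on that list, "unprotected stack overflows in publicly accessible protocols" and length-handling "protocol robustness errors leading to denial of service", share one root cause: a parser that trusts a length field supplied by whoever is on the other end of the wire. The following is an added illustration, not code from the HCSEC report or from Huawei's firmware; the three-byte header format, the packet contents and the function names are all constructed for this example. It puts the unchecked pattern beside the hardened one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format, constructed for this example (not Huawei's):
 *   byte 0     message type
 *   bytes 1-2  big-endian payload length
 *   bytes 3..  payload: a device name, NUL-terminated by the parser
 */
#define NAME_MAX 32

enum {
    MSG_OK            =  0,
    MSG_ERR_SHORT_HDR = -1,  /* fewer than 3 bytes arrived */
    MSG_ERR_TRUNCATED = -2,  /* length field claims bytes that never arrived */
    MSG_ERR_TOO_LONG  = -3   /* payload would not fit the name buffer */
};

/* Vulnerable pattern: the attacker-controlled length field is trusted.
 * A length above NAME_MAX - 1 overwrites the stack beyond `name` (the
 * classic unprotected stack overflow); a length above the received size
 * reads past the packet (the robustness/DoS variant). It is here only to
 * show the shape of the bug; call it with well-formed packets only. */
int parse_name_unchecked(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_len)
{
    char name[NAME_MAX];
    uint16_t len = (uint16_t)((pkt[1] << 8) | pkt[2]);
    (void)pkt_len;                  /* never consulted */
    memcpy(name, pkt + 3, len);     /* unbounded copy into a fixed stack buffer */
    name[len] = '\0';
    snprintf(out, out_len, "%s", name);
    return MSG_OK;
}

/* Hardened pattern: every byte count is checked against what actually
 * arrived and against the destination size before anything is copied,
 * and a bad packet is rejected with a status code instead of crashing. */
int parse_name_checked(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_len)
{
    if (pkt_len < 3)
        return MSG_ERR_SHORT_HDR;
    uint16_t len = (uint16_t)((pkt[1] << 8) | pkt[2]);
    if (len > pkt_len - 3)          /* pkt_len >= 3 here, so no underflow */
        return MSG_ERR_TRUNCATED;
    if (len >= out_len)             /* leave room for the terminating NUL */
        return MSG_ERR_TOO_LONG;
    memcpy(out, pkt + 3, len);
    out[len] = '\0';
    return MSG_OK;
}

/* Constructed sample packets. */
static const uint8_t pkt_good[]  = { 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t pkt_lying[] = { 0x01, 0xFF, 0xFF, 'h', 'i' };   /* claims 65535 bytes */
static uint8_t pkt_long[3 + 40];                                     /* honest length, 40-byte name */

/* Returns the checked parser's verdict on constructed sample `which` (0..2). */
int sample_verdict(int which)
{
    char out[NAME_MAX];
    pkt_long[0] = 0x01; pkt_long[1] = 0x00; pkt_long[2] = 40;
    memset(pkt_long + 3, 'A', 40);
    switch (which) {
    case 0:  return parse_name_checked(pkt_good,  sizeof pkt_good,  out, sizeof out);
    case 1:  return parse_name_checked(pkt_lying, sizeof pkt_lying, out, sizeof out);
    case 2:  return parse_name_checked(pkt_long,  sizeof pkt_long,  out, sizeof out);
    default: return MSG_ERR_SHORT_HDR;
    }
}

/* Returns 1 if the unchecked parser yields "hello" for the well-formed packet. */
int unchecked_handles_good(void)
{
    char out[NAME_MAX];
    parse_name_unchecked(pkt_good, sizeof pkt_good, out, sizeof out);
    return strcmp(out, "hello") == 0;
}

int main(void)
{
    printf("unchecked parser on well-formed packet ok: %d\n", unchecked_handles_good());
    for (int i = 0; i < 3; i++)
        printf("checked parser, sample %d: verdict %d\n", i, sample_verdict(i));
    return 0;
}
```

The checked parser rejects the packet whose header claims 65535 bytes (the over-read case) and the one whose honest 40-byte name would not fit a 32-byte buffer (the overflow case); only the first sample is accepted. A secure-coding guideline of the kind the report says Huawei has but does not follow would require the second shape of parser everywhere a length field crosses a trust boundary.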


Is this a backdoor?


Binary e ..