Vodafone sources claim Huawei created a “backdoor” for its home routers and network switching equipment and then lied about removing it

Vodafone discovered that the home routers Huawei provided for its Italian residential broadband business had a “backdoor” — an open telnet interface that could allow attackers to take over the router and surveil the user’s network. After Vodafone complained, Huawei released an update that it claimed removed the interface; according to Vodafone sources, that claim was a lie.

Bloomberg’s Daniele Lepido broke the story, and it’s a little confusing. The term “backdoor” implies that Huawei left an interface open so that it could do something nefarious, like conducting surveillance on Vodafone’s customers, but Huawei’s statements about the interface imply that it was a sloppy mistake — they say that the telnet interface was used as part of the setup and configuration process, and that they couldn’t remove it altogether without making it hard (or maybe impossible?) to set up their routers.

If Huawei is to be believed, then they are guilty of terrible security practices (that’s a really stupid way to design a router), but not necessarily guilty of a “backdoor” in the customary sense of the word. But as one expert quoted by Bloomberg notes, if you were going to design a deliberate backdoor, you’d be smart to disguise it as a programming error.

Much more damning (and somewhat buried in the Bloomberg reporting) is the presence of telnet interfaces in “optical service nodes” (which are used for managing fiber optic traffic) and “broadband network gateways” (which bridge between customer equipment like home routers and internet backbones). A criminal or state actor who compromised these systems could conduct mass surveillance, as opposed to merely spying on (or compromising the devices of) a single household.

Vodafone told Bloomberg that it discovered these defects (or backdoors, or whatever) in 2011 and 2012, and that Huawei fixed them. But unnamed Vodafone sources told Bloomberg that this is a lie: when Vodafone checked to verify whether Huawei had patched its equipment, they discovered that it was still vulnerable.

Vodafone has recently taken up a vigorous defense of Huawei, whose equipment will be used in Vodafone’s UK 5G rollout. Bloomberg’s sources said that Vodafone’s defense of Huawei was motivated by cost-savings, because Huawei is cheaper than its competitors.

Vodafone managers had concerns with the security of the routers almost right away. They were the topic of an internal presentation from October 2009 that pointed to 26 open bugs in the routers, six identified as “critical” and nine as “major.” Vodafone said in the report that Huawei would need to remove or inhibit a so-called telnet service—a protocol used to control devices remotely—that the carrier said was a backdoor giving Huawei access to sensitive data.

In January 2011, Vodafone Italy started a deeper probe of the routers, according to an April report from the year. Security testing by an independent contractor identified the telnet backdoor as the greatest concern, posing risks including giving unauthorized access to Vodafone’s broader Wide Area Network (WAN is a network that spans a large footprint). Vodafone noted that it’s an industry practice by some router manufacturers to use a telnet service to manage their equipment, but the company said it didn’t allow this.

The document chronicles a two-month period during which Vodafone’s Italian unit discovered the telnet service, demanded its removal by Huawei and received assurances from the supplier that the problem was fixed. After further testing, Vodafone found that the telnet service could still be launched.

Vodafone said Huawei then refused to fully remove the backdoor, citing a manufacturing requirement. Huawei said it needed the telnet service to configure device information and conduct tests including on wifi, and offered to disable the service after taking those steps, according to the document.
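The lesson in the Bloomberg excerpt is the re-test: Vodafone did not take the supplier’s “fixed” assurance at face value, it checked whether the telnet service could still be reached. The script below is an added example (not from Boing Boing, Bloomberg, Vodafone or Huawei; how Vodafone’s contractor actually tested is not described) showing the minimal form of that check: connect to a device’s telnet port and see whether anything telnet-like answers, then treat the fix as verified only when the port is closed. The stand-in “router telnetd” bound to 127.0.0.1 and its login banner are constructed so the example runs offline.

```python
import socket
import threading

# 0xFF is the telnet IAC ("Interpret As Command") byte; real telnet daemons
# usually open with option negotiation (IAC DO/WILL ...) before any login prompt.
TELNET_IAC = 0xFF


def probe_telnet(host, port=23, timeout=2.0):
    """Connect to host:port and report whether a telnet-like service answers.

    Returns a dict with:
      open    - a TCP connection was accepted on the port
      telnet  - the peer sent IAC negotiation bytes or a login prompt
      banner  - the first bytes received (empty if the peer stayed silent)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                banner = sock.recv(256)
            except socket.timeout:
                banner = b""
    except OSError:
        # ECONNREFUSED, EHOSTUNREACH, connect timeout, ... -> nothing listening
        return {"open": False, "telnet": False, "banner": b""}
    looks_telnet = TELNET_IAC in banner[:16] or b"login" in banner.lower()
    return {"open": True, "telnet": looks_telnet, "banner": banner}


def fix_verified(host, port=23, timeout=2.0):
    """True only when the port is closed, i.e. the service really is gone.

    An open port that stays silent is still reported as NOT verified: a
    listener that merely hides its banner is not the same as a removed one.
    """
    return not probe_telnet(host, port, timeout)["open"]


def start_fake_telnet(banner=b"\xff\xfd\x18\xff\xfd\x20login: "):
    """Constructed stand-in for a router telnetd (assumption: real devices
    behave similarly), bound to 127.0.0.1 on an ephemeral port so the example
    runs offline. Returns (port, stop) where stop() shuts the listener down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)  # lets the serve loop notice the stop flag promptly
    port = srv.getsockname()[1]
    stopping = threading.Event()

    def serve():
        while not stopping.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    conn.sendall(banner)  # greet like a telnetd, then hang up
                except OSError:
                    pass
        srv.close()  # after this, connects get ECONNREFUSED

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()

    def stop():
        stopping.set()
        thread.join()

    return port, stop


if __name__ == "__main__":
    port, stop = start_fake_telnet()
    print("supplier says 'fixed', port still answers:", probe_telnet("127.0.0.1", port))
    print("fix verified?", fix_verified("127.0.0.1", port))
    stop()  # the service is actually removed this time
    print("fix verified?", fix_verified("127.0.0.1", port))
```

Point the probe at the LAN-side address of a router you administer (port 23, or whatever port the vendor documents) and run it before and after applying the supplier’s update; a result of `open: True` after the “fix” is exactly the finding the Bloomberg sources describe.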

Vodafone Found Hidden Backdoors in Huawei Equipment [Daniele Lepido/Bloomberg]

(Image: Mystica)