WASHINGTON—Telecommunications gear made by China’s Huawei Technologies Co. is far more likely to contain flaws that could be leveraged by hackers for malicious use than equipment from rival companies, according to new research by cybersecurity experts that top U.S. officials said appeared credible.
Over half of the nearly 10,000 firmware images encoded into more than 500 variations of enterprise network-equipment devices tested by the researchers contained at least one such exploitable vulnerability, the researchers found. Firmware is the software that powers the hardware components of a computer.
The tests were compiled in a new report that has been submitted in recent weeks to senior officials in multiple government agencies in the U.S. and the U.K., as well as to lawmakers. The report is notable both for its findings and because it is circulating widely among Trump administration officials who said it further validated their policy decisions toward Huawei.
“This report supports our assessment that since 2009, Huawei has maintained covert access to some of the systems it has installed for international customers,” said a White House official who reviewed the findings. “Huawei does not disclose this covert access to customers nor local governments. This covert access enables Huawei to record information and modify databases on those local systems.”
The report, reviewed by The Wall Street Journal, was prepared by Finite State, a Columbus, Ohio-based cybersecurity firm.
While the report documents what it calls extensive cybersecurity flaws found in Huawei gear and a pattern of poor security decisions purportedly made by the firm’s engineers, it stops short of accusing the company of deliberately building weaknesses into its products. It also didn’t directly address U.S. claims that Huawei likely conducts electronic espionage for the Chinese government, which Huawei has long denied.
A Huawei official said the company welcomed independent research that could help improve the security of its products but added he couldn’t comment on specifics in the Finite State report because it wasn’t shared in full with the company.
“Without any details, we cannot comment on the professionalism and robustness of the analysis,” the Huawei official said.
Based in Shenzhen, Huawei is the world’s largest telecommunications equipment provider and a leader in next-generation 5G wireless technology.
Huawei has emerged as a central fixture in the growing rift between the U.S. and China over technology, especially with the approach of 5G cellular technology.
The Commerce Department in May cited national-security concerns when it added the telecommunications giant to its “entity list,” which prevents companies from supplying U.S.-origin technology to Huawei without U.S. government approval.
Finite State Chief Executive Matt Wyckhouse co-founded the firm in 2017, after spending nearly 13 years at nearby Battelle, a private, nonprofit applied-science and technology firm that does work in the private and public sectors.
Mr. Wyckhouse, a computer scientist who worked in Battelle’s national security division handling defense and intelligence-community contracts, said Finite State did the work pro-bono and not on behalf of any government. He also said he felt the best way to make policy makers aware of the issues was to make his firm’s research available to the public. He plans to publish it this week.
“We want 5G to be secure,” Mr. Wyckhouse said.
Finite State said it used proprietary, automated systems to analyze more than 1.5 million unique files embedded within nearly 10,000 firmware images supporting 558 products within Huawei’s enterprise-networking product lines.
The company said the rate of vulnerabilities found in Huawei equipment was far higher than the average found in devices manufactured by its rivals, and that 55% of firmware images tested contained at least one vulnerability—which the authors described as a “potential backdoor”— that could allow an attacker with knowledge of the firmware and a corresponding cryptographic key to log into the device.
The report includes a case study comparing one of Huawei’s high-end network switches against similar devices from Arista Networks and Juniper Networks Inc. It found that Huawei’s device had higher risk factors in six of nine categories, generally by a substantial margin.
“In our experience, across the board, these are the highest numbers we have ever seen,” Mr. Wyckhouse said.
In one instance in the case study, Huawei’s network switch registered a 91% risk percentile for the number of credentials with hard-coded default passwords compared against all of Finite State’s entire firmware data set.
By comparison, the risk level for Arista and Juniper was rated at 0%.
Chris Krebs, the top cybersecurity official at the Department of Homeland Security, said Finite State’s research added to existing concerns about Huawei equipment and the conclusion that the company hasn’t shown the intent or capability to improve its security practices.
“With Huawei having not demonstrated the technical proficiency or the commitment to build, deploy, and maintain trustworthy and secure equipment, magnified by the Chinese government’s potential to influence or compel a company like Huawei to do its bidding, we find it an unacceptable risk to use Huawei equipment today and in the future,” Mr. Krebs said.
White House officials who reviewed the Finite State report said the findings revealed flagrant violations of standard protocols. They said the report’s findings also suggested Huawei may be purposely designing its products to include weaknesses.
For example, some of the vulnerabilities found are well-known cybersecurity problems that aren’t difficult to avoid. Of the devices tested, 29% had at least one default username and password encoded into the firmware which could allow malicious actors easy access to those devices if the credentials were left unchanged, according to the report.
A particularly unusual finding was that security problems became quantifiably worse in at least one instance for users who patched a network switch with an updated version of firmware compared with the two-year-old version being replaced. Patches are intended to reduce cybersecurity weaknesses, but a comparison of the two versions found the newer one performed worse across seven of nine categories measured.
“For years, Huawei has essentially dared the international community to identify the security vulnerabilities that have so often been alleged regarding the use of the company’s products,” said Michael Wessel, a member of the U.S.-China Economic and Security Review Commission, a bipartisan panel that makes recommendations to Congress. “It’s hard to see the range and depth of the vulnerabilities identified by Finite State to be anything other than intentional.”
The U.K.’s National Cyber Security Centre also reviewed the Finite State research, people familiar with the matter said, and found it broadly aligned with the technical analysis in the agency’s own report, published in March. The U.K. report accused Huawei of repeatedly failing to address known security flaws in its products and admonished the firm for failing to demonstrate a commitment to fixing them.
A 2012 U.S. government review of security risks associated with Huawei didn’t find clear evidence that the company was being used by China as a tool for espionage, but concluded its gear presented cybersecurity risks due to the presence of many vulnerabilities that could be leveraged by hackers.
Rep. Mike Gallagher, (R., Wis.), said the report highlights the urgency for members of Congress and others to stop Huawei from taking over the global telecommunications supply chain.
“I’ve long thought we should treat Huawei as an appendage of the Chinese Communist Party,” said Mr. Gallagher, who earlier this year introduced legislation targeting Chinese telecommunications firms. “But even I was taken aback by the scale of the security flaws within Huawei’s network architecture as revealed by the report.”