Vodafone denies historic Huawei “vulnerabilities” posed Italy security threat

Vodafone and Huawei have both denied that “vulnerabilities” in Huawei equipment supplied to Vodafone Italia between 2009 and 2012 posed a security risk or amounted to a “hidden backdoor”.

The rebuttal follows a Bloomberg report alleging that Vodafone identified security flaws in software that could have given Huawei unauthorised access to the carrier’s fixed-line network in Italy.

The latest row comes amid ongoing global debate about whether Huawei’s equipment should be used in 5G networks, following allegations from the US that it could be used by the Chinese government to spy. Huawei vociferously denies these claims.

Bloomberg’s report was based on Vodafone’s security briefing documents from 2009 and 2011, “as well as people involved in the situation”, the article said.

Vodafone and Huawei both confirmed the vulnerabilities were discovered in the Chinese routers, but denied they amounted to “hidden backdoors” that could be used to spy.

Telnet

In a widely reported statement, Vodafone said: “The issues in Italy identified in the Bloomberg story were all resolved and date back to 2011 and 2012.

“The ‘backdoor’ that Bloomberg refers to is Telnet, which is a protocol that is commonly used by many vendors in the industry for performing diagnostic functions. It would not have been accessible from the internet.

“Bloomberg is incorrect in saying that this ‘could have given Huawei unauthorised access to the carrier’s fixed-line network in Italy’.

“In addition, we have no evidence of any unauthorised access. This was nothing more than a failure to remove a diagnostic function after development.

“The issues were identified by independent security testing, initiated by Vodafone as part of our routine security measures, and fixed at the time by Huawei.”

Industry-wide challenge

A Huawei spokesperson is quoted as saying: “We were made aware of historical vulnerabilities in 2011 and 2012 and they were addressed at the time.

“Software vulnerabilities are an industry-wide challenge. Like every ICT [information and communications technology] vendor, we have a well-established public notification and patching process, and when a vulnerability is identified, we work closely with our partners to take the appropriate corrective action.”

Earlier this week, Dutch operator KPN said it had signed an agreement with Huawei to upgrade its mobile radio and antenna network but would select a “Western vendor” for the core 5G network. The UK is expected to mandate a similar approach.