COLUMBUS, OH – June 26, 2019 – Finite State, the pioneer in Internet of Things (IoT) device intelligence, today issued results from a large-scale study it conducted of the cybersecurity-related risks embedded within Huawei enterprise devices by analyzing Huawei firmware at an unprecedented scale. Utilizing its automated system to look at more than 1.5 million files embedded within nearly 10,000 firmware images supporting 558 products within Huawei’s enterprise networking product lines, Finite State found several classes of security issues, concluding that Huawei devices pose a quantifiable high risk to their users. Of all the firmware images analyzed, 55% had at least one potential backdoor.
China’s Huawei is the dominant provider of equipment used in the coming 5G networks that will usher in the next generation of consumer, enterprise and industrial technology. Concerns that using Huawei equipment could offer the Chinese government access to 5G networks, which could be used to execute espionage or military missions, has led countries to take measures to limit their risks, including outright bans of Huawei products. Until today’s report by Finite State, assumptions about the extent of cybersecurity vulnerabilities in Huawei devices has never been proven.
“At Finite State, we believe that increased transparency leads to better security for everyone. Fundamentally, policymakers should be making data-driven decisions about which risks they are, and are not, willing to take. Our analysis looked for risks including hard-coded backdoor credentials, unsafe use of cryptographic keys, indicators of insecure software development practices, and the presence of known and so-called 0-days, where a vulnerability exists but has never been publicly reported. Our analysis revealed that Huawei devices quantitatively pose a high risk to their users, which is particularly concerning given Huawei’s dominance on the eve of 5G implementation,” said Matt Wyckhouse, founder and CEO of Finite State.
Finite State analyzes firmware inside IoT devices, proactively identifying risks, detecting attacks and enabling robust response. Built by a team with backgrounds in the U.S. Intelligence Community, Finite State provides deep insight into hidden vulnerabilities on the network to help users understand and mitigate risks, detect advanced threats and respond to attacks.
The analysis found:
- Numerous instances of backdoor access vulnerabilities. These vulnerabilities enable an attacker with knowledge of the firmware and/or with a corresponding cryptographic key to log in to the device.
- Universally, Huawei devices were shown to have a very high number of known security vulnerabilities. On average, each device tested had 102 known vulnerabilities in its firmware — increasing the likelihood of being compromised by attackers.
- Despite claims of investing in security, Huawei engineers were found to have routinely made poor security decisions in building the devices, significantly increasing the potential for serious vulnerabilities.
- Huawei devices have substantially worse security than similar devices from other vendors.
- Prior Huawei claims that devices and their firmware’s security properties could not be tested at scale were disproven: Finite State’s firmware analysis platform, Iotasphere, was able to process and analyze 9,936 firmware images comprised of more than 1.5 million files in 36 hours.
“Despite Huawei’s claims about investing in security, they appear to be behind the rest of the industry in almost every respect. This overall weak security posture is concerning and obviously increases the security risks associated with use of Huawei devices,” Wyckhouse said. “Whether those risks were introduced intentionally or accidentally is out of the scope of a technical assessment, and thus we cannot and do not draw any conclusions relating to intent.”
The report is available via FiniteState.io.
About Finite State
Finite State provides comprehensive IoT cybersecurity for enterprise networks. With backgrounds in the US Intelligence Community, our team understands the intricacies of IoT risk better than anyone. IoT has become the entry point of choice for cyber attacks, and attackers have the edge in their ability to target and exploit trivial vulnerabilities in IoT firmware. Finite State gives defenders a tactical advantage by providing deep visibility and proactive protection of every device on their network, deterring even the most sophisticated actors. Learn more about Finite State at www.finitestate.io.