Vodafone is said to have found Huawei security flaws from 2009

For months, Huawei Technologies Co. has faced U.S. allegations that it flouted sanctions on Iran, attempted to steal trade secrets from a business partner and threatened to enable Chinese spying through the telecom networks it has built across the West.

Now Vodafone Group has acknowledged to Bloomberg that it found vulnerabilities going back years with equipment supplied by Shenzhen-based Huawei for the carrier’s Italian business. While Vodafone says the issues were resolved, the revelation may further damage the reputation of a major symbol of China’s global technology prowess.

Europe’s biggest phone company identified hidden back doors in the software that could have given Huawei unauthorized access to the carrier’s fixed-line network in Italy, a system that provides internet service to millions of homes and businesses, according to Vodafone’s security briefing documents from 2009 and 2011 seen by Bloomberg, as well as people involved in the situation.

Vodafone asked Huawei to remove back doors in home internet routers in 2011 and received assurances from the supplier that the issues were fixed, but further testing revealed that the security vulnerabilities remained, the documents show. Vodafone also identified back doors in parts of its fixed-access network known as optical service nodes, which are responsible for transporting internet traffic over optical fibers, and other parts called broadband network gateways, which handle subscriber authentication and access to the internet, the people said. The people asked not to be identified because the matter was confidential.

Back doors allow their users to bypass security controls to access a computer system or encrypted data. While back doors can be commonly built into some network equipment and software so technicians can manage the gear, they can also be exploited by attackers. In Vodafone’s case, the risks included possible third-party access to customers’ personal computers and home networks, according to the internal documents.

RELATED: The man behind Huawei »

The Trump administration, arguing that such end runs around security in Huawei’s equipment could invite espionage by the Chinese state, is trying to persuade Western allies to block the company from participating in building the next generation of mobile networks. Huawei has repeatedly denied that it creates back doors and says it’s not beholden to Beijing.

Huawei’s ability to continue winning contracts from London-based Vodafone, despite the carrier’s security concerns, underscores the challenge facing the U.S. as it tries to restrain the world’s top telecom equipment vendor and No. 2 supplier of smartphones. Huawei is vying against a stable of Western companies including Nokia Oyj and Ericsson AB to roll out fifth-generation, or 5G, wireless networks.

Vodafone has defended Huawei against the U.S. onslaught, which has placed Europe — Huawei’s largest market outside China — in the middle of a trade battle between two superpowers. At stake is leadership in key areas, principally 5G technology that’s designed to support the internet of things and new applications in industries spanning automotive, energy, healthcare and more. Vodafone Chief Executive Nick Read has joined peers in publicly opposing any bans on Huawei from 5G rollouts, warning of higher costs and delays. The defiance shows that countries across Europe are willing to risk rankling the U.S. in the name of 5G preparedness.

In a statement to Bloomberg, Vodafone said it found vulnerabilities with the routers in Italy in 2011 and worked with Huawei to resolve the issues that year. There was no evidence of any data being compromised, it said. The carrier also identified vulnerabilities with the Huawei-supplied broadband network gateways in Italy in 2012 and said those were resolved the same year. Vodafone also said it found records that showed vulnerabilities in several Huawei products related to optical service nodes. It didn’t provide specific dates and said the issues were resolved. It said it couldn’t find evidence of historical vulnerabilities in routers or broadband network gateways beyond Italy.

“In the telecoms industry it is not uncommon for vulnerabilities in equipment from suppliers to be identified by operators and other third parties,” the company said. “Vodafone takes security extremely seriously and that is why we independently test the equipment we deploy to detect whether any such vulnerabilities exist. If a vulnerability exists, Vodafone works with that supplier to resolve it quickly.”

In a statement, Huawei said it was made aware of historical vulnerabilities in 2011 and 2012 and they were addressed at the time. A company spokesman said the flaws in the equipment were related to maintenance and diagnostic functions common across the industry, as well as vulnerabilities. “There is absolutely no truth in the suggestion that Huawei conceals back doors in its equipment.”

However, Vodafone’s account of the issue was contested by people involved in the security discussions between the companies. Vulnerabilities in both the routers and the fixed-access network remained beyond 2012 and were also present in Vodafone’s businesses in the U.K., Germany, Spain and Portugal, said the people. Vodafone stuck with Huawei because the services were competitively priced, they said.

Although back doors are common in home routers, they are usually fixed by manufacturers once disclosed, said Eric Evenchick, principal research consultant at Atredis Partners, a U.S.-based cybersecurity firm. Evenchick called the situation with Huawei’s equipment “very concerning.”

Founded in 1987, Huawei entered the European market in 2000. Landmark contracts with Britain’s BT Group and Norway’s TeliaSonera helped Huawei win market share from, and eventually surpass, Nokia and Ericsson.

Vodafone started buying Wi-Fi routers from Huawei in 2008 for its Italian business and, later, for the U.K., Germany, Spain and Portugal. Routers distribute data on internet networks.

Vodafone managers had concerns with the security of the routers almost right away. They were the topic of an internal presentation in October 2009 that pointed to 26 open bugs in the routers, six identified as “critical” and nine as “major.” Vodafone said in the report that Huawei would need to remove or inhibit a so-called telnet service — a protocol used to control devices remotely — that the carrier said was a back door giving Huawei access to sensitive data.

In January 2011, Vodafone Italy started a deeper probe of the routers, according to an April report from that year. Security testing by an independent contractor identified the telnet back door as the greatest concern, posing risks including giving unauthorized access to Vodafone’s broader wide area network. Vodafone noted that it’s an industry practice by some router manufacturers to use a telnet service to manage their equipment, but the company said it didn’t allow this.

The document chronicles a two-month period during which Vodafone’s Italian unit discovered the telnet service, demanded its removal by Huawei and received assurances from the supplier that the problem was fixed. After further testing, Vodafone found that the telnet service could still be launched.

Vodafone said Huawei then refused to fully remove the back door, citing a manufacturing requirement. Huawei said it needed the telnet service to configure device information and conduct tests, and offered to disable the service after taking those steps, according to the document.

Huawei’s apparent reluctance only amplified concerns circulating even then that the company might pose a security threat to customers.

How Huawei became a target for governments

“Unfortunately for Huawei the political background means that this event will make life even more difficult for them in trying to prove themselves an honest vendor,” Vodafone said in the April 2011 document authored by its chief information security officer at the time, Bryan Littlefair. He noted that Vodafone had made a recent security visit to Shenzhen and said he was surprised that Huawei hadn’t given the matter a greater priority.

“What is of most concern here is that actions of Huawei in agreeing to remove the code, then trying to hide it, and now refusing to remove it as they need it to remain for ‘quality’ purposes,” Littlefair wrote.

Huawei declined to comment on the concerns raised by Littlefair. Littlefair didn’t respond to requests for comment.

“There’s no specific way to tell that something is a back door and most back doors would be designed to look like a mistake,” said Stefano Zanero, an associate professor of computer security at Polytechnic University of Milan. “That said, the vulnerabilities described in the Vodafone reports from 2009 and 2011 have all the characteristics of back doors: deniability, access and a tendency to be placed again in subsequent versions of the code,” he said.

Huawei called software vulnerabilities “an industry-wide challenge.” In a statement, it said: “Like every ICT vendor we have a well-established public notification and patching process, and when a vulnerability is identified we work closely with our partners to take the appropriate corrective action.”

Huawei has expanded its relationship with Vodafone well beyond routers and is now its fourth-largest supplier, behind Apple, Nokia and Ericsson. Huawei’s gear is found across Vodafone’s wireless networks in Europe; in the U.K., equipment from Huawei accounts for about one-third of the radio-access network, a crucial piece of the infrastructure.

Some telecom companies have taken steps to limit Huawei’s access to the most sensitive parts of their networks, amid the added government scrutiny. In January, Vodafone’s CEO Read said the company had paused purchases of Huawei equipment for the core of its mobile networks in Europe, citing too much “noise” around the situation.

Still, carriers including Vodafone are resisting suggestions that Huawei be banned in Europe because they’ve come to rely so heavily on the supplier. Abandoning Huawei for 5G, with Europe already lagging behind China and the U.S., could force them to rip out the supplier’s 4G gear, a process that could take years and cost billions of dollars.