Huawei Security Concerns Apparently Stem From Use of Old Software

By Tom Pritchard on at

Huawei has been in the news a lot recently, for mixed reasons. The company has found a lot of success with the launch of the P20 smartphone, especially here in the UK, but it's also been criticised for issues with its hardware's security - especially equipment used as part of the UK's telecoms infrastructure. It's not a new concern, and it's the reason why the Huawei Cyber Security Evaluation Centre exists to monitor for any cybersecurity issues mass-use of its equipment may pose to the UK. Now, though, it seems part of the problem is down to the age of the software being used.

A couple of weeks ago a report from the HCSEC, which is funded by Huawei but operated by British security agencies like the GCHQ, stated that Huawei equipment may pose a risk to British national security. Now, thanks to sources speaking to Reuters, it's a bit clearer why this is the case. Apparently officials are concerned that Huwei equipment runs on an older version of Wind River's real-time operating system VxWorks, which is currently expected to lose security update support in 2020.

The important factor here is that much of the equipment running VxWorks will still likely be in use once they lose support from the California-based company. Like like NHS systems that are still running old versions of Windows, it means critical systems would be a lot less secure and could theoretically leave the UK's communications infrastructure more vulnerable to attack. This is something mentioned in the recent report, though VxWorks wasn't actually mentioned by name:

“Third party software, including security critical components, on various component boards will come out of existing long-term support in 2020, even though the Huawei end of life date for the products containing this component is often longer.”

That said, Reuters' sources all said that the situation doesn't appear to be deliberate, nor is there any indication that the software itself is a current security risk. It's all about that looming cut off date.

A spokesperson for Wind River spoke to Reuters, and while they wouldn't comment on the specifics of its relationship with Huawei it did add that it often helps customers upgrade their software to new versions:

“Wind River offers migration routes and paths for its customers, which should be pretty well known and understood in the industry."

Huawei also wouldn't comment on the specifics, only reiterating its commitment to cybersecurity:

“Cyber security remains Huawei’s top priority, and we will continue to actively improve our engineering processes and risk management systems.”

[Reuters via Engadget]