Huawei Phones Unlikely to Receive Security Updates as Trade Ban Begins

Some Huawei phones are set to stop receiving software updates after a US reprieve, which allowed some trade with Huawei, lapsed last week.

According to the Washington Post, the reprieve, which expired last Thursday, provided some exceptions to a trade ban that the Trump administration imposed on Huawei last year.

The ban generally prohibited US companies from exporting technology to Huawei, but the reprieve allowed US software providers to continue sending updates and patches to Huawei, so it could provide them to customers using Huawei phones or Huawei wireless network equipment.

In a support update published in February, Google said the ban “prohibits all US companies, including Google, from collaborating with Huawei.

“We have continued to work with Huawei, in compliance with government regulations, to provide security updates and updates to Google’s apps and services on existing devices, and we will continue to do so as long as it is permitted,” Google said earlier this year.

The Commerce Department confirmed that the license has expired, telling the Washington Post that the license had provided “an opportunity for users of Huawei devices and telecommunications providers to continue to temporarily operate such devices and existing networks while hastening the transition to alternative suppliers.”

Brian Higgins, security specialist at Comparitech.com, told Infosecurity that, in this case, Huawei has been caught in the political crossfire and it looks like whilst support remains available, it can no longer be installed. “The best, and quite possibly only, advice for Huawei customers is to take the hit and upgrade to a post-May 2019 device as soon as possible,” he said. “At least they run on proprietary Huawei software and you can update them whenever you’re prompted. Just don’t ever decide to update later.”

Niamh Muldoon, senior director of trust and security at OneLogin, said: “The Huawei saga keeps being pushed around the political playing field, but this eventuality is likely to have an impact on the individual Huawei user. Failure to update to the latest version of a mobile device’s software is one of the main in-roads for cyber-criminals looking to compromise a device, or to compromise the accounts hosted on the device, such as banking, messaging or social media applications.

“If a vulnerability is patched in a software update, and a user installs said update, they are protected from it. However, if this option is taken away from people, it leaves them with no option but to continue using an outdated software model which may leave them vulnerable to compromise. While the concerns around Huawei are politically complex and not appropriate for simple answers, for them to be potentially affecting the end user in this method is unacceptable.”

Also in a statement published on Monday, the Bureau of Industry and Security in the Department of Commerce added 38 Huawei affiliates to the entity list, which imposes a license requirement for all items subject to the Export Administration Regulations. It also imposed license requirements on any transaction involving items subject to Commerce export control jurisdiction where a party on the entity list is involved, such as when Huawei (or other list entities) acts as a purchaser, intermediate or end user.

“These actions, effective immediately, prevent Huawei’s attempts to circumvent US export controls to obtain electronic components developed or produced using US technology,” the statement said.
