Ironically, the UK centre was set up as a transparency effort so that British signals intelligence bureaux could review source code that Huawei uses for its gear and other technologies because the Chinese wanted to show that they had nothing to hide.
The report details a large amount of amateur-hour engineering flubs by Huawei. There's use of coding functions deprecated decades ago because they're notoriously unsafe and easy to exploit for hacks.
Even the freshest newbie coders will know not to use those functions because the documentation for them warns, in big fat letters, not to do that.
Huawei's fixes for those security issues were, in some parts of the code, to "redefine a safe function to an unsafe one, effectively removing any benefit of the work done to remove the unsafe functions in the source code," the HCSEC oversight board wrote.
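The trick the board describes is a preprocessor alias: a bounded function such as strncpy is #defined to expand to its unbounded ancestor, so every "fixed" call site is unsafe again while still reading as safe. The scanner below is an added example (not from the report or from Huawei's code) showing how a source reviewer can catch both the direct calls and the macro aliasing; the C sample it scans is constructed for illustration.

```python
import re

# Unbounded C string functions deprecated for decades: the report's "unsafe functions".
UNSAFE = {"strcpy", "strcat", "sprintf", "vsprintf", "gets"}
# Bounded replacements typically swapped in during a remediation effort.
SAFE = {"strncpy", "strlcpy", "strncat", "strlcat", "snprintf", "vsnprintf", "fgets"}

NAMES_RE = re.compile(r"\b(" + "|".join(sorted(UNSAFE | SAFE)) + r")\s*\(")
# "#define safe(args) unsafe(" or "#define safe unsafe": a macro that aliases a name.
DEFINE_RE = re.compile(r"^\s*#\s*define\s+(\w+)(?:\([^)]*\))?\s+(\w+)\b")
COMMENT_RE = re.compile(r"/\*.*?\*/|//.*$")


def scan(source):
    """Return (line, kind, detail) findings: unsafe calls, safe->unsafe macros,
    and calls to a safe name that an earlier macro has turned unsafe."""
    findings = []
    aliased = {}  # safe name -> unsafe function it now expands to
    for lineno, line in enumerate(source.splitlines(), 1):
        code = COMMENT_RE.sub("", line)
        m = DEFINE_RE.match(code)
        if m:
            name, target = m.groups()
            if name in SAFE and target in UNSAFE:
                aliased[name] = target
                findings.append((lineno, "redefinition", f"{name} -> {target}"))
                continue
        for call in NAMES_RE.finditer(code):
            name = call.group(1)
            if name in UNSAFE:
                findings.append((lineno, "unsafe-call", name))
            elif name in aliased:
                findings.append((lineno, "unsafe-via-macro", f"{name} -> {aliased[name]}"))
    return findings


# Constructed sample, not vendor code: a "remediation" header that silently undoes the fix.
SAMPLE = """\
#include <string.h>
#define strncpy(d, s, n) strcpy(d, s)
#define snprintf(b, n, ...) sprintf(b, __VA_ARGS__)

void copy_id(char *dst, const char *src) {
    strncpy(dst, src, 32);   /* looks bounded, expands to strcpy */
}
void legacy(char *buf, const char *msg) {
    sprintf(buf, "%s", msg); // direct use of a deprecated function
}
"""

if __name__ == "__main__":
    for lineno, kind, detail in scan(SAMPLE):
        print(f"line {lineno}: {kind}: {detail}")
```

A review that only greps for the unsafe names would miss line 6 entirely, which is exactly why the alias defeats a call-site audit.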
Where did that code with the unsafe functions go?
Huawei uses it for its Evolved Node B processing boards that are part of LTE 4G mobile networks.
These are public facing, and the HCSEC oversight board noted that they handle communications with untrusted interfaces and would therefore be expected to be coded in a robust and defensive manner — especially since the operating system used for them lacks mitigations against attacks.
Open source developers are usually quick to patch security bugs and release new versions of their code — it's unpaid and under-appreciated work that everyone should be grateful for — and users of that code are expected to upgrade their installations accordingly.
Not so with Huawei. HCSEC's oversight board points to Huawei's use of the popular OpenSSL cryptographic library that's used to secure data traffic, saying it found multiple versions of the code, some of which had vulnerabilities dating back to 2006.
The board said Huawei continues to use an ancient real-time operating system (RTOS) that's close to being put out to graze by the vendor the company got it from.
A Linux-based replacement is in the works, but HCSEC is not confident Huawei will deliver it. And either way, much of the gear it runs on doesn't have enough processing power and memory capacity for the upgrade.
Ergo, telcos would need to buy new gear for the upgraded OS, which they wouldn't be happy about.
The HCSEC was set up in 2010, and last week's report by the oversight board is the fifth annual one.
You can get a sense of how exasperated the spooks from Britain's National Cyber Security Centre and Government Communications Headquarters have grown over the years with Huawei, after trying to persuade the Chinese to fix their dangerously buggy code and end bad security practices, but not getting anywhere.
Long story short, Huawei's lack of engineering competency, as described by the oversight board, means there's no need for backdoors in the company's gear. If it's that full of security holes, attackers can waltz through with very little effort.
To Huawei's credit, the company has accepted the criticism of its software engineering and cyber security processes. It has promised to invest $2 billion over five years "in a company-wide transformation that will contain and mitigate the concerns raised by the oversight board".
We'll see how that goes, but the report doesn't say how telcos and internet providers buying Huawei gear missed the lack of engineering quality over so many years.
Sure, Huawei customers probably don't always get to see source code and not all know how to analyse it.
However, when you connect to network equipment for regular work and check the version numbers and dates of the software on it, it's pretty easy to tell that "uh oh, this is old and buggy stuff that really needs updating or we'll be hacked".
In other words, both Huawei and its customers have some explaining to do before they can be trusted.
Especially for the upcoming 5G networks that will be much more pervasive than 3G/4G ones with massive Internet of Things deployments and self-driving vehicles.
The Brits are now seeking a long-term remediation plan to help get their telcos and internet providers out of the mess.
This is to manage having Huawei equipment deployed in their networks and to ensure that the reviewed source code matches what's being built into production environments, as currently the HCSEC is not sure that's the case.
If that doesn't happen, things could become dire for Huawei in the UK market.
"NCSC made clear that without such a plan, there could be no long-term confidence in Huawei's technology or Huawei's ability to support operators in its secure use long-term," the report concludes.