How Ericsson and Nokia's 5G hackathon could be a PR win for Huawei

• White hats were invited to try and break into vendors' products with mixed results
• Research firm Hardenstance says events like this are useful but not a panacea
• Once again it shows that determined hackers are vendor agnostic

Further details have emerged of Ericsson and Nokia's participation in a 5G cyber security hackathon which, in the current climate, raise some interesting points about Huawei.

Organised by Finnish regulator Traficom, it took place in late November last year at Oulu University in Finland. For 24 hours, 80 ethical hackers (also known as white hats) from 10 countries spent 24 hours attempting to gain access to commercial and pre-commercial 5G NR, 5G non-standalone core, and 5G fixed wireless access products exposed to them by Ericsson and Nokia.

This is according to cybersecurity research firm Hardenstance, which was in attendance. It highlighted that this is the first time either vendor has ever subjected their mobile network hardware and software to this degree of scrutiny at this scale, and certainly not together.

The hackathon was divided into three challenges.

The first called for participants to attempt to gain access to an Ericsson 5G NR product via the operations and maintenance (OAM) interfaces of the baseband unit and remote radio unit. In the second scenario, they had to attack a 5G network being used to deliver remote eHealth services to hospitals and homes. Finally, the third challenge called for hackers to gain access to a home fixed-wireless access router.

"Nokia went as far as deliberately configuring the fixed wireless access challenge sub-optimally from a security perspective," noted Hardenstance. "This was to make it easier for participants to gain initial access to the network and then go further to see what other flaws they could find and report back."

Ericsson and Nokia claim that the event did not identify any major vulnerabilities, Hardenstance said; however, they "confirmed that some flaws had been found, and committed to taking the findings back to their organisations and incorporating them into their R&D."

Hardenstance said hackathons like this should not be viewed as a panacea, but should be taken as an important contribution to the 5G cybersecurity ecosystem.

As far as the vendor market in general goes, the event could play into the hands of not just Ericsson and Nokia, but Huawei as well.

On the one hand, Ericsson and Nokia can legitimately claim they are transparent when it comes to identifying and addressing potential vulnerabilities in their 5G products. In contrast, Huawei's engagement on this front is more stage managed.

For instance, it has a newly-opened cybersecurity centre in Brussels where stakeholders can test products and examine source code. That's not the same though as urging a bunch of white hats to successfully compromise your products.

On the other hand though, Huawei can cite the hackathon when it insists that it doesn't matter which vendor a telco uses, dedicated hackers – state-sponsored or otherwise – will find and exploit weakness. It reinforces the argument that China does not need Huawei to install back doors on its kit if it wants to compromise mobile networks.

Of course, Huawei can point this out until it's blue in the face, but it won't stop China's adversaries from trying to have it blocked from 5G networks.