Huawei removed wi-fi transmitting cards from a Pakistan-based surveillance system’s CCTV cabinets after they were discovered by the project’s staff.
Punjab Safe City Authority (PSCA) told BBC Panorama it had told the firm to remove the modules in 2017 “due to [a] potential of misuse”.
The authority said that the Chinese firm had previously made mention of the cards in its bidding documents.
But a source involved in the project suggested the reference was obscure.
A spokesman for Huawei said there had been a “misunderstanding”. He added that the cards had been installed to provide diagnostic information, but said he was unable to discuss the matter further.
The PSCA confirmed that the explanation it had been given was that wi-fi connectivity could have made it easier for engineers to troubleshoot problems when they stood close to the cabinets, without having to open them up.
Two people involved in Lahore’s project helped bring the matter to the BBC’s attention and have asked to remain anonymous. One said that Huawei had never provided an app to make use of the wi-fi link, and added that the cabinets could already be managed remotely via the surveillance system’s main network.
A UK-based cyber-security expert said that it was not uncommon for equipment sellers to install extra gear to let them offer additional services at a later date.
But he added that the affair highlighted the benefit of oversight because if the authority had remained unaware of the cards’ existence, it could not have taken steps to manage any potential risk they posed.
“As soon as you give someone another method of remote connectivity you give them a method to attack it,” commented Alan Woodward.
“If you put a wi-fi card in then you’re potentially giving someone some other form of remote access to it. You might say it’s done for one purpose, but as soon as you do that it’s got the potential to be misused.”
There is no evidence that the cards created a vulnerability, and one of the sources involved confirmed that there had not been an opportunity to test if they could be exploited before the kit was removed.
Lahore’s Safe City scheme was first announced in 2016 following a series of terrorist bombings.
It provides a vast surveillance network of cameras and other sensors, and a brand new communications system for the city’s emergency services
As part of the system, Huawei installed 1,800 CCTV cabinets, within which it placed the wi-fi modules behind other equipment.
The PSCA’s chief operating officer told the BBC that Huawei had been “prompt” in its response to a request to remove them and had fully “complied with our directions”.
“It is always [the] choice of the parties in a contract to finalise the technical details and modules as per their requirements and local conditions,” added Akbar Nasir Khan.
“PSCA denies that there are any threats to the security of the project [and the] system was continuously checked by our consultants, including reputed firms from [the] UK.”
Local concerns have been raised over the Safe City scheme after reports that images had been leaked and circulated via social media earlier this year showing couples travelling together in vehicles.
But there is no suggestion that this was related to Huawei’s involvement, and in any case the wi-fi modules would have been removed by this point. The PSCA has also denied anyone from its office had been involved.
Panorama: Can We Trust Huawei? is available in the UK on iPlayer.