Microsoft Discovers Huawei Driver Allowing Backdoor Hack Into Laptops
Huawei, which is at the center of a long-running scandal over accusations that China spies on western establishments, is facing criticism after Microsoft discovered a backdoor-like vulnerability in the Matebook laptop series that could have allowed hackers remote system access, Ars Technica reported.
Microsoft said the security flaws were discovered by Windows Defender Advanced Threat Protection (ATP) kernel sensors, which traced the vulnerability back to a Huawei driver.
The report noted that Huawei’s driver, which allowed for remote device management, also enabled access to the Windows 10 operating system, thus allowing for a backdoor-like hack.
“Further investigation revealed that on this particular occasion, it wasn’t malware that was injecting and running code in a user process; it was a Huawei-written driver. Huawei’s driver was supposed to act as a kind of watchdog: it monitored a regular user mode service that’s part of the PCManager software, and if that service should crash or stop running, the driver would restart it. To perform that restart, the driver injected code into a privileged Windows process and then ran that code using an APC—a technique lifted straight from malware.
Why Huawei chose this approach is not immediately clear, as Windows has as a built-in feature the ability to restart crashed services. There’s no need for an external watchdog.
The Huawei driver did make some attempts to ensure that it would only communicate with and restart Huawei’s own service, but improper permissions meant that even an unprivileged process could hijack the driver’s watchdog facility and use it to start an attacker-controlled process with LocalSystem privileges, giving that process complete access to the local system.
Microsoft’s researchers then continued to look at the driver and found that it had another flawed capability: it could map any page of physical memory into a user process, with both read and write permissions. With this, the user process can modify the kernel or anything else, and as such it, too, represents a gaping flaw.”
Huawei responded to Tom’s Hardware’s inquiry about the Matebook security flaw. They reiterated that the security flaw was not a backdoor attempt to spy on customers. Huawei also suggested it may take legal action against media over “misleading reports” about this issue:
“Huawei is concerned that some media misleading that Huawei’s PC Manager’s previous system vulnerabilities are ‘backdoors.’ Huawei firmly denied this. In its vulnerability research article, Microsoft also clearly stated that the vulnerability in Huawei PC Manager is a defect in software design, not a backdoor.
In November 2018, Microsoft discovered that Huawei PC Manager was vulnerable and reported it to Huawei (vulnerability ID: CVE-2019-5241, CVE-2019-5242). Huawei analyzed and processed the problem in the first time, and in 2019 the patch was patched in January. Huawei will continue to maintain close communication and cooperation with industry partners to continuously improve product safety and protect users’ interests from being infringed.
For misleading reports from some media, Huawei will retain the right to protect its rights and interests through legal means.”
So could an insecure Huawei driver really be a malicious backdoor attempt to steal customers’ data? Or maybe Microsoft is showboating its new security platform [ATP]. You decide.