Back in Januari 2019 I had already warned not to use equipment from Huawei if security and privacy are important to you. I warned my friends and colleagues who wanted to buy Huawei phones not to do so, and here on my blog I wrote:
If you’re using (networking, computing, and communications) equipment from Huawei, it would be wise for you to assume that the Chinese government can easily gain access to your information via Huawei.
Well now we have the first clear — smoking gun — piece of evidence that this is true. Here’s from ZDNet:
Microsoft has now detailed how it found a severe local privilege escalation flaw in the Huawei PCManager driver software for its MateBook line of Windows 10 laptops. Thanks to Microsoft’s work, the Chinese tech giant patched the flaw in January.
As Microsoft researchers explain, third-party kernel drivers are becoming more attractive to attackers as a side-door to attacking the kernel without having to overcome its protections using an expensive zero-day kernel exploit in Windows.
The flaw in Huawei’s software was detected by new kernel sensors that were implemented in the Windows 10 October 2018 Update, aka version 1809.
The sensors are part of Microsoft’s response to the WannaCry malware outbreak of 2017, which caused havoc in the UK’s National Health Service and infected about 200,000 Windows PCs around the world. The malware was attributed to North Korean hackers.
Specifically, the sensors are designed to catch malware like DoublePulsar, a backdoor implant created by US National Security Agency hackers that was leaked by The Shadow Brokers in early 2017. DoublePulsar runs in kernel mode and was the vehicle for delivering WannaCry, copying the malware from the kernel to user-space.
Huawei’s PCManager triggered Defender ATP alerts on multiple Windows 10 devices, prompting Microsoft to launch an investigation.
“Hunting led us to the kernel code that triggered the alert. One would expect that a device management software would perform mostly hardware-related tasks, with the supplied device drivers being the communication layer with the OEM-specific hardware,” explains Amit Rapaport, a researcher on the Microsoft Defender ATP team.
The investigation led the researcher to the executable MateBookService.exe. Due to a flaw in Huawei’s ‘watchdog’ mechanism for HwOs2Ec10x64.sys, an attacker is able to create a malicious instance of MateBookService.exe to gain elevated privileges. Microsoft: Windows 10 devices open to ‘full compromise’ from Huawei PC driver
They’re calling this a “flaw” in Huawei’s driver software, but it’s also likely that this is a feature that was deliberately placed inside the software to give people who know about it a back door into the computer systems that it runs on. Such back doors can be disguised as bugs or other kinds of programming errors in the software, so that when they get discovered the company can claim: “Oops, sorry, we fucked up, honest mistake — here’s a fix.” In the mean time, when, for example, the Chinese government wants to target someone, they can obtain a list of “flaws” from these companies to use against their target.
Microsoft was able to detect this particular “flaw,” but there’s no easy way of telling what other so called “flaws” exist in the software unless you have access to the source code and do a thorough security audit on it. It’s also important to keep in mind that such “flaws” can also be built directly into the hardware.
In Suriname, where I live, the major ISP called Telesur uses a lot of communications equipment from Huawei, and I often tell people to safely assume that the entire ISP and networking (Internet) infrastructure is completely 0wn3d by Huawei. It would not surprise me in the least if China is able to read and monitor all communications from Suriname via Telesur, probably even in real-time.
The way things are going now, it’s probably going to become increasingly more important to use open source hardware and software, where you can control, inspect and audit every component on the system before you can trust and use it.