A Huawei Driver Was a Windows Security Vulnerability

I’ll start off with the good news: Huawei has patched its PC Manager software. If you own a Huawei Windows machine, apply the latest security update and this flaw won’t affect you.

Now the bad news. Huawei MateBook machines running Windows shipped with a driver that opened them to an unusually deep attack. Any program already running on the machine, even one with no special privileges, could use the driver to run its own code at the highest privilege level and to read or write almost anything in memory or on disk. Huawei had built one of its “features” with a code-injection technique that is otherwise seen only in malware. Could the company have intentionally opened up a backdoor into its own systems? The U.S. government believes it could have.

Here’s how Microsoft caught Huawei’s highly unorthodox software, and what it could mean for Huawei.

How Microsoft Caught Huawei

Ars Technica has an excellent write-up on how Microsoft caught Huawei’s insecure driver here. However, I’ll summarize it for those of you with less technical backgrounds. Windows Defender Advanced Threat Protection (ATP) collects telemetry from the machines that run it: not just what you are doing with the machine, but what the machine is doing under the hood, such as which processes start, which drivers load, and which component writes into which process’s memory. Microsoft feeds this data into machine-learning models that look for patterns. If a pattern resembles the behaviour of known malware, it is flagged for human review. Microsoft can then block the threat and alert affected customers. It can’t undo whatever already happened on machines that were hit, but it can stop the spread and prevent further information from leaking out of them.

Microsoft saw something suspicious. A kernel-mode component, code running in the most protected part of the operating system, was allocating memory inside an ordinary user-mode process, writing code into it, and forcing that process to execute the code. This kernel-to-user injection is the same trick the DoublePulsar backdoor used, and it is exactly what the Defender ATP detection that fired was built to catch. Legitimate drivers have no business writing code into other processes; doing so is a primary tactic of malware. When Microsoft’s researchers dug into the component, they also found that it let unprivileged user-mode programs read and write arbitrary memory, including the kernel’s. Microsoft’s telemetry had caught a huge security vulnerability.

That “malware” turned out to be a Huawei driver.

Huawei’s Drivers

Huawei’s PC Manager software included a “service” whose job was to relaunch one of Huawei’s own programs whenever that program died, even though the program runs with higher access rights than an ordinary user. Huawei says this is all the driver was doing. Curiously, Windows 10 already has a tool for this: the Service Control Manager can be told to restart a service automatically when it fails, with no custom driver involved at all. Furthermore, Huawei implemented its version with the kind of kernel-to-user code injection that is typically seen only in malware. These are patterns any reputable vendor would steer clear of, yet a large company, perfectly capable of using Microsoft’s own tools, left a gaping security hole in its driver.

Huawei claims the driver was only there for its (completely unnecessary) process-restarting feature, but it left the system vulnerable. Anyone able to run code on one of these laptops, even as a user with no special privileges, could have used the driver to take over the whole machine, and that includes anyone at Huawei. It’s as though Huawei built a feature that looks useful to anyone who doesn’t know Windows can already restart failed services, as an excuse to leave a backdoor into its computers. A backdoor that only Huawei knew about. Huawei could have intentionally created a way into any of its computers.

What other reason could they possibly have for using malware tactics to duplicate an existing Windows feature? The programming effort to create this would take significant time and was unnecessary for Huawei’s claimed purposes. Why bother unless you had ulterior motives?
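To make the “Windows already does this” point concrete, here is the built-in mechanism a vendor would normally use instead of a watchdog driver, followed by a check for whether the driver discussed in Microsoft’s and Ars Technica’s write-ups is loaded. This is an added example written for this page, not code from Huawei or Microsoft. It assumes the service is registered under the name MateBookService (hypothetical; look up the real name with Get-Service), that the driver’s file name begins with HwOs2Ec as the write-ups state, and that it runs in an elevated PowerShell session.

```powershell
# Added example, not vendor code. Configures Windows' own Service Control
# Manager (SCM) recovery so a crashed service is restarted by Windows itself,
# then looks for the Huawei watchdog driver and reports its file version.

# Hypothetical service name; confirm with: Get-Service | Where-Object DisplayName -like '*Huawei*'
$serviceName = 'MateBookService'

# Current recovery settings for the service.
sc.exe qfailure $serviceName

# Restart 5 s after the first, second and every later failure; reset the
# failure counter after a day (86400 s) with no failures.
# The space after each '=' is required by sc.exe.
sc.exe failure $serviceName reset= 86400 actions= restart/5000/restart/5000/restart/5000

# By default the SCM only treats the service as failed when its process dies
# without reporting SERVICE_STOPPED. The failure flag also triggers recovery
# when the service exits on its own with a non-zero exit code.
sc.exe failureflag $serviceName 1

# Verify the new settings took effect.
sc.exe qfailure $serviceName

# Which drivers that look like the Huawei watchdog driver are present,
# and what version are they? (Pattern per the public write-ups; adjust if
# the vendor advisory names the file differently.)
$driverPattern = 'HwOs2Ec*'
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -like $driverPattern -or $_.PathName -like "*\$driverPattern" } |
    ForEach-Object {
        # Normalise NT-style paths (\??\C:\... or \SystemRoot\...) to Win32 paths.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        [pscustomobject]@{
            Name    = $_.Name
            State   = $_.State
            Path    = $path
            Version = if (Test-Path -LiteralPath $path) { (Get-Item -LiteralPath $path).VersionInfo.FileVersion } else { 'n/a' }
        }
    }
```

The recovery actions live entirely in the SCM, so the service gets restarted with its configured account and no third-party kernel code ever touches another process’s memory. If the driver query returns a row, compare the reported version against Huawei’s advisory for the patched PC Manager release rather than assuming presence alone means the machine is vulnerable.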

What this Means for Huawei

This isn’t the first time Huawei has been caught with unaddressed security flaws. The U.K. government’s Huawei Cyber Security Evaluation Centre (HCSEC) oversight board published a thorough review of Huawei’s engineering in March 2019. The reviewers could not even confirm that the source code they examined was the code running in shipped products, and they found security vulnerabilities reported in previous years still unaddressed in Huawei’s equipment.

Intelligence and security agencies of the Five Eyes countries have warned against using Huawei technology because of security and privacy concerns. The U.S. has barred its federal agencies from using Huawei equipment on national-security grounds, a decision Huawei has sued over but will likely lose, especially given Huawei’s record of security vulnerabilities and the U.S. charges that it violated sanctions.

Huawei is trying to convince the world that their technology is secure and that they don’t give data to the Chinese government. With each passing scandal, that claim becomes less believable.


Source: Peter Bright, ArsTechnica