While a recently discovered flaw in software pre-installed to Huawei’s Matebook laptops might not have been intentionally added with malicious intent, the Chinese technology company still poses a threat, a cybersecurity expert has insisted.
The vulnerability, which was disclosed and patched “quickly and professionally” according to Microsoft by Huawei in January, could have potentially provided administrative rights to accounts without superuser privileges. Researchers at Microsoft detailed the discovery of the security flaw in a driver for Huawei’s device manager software, PCManager, last week.
This presented a similar backdoor to EternalBlue, an exploit developed by the United States’ National Security Agency, which led to the widespread and costly WannaCry ransomware attack.
PCManager backdoor highlights Huawei threat
Despite the United States’ warnings that Huawei may be used by the Chinese government to spy on foreign nations, there is nothing to suggest that the backdoor was intentionally added to the software. The Huawei Cyber Security Evaluation Centre (HCSEC) has stated that it “does not believe that the defects identified are a result of Chinese
Yet, according to Oleg Kolesnikov, vice president of threat research and head of Research Labs at Securonix, while the vulnerability may not expose Huawei as a state actor, it does expose its lacking security practices:
“While there currently is no direct evidence that the software security issues were intentionally added for Huawei’s driver code to be leveraged for a malicious backdoor, these vulnerabilities appear to align with the earlier National Cyber Security Centre, GCHQ, etc. report regarding Huawei products and the lack of proper software security practices in the Huawei’s approach to software engineering likely significantly increasing the risk to the operators.”
HCSEC’s annual report concluded that it has identified “concerning issues in Huawei’s approach to software development”. It was stated that “no material progress has been made” by the company on cybersecurity and “further significant technical issues have been identified in Huawei’s engineering processes” since last year, which has added new risks in the UK’s telecommunications networks.
According to Kolesnikov, the PCManager discovery shows the difficulty in determining whether security vulnerabilities are a result of “an intentional backdoor vs unintentional error”. Yet, regardless of intent, Huawei has put its customers at risk of attack.
“Had Huawei developers followed the proper software security design, development, and testing processes when implementing the MateBookService and the corresponding driver software components IRP/IOCTL functionality, chances are that the software security issues reported could have been mitigate and/or addressed proactively.”
Need for further testing
Given the security concerns aimed at Huawei, the discovery of one vulnerability means that there are likely others lurking around in the company’s products waiting to be exploited.
“Where there is one, there is often much more to find,” Kolesikov believes. But thorough software security analysis and more focus on safety and security in the development stage could help to discover these vulnerabilities and safeguard against future exploitation from those with malicious intent.
“It is critical not only to have the ability to perform an in-depth software and hardware security analysis related to the vulnerabilities, but also to ensure that the proper software development process and best practices are in place since software vulnerabilities often do not occur in isolation,”
The State of Technology This Week
The telecommuncations company “vehemently rejects” any suggestion that it intentionally builds backdoors into its products or services, and insists that the “common” incident highlights the need for companies to work together in the fight against cybercrime.
A statement released by Huawei states:
“In January, Microsoft informed Huawei of a potential vulnerability in a device management driver that forms part of Huawei PC Manager installed on the company’s Matebook range of laptops. According to Microsoft, Huawei “responded and cooperated quickly and professionally” and fixed the bug. A patch was issued on 9th January.
“This is a common process right across the IT industry and demonstrates the kind of intercompany co-operation that is needed to improve cybersecurity for everyone.
“Huawei vehemently rejects any suggestion or inference that “backdoors” exist in the development or delivery of any of our products or service, and any suggestion to the contrary is highly damaging to the Huawei brand.
“We are committed to creating the world’s best telecommunications products and services and in our 30 years of there has never been a single major security breach. Huawei is fully committed to refining and expanding a robust compliance system that is overseen by four western, auditing companies. We abide by all applicable laws and regulations in the countries and regions where we operate, including all export control and sanction laws and regulations of the UN, US, and EU. This is both corporate policy and our most fundamental operating principle.”