While a recently discovered flaw in software pre-installed to Huawei’s Matebook laptops might not have been intentionally added with malicious intent, the Chinese technology company still poses a threat, a cybersecurity expert has insisted.

The vulnerability, which was disclosed and patched “quickly and professionally” according to Microsoft by Huawei in January, could have potentially provided administrative rights to accounts without superuser privileges. Researchers at Microsoft detailed the discovery of the security flaw in a driver for Huawei’s device manager software, PCManager, last week.

This presented a similar backdoor to EternalBlue, an exploit developed by the United States’ National Security Agency, which led to the widespread and costly WannaCry ransomware attack.

PCManager backdoor highlights Huawei threat

Despite the United States’ warnings that Huawei may be used by the Chinese government to spy on foreign nations, there is nothing to suggest that the backdoor was intentionally added to the software. The Huawei Cyber Security Evaluation Centre (HCSEC) has stated that it “does not believe that the defects identified are a result of Chinese
state interference”.

Yet, according to Oleg Kolesnikov, vice president of threat research and head of Research Labs at Securonix, while the vulnerability may not expose Huawei as a state actor, it does expose its lacking security practices:

“While there currently is no direct evidence that the software security issues were intentionally added for Huawei’s driver code to be leveraged for a malicious backdoor, these vulnerabilities appear to align with the earlier National Cyber Security Centre, GCHQ, etc. report regarding Huawei products and the lack of proper software security practices in the Huawei’s approach to software engineering likely significantly increasing the risk to the operators.”

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

HCSEC’s annual report concluded that it has identified “concerning issues in Huawei’s approach to software development”. It was stated that “no material progress has been made” by the company on cybersecurity and “further significant technical issues have been identified in Huawei’s engineering processes” since last year, which has added new risks in the UK’s telecommunications networks.

According to Kolesnikov, the PCManager discovery shows the difficulty in determining whether security vulnerabilities are a result of “an intentional backdoor vs unintentional error”. Yet, regardless of intent, Huawei has put its customers at risk of attack.

“Had Huawei developers followed the proper software security design, development, and testing processes when implementing the MateBookService and the corresponding driver software components IRP/IOCTL functionality, chances are that the software security issues reported could have been mitigate and/or addressed proactively.”

Need for further testing

Given the security concerns aimed at Huawei, the discovery of one vulnerability means that there are likely others lurking around in the company’s products waiting to be exploited.

“Where there is one, there is often much more to find,” Kolesikov believes. But thorough software security analysis and more focus on safety and security in the development stage could help to discover these vulnerabilities and safeguard against future exploitation from those with malicious intent.

“It is critical not only to have the ability to perform an in-depth software and hardware security analysis related to the vulnerabilities, but also to ensure that the proper software development process and best practices are in place since software vulnerabilities often do not occur in isolation,”

Huawei response

The telecommuncations company “vehemently rejects” any suggestion that it intentionally builds backdoors into its products or services, and insists that the “common” incident highlights the need for companies to work together in the fight against cybercrime.

A statement released by Huawei states:

“In January, Microsoft informed Huawei of a potential vulnerability in a device management driver that forms part of Huawei PC Manager installed on the company’s Matebook range of laptops. According to Microsoft, Huawei “responded and cooperated quickly and professionally” and fixed the bug. A patch was issued on 9th January.

“This is a common process right across the IT industry and demonstrates the kind of intercompany co-operation that is needed to improve cybersecurity for everyone.

“Huawei vehemently rejects any suggestion or inference that “backdoors” exist in the development or delivery of any of our products or service, and any suggestion to the contrary is highly damaging to the Huawei brand.

“We are committed to creating the world’s best telecommunications products and services and in our 30 years of there has never been a single major security breach. Huawei is fully committed to refining and expanding a robust compliance system that is overseen by four western, auditing companies. We abide by all applicable laws and regulations in the countries and regions where we operate, including all export control and sanction laws and regulations of the UN, US, and EU. This is both corporate policy and our most fundamental operating principle.”

Read more: Meet vxCrypter: the bizarre ransomware that tidies up victim’s files as it encrypts