This is an interesting story of a serious vulnerability in a Huawei driver that Microsoft found. The vulnerability is similar in style to the NSA’s DOUBLEPULSAR that was leaked by the Shadow Brokers—believed to be the Russian government—and it’s obvious that this attack copied that technique.
What is less clear is whether the vulnerability—which has been fixed—was put into the Huawei driver accidentally or on purpose.
Gunter Königsmann • March 29, 2019 9:26 AM
Process explorer shows that Microsoft allows for extensive Monitoring by userspace programs.
If locking down something is good or bad for security I don’t know: the one who gives you the monitoring data might hide anything he wants. Not giving access to monitoring data means nearly anyone can hide his actions but if you allow to monitor things someone might use this data for spying on you in spectre-like days.
1&1~=Umm • March 29, 2019 10:05 AM
@Bruce Schneier:
“What is less clear is whether the vulnerability — which has been fixed — was put into the Huwei driver accidentally or on purpose.”
Or by whom and under what chain of authority.
There is also the question of ‘When’ as well.
As the article notes,
“‘It also highlights just some of the extraordinarily awful things that hardware vendors do when they’re tasked with writing software. When your hardware vendors are opening up big security flaws and copying malware techniques, one wonders if we need protection from the good guys as well as the bad ones.'”
Much of this ‘awfulness’ stems directly from the way the MicroSoft OS works and alows unknown, unchecked code into and below the kernel and it’s limited security provisions.
We do and have for quite sometime know of better ways to do this. Which are both more efficient and secure. However doing things that way would but a bit of a major hole in what MicroSoft’s ‘telemetry’ can more covertly get it’s hands on.
Jack • March 29, 2019 11:01 AM
Shadow Brokers, believed to be the Russian government.. As in “Donald Trump, believed to be Vladimir Putin”?
Anders • March 29, 2019 1:19 PM
I think i add here this new CCDCoE Huawei raport.
(otherwise planned to put it into the squid)
Ross Snider • March 29, 2019 1:40 PM
I’m confused about this. Wasn’t DOUBLEPULSAR a malware implant – NOT a vulnerability? Did Huawei drivers come with an implant?
Also, “believed to be the Russian Government” – I’ve seen this opinion on primarily this blog and some forums but I’ve also run into lots of other theories and nothing – so far – close to conclusive. The blog post makes it sound like there’s a good consensus in the community. Has more definitive information come out?
Murphy's Law, #9 • March 29, 2019 4:30 PM
OT, but
Running TENS (not deluxe) 1.7.5, in Virtual Box, User Agent- Windows/FF, w/NoScript, Plug-Ins (never activate),
gives you a relatively common, w/Panopticlick, browser; ~ 1 in 7k
https://www.tens.af.mil/download.htm ; USG DoD
https://panopticlick.eff.org
another reader • March 30, 2019 2:56 PM
The United States have been trying hard to discredit chinese manufacturers, starting with Lenovo years ago. There had been a high pressure from the U.S. against European Union countries on this matter recently.
May it be a false flag operation against Huawei customers?
I would not discard a non-appropriately protected development server at Huawei being attacked to introduce this code.
Anders • March 30, 2019 3:42 PM
@another reader
“Security” has been long used as a pretext to achieve another goals,
money, power, position, economical edge, shutting down the opposition etc, you name it.
I’m quite happy with my Huawei router.
VinnyG • April 1, 2019 5:42 AM
@1&1~=Umm re: “…by whom and under what chain of authority.” Ex-freaking-xactly.
BTW, this being April 1, I note that many entities evidently still observe April Fools Day, and I wonder if there remains any real point in doing so. IMO – on the internet, every day is April Fools…
Nameless Cow • April 1, 2019 2:00 PM
@parabarbarian
How the heck does a vulnerability get put in accidentally?
The same way the vast majority of bugs get into software?
lurker • April 4, 2019 4:55 PM
Some light might be shed by UK Govt analysis of Huawei’s 5G efforts: http://www.gov.uk/government/publications/huawei-cyber-security-evaluation-centre-oversight-board-annual-report-2019 and Huawei’s response https://www.huawei.com/ch-en/facts/voices-of-huawei/statement-in-reaction-to-hesec-oversight-board-report-2019.
I’m a hardware guy myself, and keep well away from software if I can …
1&1~=Umm • April 5, 2019 4:46 AM
@Lurker:
Did you spot the sting in the tail of the Huawei response?
Firstly the ‘no state interference” found by the GCHQ minions*
Secondly and more importantly,
“‘The telecom industry requires unified standards for cybersecurity, which are necessary for its healthy development.'”
That is the ‘We are going above and beyond our competitors’ line, but the real sting is the unsaid ‘We expect and will require that all our competitors go through the same level of scrutiny…’.
Which for those that don’t recognise it for what it is, it is in effect a decletation of war on US and EU telecomms companies, and the Western politicians as usual blundered as though sleepwalking right into the trap, only they don’t yet see it for what it is but they will.
So beware ‘Inscrutable Orientals bearing gifts’… It’s certainly not the first and definitely won’t be the last time they play this game and win.
Ex UK Chancellor George ‘Gidiot / White lines’ Osbourne should be realy proud of himself on this one, having opened that door and walked straight in…
As has been noted on this blog before Confucianism which is a religion without being a religion teaches the benifits of long term thinking and strategy and is much respected in the Far East. Whilst most Western politicians have no such teaching and in effect despise it as they either can not or will not see beyond the next ‘press release’ to polish their ego, ‘confidential briefing’ to back stab a colleague, or in some cases lobbyist to tell them what to think…
I wonder if the NSA have realised what this means with respect to their activities with US telcos such as oh Cisco and Jupiter to name but two they have ‘implanted’ or ‘supply line tampered’ with…
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
sle • March 29, 2019 8:55 AM
I have another set of questions.
This vulnerability was discovered thank to Microsoft ATP, which uses specific monitorings inside windows kernel.
Can any other vendor perform the same? Or is the Kernel locked to Microsoft?
If locked, from a security standpoint is it better (only Microsoft can alter the kernel with caution and serious security process and review) or worse (in this field the innovation is reduced to Microsoft goodwill and ideas)?