Where they don't describe it as a "backdoor." Simply what it is: a local privilege escalation in a driver.
Privilege escalations aren't that rare unfortunately. Kind of cool that ATP might be able to detect some of them going forward, particularly in drivers that are often black-boxes.
This isn't a backdoor, nation state or otherwise. LPEs are super boring and common, there's often several a month discovered on Windows (inc. third party services/software/drivers/etc).
For it to be a backdoor it would typically need to facilitate the ability to access the system itself (e.g. Remote code execution, hidden credentials, etc), but even then intent is implied with the word which we simply don't have here.
Plus, LPEs aren't as powerful as they once were. Most of the good stuff is now running in userspace; the only thing an LPE grants you is persistence.
To give you an idea of how overblown this is: HP used to run a local webserver as SYSTEM (highest priv) which any webpage could call via iFrame to execute local commands. I don't consider that a backdoor either, even though that issue is ten times more serious than this one.
>Upon investigation, researchers found a driver containing components that run with ring-0 privileges in the kernel.
>"We traced the anomalous behaviour to a device management driver developed by Huawei," researchers said in the post. "Digging deeper, we found a lapse in the design that led to a vulnerability that could allow local privilege escalation."
>Researchers who reported the vulnerability to Huawei said the company responded and cooperated quickly and professionally. A patch was released earlier this year on 19 January.
A rather clickbait-y title for what actually happened. Of course though, rehashed old news is great for harvesting karma when it's the right bogeyman.
Karma aspersions aside :-) it does sound like "manufacturer driver has an exploit" gets reported, exploit gets fixed. Wrapped around a completely different narrative where an intelligence service 'diverts' a delivery and installs an exploit.
Reminding us once again that as far as has been documented in the open media the US is the only country that has been identified as having done this.
Sadly this is Tony Morbin's modus operandi.[1]
That said, two nice takeaways: one, the standard tools that Microsoft ships found a problem, and two, the vendor quickly patched it. Both of those things are good news.
Backdoors don't have to be, let's call it explicit.
A good way to inject a backdoor is to discourage the fixing of poorly designed drivers. I'm certain the NSA has a vast collection of vulnerabilities they exploit to do their work, who would be surprised if they didn't at least once try to discourage the fixing of one of those bugs.
Well then, get your disassembler out and find the evidence of this backdoor nobody else has managed to find in the past two decades.
The whole NSAKEY story is a laughable fabrication, nobody has ever described the mechanism by which the backdoor is supposed to work. This should be a trivial exercise.
The title of this article is misleading. "Backdoor" implies a deliberate mechanism built into the software, but here there's no evidence that the vulnerability wasn't simply a mistake.
Why would anyone malicious bother hiding a LPE vulnerability in a driver like this? What's the point if you're going to need another backdoor to actually get code exec in order to exploit this backdoor?
I'm personally of the opinion that this is just a bug, and not an intentional bug.
That being said, there is value in a LPE as a part of a bigger exploit chain. There's all sorts of exploits that'll give you relatively unprivileged code execution, and you'd want to silently elevate in order to make yourself persistent for instance.
Windows LPE bugs tend to be quite cheap and plentiful, I just can't see much value in inserting a bug like this to possibly make it slightly cheaper on a few specific machines.
Windows LPEs are still up to $80k on Zerodium, instead of the up to $50k for Linux, Mac, and BSD. Yes, those numbers are funny money, and you're more likely to see a third of that, but they're still useful numbers in a relative sense.
Like I said, I think this is just a bug, but Windows LPEs do have value.
You can build a complete pwn exploit by chaining several seemingly innocuous (more or less) vulnerabilities together just so. This vuln provides the escalation, another provides the remote execution...
Then when someone says: "Huawei pwns us", they can just claim ignorance and stupidity because a small mistake here and there provides better deniability than some whitehat finding out that Huawei provides the Chinese government with the whole set of keys to the kingdom.
I believe any piece of hardware that is sold locally or internationally has a backdoor of some kind for government access. There are no mistakes. No company will say this, due to "laws" or "NDA" from a government that prevents the company from discussing these "mistakes."
It's generally hard to come by, leaving lots of room for assumptions. There was evidence of NSA tampering with ordered hardware in transit in the Snowden files, next to indications / speculations around certain Cisco routers and even more about Intel's Management Engine. But despite the last two being probable candidates, I can't recall hard evidence for them.
Targeted interdiction is a far cry from what the parent comment alleges. Targeting shipments to backdoor or bug an item quite obviously happens everywhere in the world and has since the dawn of time.
The Snowden files said nothing about Intel’s ME. That isn’t a backdoor either. It’s a great place to put one, but there are lots of great places to put backdoors, and that doesn’t mean that’s what the manufacturer is doing.
I disagree with your statement. It's easy to keep a secret if your life or livelihood is at risk, through blackmail or similar. You just haven't experienced it.
That is irrelevant. You aren’t being realistic or practical. The US government didn’t, and couldn’t blackmail every past, present, and future employee who may come across source code or documentation or communication about a backdoor for every company that produces a hardware or software product. They also did not blackmail every independent researcher who might discover one. To even attempt this and expect it to remain a secret would be incomprehensibly stupid and we would definitely know about it by now.
There have been cases where specific things were targeted. This isn’t even close to every piece of hardware.
“There are no mistakes” is a ridiculous notion for anyone who has ever had a career tangentially related to software or hardware. I don’t know how someone who holds this viewpoint even managed to find this website. You really don’t think bugs ever happen by accident?
It's fine to be upset at my point of view and implied experience within this area. I understand 100%. There are some coding mistakes that cannot be tested or caught during development and deployment. These can be exploited. There are however some that appear to be mistakes and are allowed or missed during the process.
This is a great website for freely expressing opinions, truth, lies and such!
>but here there's no evidence that the vulnerability wasn't simply a mistake.
So what, you want proof that the backdoor is deliberate? To do that, you'd either need some sort of internal directive from up top (good luck finding that), or the backdoor would have to be comically bad (e.g. if (signed by PLA) return true;).
> So what, you want evidence that the backdoor is deliberate?
If the title of the article is "backdoor found", then yeah. I'm of the opinion that it was an intentional backdoor too, I think that was a pretty clear possibility to anyone who saw the initial writeup. But to come out and claim unambiguously that it was a backdoor is masquerading an opinion as news.
Yeah, I've always found it entertaining that their corporate culture is characterized by a unique multi-decade inability to stop those darn engineers from writing backdoor accounts.
It would be more entertaining if I thought other vendors were less likely to be compromised[1].
The strictly local nature of this "backdoor" strongly suggests that it is not in fact a backdoor, if you're going to call it a backdoor maybe you should have the least bit of evidence to support that.
The conspiracy theorist in me would suspect that Huawei cloned or inherited existing backdoors from Cisco, Intel, Qualcomm code/tech they acquired. (not that they would necessarily be related to this news story.)
If the US security sector blew the lid on the backdoors, they would also be exposing their own backdoors, thus all they can do is generate FUD towards Huawei, and hope that they never need to present evidence.
How can you differentiate between a camouflaged back door and a mistake? It's clear you would want plausible deniability, so you would make it look like a mistake. And if you have mistake after mistake when do they stop being mistakes?
Well usually, Microsoft is on the receiving end of the "vulnerability found" game. To me it would appear as if they're making sure that every single thing they discover requires media attention.
Maybe I'm not easily triggered enough but generally speaking when one says "the Chinese" or "the Nigerians' or "the Russians" in a discussion that's about international relations, geopolitics or similar, I tend to think they're talking about the nation and its government, not the people themselves.
If that's the case, the distinction was subtle enough for me to miss, and probably a lot of others. It isn't hard to say "the Chinese government" if that's what parent meant. Instead saying "the Chinese" in response to an article about a Chinese company's product is clearly ambiguous. I don't see how it's okay to gratuitously say anything about "the Chinese" as if that was somehow a valid, well defined and understood group that warrants being judged and stereotyped in such a wide manner.
But it blurs the distinction and it normalizes thinking about the Chinese people and the Chinese gov't in similar ways. Honestly I think it's irresponsible and naive - let's not pretend there isn't a rising undercurrent of anti-Chinese sentiment in the West.
I think you're assuming some positive intent here that's definitely helpful to the conversation, but may not actually exist in this specific case.
For our part, I think us sane people can all agree that it's the PLC that we are suspicious of, whereas the people of (and from) China are wonderful people.
The fact that national governments aren't to be trusted is not racist. Your implication and terribly bad misapplication of the word "racist" is more disturbing than someone not trusting said foreign government.
Well, most of the Chinese people don't really seem to mind the fact that their government runs literal concentration camps. Perhaps it's fair to criticize them?
Yeah, those military divisions that they have that are constantly pinging virtually every IP address in the world looking for vulnerabilities...they surely have good in their heart!
I mean... All of the major governments do that, it's just IPs of botnets always tend to be Chinese or Russian since those tend to be the unpatched systems.
Could you please clarify if you mean all 1 billion Chinese nationals, their government, people anywhere of Chinese ethnic origin, or Chinese-domiciled companies and their workforce in general?
The past few articles I've read about Huawei (the British code review article from The Register and this) make it sound like the US is dressing what is actually incompetence as malicious intent because
a) Trade war
b) Chinese boogeyman makes US companies look better?
The double-think of the rhetoric against Huawei is staggering considering US programs like Prism were state-mandated data collection at a massive scale against private citizens and a secret courts program to access private sector companies data on those same citizens.
Ok granted China is light years behind the US, but we also have some crazy stories.
A Dakota Pipeline Protests journalist was stopped at the US border, "raising press freedom alarms."(1) Laura Poitras, Greenwald, Ladar Levison have obviously been victims of ill will from US authorities. Of course, don't forget the "get Gary Webb team" of industry experts the CIA watched over, which set out to "take away his Pulitzer."(2) Non-radical political parties are SWAT raided, intimidated, and silenced by secret courts in the US(3).
Of course this is just the start to a very long list. But comments which suggest everything is fine in this regard really worry me, as someone who loves America and its values.
Guantanamo and the whole "enemy combatants don't have human rights", "waterboarding is not torture", etc. legal gymnastics don't inspire a lot of trust either.
I was just pointing out that USA is capable of acting like an authoritarian regime if needed. Of course it can't be compared to China's, not by far, but it knows the road.
It isn't an either or question though. Chinese govt behavior being worse doesn't mean US govt behavior isn't bad, and shouldn't be called out. The current rash of scripted pearl clutching about Huawei etc. is nothing if not disingenuous... so it's fair to call that out too.
[edit] to clarify about the "disingenuous" part. It's not about saying "This is bad", it's about saying "This is bad, we would never do anything like that, can you believe it, what evil people" when in fact it is something you do, or have done, and given the chance will probably do again. This obviously doesn't cover all of the bad behavior of the Chinese govt, but it certainly does cover some.
Saying "we caught out country X doing something we don't like but also do to them" maybe doesn't have the same ring to it, but has the advantage of being honest.
I don't understand. You either think it's legitimate to call out bad behavior (US or Chinese) or you think doing so is disingenuous pearl-clutching. Is it only pearl-clutching when it's about the far worse behavior of the Chinese gov't? Or are you advocating for a constant apologizing for US misdeeds any time another country's misdeeds are raised, even if that other country's are far worse...?
> Or are you advocating for a constant apologizing for US misdeeds any time another country's misdeeds are raised, even if that other country's are far worse...?
Actually I'd rather we avoid the whole pointless whataboutism exercise if we can.
Again, it's not either or. The originating comment was claiming that some of the news about Huawei is being driven by very different motivations (I think it was trade war fallout), and being stated in disingenuous ways. And yes, there seems a lot of pearl clutching going on right now about vaguely defined Chinese technology threats. As well as some very real concerns about Nation-state actors in this space, China in particular. That seems worth at least questioning.
What I am saying is that it is perfectly consistent to hold the mixture of views that the Chinese government is doing some really bad things with privacy and personal data, that the US government also does some really bad things with privacy and personal data (though not nearly as many as Chinese govt) and that some of what is being propagated in the media currently against companies like Huawei has very little to do with these things but rather is based more on domestic economic interests.
I think it's fair to call that last part out, without it devolving into a bunch of whataboutism on the former.
Agree that particular poster could have worded things better, but they had a (valid, I think) point.
>The double-think of the rhetoric against Huawei is staggering considering US programs like Prism were state-mandated data collection at a massive scale against private citizens and a secret courts program to access private sector companies data on those same citizens.
It doesn't have to be doublethink. Even if the US gathers intelligence in ways that make one uncomfortable, China doing it to US citizens makes one _more_ uncomfortable.
In other words, the US doing it doesn't make China doing it any better.
If I'm running a company, I don't want Chinese spies backdooring my equipment, regardless of whether the NSA is effectively doing the same thing. At least the NSA isn't going to steal my data and give it to foreign business competitors.
To be fair, the US has a long history of hyping up a boogeyman for its own purposes.
The doublethink is not about being concerned about China vs US spying. It's that every local privilege escalation by any other company is reported as incompetence or an unavoidable mistake. But when Huawei has one, everyone assumes it's malicious.
Inside national security circles, Huawei specifically has been on the "watch carefully" list for many years -- long before the trade war and long before the current president. It's just that with the trade war and the Huawei CFO's detention in Canada, some of the inside talk has made it into the popular media.
False equivalence. China is the country that imprisons the most journalists, and routinely imprisons or kills people as it wishes.
The US, while they have their problems, are nowhere close or comparable in the spectrum of control over their citizens.
Fearmongering. They clearly state in the article that there is no evidence that this is a backdoor. There is no new information here compared to the detailed writeup which was already posted here last week.
The real problem here isn't that this company is Western or from China, it's that all this stuff relies on trusting humans to have done due diligence on our behalf, without having means to verify. It's closed source junkware on a closed source OS.
I'm shocked, shocked to find all the hacking going on here!
Seriously, I'm not even surprised. Whether it's intentional or not doesn't matter. Huawei pays a lot for advertising to all popular laptop reviewers on Youtube. But I'm not even considering buying Huawei laptops because I'm pretty sure it's full of crap like this.
Amend US law so there is CIVIL LIABILITY for backdoors with substantial statutory damages. The Tort bar in the US will make quick work of this and the problem will diminish, possibly cease.
Also, while I'm at it, it would be nice if Unbox Therapy and others like it would make mention of the botnet threat in their product reviews.
> it would be nice if Unbox Therapy and others like it would make mention of the botnet threat in their product reviews
Do you expect YouTubers to have a top-class security team to reverse engineer firmware? This was discovered weeks/months after the product was released.
Is there any irony in describing it as an "NSA-style backdoor"? I mean, from a context of fearing Chinese espionage. Not sure what my opinion is, but that stuck out to me.
I guess this is "Red Scare 2.0"? Is it? I'm not sure whether to worry about China or not, I feel like all my worry is driven by the political forces in the USA and Europe rather than facts. It seems so one-sided that "China is Evil" that I feel like I'm being duped. I love my Huawei watch, but I've stopped using it because of the fear of spying, even if I don't have facts to support the fear. I don't trust nearly any source to properly vet this information, how can I? Is this all a ploy to take down China as a growing world power to save the America-Europe hegemony? I feel like at this point, I don't see a ton of difference between the two, both torture people (America's war on "terror"), both are committing genocide (America's ICE separating families), both are spying like crazy on the other, etc.
Yes their watch was okay but their software sucked. I think it's more likely China has spies within Huawei rather than Huawei being a literal intelligence operation. American engineers generally balk at inserting backdoors, why wouldn't Chinese engineers?
This is far from a complete answer, but consider Psychological Warfare [1]. With vast amounts of "boring" data about people's preferences in movies, music, friends, choice of words in messages, an actor can construct psychological profiles of individuals and populations and use those to manipulate people.
This is exactly what the Cambridge Analytica "scandal" is about. Individually, you may have nothing to hide, but in aggregate, the data is rather powerful.
The US government spies on you to prevent the next 9/11, so it goes. China spies on you to steal your IP to give to its native businesses. You should probably care about the latter far more than the former.
https://www.microsoft.com/security/blog/2019/03/25/from-aler...