Microsoft Finds Backdoor in Huawei Laptops That Could Give Hackers Access

Microsoft Finds Backdoor in Huawei Laptops That Could Give Hackers Access
The Huawei MateBook X Pro laptop presented at a press conference at the Mobile World Congress in Barcelona, Spain on February 25, 2018. Microsoft recently revealed how it found a backdoor vulnerability within Matebook laptops. (JOSEP LAGO/AFP/Getty Images)
Nicole Hao

Researchers at U.S. tech giant Microsoft recently revealed that they discovered a backdoor in certain Huawei laptop models that allowed unprivileged users to gain access to all laptop data.

This vulnerability is similar to the technique DoublePulsar, a malware tool leaked by the hacker group The Shadow Brokers in early 2017. It had infected more than 200,000 computers running on Microsoft Windows software within a few weeks.
DoublePulsar was again used for the WannaCry ransomware attack in May 2017 that targeted Windows computers throughout the world, seeking payment in Bitcoin in exchange for restoring the computers.

The Backdoor

Microsoft published a blog post on March 25 that detailed how researchers found the backdoor on Huawei’s laptops and then proceeded to fix the loophole. Microsoft said that after it informed Huawei of the backdoor, the Chinese tech manufacturer released a patch on Jan. 9 to fix the vulnerabilities.

Microsoft did not specify when it discovered the backdoor.

All computers have a kernel, which is the core of the computer’s operating system and can completely control everything on the device.

After the DoublePulsar attacks in 2017, Microsoft tried to develop tools that can protect users. Starting from Windows 10, version 1809, released on Nov. 13, 2018, Microsoft installed newly-developed sensors to better detect kernel threats like DoublePulsar.

But then Microsoft detected an “anomalous” injected code in the kernels of the Huawei laptop model, Matebook.

Upon further investigation, Microsoft engineers traced the code to a device management software called PCManager that is pre-installed onto Huawei Matebooks. The software had included a driver that would allow unprivileged users to upgrade their access level to senior privilege. If these unprivileged users escalate to the highest Ring-0 privilege, they can visit all data on the computer and its connected computing system. If a third party gains access and inserts malware, it could ruin the computer’s operating system.

A computer’s user privilege has four levels. Ring-0 privilege in the kernel is the highest and allows users to control every hardware and software.

Microsoft reported the vulnerability to Huawei, and built a “detection mechanism that would raise an alert for any successful privilege escalation” in Matebooks, the blog explained.

Soon after, Microsoft engineers found another backdoor in the Matebook: the same unsafe driver provided a capability for unprivileged users to directly access all data without having to upgrade privilege levels.

On Jan. 9, Huawei released a fix for these two vulnerabilities.

U.S. tech media Lightreading commented on March 29: “News of the backdoor is a bad look for Huawei.”
In an emailed statement on April 3, the Chinese company characterized the vulnerability as common in the industry.

"Huawei vehemently rejects any suggestion or inference that 'backdoors' exist in the development or delivery of any of our products or service," the statement read.

Huawei’s Record

The company, one of the world’s largest manufacturer of telecommunications equipment, smartphones, and other electronic devices, has come under fire for its close ties to the Chinese regime, which the U.S. and other governments have warned could mean its products have backdoors that allow the Chinese regime access to spy on people overseas.

Huawei has continually denied those claims, including by reasoning that no backdoor incident has ever been detected. Though this latest Microsoft incident does not appear to involve the Chinese regime, there have been documented cases demonstrating Huawei’s liability.

In January 2018, French newspaper Le Monde revealed that data from the headquarters building of the African Union was being transferred to a server in Shanghai every night.
The African Union’s headquarters is located in Addis Ababa, Ethiopia. The building, which cost $200 million, was built and financed by the Chinese regime as a gift. Huawei is one of the suppliers for the building’s computing system and telecommunication system, according to an analysis by Canberra-based think tank Australian Strategic Policy Institute, citing content from Huawei’s own website and documents obtained from the African Union, including contracts for the union’s IT infrastructure.

The think tank pointed out that while it is possible Huawei was not aware of the alleged data theft, the company’s obliviousness would itself be cause for a “national security concern.”

Meanwhile, a November 2018 report by the Weekend Australian said that according to an intelligence source, Australia has evidence that Huawei officials have been approached by the Chinese regime and pressured to disclose access codes and network details to hack into a foreign network.

The United States, Australia, New Zealand, and Japan have banned Huawei from its markets, citing security concerns. Several European mobile operators have also recently announced that they would not use Huawei’s products for their rollout of 5G network infrastructure.

This article has been updated to include a comment from Huawei.
Nicole Hao is a Washington-based reporter focused on China-related topics. Before joining the Epoch Media Group in July 2009, she worked as a global product manager for a railway business in Paris, France.