NSA-Inspired Vulnerability Found in Huawei Laptops

This is an interesting story of a serious vulnerability in a Huawei laptop driver that Microsoft found. The driver injects code into privileged user-mode processes from the kernel, a technique similar in style to the one used by the NSA's DOUBLEPULSAR implant that was leaked by the Shadow Brokers -- believed to be the Russian government -- and it's obvious that the driver's authors copied that technique.

What is less clear is whether the vulnerability -- which has been fixed -- was put into the Huawei driver accidentally or on purpose.

Posted on March 29, 2019 at 6:11 AM • 14 Comments


sle • March 29, 2019 8:55 AM

I have another set of questions.

This vulnerability was discovered thanks to Microsoft ATP, which uses specific monitoring inside the Windows kernel.

Can any other vendor perform the same? Or is the Kernel locked to Microsoft?

If locked, from a security standpoint is it better (only Microsoft can alter the kernel, with caution and a serious security process and review) or worse (in this field innovation is reduced to Microsoft's goodwill and ideas)?

Gunter Königsmann • March 29, 2019 9:26 AM

Process Explorer shows that Microsoft allows for extensive monitoring by userspace programs.

Whether locking something down is good or bad for security I don't know: the one who gives you the monitoring data might hide anything he wants. Not giving access to monitoring data means nearly anyone can hide his actions, but if you allow things to be monitored someone might use this data for spying on you in Spectre-like days.

1&1~=Umm • March 29, 2019 10:05 AM

@Bruce Schneier:

"What is less clear is whether the vulnerability -- which has been fixed -- was put into the Huawei driver accidentally or on purpose."

Or by whom and under what chain of authority.

There is also the question of 'When' as well.

As the article notes,

"'It also highlights just some of the extraordinarily awful things that hardware vendors do when they're tasked with writing software. When your hardware vendors are opening up big security flaws and copying malware techniques, one wonders if we need protection from the good guys as well as the bad ones.'"

Much of this 'awfulness' stems directly from the way the Microsoft OS works and allows unknown, unchecked code into and below the kernel, and its limited security provisions.

We do, and have for quite some time, known of better ways to do this, which are both more efficient and secure. However, doing things that way would put a bit of a major hole in what Microsoft's 'telemetry' can more covertly get its hands on.

Jack • March 29, 2019 11:01 AM

Shadow Brokers, believed to be the Russian government.. As in "Donald Trump, believed to be Vladimir Putin"?

Ross Snider • March 29, 2019 1:40 PM

I'm confused about this. Wasn't DOUBLEPULSAR a malware implant - NOT a vulnerability? Did Huawei drivers come with an implant?

Also, "believed to be the Russian Government" - I've seen this opinion on primarily this blog and some forums but I've also run into lots of other theories and nothing - so far - close to conclusive. The blog post makes it sound like there's a good consensus in the community. Has more definitive information come out?

another reader • March 30, 2019 2:56 PM

The United States has been trying hard to discredit Chinese manufacturers, starting with Lenovo years ago. There has been high pressure from the U.S. on European Union countries on this matter recently.

May it be a false flag operation against Huawei customers?

I would not rule out a non-appropriately protected development server at Huawei being attacked to introduce this code.

Anders • March 30, 2019 3:42 PM

@another reader

"Security" has long been used as a pretext to achieve other goals: money, power, position, economic edge, shutting down the opposition, etc., you name it.

I'm quite happy with my Huawei router.

VinnyG • April 1, 2019 5:42 AM

@1&1~=Umm re: "...by whom and under what chain of authority." Ex-freaking-xactly.
BTW, this being April 1, I note that many entities evidently still observe April Fools Day, and I wonder if there remains any real point in doing so. IMO - on the internet, every day is April Fools...

parabarbarian • April 1, 2019 9:02 AM

How the heck does a vulnerability get put in accidentally? I can understand the Chicoms wanting backdoor access to routers, which makes a claim of "Oops! It was an accident" even less believable.

Nameless Cow • April 1, 2019 2:00 PM

> How the heck does a vulnerability get put in accidentally?

The same way the vast majority of bugs get into software?

1&1~=Umm • April 5, 2019 4:46 AM

Did you spot the sting in the tail of the Huawei response?

Firstly, the 'no state interference' found by the GCHQ minions*

Secondly and more importantly,

"'The telecom industry requires unified standards for cybersecurity, which are necessary for its healthy development.'"

That is the 'We are going above and beyond our competitors' line, but the real sting is the unsaid 'We expect and will require that all our competitors go through the same level of scrutiny...'.

Which, for those that don't recognise it for what it is, is in effect a declaration of war on US and EU telecoms companies, and the Western politicians as usual blundered as though sleepwalking right into the trap; only they don't yet see it for what it is, but they will.

So beware 'Inscrutable Orientals bearing gifts'... It's certainly not the first and definitely won't be the last time they play this game and win.

Ex UK Chancellor George 'Gidiot / White lines' Osborne should be really proud of himself on this one, having opened that door and walked straight in...

As has been noted on this blog before, Confucianism, which is a religion without being a religion, teaches the benefits of long-term thinking and strategy and is much respected in the Far East. Whilst most Western politicians have no such teaching and in effect despise it, as they either cannot or will not see beyond the next 'press release' to polish their ego, 'confidential briefing' to back-stab a colleague, or in some cases lobbyist to tell them what to think...

I wonder if the NSA have realised what this means with respect to their activities with US telcos such as, oh, Cisco and Juniper to name but two they have 'implanted' or 'supply line tampered' with...

* This could mean (1) there was no state interference from China, or (2) the GCHQ minions did not see any evidence of state interference from China, or (3) they saw evidence of state interference but did not attribute it to China for some reason.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.