At the Black Hat Europe conference that is currently in progress, Russian security expert Nikita Tarakanov has presented the results of his analysis of the driver software that Huawei ships with its 3G/4G USB sticks. According to the researcher, the various components – drivers, configuration software, update mechanisms – are all of insufficient quality.
The central update server was identified as a massive attack vector by Tarakanov: the Huawei software installs an application and driver auto-update component on every computer. The researcher said that the service in question will contact a server in the Netherlands and query it for updates every 15 minutes. Apparently, the web server is still running on Microsoft’s outdated Internet Information Server (IIS) version 6.0, which is part of Windows Server 2003. Tarakanov pointed out that whoever hacked that machine could infect millions of computers worldwide with malicious software.
After the presentation, three Huawei representatives, who had listened eagerly in the first row of the auditorium, written everything down and frantically taken pictures of every presentation slide with a tablet PC, told The H’s associates at heise Security that they had assumed the update server’s security was adequate. Tarakanov didn’t give the manufacturer any advance notice of his discoveries.
According to the Russian hacker, another issue with the update component is that the relevant service contains a vulnerability that makes it easy for potential attackers to escalate their privileges under Windows. Whether the service is vulnerable to remote attacks remains unclear. A further problem was discovered accidentally by iOS and PHP expert Stefan Esser just before the presentation: the researcher tweeted that installing the update component (ouc.app) gives unrestricted write access to the /usr/local directory under Mac OS X, which potentially allows malware to be injected into the system directory. His discovery became a last-minute addition to the presentation.
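To check a Mac for the /usr/local condition described above, the following shell functions list entries that any local user can write to. This is an added example, not code from the presentation or from Huawei; it assumes that "unrestricted write access" shows up as the world-writable permission bit, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a directory tree (default /usr/local) for entries that
# any local user can write to. Assumption: the problem is visible as the
# world-writable permission bit (o+w).
# Usage: . ./audit.sh && audit_tree /usr/local

# World-writable directories without the sticky bit: any user can add,
# delete or replace entries in them.
list_open_dirs() {
    find "${1:-/usr/local}" -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# World-writable directories with the sticky bit: existing entries are
# protected, but any user can still plant new ones.
list_sticky_dirs() {
    find "${1:-/usr/local}" -type d -perm -0002 -perm -1000 2>/dev/null
}

# World-writable regular files: any user can overwrite their contents.
list_open_files() {
    find "${1:-/usr/local}" -type f -perm -0002 2>/dev/null
}

# Print a report; return 1 if anything was found, so it can gate a check.
audit_tree() {
    root="${1:-/usr/local}"
    open=$(list_open_dirs "$root")
    sticky=$(list_sticky_dirs "$root")
    files=$(list_open_files "$root")
    if [ -z "$open" ] && [ -z "$sticky" ] && [ -z "$files" ]; then
        echo "OK: no world-writable entries under $root"
        return 0
    fi
    if [ -n "$open" ]; then
        printf 'World-writable directories (entries replaceable):\n%s\n' "$open"
    fi
    if [ -n "$sticky" ]; then
        printf 'World-writable directories (sticky, new entries only):\n%s\n' "$sticky"
    fi
    if [ -n "$files" ]; then
        printf 'World-writable files:\n%s\n' "$files"
    fi
    return 1
}
```

A finding is corrected by removing the bit (for example `chmod o-w` on the reported path) after confirming that nothing unexpected was placed there in the meantime.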
The Huawei representatives told heise Security that their company would work to provide updates to solve the disclosed problems as soon as possible; they added that they didn’t know how long this would take or how the new software versions would reach customers.