At the Black Hat Europe conference that is currently in progress, Russian security expert Nikita Tarakanov has presented the results of his analysis of the driver software that Huawei ships with its 3G/4G USB sticks. According to the researcher, the various components – drivers, configuration software, update mechanisms – are all of insufficient quality.
After the presentation, three Huawei representatives who had listened eagerly in the first row of the auditorium, written everything down and frantically taken pictures of every presentation slide with a tablet PC told The H's associates at heise Security that they had assumed the update server's security was adequate. Tarakanov didn't give the manufacturer any advance notice of his discoveries.
According to the Russian hacker, another issue with the update component is that the relevant service contains a vulnerability that makes it easy for potential attackers to escalate their privileges under Windows. Whether the service is vulnerable to remote attacks remains unclear. A further problem was discovered accidentally by iOS and PHP expert Stefan Esser just before the presentation: the researcher tweeted that installing the update component (ouc.app) gives unrestricted write access to the
/usr/local directory under Mac OS X, which potentially allows malware to be injected into the system directory. His discovery became a last minute addition to the presentation.
The Huawei representatives told heise Security that their company would work to provide updates to solve the disclosed problems as soon as possible; they added that they didn't know long this would take or how the new software versions would reach customers.
No comments:
Post a Comment