Best of 2020: Was This Huawei’s Failed Attempt at a Linux Backdoor?

As we close out 2020, we at Security Boulevard wanted to highlight the five most popular articles of the year. Following is the fourth in our series of the Best of 2020.

A Huawei employee submitted a large, buggy patch to the Linux kernel. The so-called HKSP (Huawei Kernel Self Protection) apparently contained a “trivially exploitable” security hole.

The pseudonymous employee, wzt, has been fairly active in security for many years. So the behavior is curious, to say the least.

Yet, Huawei says it’s nothing to do with the company. In today’s SB Blogwatch, we study the suspicions.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Pandemic vs. Planes.


Mischievous Huawei?

What’s the craic? Catalin Cimpanu reports—“Huawei denies involvement in buggy Linux kernel patch proposal”:

 [A] buggy patch was submitted to the official Linux kernel project. … The patch allegedly introduced a series of security-hardening options to the Linux kernel.

The HKSP submission sparked interest in the Linux community. [So] the patch came under immediate scrutiny. [It] introduced a “trivially exploitable” vulnerability.

Rumors and conspiracy theories almost immediately started online, accusing Huawei of trying to sneakily introduce vulnerabilities in the Linux kernel. … The Chinese company has been accused numerous times in the past years of including backdoors in its networking devices, accusations that the company has always denied.

A report by the UK government last year found that Huawei networking equipment was riddled with security flaws that often went years without receiving patches. … Global anti-Huawei sentiment … has been spurred in recent years by countless security issues in the company’s products … accusations of hiding secret backdoors … and the West’s fear of having the Chinese government spy on worldwide communications.

And Bill Toulas adds—“Someone working for Huawei has tried to contribute to the Linux kernel”:

 Naturally, this discovery sparked rumors about the intention of the contributor, Huawei’s long-shot goal to try and weaken the security of the Linux kernel, and more. … The author of HKSP was forced to remove Huawei strings from the code and declared that this is a personal work and not an official project backed by his employer.

Huawei’s engineers have a documented history of screwing up security when they write code, so this story isn’t exactly unprecedented.

Who blew the whistle? Brad Spengler—“Huawei HKSP Introduces Trivially Exploitable Vulnerability”:

 We were contacted this morning by Huawei … “The patchset is not provided by Huawei official but an individual. And also not used in any Huawei devices.”

Based on publicly-available information, we know the author of the patch is a Huawei employee, and despite attempts now to distance itself from the code after publication of this post, … it still retains the Huawei naming. Further, on information from our sources, the employee is a Level 20 Principal Security staffer, the highest technical level within Huawei.

The Github repository … had a commit added to it this morning [in] the README file, distancing the code from Huawei. This commit was … backdated to Friday when the repository was created, creating the impression that we somehow intentionally ignored pertinent information that was readily available. This is obviously untrue.

The patch itself is riddled with bugs and weaknesses and generally lacks any kind of threat model. [It] introduced a trivially exploitable vulnerability due to a complete lack of defensive programming.

Effective security defenses require defined, realistic threat models. Defenses in the kernel should be programmed defensively. … The kernel can effectively be thought of as the largest, most vulnerable setuid root binary on the system.

What does the perp have to say? Here’s the being known only as wzt:

 This mail and previous mail were my personal activities. I have done my research in spare time. The name HKSP was given by myself; it’s not related to the Huawei company.

This patch code is raised by me, as one person [who] does not have enough energy to cover everything. So there is a lack of quality assurance like review and test. This patch is just demo code.

The wzt doth protest too much, methinks. danieldk thinks similarly:

 If you are going to try to insert backdoors, you will come up with a way to [do] it with plausible deniability. Letting an employee post the patch [with] their own credentials is one way of setting up plausible deniability.

And Aighearach doesn’t exactly sit on the fence:

 It’s hilarious. He’s one of their top engineers, and it has nothing to do with his work, but he used the company name in its title.

Lying across cultures is so hard! Who knows which details will stand out. So much easier when you know which questions are allowed to be asked, and which aren’t.

But cycomanic whatabouts furiously:

 This seems to really be a story blown out of proportion based on the current political climate. I don’t believe a similar vulnerability in a patch from Cisco, Intel, Google or any of the others (and they had patches which were similarly criticized by grsecurity) would have received a backdoor label in the headlines.

That is not to say that we should not strongly scrutinise patches from Huawei.

Similarly, Pascal Monett compares and contrasts—“Ah, that old chestnut”:

 “Security interests have been warning for over a year that Huawei Cisco and other Chinese US corporations are susceptible to governmental interference from Beijing Washington.”

To which, tails4e brings this smackdown:

 This is explicitly security oriented code. The release notes indicate a high awareness of security issues and discuss some advanced topics.

And then the code has a way of leaking kernel memory. Do you really doubt an engineer (or potentially team of engineers) working in security could not see [that]? It’s suspect at least.

Some say Huawei is new to this Linux thing. jeromef points out that’s bunkum:

 Huawei is a long time contributor to the kernel. [In] 2017:

– #15 in the list “Top companies contributing to the Linux kernel, 4.8–4.13”
– #3 (after Intel and Google) in the list of companies bringing in the most new developers

I would be surprised if things had changed significantly in the last 2-3 years.

Meanwhile, dylan604 quacks up:

 Walks like a duck, sounds like a duck: Must be a duck. Don’t care what country a company is from.

And Finally:

Airports Before and After COVID-19

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image sauce: Gerd Altmann (Pixabay)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
