Huawei Hacked My Laptop?

By , 25 July 2020

The screenshot above shows a script called "Huawei Autorun" which executes the command "xhost +" when you login. This command makes your Linux desktop remotely accessible to anyone on the network. The "Huawei Autorun" script appeared on my laptop after installing a Huawei E353 HSPA+ 3G USB stick (with serial number CE0682 on the back).

It seems like I dodged a bullet as I don't use the standard Linux GNOME desktop, so the script was not enabled, but the fact remains that Huawei installed malware on my Linux laptop. If they managed to get into my laptop, imagine what is happening inside your phone.

State-sponsored hacking is real.

----UPDATE----

For those who requested more information: the OS is Debian 8.1 LTS. The script is basically a one-liner embedded in an autostart launcher (see below). It was installed as root, so I must have screwed up big time there. Obviously, I'll have to reinstall my OS. Debian 8 is at end of life now anyway.

$ cat /etc/xdg/autostart/HuaweiAutoStart.desktop 
[Desktop Entry]
Version=1.0
Encoding=UTF-8
Name=Huawei  AutoRun
Name[en_US]=Huawei AutoRun
Exec=xhost +
SwallowExec=
SwallowTitle=
Terminal=false
TerminalOptions=
Type=Application
URL=
X-KDE-SubstituteUID=false
X-GNOME-Autostart-enabled=true
GenericName[en_US]=

----UPDATE 2----

Okay, I decided to check out this modem. It does include Linux drivers which require root for installation. I reran the installation script as root and sure enough the same autostart script was reinstalled.

$ ls /etc/xdg/autostart/ -l
total 116
-rw-r--r-- 1 root root  305 Oct 10  2014 at-spi-dbus-bus.desktop
-rw-r--r-- 1 root root 6351 Oct 21  2014 gnome-keyring-gpg.desktop
-rw-r--r-- 1 root root 7777 Oct 21  2014 gnome-keyring-pkcs11.desktop
-rw-r--r-- 1 root root 7339 Oct 21  2014 gnome-keyring-secrets.desktop
-rw-r--r-- 1 root root 5996 Oct 21  2014 gnome-keyring-ssh.desktop
-rw-r--r-- 1 root root 7741 Aug 27  2014 gsettings-data-convert.desktop
-rwxr-xr-x 1 root root  262 Jul 25 23:59 HuaweiAutoStart.desktop
....

This entry is also installed as $HOME/.config/autostart/HuaweiAutoStart.desktop. Another script, called ReadDisplay, is installed in /usr/local/modem; it passes the $DISPLAY environment variable to a binary called MobilePartner. The drivers do include a GUI, but if the sole purpose of all this is to launch that GUI, then it is not only exceptionally sloppy code but also a security risk that needs explaining.
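An added audit script, not part of the original post or of Huawei's driver package: it scans the two autostart directories named above for .desktop entries whose Exec= line runs xhost with "+", flagging a bare "xhost +" (access control disabled for every client) separately from "xhost +host". The fixture directory and the gnome-keyring entry in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit example, not from the post or from the Huawei driver package.
# Flags autostart .desktop entries whose Exec= line runs xhost with "+",
# which is exactly what HuaweiAutoStart.desktop does.

# audit_autostart DIR...: print one line per entry that runs xhost with "+",
# prefixed CRITICAL for a bare "xhost +" or WARN for "xhost +host".
# Returns 0 when nothing was found, 1 otherwise.
audit_autostart() {
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.desktop; do
            [ -f "$f" ] || continue
            # First Exec= line of the entry, key and leading blanks stripped.
            raw=$(sed -n 's/^Exec=[[:space:]]*//p' "$f" | head -n 1)
            # Pad with spaces so a bare "+" is matched as a whole word.
            case " $raw " in
                *xhost*" + "*) sev=CRITICAL ;;
                *xhost*+*)     sev=WARN ;;
                *)             continue ;;
            esac
            printf '%s: %s Exec=%s\n' "$sev" "$f" "$raw"
            found=1
        done
    done
    return $found
}

# make_fixture: constructed sample directory holding the entry from the post
# next to a harmless one, so the audit can be exercised offline.
make_fixture() {
    d=$(mktemp -d)
    printf '[Desktop Entry]\nType=Application\nName=Huawei AutoRun\nExec=xhost +\n' \
        > "$d/HuaweiAutoStart.desktop"
    printf '[Desktop Entry]\nType=Application\nName=Keyring\nExec=/usr/bin/gnome-keyring-daemon --start\n' \
        > "$d/gnome-keyring-ssh.desktop"
    echo "$d"
}

# Run against the constructed fixture, then against the real directories.
fixture=$(make_fixture)
audit_autostart "$fixture" || echo "fixture: xhost entry detected as expected"
rm -rf "$fixture"
if audit_autostart /etc/xdg/autostart "$HOME/.config/autostart"; then
    echo "no xhost autostart entries found"
fi
```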

Below is a tarball image of the huawei e353 drivers so you can audit them for yourself. I've included the Windows drivers so you get an image of the disk just as I have it. Heck you could even try it for yourself. The drivers didn't compile the second time I did this, but the autostart script was still installed.

Download huawei e353 drivers (warning, possible malware!)

----UPDATE 3----

I'm giving Huawei the benefit of the doubt on this one. As a commenter suggested, it is probably a hack to run the GUI as root. Either way, it is still a nasty vulnerability, even if your X server is configured to use local sockets by default. I guess this shows the folly of blindly trusting hardware manufacturers. I'll be sticking to open source code from official repositories in the future.

Live and learn, I suppose.

Comment posted by: Andy, last week

Based on the article, I would think it is just a sloppy and lazy implementation, but the title does serve as click bait. The comment about avoiding purely Chinese companies, or wanting at least an American company involved, is pure ignorance, or turning a blind eye to what is happening around the world, and purely cynical. Every country spies on people when it has the means and ways. So don't even think for a second that an American company's involvement will make it any better. That would be pure ignorance.
https://www.telegraph.co.uk/news/worldnews/northamerica/usa/10403598/35-world-leaders-had-their-phones-monitored-by-US-spies.html

Comment posted by: Graham, last week

It's more likely the package installed some graphical configuration tool that needs to run as root. Running "xhost +" is a lazy way to enable programs running as root to connect to your non-root user's X11 session.

I don't know what debian's default settings are regarding Xorg and networking, but on my laptop Xorg appears to only be listening on unix sockets, which are obviously not accessible from the whole network.

Comment posted by: Anon111, last week

State-sponsored hacking is real.

Yes. It's happening. 14 eyes (US+others) are also doing it. So I don't trust US services and devices either.

While they're banning each other over different things, open hardware is rising up and welcoming everyone (for example RISC-V). We need things like this in this world to bring in peace so that they don't fight over silly things.

Comment posted by: hudhacks, last week

Clean the system; you most likely found one piece of the drop. Replace the drive. Looks to be a long weekend.

Comment posted by: Jon Durrem, last week

I avoid any pure Chinese tech, where possible. By law in China, all companies must work with the CCP (which means the military). Obviously, iPhones and such are made in China, although production is starting to move to other countries under Trump's trade policies, but at least there is an American company involved on the HW and SW sides.

Comment posted by: someperson, last week

Did inserting the Huawei E353 dongle attach a virtual CD-ROM drive that you manually installed drivers from? I know for a fact similar devices (e.g., ZTE MF910) offer drivers this way. The generic Linux USB ethernet driver worked fine, so there's no need to install Huawei's or ZTE's driver.

It's worth mentioning USB On-The-Go devices (including Android phones and 4G modems) have relatively powerful processors running a wide variety of network services, including an insecure web server (for the end-user web configuration interface), high-precision location, a high bandwidth internet side-channel (the 4G connection itself) while also having the ability to act as any USB client device (including keyboards to send keystrokes). They are an incredibly powerful platform for targeted cyberattacks and I imagine state actors are using them very often.