In this advisory we are disclosing a vulnerability in the Huawei Over-The-Air (OTA) update implementation that allows bypassing SSL protections and executing a Man-In-The-Middle attack. The vulnerability was fixed in March 2022.
Huawei devices - both those running Android and those running HarmonyOS - use Huawei’s custom implementation for applying OTA updates.
OTA updates are packaged into a zip container. The update mechanism has several checks that are meant to ensure the authenticity of OTA images before they are applied: the over-the-air download is supposed to happen over a secure connection to prevent Man-In-The-Middle attacks, the zip file has a cryptographic signature that is verified by the update process, and finally the contents of the zip file include further authentication tags.
This advisory applies to a vulnerability in the way the secure connection is established which allows an effective MITM attack against both over-the-air update variants used in Huawei devices: OTA update triggered from Android (manually or automatically) and OTA update triggered manually from recovery (eRecovery FullOTA over Wi-Fi).
The usual Android OTA and the eRecovery Wi-Fi update download the update file from an update server. First, the update client asks Huawei’s query server whether there is any update for its current version. Then, if there is, the query server replies with the URLs and version numbers of the newer firmware, which the update client downloads. It also requests an update authorization token, which is effectively a cryptographic stamp for the recovery, proving that the just-downloaded firmware was legitimately requested and that the update process is granted by Huawei for that particular device.
The query is requested from the query.hicloud.com domain over HTTPS.
The CA of the SSL certificate used by the query server is pinned in both the recovery binary and the Android OTA updater app, so it is not feasible to impersonate the query server.
However, the problem is that when there is an update, the query server always returned HTTP URLs of the newer firmware!
The firmwares pointed to by the returned URLs are located on a CDN server (in our tests they were all from the update.dbankcdn.com domain), which hosts not only the update archive but also a file listing and a changelog.
The file listing <base URL>/full/filelist.xml contains the MD5 and SHA-256 hashes of the update.zip. These hashes serve no cryptographic purpose; they are only used to detect download errors.
The plaintext communication layer (HTTP) completely undermines the integrity of the update archives.
It is trivial to hijack an HTTP stream and serve something completely different from the original data from the position of a network man-in-the-middle attacker.
filelist.xml is also served from the same HTTP servers, so the hashes can be dynamically adjusted to match the hash of the injected custom
The final step, in which the client requests the authentication token for the newer version, is served over HTTPS, similar to the first query.
However, the request for an authentication token only contains the device identifiers and the version number of the newer image, and nothing connected to the actual
As a result, the authentication is always successfully granted by Huawei’s servers and the update process continues.
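The defender-side consequence of the flow described above, as an added example that is not Huawei's code: the filelist.xml hashes can only catch transfer corruption, so an update client has to treat them as meaningless unless the channel that delivered both the archive and the listing was itself authenticated (HTTPS with the pinned CA). The XML element layout, the sample archive bytes and the `pinned_ca_ok` flag are constructed assumptions; the page only states that filelist.xml carries the MD5 and SHA-256 of update.zip.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample archive; the real update.zip is a signed OTA container.
UPDATE_ZIP = b"PK\x03\x04constructed-update-archive-bytes"

# Assumed layout of <base URL>/full/filelist.xml (the page does not give the schema).
FILELIST_XML = """<filelist>
  <file name="update.zip" md5="{md5}" sha256="{sha256}"/>
</filelist>""".format(
    md5=hashlib.md5(UPDATE_ZIP).hexdigest(),
    sha256=hashlib.sha256(UPDATE_ZIP).hexdigest(),
)


def hashes_from_filelist(xml_text, name="update.zip"):
    """Return the (md5, sha256) pair listed for `name` in filelist.xml."""
    root = ET.fromstring(xml_text)
    for entry in root.iter("file"):
        if entry.get("name") == name:
            return entry.get("md5"), entry.get("sha256")
    raise ValueError(f"{name} not listed in filelist.xml")


def archive_matches_filelist(archive, xml_text):
    """True when the downloaded bytes match both listed hashes.
    This only detects transfer errors: the listing travels over the same
    channel as the archive, so it authenticates nothing by itself."""
    md5, sha256 = hashes_from_filelist(xml_text)
    return (hashlib.md5(archive).hexdigest() == md5
            and hashlib.sha256(archive).hexdigest() == sha256)


def download_is_trustworthy(url, archive, xml_text, pinned_ca_ok=True):
    """Policy an update client should enforce on the URLs the query server
    returns: plain http:// downloads are rejected outright, and the hash
    comparison is only meaningful once the transport was authenticated.
    `pinned_ca_ok` stands in for the pinned-CA check (hypothetical flag)."""
    transport_authenticated = urlparse(url).scheme == "https" and pinned_ca_ok
    if not transport_authenticated:
        return False
    return archive_matches_filelist(archive, xml_text)
```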
For a detailed description of the vulnerability impact, see CVE-2021-40045 and our presentation.
Affected Devices (Verified)
- Huawei Mate 30 Pro (LIO)
- Huawei P40 Pro (ELS)
- Huawei P40 (ANA)
- Huawei Mate40 Pro (NOH) EMUI
- Huawei MatePad Pro 12 (WGH) HarmonyOS
Qualcomm SM6115 Snapdragon 662
- Huawei nova 8i (NEN) EMUI
Huawei OTA images, released after March 2022, contain the fix for the vulnerability.
- 2020.11.15. Bug reported to Huawei PSIRT
- 2022.02.02. Update requested
- 2022.02.03. Huawei promises a response
- 2021.02.25. Huawei confirms vulnerability, assigns CVE, confirms severity
- 2021.03.01. Huawei releases security bulletin