Sploit.io - Search

Product: Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro, version: Versions earlier than 9.1.0.131(C432E6R1P5T8),Vers

CVE-2019-5252

Severity: Unknown

Description: There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.

CVSS Score: N/A

Priority

D

CISA Data

EPSS Data

  • EPSS: 0.000500000
  • Percentile: 0.155440000
  • Date: 2026-02-08

ExploitDB

No data available.

HackerOne Data

  • Rank: 8666
  • Reports submitted count: 0
  • Unknown: 0
  • None: 0
  • Low: 0
  • Medium: 0
  • High: 0
  • Critical: 0

GitHub PoCs

    Nuclei Templates

    No data available.

    VulnCheck Data

    Affected Products:

    • n/a Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro - Versions:
      • Versions earlier than 9.1.0.131(C432E6R1P5T8)
      • Versions earlier than 9.1.0.139(C636E6R1P5T8)
      • Versions earlier than 9.1.0.217(C00E15R3P2T8)
      • Versions earlier than 9.1.0.237(C432E1R3P2T8)
      • Versions earlier than 9.1.0.237(C636E2R4P1T8)
      • Versions earlier than 9.1.0.124(C00E112R2P10T8)
      • Versions earlier than 9.1.0.136(C636E5R1P5T8)
      • Versions earlier than 9.1.0.115(C00E113R1P6T8)
      • Versions earlier than 9.1.0.122(C636E4R1P4T8)
      • Versions earlier than 9.1.0.248(C636E5R3P1)

    References:

    Risk Assessment

    1. Risk Assessment
    The vulnerability, improper authentication within the Huawei applock feature, presents a moderate risk. The nature of the vulnerability is that the applock, designed to secure applications on Huawei smartphones, doesn’t consistently perform robust authentication in certain, though potentially rare, conditions. This allows an attacker to bypass the applock and access the secured application. The business impact is primarily around data confidentiality – sensitive information within the unlocked application could be exposed. Likelihood of exploitation is moderate, as it relies on a specific rare condition, but the ease of exploitation, once the condition is met, is relatively high. Impacts on confidentiality are the primary concern, with potential for minor impacts to integrity depending on the application’s functionality. Availability is unlikely to be directly impacted unless the application itself is critical for a key business process. The EPSS score of 0.000500000 suggests a relatively low but non-negligible risk.

    2. Potential Attack Scenarios
    An attacker with physical access to the unlocked Huawei smartphone could exploit this vulnerability. The scenario unfolds as follows: The user has activated applock on a banking application. The attacker observes the user unlocking the phone and initiating the banking application, but not fully completing the applock authentication sequence due to the specific rare condition (perhaps a quick screen switch or specific gesture). The attacker quickly switches to the banking application, bypassing the intended applock authentication, and gains access to the user’s banking details. This could lead to fraudulent transactions or data theft. The attack vector is physical access to the device, and the process involves timing and observation. The potential outcome is unauthorized access to the application and its associated data.

    3. Mitigation Recommendations
    The primary mitigation is to update the Huawei smartphone to a version with the fix. Huawei has released updates for the affected models; the affected builds are versions earlier than 9.1.0.131(C432E6R1P5T8), 9.1.0.139(C636E6R1P5T8), 9.1.0.217(C00E15R3P2T8), 9.1.0.237(C432E1R3P2T8), 9.1.0.237(C636E2R4P1T8), 9.1.0.124(C00E112R2P10T8), 9.1.0.136(C636E5R1P5T8), 9.1.0.115(C00E113R1P6T8), 9.1.0.122(C636E4R1P4T8), and 9.1.0.248(C636E5R3P1). Users should navigate to Settings > System > Software update to check for and install the latest firmware. As an interim measure, users should take care to fully complete the applock authentication when locking and unlocking applications. Further details and the security advisory can be found at: https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191204-01-smartphone-en

    4. Executive Summary
    Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro) are affected by a vulnerability in the applock feature that could allow unauthorized access to locked applications. While the vulnerability requires a specific rare condition to be exploited, it poses a moderate risk to data confidentiality. An attacker with physical access to the device could bypass the applock and gain access to sensitive information within applications like banking or messaging. We recommend updating your Huawei smartphone to the latest firmware version to patch the vulnerability. This update is crucial for protecting sensitive data and ensuring the security of applications locked by the applock feature. The cost of patching is low compared to the potential business impact of a data breach or compromise.