This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy (update in May 2018) >

Security Advisory - Bluetooth Unlock Bypassing Vulnerability in Some Huawei Mobile Phones

  • SA No:huawei-sa-20170323-01-smartphone
  • Initial Release Date: 2017-03-23
  • Last Release Date: 2018-06-21

Some Huawei mobile phones have a Bluetooth unlock bypassing vulnerability due to the lack of validation on Bluetooth devices. If a user has enabled the smart unlock function, an attacker can impersonate the user's Bluetooth device to unlock the user's mobile phone screen. (Vulnerability ID: HWPSIRT-2017-01088)
This vulnerability has been assigned a CVE ID: CVE-2017-2728.
Huawei has released software updates to fix this vulnerability. This advisory is available at the following link:
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170323-01-smartphone-en

Product Name

Affected Version

Resolved Product and Version

GT3

The versions before NMO-L23C605B350

NMO-L23C605B350

The versions before NMO-L31C10B351

NMO-L31C10B351

The versions before NMO-L31C185B352

NMO-L31C185B352

The versions before NMO-L31C432B350

NMO-L31C432B350

The versions before NMO-L31C464B350

NMO-L31C464B350

The versions before NMO-L31C636B351

NMO-L31C636B351

Honor 5A

The versions before CAM-L03C110B150

CAM-L03C110B150

The versions before CAM-L03C178B152

CAM-L03C178B152

The versions before CAM-L03C688B151

CAM-L03C688B151

The versions before CAM-L03DOMC109B125

CAM-L03DOMC109B125

The versions before CAM-L21C09B163

CAM-L21C09B163

The versions before CAM-L21C432B179

CAM-L21C432B179

The versions before CAM-L21C569B151

CAM-L21C569B151

The versions before CAM-L21C636B180

CAM-L21C636B180

The versions before CAM-L21ROUC150B131

CAM-L21ROUC150B131

Honor 5C

The versions before NEM-L21C432B351

NEM-L21C432B351

The versions before NEM-L22C636B351

NEM-L22C636B351

The versions before NEM-L51C10B351

NEM-L51C10B351

The versions before NEM-L51C432B350

NEM-L51C432B350

Honor 6X

The versions before BLL-L21C464B130

BLL-L21C464B130

The versions before Berlin-L21C10B360

Berlin-L21C10B360

The versions before Berlin-L21C185B360

Berlin-L21C185B360

The versions before Berlin-L21HNC10B360

Berlin-L21HNC10B360

The versions before Berlin-L21HNC185B360

Berlin-L21HNC185B360

The versions before Berlin-L21HNC432B360

Berlin-L21HNC432B360

The versions before Berlin-L22C636B150

Berlin-L22C636B160

The versions before Berlin-L22HNC636B360

Berlin-L22HNC636B360

The versions before Berlin-L23C605B141

Berlin-L23C605B141

Honor 7

The versions before PLK-AL10C00B388

PLK-AL10C00B388

The versions before PLK-L01C10B350

PLK-L01C10B350

The versions before PLK-L01C432B390

PLK-L01C432B390

The versions before PLK-L01C636B371

PLK-L01C636B371

Honor 8

The versions before FRD-L02C432B380

FRD-L02C432B380

The versions before FRD-L02C635B382

FRD-L02C635B382

The versions before FRD-L09C10B380

FRD-L09C10B380

The versions before FRD-L09C185B380

FRD-L09C185B380

The versions before FRD-L09C432B381

FRD-L09C432B381

The versions before FRD-L09C636B380

FRD-L09C636B380

The versions before FRD-L19C10B380

FRD-L19C10B380

The versions before FRD-L19C432B381

FRD-L19C432B381

The versions before FRD-L19C636B380

FRD-L19C636B380

MAIMANG 5

The versions before MLA-AL00C00B352

MLA-AL00C00B352

Mate 7

The versions before MT7-J1C635B593

MT7-J1C635B593

Mate 8

The versions before NXT-L09C185B580

NXT-L09C185B580

The versions before NXT-L09C432B570

NXT-L09C432B570

The versions before NXT-L09C605B585

NXT-L09C605B585

The versions before NXT-L09C636B580

NXT-L09C636B580

The versions before NXT-L29C10B580

NXT-L29C10B580

The versions before NXT-L29C185B580

NXT-L29C185B580

The versions before NXT-L29C432B581

NXT-L29C432B581

The versions before NXT-L29C605B585

NXT-L29C605B585

The versions before NXT-L29C636B580

NXT-L29C636B580

Mate S

The versions before CRR-L09C432B390

CRR-L09C432B390

The versions before CRR-UL00C636B361

CRR-UL00C636B361

The versions before CRR-UL20C432B390

CRR-UL20C432B390

Nova

The versions before Cannes-AL10C00B372

Cannes-AL10C00B372

P8

The versions before GRA-L09C432B394

GRA-L09C432B394

The versions before GRA-L09C605B365

GRA-L09C605B365

The versions before GRA-UL00C605B365

GRA-UL00C605B365

The versions before GRA-UL10C185B387

GRA-UL10C185B387

The versions before GRA-UL10C432B394

GRA-UL10C432B394

The versions before GRA-UL10C636B369

GRA-UL10C636B369

P8 Lite

The versions before ALE-L02C635B568

ALE-L02C635B568

The versions before ALE-L21C10B541

ALE-L21C10B541

The versions before ALE-L21C185B568

ALE-L21C185B568

The versions before ALE-L21C432B597

ALE-L21C432B597

The versions before ALE-L23C605B535

ALE-L23C605B535

P9

The versions before EVA-L09C185B385

EVA-L09C185B385

The versions before EVA-L09C432B383

EVA-L09C432B383

The versions before EVA-L09C605B385

EVA-L09C605B385

The versions before EVA-L09C635B380

EVA-L09C635B380

The versions before EVA-L09C636B380

EVA-L09C636B380

The versions before EVA-L19C10B380

EVA-L19C10B380

The versions before EVA-L19C185B385

EVA-L19C185B385

The versions before EVA-L19C432B383

EVA-L19C432B383

The versions before EVA-L19C605B385

EVA-L19C605B385

The versions before EVA-L19C636B381

EVA-L19C636B381

The versions before EVA-L29C20B386

EVA-L29C20B386

The versions before EVA-L29C636B380

EVA-L29C636B380

P9 Lite

The versions before VNS-L21C10B380

VNS-L21C10B380

The versions before VNS-L21C185B380

VNS-L21C185B380

The versions before VNS-L21C432B371

VNS-L21C432B371

The versions before VNS-L22C635B181

VNS-L22C635B181

The versions before VNS-L22C635B380

VNS-L22C635B380

The versions before VNS-L22C636B380

VNS-L22C636B380

The versions before VNS-L31C109B350

VNS-L31C109B350

The versions before VNS-L31C185B380

VNS-L31C185B380

The versions before VNS-L31C432B371

VNS-L31C432B371

The versions before VNS-L31C464B382

VNS-L31C464B382

The versions before VNS-L31C636B385

VNS-L31C636B385

P9 Plus

The versions before VIE-L09C318B182

VIE-L09C318B182

The versions before VIE-L09C432B370

VIE-L09C432B370

The versions before VIE-L09C605B361

VIE-L09C605B361

The versions before VIE-L29C10B381

VIE-L29C10B381

The versions before VIE-L29C185B380

VIE-L29C185B380

The versions before VIE-L29C605B361

VIE-L29C605B361

The versions before VIE-L29C636B370

VIE-L29C636B370

Successful exploit could allow an attacker to impersonate a user's Bluetooth device to unlock the user's mobile phone screen.

The vulnerability classification has been performed by using the CVSSv3 scoring system (http://www.first.org/cvss/specification-document).
Base Score: 6.4 (AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Temporal Score: 5.9 (E:F/RL:O/RC:C)
This vulnerability can be exploited only when the following conditions are present:
1. The attacker has obtained the user's mobile phone.
2. The attacker has obtained information about the user's Bluetooth device which has been paired to the user's mobile phone.
Vulnerability details:
If a user has enabled the smart unlock function, an attacker can impersonate the user's Bluetooth device to unlock the user's mobile phone screen.

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.

This vulnerability was reported to Huawei PSIRT by Nicky of Tencent Security Platform Department. Huawei would like to thank Nicky of Tencent Security Platform Department for working with us and coordinated vulnerability disclosure to protect our customers.

2018-06-21 V1.1 UPDATED Assigned a CVE ID(CVE-2017-2728) to the vulnerability; Updated the "Software Versions and Fixes" section;
2017-03-23 V1.0 INITIAL

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.