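Computer security
Computer science
Exploit
Authentication (law)
Chain
Trust anchor
Workflow
Service (business)
Internet
Internet privacy
Computational trust
World Wide Web
Business
Reputation
Database
Psychotherapist
Psychology
Social science
Marketing
Sociology
Authors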
Xiaobo Xiang, Zhang Xiu, Qingli Guo, Xiaorui Gong, Baoxu Liu
Identifier
DOI:10.1109/acctcs58815.2023.00102
Abstract
Huawei's 1+8+N strategy is a popular solution for the Internet of Everything. With the introduction of its trust circle authentication mechanism, the security of device-to-device communication is guaranteed to some degree. Despite many security measures adopted in the protocols related to the trust circle service, we still find 0day vulnerabilities. In this work, we conduct a thorough security analysis of the implementation and workflow of Huawei's trust circle service. As a result, we find four 0day vulnerabilities in each of its stages and propose an exploit chain to bypass the "same account" check in the latest HarmonyOS at that time. These vulnerabilities are reported to the vendors, acknowledged and fixed by them in their subsequent releases.