Huawei Subsidiary Distributes 0-Day Backdoor in DVRs, NVRs, IoT Cameras
One issue that’s been of increasing concern to US companies and customers is the fear that Chinese companies will create hard-wired backdoors into the various networking and 5G products they sell in Western markets. Such backdoors could then be exploited for corporate espionage or government surveillance.
Thus far, the evidence for this kind of deliberate backdooring has been mixed. A damning report by Bloomberg last year — one that I initially believed — faded into confused questions over whether the company had accurately reported the situation, along with disagreements over whether the backdoor as described was even technologically possible. A UK report on Huawei’s security practices last year found ample evidence of sloppy coding and poor version control, but turned up no sign of corporate or government backdoors aimed at allowing a coordinated surveillance campaign.
Now, a new report by Vladislav Yarmak explains how Huawei subsidiary HiSilicon has integrated a firmware backdoor into the SoCs it sells to various companies that build digital video recorders (DVRs), network-connected video recorders (NVRs), and various other devices. The backdoor is integrated into the SoC firmware, which means it gets deployed anywhere the SoC is. According to Yarmak, this backdoor has been deployed in at least three different versions since 2013.
Here’s Yarmak:
Earliest known versions of it had telnet access enabled with a static root password which can be recovered from firmware image with (relatively) little computation effort… More recent firmware versions had telnet access and debug port (9527/tcp) disabled by default. Instead they had open port 9530/tcp which was used to accept special command to start telnet daemon and enable shell access with static password which is the same for all devices…
Most recent firmware versions have open port 9530/tcp listening for special commands, but require cryptographic challenge-response authentication for them to be committed.
In other words, the backdoor implementation has become more sophisticated over time. There is a known set of logins and passwords that the hardware will accept for authentication. This bug affects a wide range of brands and models of hardware. So far, all of this sounds pretty bad.
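As an added example (not code from Yarmak's report or from this article), the sketch below turns the quoted description into a detection check over network flow records: it flags connections to the debug port 9527/tcp and to 9530/tcp, and marks telnet sessions that follow a 9530/tcp connection to the same device. The flow records, the 60-second window, and the rule names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Ports named in Yarmak's description quoted above.
TELNET, DEBUG, COMMAND = 23, 9527, 9530
# Assumption: telnet is expected shortly after the 9530/tcp command is accepted.
WINDOW = timedelta(seconds=60)

# Constructed flow records: (ISO timestamp, source IP, device IP, destination TCP port).
SAMPLE_FLOWS = [
    ("2020-02-05T10:00:00", "10.0.0.10", "10.0.0.50", 9530),
    ("2020-02-05T10:00:07", "10.0.0.10", "10.0.0.50", 23),
    ("2020-02-05T10:05:00", "10.0.0.11", "10.0.0.51", 554),   # ordinary RTSP, ignored
    ("2020-02-05T11:00:00", "10.0.0.12", "10.0.0.52", 9527),
    ("2020-02-05T12:00:00", "10.0.0.13", "10.0.0.53", 9530),
    ("2020-02-05T12:30:00", "10.0.0.13", "10.0.0.53", 23),    # outside the window
]

def find_alerts(flows, window=WINDOW):
    """Return sorted (device, rule) pairs for traffic matching the quoted behaviour."""
    alerts = set()
    last_command = {}  # device IP -> time of the most recent 9530/tcp connection
    for ts, _src, device, port in sorted(flows):
        when = datetime.fromisoformat(ts)
        if port == COMMAND:
            last_command[device] = when
            alerts.add((device, "connection-to-9530"))
        elif port == DEBUG:
            alerts.add((device, "connection-to-9527"))
        elif port == TELNET:
            seen = last_command.get(device)
            if seen is not None and when - seen <= window:
                # Telnet right after 9530/tcp: the sequence the report describes.
                alerts.add((device, "telnet-after-9530"))
            else:
                alerts.add((device, "telnet"))
    return sorted(alerts)

if __name__ == "__main__":
    for device, rule in find_alerts(SAMPLE_FLOWS):
        print(f"{device}\t{rule}")
```

Any hit is a reason to check the device's firmware and to keep recorders and cameras on a segment where these ports are not reachable from user or guest networks.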
Is This a Deliberate Attack Attempt?
There are reasons to believe this issue is more indicative of bad security practices at Huawei than a deliberate attempt to backdoor hardware. For one thing, the attack only works over a local network. In an update at the end of his post, Yarmak writes:
Other researchers and habr users had pointed out such vulnerability is restricted to devices based on Xiongmai (Hangzhou Xiongmai Technology Co, XMtech) software, including products of other vendors which ship products based on such software. At this moment HiSilicon can’t be held responsible for backdoor in dvrHelper/macGuarder binary.
And that undercuts the idea that this is something Huawei or HiSilicon was specifically and particularly trying to do. It doesn’t let them off the hook — vendors should conduct audits of the code they ship, and Huawei is specifically dealing with perceptions that it works too closely with the Chinese government already.
It’s very difficult to tell the difference between bad security practices and deliberate efforts to build a backdoor. What’s more serious, as Yarmak discusses, is that this isn’t the first or even second time this issue has been reported to Huawei. The entire reason he issued a zero-day report is that Huawei hasn’t previously been responsive to fixing the problem.
From a customer perspective, it seems wise to give Huawei equipment a wide berth, whether the company is spying for the Chinese government or not.