Huawei Subsidiary Distributes 0-Day Backdoor in DVRs, NVRs, IoT Cameras

One issue that’s been of increasing concern to US companies and customers is the fear that Chinese companies will create hard-wired backdoors into the various networking and 5G products they sell in Western markets. Such backdoors could then be exploited for corporate espionage or government surveillance.

Thus far, the evidence for this kind of deliberate backdooring has been mixed. A damning report by Bloomberg last year — one that I initially believed — faded into confused questions over whether the company had accurately reported the situation, along with disagreements over whether the backdoor as described was even technologically possible. A UK report on Huawei’s security practices last year found ample evidence of sloppy coding and poor version control, but turned up no sign of corporate or government backdoors aimed at allowing a coordinated surveillance campaign.

Now, a new report by Vladislav Yarmak explains how Huawei subsidiary HiSilicon has integrated a firmware backdoor into the SoCs it sells to various companies that build digital video recorders (DVRs), network-connected video recorders (NVRs), and various other devices. The backdoor is integrated into the SoC firmware, which means it gets deployed anywhere the SoC is. According to Yarmak, this backdoor has been deployed in at least three different versions since 2013.

Here’s Yarmak:

Earliest known versions of it had telnet access enabled with a static root password which can be recovered from the firmware image with (relatively) little computation effort… More recent firmware versions had telnet access and the debug port (9527/tcp) disabled by default. Instead they had open port 9530/tcp, which was used to accept a special command to start the telnet daemon and enable shell access with a static password which is the same for all devices…

Most recent firmware versions have open port 9530/tcp listening for special commands, but require cryptographic challenge-response authentication for them to be committed.

In other words, the backdoor implementation has become more sophisticated over time. There is a known set of logins and passwords that the hardware will accept for authentication. This bug affects a large number of brands and models of hardware. So far, all of this sounds pretty bad.
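As an added illustration (not code from the article or from Yarmak's post), the following detection logic runs over constructed connection-log lines and flags traffic to the ports named in the quote above on a monitored camera VLAN. Only the port numbers come from the page; the log format, the subnet and the sample records are assumptions.

```python
import ipaddress

# Ports from Yarmak's description: 9527/tcp (debug port in older firmware),
# 9530/tcp (command port that starts the telnet daemon) and 23/tcp (telnet itself).
BACKDOOR_PORTS = {9527: "debug port", 9530: "telnet-enable command port", 23: "telnet"}

# Constructed sample records in a simplified connection-log shape (not a real capture):
# timestamp source destination dest_port protocol
SAMPLE_LOG = """\
2020-02-05T10:00:01 192.168.10.5 192.168.20.11 443 tcp
2020-02-05T10:00:02 192.168.10.77 192.168.20.11 9530 tcp
2020-02-05T10:00:03 192.168.10.77 192.168.20.11 23 tcp
2020-02-05T10:00:05 192.168.10.5 192.168.20.12 9527 tcp
2020-02-05T10:00:09 10.0.0.3 192.168.20.11 9530 udp
2020-02-05T10:00:12 192.168.10.5 192.168.30.4 9530 tcp
"""

# Assumed (hypothetical) address range of the DVR/NVR/camera VLAN being monitored.
CAMERA_SUBNET = ipaddress.ip_network("192.168.20.0/24")


def parse_line(line):
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def find_backdoor_port_activity(log_text, camera_subnet=CAMERA_SUBNET):
    """Flag TCP connections to the backdoor ports on hosts in the camera subnet.
    9530/tcp followed by 23/tcp from the same source to the same device matches
    the 'send enable command, then telnet in' sequence and is rated high."""
    alerts = []
    seen_9530 = set()  # (src, dst) pairs that already touched the command port
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "tcp" or rec["dport"] not in BACKDOOR_PORTS:
            continue  # UDP noise and unrelated ports are ignored
        if ipaddress.ip_address(rec["dst"]) not in camera_subnet:
            continue  # only devices in the monitored VLAN are of interest
        pair = (rec["src"], rec["dst"])
        severity = "medium"
        if rec["dport"] == 9530:
            seen_9530.add(pair)
        elif rec["dport"] == 23 and pair in seen_9530:
            severity = "high"  # telnet right after the enable command
        alerts.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                       "port": rec["dport"], "what": BACKDOOR_PORTS[rec["dport"]],
                       "severity": severity})
    return alerts
```

On the sample records this yields three alerts: the 9530/tcp contact and the 9527/tcp probe at medium severity, and the telnet connection that follows the 9530/tcp command from the same source at high severity.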

Is This a Deliberate Attack Attempt?

There are reasons to believe this issue is more indicative of bad security practices at Huawei than a deliberate attempt to backdoor hardware. For one thing, the attack only works over a local network. In an update at the end of his post, Yarmak writes:

Other researchers and habr users have pointed out that such a vulnerability is restricted to devices based on Xiongmai (Hangzhou Xiongmai Technology Co, XMtech) software, including products of other vendors which ship products based on such software. At this moment HiSilicon can’t be held responsible for the backdoor in the dvrHelper/macGuarder binary.

And that undercuts the idea that this is something Huawei or HiSilicon was specifically trying to do. It doesn’t let them off the hook — vendors should audit the code they ship, and Huawei is already contending with perceptions that it works too closely with the Chinese government.

It’s very difficult to tell the difference between bad security practices and deliberate efforts to build a backdoor. What’s more serious, as Yarmak discusses, is that this isn’t the first or even second time this issue has been reported to Huawei. The entire reason he issued a zero-day report is that Huawei hasn’t previously been responsive to fixing the problem.

From a customer perspective, it seems wise to give Huawei equipment a wide berth, whether the company is spying for the Chinese government or not.