Huawei Subsidiary Distributes 0-Day Backdoor in DVRs, NVRs, IoT Cameras

One issue that’s been of increasing concern to US companies and customers is the fear that Chinese companies will create hard-wired backdoors into the various networking and 5G products they sell in Western markets. Such backdoors could then be exploited for corporate espionage or government surveillance.
Thus far, the evidence for this kind of deliberate backdooring has been mixed. A damning report by Bloomberg last year — one that I initially believed — faded into confused questions over whether the company had accurately reported the situation, along with disagreements over whether the backdoor as described was even technologically possible. A UK report on Huawei’s security practices last year found ample evidence of sloppy coding and poor version control, but turned up no sign of corporate or government backdoors aimed at allowing a coordinated surveillance campaign.
Now, a new report by Vladislav Yarmak explains how Huawei subsidiary HiSilicon has integrated a firmware backdoor into the SoCs it sells to various companies that build digital video recorders (DVRs), network-connected video recorders (NVRs), and various other devices. The backdoor is integrated into the SoC firmware, which means it gets deployed anywhere the SoC is. According to Yarmak, this backdoor has been deployed in at least three different versions since 2013.
Here’s Yarmak:
Earliest known versions of it had telnet access enabled with a static root password which can be recovered from firmware image with (relatively) little computation effort… More recent firmware versions had telnet access and debug port (9527/tcp) disabled by default. Instead they had open port 9530/tcp which was used to accept special command to start telnet daemon and enable shell access with static password which is the same for all devices…
Most recent firmware versions have open port 9530/tcp listening for special commands, but require cryptographic challenge-response authentication for them to be committed.
In other words, the backdoor implementation has become more sophisticated over time. There is a known set of logins and passwords that the hardware will accept for authentication. This bug affects a wide range of brands and models of hardware. So far, all of this sounds pretty bad.
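Because the mechanism Yarmak describes depends on a small set of fixed TCP ports (9527 for the debug service, 9530 for the command port, and 23 once the telnet daemon is switched on), a network owner can watch for it without touching the devices themselves. The following is an added example written for this article, not code from Yarmak's research or from any vendor: it parses a constructed, hypothetical key=value connection log, flags any contact with the two control ports, and raises the severity when a telnet session to the same device follows shortly after a command-port contact, which is the activation pattern the quoted text describes. The log format, the IP addresses and the five-minute window are all assumptions for the illustration.

```python
import re
from datetime import datetime, timedelta

# Ports named in Yarmak's write-up: 9527/tcp (debug), 9530/tcp (command port),
# and 23/tcp for the telnet daemon the command port can switch on.
CONTROL_PORTS = {9527: "debug port", 9530: "command port"}
TELNET_PORT = 23
# Assumed window: a telnet connection this soon after a 9530 contact to the
# same device looks like the "start telnet daemon" sequence, not routine admin.
ACTIVATION_WINDOW = timedelta(minutes=5)

# Constructed sample log (not from the article). The key=value syslog layout
# is hypothetical; adapt LINE_RE to whatever your firewall or Zeek export emits.
SAMPLE_LOG = """\
2020-02-05T10:00:01Z src=10.0.1.5 dst=10.0.2.20 dport=80 proto=tcp
2020-02-05T10:00:07Z src=10.0.1.9 dst=10.0.2.21 dport=9530 proto=tcp
2020-02-05T10:00:09Z src=10.0.1.9 dst=10.0.2.21 dport=23 proto=tcp
2020-02-05T10:03:30Z src=10.0.1.5 dst=10.0.2.22 dport=9527 proto=tcp
2020-02-05T10:20:00Z src=10.0.1.5 dst=10.0.2.20 dport=23 proto=tcp
not a log line at all
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse_line(line):
    """Return a dict for one connection record, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"],
    }


def detect(log_text):
    """Return a list of (severity, message) alerts, in log order."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    alerts = []
    last_command_contact = {}  # (src, dst) -> timestamp of latest 9530/tcp contact
    for e in events:
        if e["proto"] != "tcp":
            continue
        if e["dport"] in CONTROL_PORTS:
            alerts.append(("medium", f"{e['src']} -> {e['dst']}:{e['dport']} "
                                     f"({CONTROL_PORTS[e['dport']]} contacted)"))
            if e["dport"] == 9530:
                last_command_contact[(e["src"], e["dst"])] = e["ts"]
        elif e["dport"] == TELNET_PORT:
            since = last_command_contact.get((e["src"], e["dst"]))
            if since is not None and e["ts"] - since <= ACTIVATION_WINDOW:
                delta = int((e["ts"] - since).total_seconds())
                alerts.append(("high", f"{e['src']} -> {e['dst']}: telnet {delta}s "
                                       f"after command-port contact (possible activation)"))
            else:
                alerts.append(("low", f"{e['src']} -> {e['dst']}: telnet without "
                                      f"preceding command-port contact"))
    return alerts


if __name__ == "__main__":
    for severity, msg in detect(SAMPLE_LOG):
        print(f"[{severity}] {msg}")
```

On the sample above the script emits four alerts: the two control-port contacts at medium, the telnet session two seconds after the 9530 contact at high, and the stand-alone telnet session at low. Any hit at all on 9530/tcp or 9527/tcp is worth investigating on a camera VLAN, since the article gives no legitimate reason for those ports to be reachable; the severity split only helps triage when the log is large.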
Is This a Deliberate Attack Attempt?
There are reasons to believe this issue is more indicative of bad security practices at Huawei than a deliberate attempt to backdoor hardware. For one thing, the attack only works over a local network. In an update at the end of his post, Yarmak writes:
Other researchers and habr users had pointed out such vulnerability is restricted to devices based on Xiongmai (Hangzhou Xiongmai Technology Co, XMtech) software, including products of other vendors which ship products based on such software. At this moment HiSilicon can’t be held responsible for backdoor in dvrHelper/macGuarder binary.
And that undercuts the idea that this is something Huawei or HiSilicon was specifically and particularly trying to do. It doesn’t let them off the hook — vendors should conduct audits of the code they ship, and Huawei is specifically dealing with perceptions that it works too closely with the Chinese government already.
It’s very difficult to tell the difference between bad security practices and deliberate efforts to build a backdoor. What’s more serious, as Yarmak discusses, is that this isn’t the first or even second time this issue has been reported to Huawei. The entire reason he issued a zero-day report is that Huawei hasn’t previously been responsive to fixing the problem.
From a customer perspective, it seems wise to give Huawei equipment a wide berth, whether the company is spying for the Chinese government or not.