Researcher: Backdoor mechanism still active in devices using HiSilicon chips


Image: Magnus Engø

Russian security researcher Vladislav Yarmak has published today details about a backdoor mechanism he discovered in HiSilicon chips, used by millions of smart devices across the globe, such as security cameras, DVRs, NVRs, and others.

A firmware fix is not currently available as Yarmak did not report the issue to HiSilicon citing a lack of trust in the vendor to properly fix the issue.

In a detailed technical rundown that Yarmak published on Habr earlier today, the security researcher says the backdoor mechanism is actually a mash-up of four older security bugs/backdoors that were initially discovered and made public in March 2013, March 2017, July 2017, and September 2017.

“Apparently, all these years HiSilicon was unwilling or incapable to provide adequate security fixes for [the] same backdoor which, by the way, was implemented intentionally,” Yarmak said.

How the backdoor works

According to Yarmak, the backdoor can be exploited by sending a series of commands over TCP port 9530 to devices that use HiSilicon chips.

The commands will enable the Telnet service on a vulnerable device.

Yarmak says that once the Telnet service is up and running, the attacker can log in with one of the six Telnet credentials listed below, and gain access to a root account that grants them complete control over a vulnerable device.


Image: Vladislav Yarmak

These Telnet logins have been found in previous years as being hardcoded in the HiSilicon chip firmware, but despite the public reports, Yarmak says the vendor chose to leave them intact and disable the Telnet daemon instead.

Proof-of-concept code

Because Yarmak did not intend to report the vulnerability to HiSilicon, firmware patches are not available. Instead, the security researcher has created proof-of-concept (PoC) code that can be used to test if a “smart” device is running on top of HiSilicon system-on-chip (SoC), and if that SoC is vulnerable to attacks that can enable its Telnet service.

If a device is found to be vulnerable, the researcher is adamant in his Habr write-up that device owners should ditch and replace the equipment.

“Taking into account earlier bogus fixes for that vulnerability (backdoor, actually) it is not practical to expect security fixes for firmware from [the] vendor,” Yarmak said. “Owners of such devices should consider switching to alternatives.”

Where device owners cannot afford the price of new equipment, Yarmak recommends that users “should completely restrict network access to these devices to trusted users,” especially on device ports 23/tcp, 9530/tcp and 9527/tcp, the ports that can be exploited in attacks.
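The mitigation above is easy to state and easy to get wrong: a firewall rule can be added and still leave the ports reachable from an untrusted segment. The following script is an added example (it is not from the ZDNet article and not Yarmak's PoC) for defenders who have to verify that advice on equipment they own. It checks from a chosen vantage point whether 23/tcp, 9530/tcp or 9527/tcp still accept connections, and it triages iptables-style `LOG` lines to surface connection attempts to those ports from outside a list of trusted networks. The log lines, IP addresses and trusted range are constructed sample data; the `SRC=`/`DST=`/`PROTO=`/`DPT=` fields follow the standard iptables LOG format.

```python
"""Exposure check and log triage for the HiSilicon backdoor ports.

Added example (not the article's or Yarmak's code). Two defensive helpers:
  1. check_exposure(): does a TCP connect to the ports the article says to
     restrict, so a firewall rule can be verified from an untrusted vantage.
  2. flag_untrusted_hits(): parses iptables-style LOG lines and reports
     attempts on those ports that come from outside the trusted networks.
"""
import ipaddress
import re
import socket
import threading

# Ports named in the article as the ones to restrict (23 = Telnet).
BACKDOOR_PORTS = (23, 9530, 9527)


def check_exposure(host, ports=BACKDOOR_PORTS, timeout=1.0):
    """Return {port: True} where a TCP connect succeeded, {port: False} otherwise."""
    result = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            result[port] = s.connect_ex((host, port)) == 0
    return result


# Standard iptables LOG fields; only TCP lines are of interest here.
_LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=TCP .*?DPT=(\d+)")


def flag_untrusted_hits(log_lines, trusted_cidrs, ports=BACKDOOR_PORTS):
    """Return (src, dst, dport) tuples for TCP hits on the backdoor ports
    whose source address is not inside any trusted network."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in log_lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport not in ports:
            continue
        if any(ipaddress.ip_address(src) in net for net in trusted):
            continue
        hits.append((src, dst, dport))
    return hits


def start_local_listener():
    """Open a throwaway listener on 127.0.0.1 (ephemeral port) so that
    check_exposure() can be exercised offline; returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return port


# Constructed sample lines in iptables LOG format (not captured traffic).
SAMPLE_LOG = [
    "kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=51234 DPT=9530 SYN",
    "kernel: IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=40000 DPT=23 SYN",
    "kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=44444 DPT=80 SYN",
    "kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.21 LEN=60 PROTO=UDP SPT=44444 DPT=9527",
    "kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.21 LEN=60 PROTO=TCP SPT=44445 DPT=9527 SYN",
]

if __name__ == "__main__":
    # 192.168.1.0/24 stands in for the trusted management network.
    for hit in flag_untrusted_hits(SAMPLE_LOG, ["192.168.1.0/24"]):
        print("untrusted attempt on backdoor port:", hit)
    port = start_local_listener()
    print(check_exposure("127.0.0.1", [port]))
```

Run `check_exposure()` against a camera or DVR from a host that should not be allowed to reach it; any `True` means the restriction is not in place from that segment. The trusted-source filter in `flag_untrusted_hits()` keeps legitimate management traffic out of the alert list, so the remaining hits are what a SOC would want to look at.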

The proof-of-concept code is available on GitHub. Build and usage instructions for the PoC are available in the Habr post.

As for the impact, Yarmak says that the vulnerable HiSilicon chips most likely ship in devices from countless white-label vendors, sold under numerous brands and labels. Here, he cited the work of another researcher who in September 2017 tracked down a similar backdoor mechanism in HiSilicon firmware used by DVRs sold by tens of vendors.


Image: tothi on GitHub

ZDNet could not reach HiSilicon for comment as the Shenzhen-based company does not list a contact method on its official website.
