Date: 2020-02-05

One concern worrying US companies and customers is that Chinese companies are building hard-wired back doors into the various networking and 5G products they sell in Western markets. Such back doors could then be used for corporate espionage or government surveillance.

So far, the evidence for this type of deliberate back door has been mixed. A damning Bloomberg report from last year, which I initially believed, became clouded by confusion as to whether the company had reported the situation correctly, as well as by disagreements as to whether the back door described was technically possible at all. A British report on Huawei's security practices last year found numerous indications of incorrect coding and poor version control, but found no signs of corporate or government back doors aimed at enabling a coordinated surveillance campaign.

A new report by Vladislav Yarmak now explains how the Huawei subsidiary HiSilicon has integrated a firmware backdoor into the SoCs it sells to various companies that produce digital video recorders (DVRs), network video recorders (NVRs) and various other devices. The backdoor is built into the SoC firmware, which means that it is deployed wherever the SoC is used. According to Yarmak, this backdoor has been shipped in at least three different versions since 2013.

Here is Yarmak:

In the earliest known versions, Telnet access was activated with a static root password, which can be restored from the firmware image with (relatively) little computing effort. Telnet access and the debug port (9527/tcp) were deactivated by default in newer firmware versions. Instead, they had the open port 9530/tcp, which was used to accept a special command to start the Telnet daemon and allow shell access with a static password that is the same for all devices.

With the latest firmware versions, the open port 9530/tcp is waiting for special commands, but a cryptographic challenge-response authentication is required to commit them.

In other words, the backdoor implementation has become more complex over time. A number of logins and passwords that the hardware accepts for authentication are known. This bug affects a variety of hardware brands and models. So far it all sounds pretty bad.
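The port sequence in Yarmak's description gives defenders something concrete to look for in flow or firewall logs. The following Python is an added example, not code from Yarmak's report or from this article: it flags accepted connections to 9530/tcp or 9527/tcp on a device, and raises a high-severity alert when the same source opens Telnet (23/tcp) shortly afterwards. The log format, the 60-second window and all addresses are constructed assumptions.

```python
from datetime import datetime, timedelta

# Ports named in the report: 9530/tcp (command port), 9527/tcp (debug), 23/tcp (Telnet).
TRIGGER_PORT, DEBUG_PORT, TELNET_PORT = 9530, 9527, 23
WINDOW = timedelta(seconds=60)  # assumed correlation window, tune for your network

# Constructed, time-ordered flow records: "timestamp src dst dst_port action"
SAMPLE_LOG = """\
2020-02-05T10:00:01 192.0.2.10 10.0.0.50 554 ACCEPT
2020-02-05T10:00:05 192.0.2.77 10.0.0.50 9530 ACCEPT
2020-02-05T10:00:09 192.0.2.77 10.0.0.50 23 ACCEPT
2020-02-05T10:03:00 192.0.2.10 10.0.0.51 23 ACCEPT
2020-02-05T10:04:00 192.0.2.88 10.0.0.52 9530 DROP
2020-02-05T10:05:00 192.0.2.99 10.0.0.53 9527 ACCEPT
"""

def parse(line):
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action

def detect(log_text):
    """Return alerts as (severity, device, source, reason) tuples."""
    alerts, last_trigger = [], {}  # last_trigger: (src, dst) -> time of accepted 9530 flow
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = parse(line)
        if action != "ACCEPT":
            continue  # blocked attempts never reached the device
        if port == TRIGGER_PORT:
            last_trigger[(src, dst)] = ts
            alerts.append(("medium", dst, src, "9530/tcp reachable"))
        elif port == DEBUG_PORT:
            alerts.append(("medium", dst, src, "9527/tcp debug port reachable"))
        elif port == TELNET_PORT:
            seen = last_trigger.get((src, dst))
            if seen is not None and ts - seen <= WINDOW:
                alerts.append(("high", dst, src, "Telnet session after 9530/tcp contact"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

A Telnet connection with no preceding 9530/tcp contact is not flagged here, so legacy Telnet use does not drown out the pattern the report describes.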

Is this an intentional attempt to attack?

There are reasons to believe that this issue indicates poor security practices at Huawei rather than an intentional attempt to backdoor hardware. For one thing, the attack only works over a local network. In an update at the end of his post, Yarmak writes:

Other researchers and habr users had indicated that this vulnerability is limited to devices based on Xiongmai software (Hangzhou Xiongmai Technology Co., XMtech), including products from other vendors that provide products based on this software. HiSilicon cannot currently be held responsible for the back door in dvrHelper / macGuarder binary.

And that undermines the idea that this is something Huawei or HiSilicon specifically set out to do. This does not let them off the hook: vendors should check the code they ship, and Huawei in particular has to contend with the perception that it is already working too closely with the Chinese government.

It is very difficult to tell the difference between poor security practices and a deliberate attempt to build a back door. As Yarmak explains, this is not the first or even the second time that the problem has been reported to Huawei. He released a zero-day report because Huawei had not previously responded by fixing the problem.

From the customer’s point of view, it makes sense to give Huawei devices a wide berth, regardless of whether the company is spying for the Chinese government or not.

