
Russian security researcher Vladislav Yarmak today published details about a back door mechanism he discovered in HiSilicon chips, used by millions of smart devices around the world, such as security cameras, DVRs, NVRs and others.

A firmware fix is currently unavailable because Yarmak did not report the problem to HiSilicon: he did not trust the vendor to fix it properly.

In a detailed technical write-up that Yarmak published on Habr earlier today, the security researcher says the backdoor mechanism is actually a mash-up of four older security bugs/backdoors that were first discovered and made public in March 2013, March 2017, July 2017, and September 2017.

“Apparently HiSilicon was unwilling or unable to provide adequate security solutions for (the same) back door over the years that was intentionally implemented,” Yarmak said.

How the back door works

According to Yarmak, the back door can be exploited by sending a series of commands via TCP port 9530 to devices that use HiSilicon chips.

The commands enable the Telnet service on a vulnerable device.

Yarmak says that once the Telnet service is running, the attacker can log on with one of the six Telnet credentials listed below and gain access to a root account that gives him full control over a vulnerable device.

[Image: the six hard-coded Telnet credentials. Credit: Vladislav Yarmak]

These Telnet logins were found hard-coded in the HiSilicon chip firmware in previous years, but despite the public reports, Yarmak says the vendor chose to leave them intact and instead disabled the Telnet daemon.

Proof of concept code

Because Yarmak did not intend to report the vulnerability to HiSilicon, firmware patches are not available. Instead, the security researcher has created proof-of-concept (PoC) code that can be used to test whether a "smart" device runs on a HiSilicon system-on-chip (SoC) and whether that SoC is vulnerable to the attack that enables the Telnet service.

If a device turns out to be vulnerable, the Russian researcher urges in his Habr post that device owners discard and replace the equipment.

“Taking into account previous fake fixes for that vulnerability (back door, actually), it is not practical to expect security fixes for firmware from (the) supplier,” Yarmak said. “Owners of such devices should consider switching to alternatives.”

For device owners who cannot afford new equipment, Yarmak recommends that users "fully limit network access to these devices to trusted users", especially on ports 23/tcp, 9530/tcp and 9527/tcp, the ports the attack relies on.
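One way to check whether that restriction actually holds, as an added example that is not part of the article or of Yarmak's PoC: the script below reads connection records for a camera/DVR subnet and flags any source outside a trusted management network that reaches the three ports named above. The log format, the subnet 192.168.1.0/24 and the trusted network 10.0.0.0/24 are constructed assumptions for the example.

```python
import ipaddress

# TCP ports the article names as the ones the back door depends on:
# 9530 (enables Telnet), 23 (Telnet itself), 9527.
BACKDOOR_PORTS = {23, 9527, 9530}

# Constructed sample in a simple "src,dst,dport" flow-log style (not real data).
SAMPLE_FLOWS = """\
# src,dst,dport
192.168.1.10,192.168.1.50,9530
192.168.1.10,192.168.1.50,23
10.0.0.7,192.168.1.50,9530
203.0.113.9,192.168.1.51,9527
10.0.0.7,192.168.1.51,443
"""


def parse_flows(text):
    """Parse 'src,dst,dport' lines into (src_ip, dst_ip, dport) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        src, dst, dport = line.split(",")
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)))
    return flows


def flag_untrusted_backdoor_access(flows, camera_subnet, trusted_nets):
    """Return flows from outside the trusted networks that hit a backdoor port
    on a device in the camera subnet. Sources inside trusted_nets are allowed;
    everything else touching 23/9527/9530 on that subnet is an alert."""
    camera = ipaddress.ip_network(camera_subnet)
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    alerts = []
    for src, dst, dport in flows:
        if dst not in camera or dport not in BACKDOOR_PORTS:
            continue  # not a camera/DVR, or not one of the sensitive ports
        if any(src in net for net in trusted):
            continue  # trusted management host, permitted by the policy
        alerts.append((str(src), str(dst), dport))
    return alerts


if __name__ == "__main__":
    for src, dst, port in flag_untrusted_backdoor_access(
            parse_flows(SAMPLE_FLOWS), "192.168.1.0/24", ["10.0.0.0/24"]):
        print(f"ALERT untrusted {src} -> {dst}:{port}")
```

A hit from a host inside the camera subnet itself (as in the first two sample lines) is the case to watch for: it means the devices are not isolated from each other, so one compromised device can reach the others.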

The proof-of-concept code is available on GitHub. Build and use instructions for the PoC are available in the Habr post.

Regarding the impact, Yarmak says the vulnerable HiSilicon chips are likely shipped in devices from numerous white-label suppliers, under different brands and labels. He cited the work of another researcher who, in September 2017, discovered a similar back door mechanism in HiSilicon firmware used by DVRs sold by dozens of suppliers.

[Image: list of DVR brands affected by the September 2017 back door. Credit: tothi on GitHub]

ZDNet was unable to reach HiSilicon for comment because the Shenzhen-based company does not mention a contact method on its official website.