These HiSilicon-Based Security Cams And DVRs Are Vulnerable To Sneaky Firmware Backdoor

On By tech-tutorials
Security Camera
Well, this is disturbing. Russian security researcher Vladislav Yarmak is warning of a backdoor that exists in firmware for digital video recorder (DVR) and network video recorder (NVR) powered by HiSilicon system-on-chip (SoC) hardware. This is a zero-day vulnerability that could allow an attacker to gain root access to a compromised device, thereby giving them full control of the gadget.

Yarmak says he discovered the vulnerability in firmware made by Hangzhou Xiongmai Technology, a Chinese firm based in Hangzhou. This is an unsettling trend with Xiongmai—back in late 2018, it was reported that over 9 million cameras and DVRs built by Xiongmail (and rebranded by several other companies) were similarly susceptible to hacks.

According to Yarmak, the backdoor he discovered combines several previous vulnerabilities that he made public dating as far back as 2013.

“Apparently, all these years HiSilicon was unwilling or incapable to provide adequate security fixes for same backdoor which, by the way, was implemented intentionally,” Yarmak says.

Devices that are vulnerable process and accept connections on TCP port 9530. By sending strings of commands over the port on devices that are powered by HiSilcon SoCs, an attacker can log in with one of half a dozen Telnet credentials and gain access to a root account. This gives them unfettered access to the compromised device.

Unfortunately, there are no patches for affected devices. Given the spotty history, Yarmak says users shouldn’t expect this to be resolved in a satisfactory manner, and instead should consider replacing their hardware.

“Taking into account earlier bogus fixes for that vulnerability (backdoor, actually) it is not practical to expect security fixes for firmware from [the] vendor. Owners of such devices should consider switching to alternatives,” Yarmak said.

To be clear, this is not the fault the HiSilcon, which is owned by Huawei. It is the firmware by Xiongmai for certain devices with HiSilicon chips that is the problem.
“Any part of the supply chain may introduce vulnerabilities, which increases the difficulty in vulnerability response. Coordinated vulnerability disclosure is the best practice in the industry in this scenario. As an important part of the supply chain of video surveillance devices, HiSilicon is willing to cooperate with stakeholders in the industry to cope with cyber security risks through coordinated vulnerability disclosure and protect the interests of end users,” Huawei said in a statement.
Regardless of where the fault lies, a lot of products are affected. There is an extensive list on GitHub, with the following image of brands…
Brands Affected By DVR Firmware Backdoor
Source: tothi (via GitHub)

There are nearly 100 brands in the image above, and it may not even be a complete list. According to Yarmak, hundreds of thousands of devices could potentially be affected by this zero day vulnerability.

This is a bad look for Huawei, especially considering the US government has repeatedly raised security and spying concerns about the company (much to Huawei’s chagrin). Even though Huawei claims this was not intentional on the company’s part, and rightfully points out that exploits can be introduced at various at various points in the supply chain, it will not likely instill confidence by those who are skeptical of company.

‘).insertAfter(jQuery(‘#initdisqus’));
}
loadDisqus(jQuery(‘#initdisqus’), disqus_identifier, url);

}
else {
setTimeout(function () { disqusDefer(); }, 50);
}
}

disqusDefer();

function loadDisqus(source, identifier, url) {

if (jQuery(“#disqus_thread”).length) {
jQuery(“#disqus_thread”).remove();
}
jQuery(‘

‘).insertAfter(source);

if (window.DISQUS) {

DISQUS.reset({
reload: true,
config: function () {
this.page.identifier = identifier;
this.page.url = url;
}
});

} else {

//insert a wrapper in HTML after the relevant “show comments” link

disqus_identifier = identifier; //set the identifier argument
disqus_url = url; //set the permalink argument

//append the Disqus embed script to HTML
var dsq = document.createElement(‘script’); dsq.type = ‘text/javascript’; dsq.async = true;
dsq.src = ‘https://’ + disqus_shortname + ‘.disqus.com/embed.js’;
jQuery(‘head’).append(dsq);

}

jQuery(‘.show-disqus’).show();
source.hide();
};

function disqusEvent()
{
idleTime = 0;
}

Leave a Reply

Your email address will not be published. Required fields are marked *