This security blunder could be exploited over the local network to inject commands into vulnerable equipment. A hardware researcher going by the name of Vladislav Yarmak explained on Monday how the tech giant left a remote debugging and management tool in its firmware used in network-connected video recorders and security cameras.
To be clear, this security vulnerability is said to be present in the software HiSilicon provides with its system-on-chips to customers. These components, backdoor and all, are then used by an untold number of manufacturers in network-connected recorders and cameras.
The backdoor, as described by Yarmak, is pretty simple. The firmware opens a service on TCP port 9530. You connect to this port, and exchange some data to agree upon a randomly generated session key that's used to encrypt the rest of your communications with the software. You then send a request, Telnet:OpenOnce, to the device to tell it to open a Telnet service. If all goes to plan, a Telnet daemon starts on TCP port 9527. You then connect to that remote service with the username root and password 123456 – there are in fact six possible root passwords – and you're in as the superuser, able to debug and control the gizmo, and issue shell commands to the underlying Busybox-based Linux operating system. One of the passwords suggests this affects at least devices using HiSilicon's Arm-based hi3518 system-on-chip. The full client-server exchange is detailed in Yarmak's write-up. A crucial point is that although both sides agree on a session key, the agreement relies on a pre-shared key that is present in plaintext in the firmware for anyone to find, extract and use. It doesn't appear this port 9530 service is open to the internet, rather just the local network.
It's not a major threat, or anything people need to fret about, it's just another indicator of Huawei's piss-poor approach to security.
HiSilicon and Huawei did not respond to requests for comment.
We're told these backdoor shenanigans are nothing new for HiSilicon, as the manufacturer has been accused of enabling remote access in its firmware on purpose going back as far as 2013. The Telnet daemon used to be enabled by default in earlier versions of the firmware; since 2017, it seems, you have to unlock it by knocking on the software stack in a particular way.
"Devices with vulnerable firmware has the macGuarder or dvrHelper process running and accepting connections on TCP port 9530," wrote Yarmak.
"More recent firmware versions had Telnet access and debug port (9527/tcp) disabled by default. Instead they had open port 9530/tcp which was used to accept special command to start telnet daemon and enable shell access with static password which is the same for all devices."

Yarmak claims hundreds of thousands of devices may be open to this kind of issue, although a Shodan.io scan revealed just 13 with that magic port 9530 open. Then again, there may be many more open on local networks. This is a zero-day vulnerability because it seems Huawei wasn't warned about it before this week's public disclosure. Here's how Yarmak put it:
It is not practical to expect security fixes for the firmware from the vendor. Owners of such devices should consider switching to alternatives.
However, if a replacement is not possible, device owners should completely restrict network access to these devices to trusted users. Ports involved in this vulnerability are 23/tcp, 9530/tcp, 9527/tcp, but earlier research indicates there is no confidence other services' implementation is solid and doesn't contain RCE [remote code execution] vulnerabilities.
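For owners who cannot replace the hardware, the practical step Yarmak recommends is to find which devices on the local network expose the three ports named above and fence them off to trusted administrators. The following Python script is an added example, not code from the article or from Yarmak: it parses a constructed port-scan export of the form "host port state", flags hosts with 23, 9527 or 9530 open, and emits nftables rules (assumed to be placed in a forward chain on the LAN gateway) that accept those ports only from an assumed trusted admin subnet and drop everything else. The sample hosts and the trusted subnet are made up for the example.

```python
"""Flag LAN devices exposing 23/9527/9530 and generate restricting nftables rules.

Added example for the article above; the scan export and subnet are constructed.
"""
import ipaddress
from collections import defaultdict

# Ports named in the disclosure: plain Telnet, the debug Telnet daemon,
# and the service that accepts the command to start the Telnet daemon.
SUSPECT_PORTS = {23: "telnet", 9527: "telnet-debug", 9530: "unlock-service"}

# Constructed sample scan export: "host port state" per line (not real devices).
SAMPLE_SCAN = """\
192.168.1.10 80 open
192.168.1.10 9530 open
192.168.1.11 554 open
192.168.1.11 9527 open
192.168.1.11 23 closed
192.168.1.12 22 open
192.168.1.20 23 open
"""

# Assumed trusted administrator subnet; adjust to the real management network.
TRUSTED_ADMIN_CIDR = "192.168.50.0/24"


def parse_scan(text):
    """Return {host: set of open TCP ports} from 'host port state' lines.

    Malformed lines are skipped; only lines whose state is 'open' count.
    """
    open_ports = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        host, port, state = parts
        if state != "open" or not port.isdigit():
            continue
        open_ports[host].add(int(port))
    return dict(open_ports)


def flag_hosts(open_ports):
    """Return {host: sorted suspect ports} for hosts exposing at least one."""
    flagged = {}
    for host, ports in open_ports.items():
        hits = sorted(p for p in ports if p in SUSPECT_PORTS)
        if hits:
            flagged[host] = hits
    return flagged


def nft_rules(flagged, trusted_cidr):
    """Build nftables rule lines for a forward chain on the gateway.

    For each flagged device: accept the suspect ports from the trusted subnet,
    then drop them from anywhere else. Rules are ordered by device address.
    """
    net = ipaddress.ip_network(trusted_cidr)
    lines = []
    for host in sorted(flagged, key=ipaddress.ip_address):
        ports = ", ".join(str(p) for p in flagged[host])
        lines.append(f"ip saddr {net} ip daddr {host} tcp dport {{ {ports} }} accept")
        lines.append(f"ip daddr {host} tcp dport {{ {ports} }} drop")
    return lines


def report(scan_text, trusted_cidr):
    """Convenience wrapper: flagged hosts plus the rule lines for them."""
    flagged = flag_hosts(parse_scan(scan_text))
    return flagged, nft_rules(flagged, trusted_cidr)


if __name__ == "__main__":
    flagged, rules = report(SAMPLE_SCAN, TRUSTED_ADMIN_CIDR)
    for host, ports in sorted(flagged.items()):
        names = ", ".join(f"{p}/{SUSPECT_PORTS[p]}" for p in ports)
        print(f"{host}: {names}")
    print()
    print("\n".join(rules))
```

The rules only cover the three ports the disclosure names; as Yarmak notes, there is no assurance the remaining services are sound, so the safer policy on the gateway is a default drop for these devices with the accept rules above as the only exceptions.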
Chalk this up as yet another blow against Huawei as the Chinese telecoms giant tries to fight off allegations its gear can be remotely bugged by China's government. ®