Welcome to IoTForums.com Community
Register now to participate in discussions, ask questions and share your knowledge on internet of things and automation! Feel free to sign up today.
Register Now

Millions of IoT and surveillance devices with HiSilicon chips have a backdoor

WebMaster

Administrator
Staff member
Dec 12, 2019
70
3
16
0day vulnerability (backdoor) in firmware for HiSilicon-based DVRs, NVRs and IP cameras

This is a full disclosure of recent backdoor integrated into DVR/NVR devices built on top of HiSilicon SoC. Described vulnerability allows attacker to gain root shell access and full control of device. Full disclosure format for this report has been chosen due to lack of trust to vendor. Proof of concept code is presented below.

Previous work and historical context

HiSilicon has a long track record of implementing backdoor access on their devices.

Earliest known versions of it had telnet access enabled with a static root password which can be recovered from firmware image with (relatively) little computation effort. This vulnerability was covered by previous author's article (in Russian) in 2013. In 2017 Istvan Toth did a most comprehensive analysis of HiSilicon firmware. He also discovered remote code execution vulnerability in the built-in webserver and many other vulnerabilities. It's worth noting that disclosure was ignored by vendor.

More recent firmware versions had telnet access and debug port (9527/tcp) disabled by default. Instead they had open port 9530/tcp which was used to accept special command to start telnet daemon and enable shell access with static password which is the same for all devices.


Please, Log in or Register to view URLs content!
 

WebMaster

Administrator
Staff member
Dec 12, 2019
70
3
16
  • Thread Starter Thread Starter
  • #2
I think this would be around 90% of the the products made in china...

Here is list of brands affected
brands_affected.png
Please, Log in or Register to view URLs content!
 

Log in

or Log in using