Comments 15
Initial research performed against firmware for some Xiong Mai «HI3518C_50H10L»-based device. I hadn't physical access, only network one. I'll be provided with more specific information about that device tomorrow.

Once vulnerability was discovered it was tested on a variety of other devices, without knowledge of their model or brand attribution. One of recent devices was branded as «H264dvr» and had «AHB7804R-MH-V2» string in it's ProductDefinition file.

Why do you accuse HiSilicon?


Apparently, all these years HiSilicon was unwilling or incapable to provide adequate security fixes for same backdoor which, by the way, was implemented intentionally.

The software you are talking about is supposed to be made by Xiongmai (Hangzhou Xiongmai Technology Co, XMtech).
Sofia binary supported by custom busybox and dvrHelper.
A lot of chinese noname companies just burn this stuff into their camera modules, because it just works.


HiSilicon SoC itself and compliment software (Linux Kernel and Kernel modules from HiSilicon SDK) does not have this vulnerability.


I've made firmware for HiSilicon-based camera by myself using only Kernel and modules from HiSilicon SDK and it has no backdoors of any kind.


For example, AXIS does use HiSilicon chips in some cameras — are they at risk? No.

This is more clear now from your updating and comments above, that HiSilicon is the Victim !however, i noticed that some IT/security media website already use your wording and research information try to mix those responsiblity with HiSilicon, even accuse Huawei that "Huawei effectively built a poorly hidden, insecure backdoor into potentially millions of surveillance devices that use its HiSilicon subsidiary's chips". Did those Medias respect your original creation intention or ask your permission or authorization?


Wording from the Register:
https://www.theregister.co.uk/2020/02/04/hisilicon_camera_backdoor/
"Huawei effectively built a poorly hidden, insecure backdoor into potentially millions of surveillance devices that use its HiSilicon subsidiary's chips, it appears.


This security blunder could be exploited over the local network to inject commands into vulnerable equipment."


Wording from ZDNET:
https://www.zdnet.com/article/researcher-backdoor-mechanism-discovered-in-devices-using-hisilicon-chips/


"Russian security researcher Vladislav Yarmak has published today details about a backdoor mechanism he discovered in HiSilicon chips, used by millions of smart devices across the globe, such as security cameras, DVRs, NVRs, and others.


A firmware fix is not currently available as Yarmak did not report the issue to HiSilicon citing a lack of trust in the vendor to properly fix the issue."

Did those Medias respect your original creation intention or ask your permission or authorization?
This report is supposed to be widely disseminated, so I'm glad media works how it works.

That particular article on The Register has many inaccuracies like lame analysis based on Shodan output and so on. However, article does what intended and notifies users: action required!
There are several issues on these SoCs and I've complained to Huawei Europe on several occasions about the GPL violations in HiSilicon devices without much effect

Running «strings» on the Sofia binary is «educational» — there are even RSA private keys in there! — along with other stuff that shows XiongMai's complaints about «software piracy» are extremely hypocritical.

Perhaps a project to reverse engineer and replace Sofia might be worthwhile. This is a Monolithic «thing» that seems to be stripped, but at the same time appears not to be — and it would be worth seeing what it is doing as well as removing the nasty «activeX» stuff and the insistence on using the XMeye tunnel that quite effectively backdoors your private network if you are not careful.

For what it's worth: The information I've been able to find is that XiongMai were contracted to write this DVR software by Huawei/HiSilicon, so it is probably correct to blame them both for this mess — however one of the biggest problems is that whils the code is very poor (so are Huawei's switches) they are too «proud» to listen to suggestions from «outsiders»

One way of solving that would be to rewrite the implementation to be secure, much smaller/faster and GPL (which will embarrass them)

Great work! The improvement was that you have decrypted challenge/responce required to open telnet sesion, was it?
That's correct
BTW, have you been interviewed by Cnews? They state that vulenrability built-in in HiSilicon CPUs (based on interview). Is it correct statement?
I had interview with them. During the interview I've outlined vulnerability is restricted to DVR-specific software. Statement in article about processors is likely a misconception inferred from common trait of those devices.

there are already some uppdating on history vulnarability which mentioned in your articles.


Here I also found some declarations uppdating for your reference for history vulnarability which mentioned in your articles from internet.


we may need to take some efforts to disminish the unproper negative impact and harm, both on vendors and End users as a security research. i also realize the consequence and harm may be more serious as the vunarability after the media misconception and dissemination.


https://blog.netlab.360.com/the-new-developments-of-the-fbot/


(original blog with chinese was translated by google translation)


New progress on FBot
[Update: December 4, 2019] Recently we have received many inquiries about this blog. We decided to add some facts as follows:
-Kenneth Crurrin Schuchman, nicknamed Nexus-Zeta, a 21-year-old young man, has pleaded guilty to the US District Court for Alaska on September 3, 2019. Schuchman's confession shows that Schuchman and his co-conspirators created a series of botnets, including Satori, Okiru, Masuta, Tsunami, and Fbot, by infecting a large number of devices, and used these botnets' DDoS destructive power to make a profit;-in
this blog The vulnerability involved does not occur at Hisilicon. Through follow-up analysis and communication with the security community, we confirmed that the vulnerability occurred at the downstream suppliers of Huawei Hisilicon's supply chain. In order to protect the interests of the end customers, we have decided not to disclose the details of the vulnerability, the payload used by the attacker or the specific manufacturer's name;
-Huawei PSIRT responded responsibly to the security incidents we disclosed;


Readers should continue to read this blog, it should be clear that the word Hisilicon appears in the blog and samples, which originated from the misjudgment of Schuchman and his co-conspirators. In fact, the entire IoT industry chain is complex, and its volume far exceeds the scope that an attacker or any single practitioner can understand. Only the cooperation of the industry and the security community can enhance the security of the industry chain.


(more information refer to the original blog...)

I mean, we may need to take some efforts to diminish the improper negative impact and harm, both on vendors and End users as a security research community as i also realize the consequence and harm may be more serious as the vulnerability does exist and may still not be patched or very difficult be patched one by one for different version. especially after the media misconception and dissemination.
Only those users with full accounts are able to leave comments. Log in, please.