I mean, we may need to take some efforts to diminish the improper negative impact and harm, both on vendors and end users, as a security research community, as I also realize the consequence and harm may be more serious as the vulnerability does exist and may still not be patched, or be very difficult to patch one by one for different versions, especially after the media misconception and dissemination.

There are already some updates on the historical vulnerability which was mentioned in your articles.


Here I also found, from the internet, some updated declarations for your reference on the historical vulnerability which was mentioned in your articles.


We may need to take some efforts to diminish the improper negative impact and harm, both on vendors and end users, as a security research. I also realize the consequence and harm may be more serious as the vulnerability after the media misconception and dissemination.


https://blog.netlab.360.com/the-new-developments-of-the-fbot/


(original blog in Chinese was translated by Google translation)


New progress on FBot
[Update: December 4, 2019] Recently we have received many inquiries about this blog. We decided to add some facts as follows:
- Kenneth Currin Schuchman, nicknamed Nexus-Zeta, a 21-year-old young man, has pleaded guilty to the US District Court for Alaska on September 3, 2019. Schuchman's confession shows that Schuchman and his co-conspirators created a series of botnets, including Satori, Okiru, Masuta, Tsunami, and Fbot, by infecting a large number of devices, and used these botnets' DDoS destructive power to make a profit;
- The vulnerability involved in this blog does not occur at Hisilicon. Through follow-up analysis and communication with the security community, we confirmed that the vulnerability occurred at the downstream suppliers of Huawei Hisilicon's supply chain. In order to protect the interests of the end customers, we have decided not to disclose the details of the vulnerability, the payload used by the attacker or the specific manufacturer's name;
- Huawei PSIRT responded responsibly to the security incidents we disclosed;


Readers should continue to read this blog, it should be clear that the word Hisilicon appears in the blog and samples, which originated from the misjudgment of Schuchman and his co-conspirators. In fact, the entire IoT industry chain is complex, and its volume far exceeds the scope that an attacker or any single practitioner can understand. Only the cooperation of the industry and the security community can enhance the security of the industry chain.


(for more information, refer to the original blog...)

This is more clear now from your updating and comments above, that HiSilicon is the victim! However, I noticed that some IT/security media websites already use your wording and research information to try to mix that responsibility with HiSilicon, even accusing Huawei that "Huawei effectively built a poorly hidden, insecure backdoor into potentially millions of surveillance devices that use its HiSilicon subsidiary's chips". Did those media respect your original creation intention or ask your permission or authorization?


Wording from the Register:
https://www.theregister.co.uk/2020/02/04/hisilicon_camera_backdoor/
"Huawei effectively built a poorly hidden, insecure backdoor into potentially millions of surveillance devices that use its HiSilicon subsidiary's chips, it appears.


This security blunder could be exploited over the local network to inject commands into vulnerable equipment."


Wording from ZDNET:
https://www.zdnet.com/article/researcher-backdoor-mechanism-discovered-in-devices-using-hisilicon-chips/


"Russian security researcher Vladislav Yarmak has published today details about a backdoor mechanism he discovered in HiSilicon chips, used by millions of smart devices across the globe, such as security cameras, DVRs, NVRs, and others.


A firmware fix is not currently available as Yarmak did not report the issue to HiSilicon citing a lack of trust in the vendor to properly fix the issue."
