- The backdoor mechanism is essentially a mix of four older security bugs/backdoors discovered earlier and made public.
- The researcher did not report the issue to HiSilicon as he lacked trust in the vendor’s intention about fixing it.
A Russian security researcher divulged the details about a backdoor mechanism for devices containing HiSilicon chips.
Vladislav Yarmak, the Russian researcher, published about the backdoor mechanism he discovered in HiSilicon chips.
- He said that millions of smart devices across the globe, such as security cameras, DVRs, NVRs, and others use these chips.
- The backdoor mechanism is essentially a mix of four older security bugs/backdoors discovered earlier and made public, the security researcher said.
- "Apparently, all these years HiSilicon was unwilling or incapable to provide adequate security fixes for [the] same backdoor which, by the way, was implemented intentionally," Yarmak remarked.
The researcher did not report the issue to HiSilicon as he lacked trust in the vendor’s intention about fixing it.
How the backdoor works?
The backdoor can be exploited by sending a series of commands over TCP port 9530 to the vulnerable devices.
- The commands enable the Telnet service on the device.
- Once the Telnet service is up and running, the attacker can log in with the Telnet credentials logins found in previous years disclosures.
- Now, the attacker can gain access to a root account that grants them complete control over the device.
Vladislav Yarmak has scripted a Proof-of-Concept (PoC) code for users to test if their smart device is supported by HiSilicon system-on-chip (SoC), or not. If that SoC is vulnerable to attacks, it can enable its Telnet service.
In case a device is found to be vulnerable, the Russian researcher strongly suggested to replace the device equipment immediately.
To those who cannot afford a new device, the researcher has a suggestion for them as well. They "should completely restrict network access to these devices to trusted users," especially on device ports 23/tcp, 9530/tcp, 9527/tcp—the exploitable ports.
Further, the PoC code is also available on GitHub.