0day vulnerability in firmware for HiSilicon-based DVRs, NVRs and IP cameras (habr.com)
347 points by mcsoft 12 days ago | 118 comments

When you see how small some of these devices are it makes you realize how easy it would be for a malicious actor to bug just about anything you own. A simple cell phone charger becomes a listening device that could have an LTE modem hiding in it.

People are worried when they find a Raspberry Pi sitting in the network rack - and rightfully so - but fail to realize that you can achieve pretty much the same thing by hiding in plain sight.

Imagine how much you could fit into a 6-port commodity surge protector.

> A simple cell phone charger becomes a listening device that could have an LTE modem hiding in it.

You can already get USB cables that have a hidden mic and SIM, so if powered you can phone up and listen in. Those are very cheap and Google shows this, but this is more adventurous.

As for targeting hardware and security - how many people would question a fancy free mouse or keyboard arriving in the internal post as if it happened to have been dropped off at reception? Great pentesting trick btw.

As for chips with `hidden/undocumented` remote activated features: if it was documented, would it be bad, or something you can use or actively block off? When they are undocumented, well - hard not to think the worst. But then, CPUs today are not fully documented when you can't hack away at the microcode and management and whatever else is DRM'd out of your reach.

If Intel was a Chinese company instead of American - how would Americans feel about Intel chips? That is an interesting thought exercise.

Exactly the same, because citizens in US don't understand technology - just enough to do the books.

> citizens in US

I don't think this is any better elsewhere. If anything, the higher concentration of tech in America might make some of her citizens better prepared. But most everyone doesn't care beyond "making the darn box work."

Agreed. People in the US are generally more tech aware than most other nations on Earth.

Glade plug-ins are innocuous, roomy inside, and have convenient constant 120 V.

Take a peek next time you're in a semi-public space if there's any that are suspiciously not-smelly.

And one could easily walk round many buildings just plugging them in. I mean, how many people would remove a Glade plug-in just in case Dorothy from accounts likes the smell? Dorothy might just replenish the scent dispenser every six weeks.

I would unplug them to avoid creating air pollution.

Which would save HR doing it and sending a memo about health and safety and asthma can kill due to these, possible.... Yeah, that is exactly how that would play out in many companies. At least in the UK.

Dorothy would give you a hard stare.

And defund your project.

Dorothy doesn't have to see you do it. Do it earlier in the morning or later in the evening, or during lunch.

Which, incidentally, is how Dorothy the corporate spy might have installed the device without anybody noticing her be the one to do it.

So, unplug the device and leave it on Alice's desk. If Dorothy gives you a hard stare, then you know she must have had access to the video feed in the plug-in, and so is the corporate spy.

But if Dorothy instead gives Alice a hard stare, Dorothy is innocent. But if you return that morning to find the device plugged back in, Alice must be the spy.

Unless Bob from HR got in early that morning ...

No, no, no, Alice and Bob are just trying to talk. Eve is the spy.

For those who might be confused: https://en.m.wikipedia.org/wiki/Alice_and_Bob

Hey, Eve is my main squeeze. I gave her an Apple.

Without ruining the main use case - is there some way to sterilize or nuke things like a basic cell phone charger when it should have no radio-frequency capability?

> is there some way to sterilize or nuke things like a basic cell phone charger when it should have no radio-frequency capability?

If you want Fast Charging, short circuit protection or similar, then no, it has to have ICs and those could do a lot of things that are hard to detect.

My guess would be no, as even the basic use case of a modern charger (for example) requires a functioning computer. Shielding is only a temporary option too because the device could just buffer the data and wait for the opportunity to send.

My guess is, if there is a proof of malicious act, the governments should severely punish the originating company. To act as a deterrent, i.e.: "you can get away with this exactly once".

Shielding would not be effective because the device could just use mains wiring as antenna.

Nope. Even USB cables now have active electronics and a microprocessor in them.

They don't have to. USB is four wires.

...and 500 mA maximum. Anything above that, and things get Complicated.

USB-C is not 4 wires.

Batteries too.

You have to open it up and inspect the hardware.

Including de-capping the chips and having a look at the floorplans.

Yup -- these already exist. I can't find the 6-port commodity surge protector implant (I've seen it before), but these are the other relevant tools you're thinking of: https://shop.hak5.org/collections/network-implants

Do you have links to any of the devices? There are no pictures in the article.

Nothing surprising about it. These cheap Chinese cameras are just like that: buggy, default telnet passwords, silly vulnerabilities, crashing ActiveX plugins. Dahua/Xiongmai/Herospeed/whatever doesn't matter, everything is awful.

Using these devices outside an isolated VLAN with only RTSP tunneled to a trusted client is just a bad idea.

> These cheap Chinese cameras

People want dirt cheap stuff that has a Bible's worth of advertised features. Amazon's Ring (which is an order of magnitude more expensive than the regular cheap Chinese crap) is a dumpster fire of security and privacy to rival any Chinese brand, yet it consistently gets 4/5 stars in any review, none of which even bothers to mention the litany of findings or the fact that for the price they are unacceptable. But they are acceptable because it's not Chinese.

It's the "Made in" label that counts. People will accept more garbage for a higher price if it has a local label, and will criticize foreign things more for the exact same issues. And that's valid basically almost everywhere in the world.

> buggy, default telnet passwords, silly vulnerabilities, crashing ActiveX plugins

This pretty much happens with any equipment. If it's very cheap there's no reasonable expectation that they put too much effort into building and maintaining it. If it's expensive there may be other interests involved.

The difference is what your nationalism dictates: When you hear of a Huawei vulnerability you think "spying", and when you hear of a Cisco one (or five [0]) you think "bug". In the end the choice is to buy cheap and have all the careless bugs, or to buy expensive and only have the by design ones. And whether you think they are malicious or not depends on where you come from relative to the product.

[0] https://www.tomshardware.com/news/cisco-backdoor-hardcoded-a...

Or the semi-third option; firewall the living hell out of everything with something you either wrote yourself or can read yourself. No guarantee there either but you can avoid the garbage fire that is a lot of this. I'm sure the NSA has exploits for everything tho.

And that third option is only technically available to at most 10 percent of the population, and most of them have neither the time ("day jobs") nor inclination to spend their time in that effort. And that is discounting the fact that the majority of the buggy appliances you encounter are developed by that very 10 percent in the first place.

I love these HiSilicon boxes; take a look at the OpenIPC project if you want to secure your device. It's open source firmware for these boxes. I want to give a big shoutout to Igor Zalatov and Flyrouter for all their support when working on these boxes: http://openipc.org

I know I am probably too forgiving (and generous and honest https://www.pinterest.co.uk/pin/439593613603376622/) but dumb companies have left backdoors in everything from heart monitors to factory equipment.

I understood that the Huawei threat is not "dumb shit" but "clever shit we don't notice until the cyber portion of the combined arms full scale attack is launched"

If we cannot trust one hardware company we cannot trust any of them. Open source hardware seems like the Nash Equilibrium for this problem - everyone finds a way to make sure everyone can verify the hardware in their network...

It is both of those things.

And why wouldn’t it be? Huawei is a large organization and, like all large organizations, will consist of a multitude of different groups all trying to achieve the same goal in different ways. Some will want to rob the bank by tunnelling quietly into the vault at night, some will want to walk through the front door with a sawn-off shotgun.

Fair enough - see my edit above. The only protection against dumb or clever shit is some means to verify SoCs are what they claim to be (yes very hard, but a future with Open source SoCs, and supply chains where you can inspect enough to be confident - that future can be glimpsed from here and it's a future where everyone wins)

> The only protection against dumb or clever shit is some means to verify SoCs are what they claim to be

That's only protection from clever shit. Dumb shit will have security vulnerabilities due to being made by programmers who don't care, pushed to do it faster by managers who don't care.

I disagree; have you not seen the obfuscated C contest? Any smart malicious actor will do what they want, given minor access.

Someone should just sell a camera and make the code open source, they'd quickly eat all the market

Fortunately you normally only need to access the NVR from the Internet, not the cameras.

You can put the NVR behind a VPN as well, but one trustworthy enough to skip the VPN is much more convenient.

Plug: I'm developing a secure, reliable Free Software NVR, in Rust. Functionality is very limited now: embarrassingly, no motion detection yet, no live view, and a very "written by a backend engineer" UI. But it's slowly improving. I'd welcome help! https://github.com/scottlamb/moonfire-nvr

Open source has near-zero appeal outside of the hacker niche. The vast majority of people only care about price and maybe customer support.

Open source isn't feasible for any of the mainstream systems anyway. It's not up to the camera makers. The silicon vendors would have to open-source license their chipset drivers and firmware source, which isn't going to happen any time soon.

I think some Allwinner SoCs have blob-free mainline Linux. If there are solid drivers for everything (camera, ISP etc.), not sure. V3s is even QFN with onboard RAM, so easy to make a board for. Or use a board like this: https://licheepizero.us/

But, yeah, I think you're right, you'd struggle to compete on cost and features with mass-market players.

You could offer open source firmware for some existing cameras... I think some people do do this.

> I think some Allwinner SoCs have blob-free mainline Linux.

Have they finally stopped doing all the GPL violations and published the code?

If no: then it is still a blob, only a linux kernel blob with unknown changes.

What blobs did you find in mainline Linux?

> Open source has near-zero appeal outside of the hacker niche

Not really. Plenty of people are willing to modify the technology they use, both professionally and as a hobby.

You don't need to be a developer to understand that you can update the camera firmware with a 3rd-party modification.

Pine64 recently mentioned they are making an IP camera (search for "CUBE FOSS IP camera", seems to be Sony based):


I doubt they have the marketing budget to eat into the general market for IP cameras though.

Rockchip and Allwinner don't sound safe.

They have reasonably good support in mainline Linux/etc, so you don't have to use the vendor BSPs. In addition, for Allwinner you can even run open source firmware on the power management processor (AR100, OpenRISC based).

http://linux-rockchip.org/ https://linux-sunxi.org/ https://linux-sunxi.org/AR100

M5Camera: https://m5stack.com/products/fish-eye-camera-module-ov2640?_... It's not the most high quality camera module but mostly open source and very flexible...

But... Steps after those 2 steps above are:

3. Chinese companies clone the hardware and copy the software, changing the cosmetics.

4. They sell their cameras for cheaper.

I'm suggesting the Chinese companies use open source software in the first place. Promoting privacy should be a great marketing tool in the current era. "Everyone else is streaming your home back to their unsecured servers, we're not, and we have made our code public so any bugs can easily be found and fixed."

I wish. In hacker circles they definitely would, but to reach a broader audience they'd definitely have to do some education.

But maybe ...

> UPDATE (2020-02-05 17:28+00:00): Other researchers and habr users had pointed out such vulnerability is restricted to devices based on Xiongmai (Hangzhou Xiongmai Technology Co, XMtech) software, including products of other vendors which ship products based on such software. At this moment HiSilicon can't be held responsible for backdoor in dvrHelper/macGuarder binary.

This was an interesting update, especially the last sentence.

I wonder what the solution to this sort of thing is. Open source hardware maybe? Force publication of firmware for all hardware sold?

1. if the device name contains "smart" -> always assume it is vulnerable.

2. put all IoT devices behind firewall/NAT router and never allow any traffic from WAN to the IoT. (Allow only South->North traffic)

3. Never allow east-west traffic between IoT devices.

1. If the device has a name -> always assume it is vulnerable.

2. Hope you disabled UPnP, the device doesn't have NAT hole punching, and doesn't "require" internet access for some reason like... cloud backup of logs or update checks.

3. Configuring firewalls and routers is hard, but plugging devices into power is easy. People always go the easy route.

OK but what does the general public do?

Separate Wi-Fi/network for IoT devices. Do not route to the internet in any way (skip buying anything that requires it). Connect to a Windows (or other OS) PC only, non-routable. Disable all connections from that network to the PC.

You wish. People are not going to go to their local PC (if they even have one) to use their smart lights. Likewise people are not going to change wireless networks every time they need to change a smart item.

The best combo I have found is non-cloud smart devices and a solid firewall. I'm confident enough that my lightbulb isn't going to hack my Mac/Windows machine, and I can still control it when I'm at home with my phone. If I want outside control, then it's VPN time.

FOSS firmware would be nice, but unless someone verifies that firmware (it could be malicious spaghetti), then it doesn't have much use.

Who says the hardware doesn't have a separate IC overriding the ostensibly clean firmware? So you need not only verified hardware schematics, but also verification that the hardware you're running is actually based on that verified design. For which there is currently no way of doing that, as far as I know. You need to either trust the vendor at some level, or treat every device as hostile - while still getting its intended use out of it.

> Who says the hardware doesn't have a separate IC overriding the ostensibly clean firmware?

Cost, space on the PCB or on the die, additional complexity, and it's a very big thing to keep secret.

And if it's found it becomes impossible to deny or chalk up as an innocent mistake.

True, but having to only trust hardware being correctly made is already an improvement over having to trust both software and hardware to be made correctly.

No. FOSS firmware immediately makes backdoors a thousand times more risky to implement.

So if a device is behind a firewall, an attacker cannot send a TCP request to it?

Being behind a NAT, without any firewall, is more than enough to protect against this. In other words, you need to work hard to be affected by this "backdoor".

> Being behind a NAT, without any firewall, is more than enough to protect against this. In other words, you need to work hard to be affected by this "backdoor".

So long as the device does not utilize UPnP and get the gateway to forward traffic to it.

> Full disclosure format for this report has been chosen due to lack of trust in the vendor. Proof of concept code is presented below.

> Client opens connection to TCP port 9530...

Good thing they are not opening a connection to UDP port 9530. Imagine the horror...

Flagged for misleading title.

Is this Bloomberg and SuperMicro all over again?

No, there is proof of concept code.

From the article: https://github.com/Snawoot/hisilicon-dvr-telnet

The title is misleading. HiSilicon is responsible for the SoC, but the backdoor is part of the Linux-based device firmware made by another company called Hangzhou Xiongmai Technology Co. There is no clear connection between Huawei and Xiongmai.

You can find the clarification about the firmware maker (Xiongmai) towards the end of the article.

> There is no clear connection between Huawei and Xiongmai.

If Xiongmai firmware runs on HiSilicon SoCs, there must be some kind of connection, even if just via a third party that paid HiSilicon for the hardware and Xiongmai to write the firmware for it. Unfortunately, the writeup doesn't clearly identify who that could be.

This argument proves too much. By this reasoning, "Qualcomm-owned Cisco" is "injecting backdoors" into their chips as well.[1]

The real title of the article is "0day vulnerability (backdoor) in firmware for HiSilicon-based DVRs, NVRs and IP cameras" and the word Huawei doesn't even appear in it.

If OP wants to claim that Huawei are involved, maybe they should write their own article. :/

Edit: the title changed. Criticism retracted.

> This argument proves too much. By this reasoning, "Qualcomm-owned Cisco" is "injecting backdoors" into their chips as well.[1]

I would not consider this to be past my belief ...

Cisco has not only a long history of creating backdoors, but has also been marketing them as features. They even wrote an IETF proposal (RFC 2804) for a LI backdoor:



Edit: Schneier wrote in 2018: "We don't know if this is error or deliberate action, but five backdoors have been discovered [in Cisco] already this year." and linked to this article: https://www.tomshardware.com/news/cisco-backdoor-hardcoded-a... (the final count went up to 7 actual backdoors discovered in 2018).

From May 2019: https://www.scmagazineuk.com/cisco-firewalls-routers-switche...

The IETF proposal you linked is not for a backdoor. It's the IETF refusing to set rules on future IETF standards including, or not including, wiretapping.

i.e. It states that whether a standard includes a wiretap or not is irrelevant to it being an IETF standard.

I wouldn't either, but I'm gonna hold out for some evidence before I start telling people they are :)

Edit: hey, while we're on the subject, what ever happened with that supermicro thing? Check's in the mail?

> If Xiongmai firmware runs on HiSilicon SoCs there must be some kind of connection.

Everybody can buy HiSilicon SoCs and run a backdoored Linux distro on them; the only relationship required is "customer".

You can buy a HiSilicon-based devboard running Linux for $100: https://www.96boards.org/product/hikey/

> the only relationship required is "customer"

That's what I meant by "third party". Do you have an idea who that is in this case?

For those struggling to read this comment, HiSilicon is Huawei.

Xiongmai is well known to do this sort of thing with firmware, at this point I tend to think that they have probably been asked to do this sort of thing.

Any competent person who installs their software on a device knows that they are installing CCP spyware (whether Xiongmai intends it that way or otherwise).

The article title is clickbait though, at least as far as I'm aware. Huawei does not own Xiongmai...

...but they share a common parent company. :^ )

I am definitely "struggling to read this comment." Is there some authoritative source that I can use to verify which company owns which?

Is this somehow presumed to be common knowledge? Because if I accept every claim like this that is conveyed by slapping a new title on someone else's article, I'm going to believe a lot of incorrect, if not crazy, stuff. I mean, I have no love for any of these companies, but is it too much to ask that if we go around accusing people of things we show our work?

"Is there some authoritative source that I can use to verify which company owns which?"

What do you mean by 'owns'? When answering, please take into account that this is about Chinese companies, where 'corporate ownership' means something else than in the West (this is not China-bashing; I think it's established fact that cultural norms about what is "ownership" in pretty much every context are different between cultures).

Also I'm not claiming one way or the other - I'm just asking, for your specific question, what sort of information would convince you of the veracity of the facts you're looking for?

How about we start with _any_? I won't believe an inflammatory claim based on hearsay alone.

The claim in discussion was HiSilicon is "Huawei-owned", not "HiSilicon is Chinese." If the claimant meant something by "owned" other than its dictionary denotation, he didn't say that. If the meaning of corporate ownership is undefined in China, the claim is not true because it is also undefined.

Edit: Ok, look. I think heinously insecure imported IoT stuff, which could possibly be meddled with by a foreign state is a very serious concern. If that's what you're driving at, I agree with you. But if we want people to take us seriously we need to be careful not to say stuff that isn't true, or go around accusing people of things if we can't back it up with evidence. This would undermine our goals.

On page 124 of their 2018 annual report (page 126 of the PDF) Huawei lists their ownership of HiSilicon as 100%: https://www-file.huawei.com/-/media/corporate/pdf/annual-rep...

I don't understand though why you think that's such an inflammatory claim.

I don't think it is inflammatory in isolation. I just wanted a citation for it. My objection had to do with the entire title, but that has now been changed to the actual article title. This conversation is confusing because it's happening between so many people, and the title changed.

With respect to the ownership of HiSilicon, I was looking for a citation. I accept that Huawei owns HiSilicon. Thank you.

> ...but they share a common parent company. :^ )

citation needed!

> There is no clear connection between Huawei and Xiongmai.

The connection is that both firms are fully controlled by and reporting to the Chinese Communist Party.

Why is the title sensationalised? There is no "injects backdoor into their chips".

It's a debug console on a BusyBox build. One would have to be on the same LAN to exploit it.

This "debug console" is on networked IP cameras (many of which are open to the web) and available through a hardcoded password. I don't see a convincing argument for malicious intent, more so a dangerous level of incompetence from a company who should know better.

Unfortunately Xiongmai is not an outlier for subpar security practices on IoT products; that doesn't make it any less bad, though.

The old "the 's' in IoT stands for 'security'" holds true. Hanlon's razor has been dangerously stressed lately.

I would like to point out that this is not specific to IoT. I deal with lots of servers and enterprise networking gear at my job and many of them come with hardcoded passwords on IPMI / networked admin consoles.

The difference is that your average Joe doesn't even know he has to configure these devices, let alone how to configure them.

Xiongmai has a history of oopsies this big or bigger, going back several years at least. Their software usually turns out to be spyware, whatever their intent may be.

Malice should be the default assumption in some scenarios. If a man with a covered face dressed in all black is discovered inside a bank vault, it should be assumed he was there to burglarize it. Maybe he was actually a ninja haplessly teleported through space and time by a powerful evil mage and landed in the bank vault through pure coincidence, but probably he's a burglar.

This isn't a court of law. We aren't morally obliged to feign naivety. If this wasn't meant to be a back door, they're free to explain their actions. But until they've done so to my satisfaction, I for one will assume malice.

Though, "on the same LAN" becomes much more of a problem when you consider insecure 'smart' lightbulbs and appliances everywhere.

Yep, how many people actually have a LAN where every single device that ever connects is fully secure and trusted?

VLAN segmentation is a best practice for this exact reason.

Everyone savvy enough to browse HN ought to, at the very least...

The US Govt?

Their contractors. The government itself can't be bothered to follow its own security policies.

IT laypeople: LAN segmentation is a security feature

Security people: Uhm...

If a consumer device ships with a “debug console” that gives the manufacturer (or any attacker who knew about it) root, that’s a vulnerability. If it happens on purpose, and they don’t tell you about it, then that’s the very definition of a backdoor.

I've worked on security for IoT devices, and "would have to be on the same LAN" is not at all uncommon as an attack scenario. In fact at the company I worked at I worked hard to get our customers to understand that just because a network is "local" does not make it "secure".

> One would have to be on the same LAN to exploit it.

For what it's worth, DNS rebinding attacks are commonly used against embedded devices, and remove this restriction.

Yeah, if you don't want to lose the protection provided by a firewall, then all you have to do is avoid running any web browsers on any devices on the LAN...

This should be a huge scandal. For some reason we tend to give browsers a free pass when it comes to security.

Speaking of rebinding attacks... does anyone know why Cloudflare's resolver doesn't enforce this? It's the only "big" public one I know of that happily resolves RFC 1918 IPs.

That's a terrible idea. For one, RFC 1918 addresses are perfectly fine IP addresses, and as such are perfectly fine to put into DNS. But also, if your security depends on this, you are not secure, because rebinding attacks work just as well with non-RFC 1918 addresses if that's what you happen to be using on your local network, so devices and software have to be secured against rebinding attacks with a non-filtering DNS anyway.

Plus, it just breaks things. More than once have I had the problem of trying to serve files to other devices on a LAN I was visiting, only for their idiotic local resolver to helpfully refuse resolving the host name of my laptop because, oh surprise, it resolved to an address on that LAN!

Probably because things would break in subtle and confusing ways if they did.

E.g. you have a build server and chose to use live DNS to point at its artifacts on an internal network because it was simpler to just edit a single zone file.

Had never heard of DNS rebinding before. Very cool. I presume this is only useful for extremely targeted attacks given the strict timing requirements?

Nope, it would be pretty straightforward to set up a stateful DNS server that serves the "real" IP on the first request from a new client, and then every subsequent request returns a local IP. That one DNS server would enable an attack on anyone who visits the malicious site.

No, people use it to scan entire LANs from the outside, untargeted exploration.
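The two rebinding defences this subthread contrasts, as an added example that is not from the article, the PoC repository, or any commenter: a resolver-side RFC 1918 filter (what the Cloudflare question asks about) next to the Host-header check a device's own HTTP server should perform regardless of what the resolver returns. The camera addresses, the name `camera.lan`, the domain `attacker.example` and the "LAN numbered from 203.0.113.0/24" are all constructed for the walk-through.

```python
"""DNS-rebinding defences (added example, not code from the page).

resolver_filter(): what a public resolver that "enforced this" would do,
i.e. drop answers that point into RFC 1918 space. Included to make its gap
visible: a LAN numbered from non-private space passes straight through.

host_header_ok(): the check the device's own HTTP server should do. A
rebound request still carries the attacker's domain in its Host header
(the browser copied it from the URL it loaded), so it is rejected no
matter which address the second DNS answer pointed at.
"""
import ipaddress
from typing import Iterable, List

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolver_filter(answers: Iterable[str]) -> List[str]:
    """Keep only address answers that lie outside RFC 1918 space."""
    kept = []
    for text in answers:
        addr = ipaddress.ip_address(text)
        if not any(addr in net for net in RFC1918):
            kept.append(text)
    return kept


def _hostname_from_host_header(host_header: str) -> str:
    """Strip an optional :port. IPv6 literals arrive bracketed ([::1]:80)."""
    host = host_header.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        return host[1:end] if end != -1 else ""
    name, _, _ = host.partition(":")
    return name


def host_header_ok(host_header, device_addrs: Iterable[str],
                   device_names: Iterable[str]) -> bool:
    """Accept a request only if its Host header names this device itself."""
    if not host_header:
        return False
    name = _hostname_from_host_header(host_header)
    if not name:
        return False
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        # Not an IP literal: must match one of the device's configured names.
        return name in {n.lower() for n in device_names}
    return addr in {ipaddress.ip_address(a) for a in device_addrs}


# Constructed addresses for the walk-through.
PRIVATE_LAN_CAMERA = "192.168.1.20"   # constructed: camera on a typical home LAN
PUBLIC_LAN_CAMERA = "203.0.113.20"    # constructed: LAN numbered from TEST-NET-3


def rebinding_blocked(camera_addr: str, by_resolver_filter: bool) -> bool:
    """Simulate the second (rebound) answer attacker.example -> camera_addr.

    Returns True if the request never reaches the camera's handler. With only
    the resolver filter the outcome depends on the camera's address; with the
    Host-header check it does not.
    """
    if by_resolver_filter:
        return resolver_filter([camera_addr]) == []
    # The browser still sends the Host it loaded the page from.
    return not host_header_ok("attacker.example", [camera_addr], ["camera.lan"])


if __name__ == "__main__":
    for cam in (PRIVATE_LAN_CAMERA, PUBLIC_LAN_CAMERA):
        print(cam, "resolver filter blocks:", rebinding_blocked(cam, True),
              "| Host check blocks:", rebinding_blocked(cam, False))
```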

So...Hanlon’s Razor? :)

Isn't this just telnet? Like last time people claimed Huawei "injected back doors", nothing is being injected by them, and these are not backdoors, they are front doors, standard features etc? But dressed up in a way to make it look scary to someone non-technical? Sorry if I'm missing something here...

A hidden door that nobody but the installer of the door knows about is generally referred to as a back door. If it was without the knowledge of the main device manufacturer, then it was injected.

It's a telnet, but you need to activate it first. Often backdoors are simple shells like telnet or such services, but it usually requires some 'magic packets' or such things to open the port to it or start the service. If you look at the PoC you see it's not simply making a telnet connection to a port, but it does some other stuff first to prepare for it.

The company in question, Xiongmai, is not owned by Huawei as stated. This is probably a clickbait article trying to link Huawei with some kind of backdoor.
