People are worried when they find a raspberry pi sitting in the network rack - and rightfully so - but fail to realize that you can achieve pretty much the same thing by hiding in plain sight.
Imagine how much you could fit into a 6-port commodity surge protector.
You can already get USB cables that have a hidden mic and SIM, so if powered you can phone up and listen in. Those are very cheap and Google shows this, but this is more adventurous.
As for targeting hardware and security - how many people would question a fancy free mouse or keyboard arriving in the internal post as it happened to have been dropped off at reception. Great pentesting trick btw.
As for chips with `hidden/undocumented` remote activated features. If it was documented, would it be bad or something you can use or actively block off. When they are undocumented, well - hard not to think the worst. But then, CPUs today, not fully documented when you can't hack away at the microcode and management and whatever else is DRM'd out of your reach.
If Intel was a Chinese company instead of American - how would Americans feel about Intel chips? That is an interesting thought exercise.
I don't think this is any better elsewhere. If anything, the higher concentration of tech in America might make some of her citizens better prepared. But most everyone doesn't care beyond "making the darn box work."
Take a peek next time you're in a semi-public space if there's any that are suspiciously not-smelly.
And defund your project.
Which, incidentally, is how Dorothy the corporate spy might have installed the device without anybody noticing her be the one to do it.
But if Dorothy instead gives Alice a hard stare, Dorothy is innocent. But if you return that morning to find the device plugged back in, Alice must be the spy.
Unless Bob from HR got in early that morning ...
If you want Fast Charging, short circuit protection or similar, then no, it has to have ICs and those could do a lot of things that are hard to detect.
My guess is, if there is a proof of malicious act, the governments should severely punish the originating company. To act as a deterrent, i.e.: "you can get away with this exactly once".
Using these devices outside an isolated VLAN with only RTSP tunneled to a trusted client is just a bad idea.
People want dirt cheap stuff that has a Bible's worth of advertised features. Amazon's Ring (which is an order of magnitude more expensive than the regular cheap Chinese crap) is a dumpster fire of security and privacy to rival any Chinese brand, yet it consistently gets 4/5 stars in any review, none of which even bothers to mention the litany of findings or the fact that for the price they are unacceptable. But they are acceptable because it's not Chinese.
It's the "Made in" label that counts. People will accept more garbage for a higher price if it has a local label, and will criticize foreign things more for the exact same issues. And that's valid basically almost everywhere in the world.
This pretty much happens with any equipment. If it's very cheap there's no reasonable expectation that they put too much effort into building and maintaining it. If it's expensive there may be other interests involved.
The difference is what your nationalism dictates: When you hear of a Huawei vulnerability you think "spying", and when you hear of a Cisco one (or five) you think "bug". In the end the choice is to buy cheap and have all the careless bugs, or to buy expensive and only have the by design ones. And whether you think they are malicious or not depends on where you come from relative to the product.
I understood that the Huawei threat is not "dumb shit" but "clever shit we don't notice until the cyber portion of the combined arms full scale attack is launched".
If we cannot trust one hardware company we cannot trust any of them. Open source hardware seems like the Nash Equilibrium for this problem - everyone finds a way to make sure everyone can verify the hardware in their network...
And why wouldn’t it be? Huawei is a large organization and, like all large organizations, will consist of a multitude of different groups all trying to achieve the same goal in different ways. Some will want to rob the bank by tunnelling quietly into the vault at night, some will want to walk through the front door with a sawn-off shotgun.
That's only protection from clever shit. Dumb shit will have security vulnerabilities due to being made by programmers who don't care, pushed to do it faster by managers who don't care.
You can put the NVR behind a VPN as well, but one trustworthy enough to skip the VPN is much more convenient.
Plug: I'm developing a secure, reliable Free Software NVR, in Rust. Functionality is very limited now: embarrassingly, no motion detection yet, no live view, and a very "written by a backend engineer" UI. But it's slowly improving. I'd welcome help! https://github.com/scottlamb/moonfire-nvr
Open source isn't feasible for any of the mainstream systems anyway. It's not up to the camera makers. The silicon vendors would have to open-source license their chipset drivers and firmware source, which isn't going to happen any time soon.
But, yeah, I think you're right, you'd struggle to compete on cost and features with mass-market players.
You could offer open source firmware for some existing cameras... I think some people do do this.
Have they finally stopped doing all the GPL violations and published the code?
If no: then it is still a blob, only a linux kernel blob with unknown changes.
Not really. Plenty of people are willing to modify the technology they use, both professionally and as a hobby.
You don't need to be a developer to understand that you can update the camera firmware with a 3rd-party modification.
I doubt they have the marketing budget to eat into the general market for IP cameras though.
3. Chinese companies clone the hardware and copy the software, changing the cosmetics.
4. They sell their cameras for cheaper.
But maybe ...
This was an interesting update, especially the last sentence.
2. put all IoT devices behind firewall/NAT router and never allow any traffic from WAN to the IoT. (Allow only South->North traffic)
3. Never allow east-west traffic between IoT devices.
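The segmentation rules in the comment above, modelled as an added example (written for this page, not by the commenter or any project): a small policy evaluator for new connections plus the equivalent nftables ruleset. The address plan (192.168.50.0/24 for IoT, 192.168.10.0/24 for the trusted LAN, interface name wan0) is constructed, and allowing the trusted LAN to reach the IoT segment is an assumption added so that cameras and NVRs remain reachable from inside.

```python
"""Added example: IoT segmentation policy (no WAN->IoT, no IoT east-west,
only south->north from IoT). Address plan and interface name are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed sample address plan; replace with your own ranges.
IOT_NET = ipaddress.ip_network("192.168.50.0/24")
TRUSTED_LAN = ipaddress.ip_network("192.168.10.0/24")


def zone(addr: str) -> str:
    """Classify an address into the zones the policy talks about."""
    ip = ipaddress.ip_address(addr)
    if ip in IOT_NET:
        return "iot"
    if ip in TRUSTED_LAN:
        return "lan"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "other-private"
    return "wan"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    state: str = "new"  # "new" for a first packet, "established" for replies


def decide(flow: Flow) -> str:
    """Return 'accept' or 'drop' for a flow under the stated policy."""
    if flow.state == "established":
        return "accept"            # replies to allowed connections
    s, d = zone(flow.src), zone(flow.dst)
    if s == "wan" and d == "iot":
        return "drop"              # rule 2: never WAN -> IoT
    if s == "iot" and d == "iot":
        return "drop"              # rule 3: no east-west between IoT devices
    if s == "iot" and d == "lan":
        return "drop"              # IoT must not initiate into the trusted LAN
    if s == "iot" and d == "wan":
        return "accept"            # south -> north is the only IoT-initiated path
    if s == "lan" and d == "iot":
        return "accept"            # assumption: operators may reach cameras/NVR
    if s == "lan" and d == "wan":
        return "accept"
    return "drop"                  # default deny


def nftables_ruleset(wan_if: str = "wan0") -> str:
    """Render the same policy as an nftables forward chain (constructed)."""
    return f"""table inet iot_filter {{
  chain forward {{
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "{wan_if}" ip daddr {IOT_NET} drop
    ip saddr {IOT_NET} ip daddr {IOT_NET} drop
    ip saddr {IOT_NET} ip daddr {TRUSTED_LAN} drop
    ip saddr {IOT_NET} oifname "{wan_if}" accept
    ip saddr {TRUSTED_LAN} ip daddr {IOT_NET} accept
    ip saddr {TRUSTED_LAN} oifname "{wan_if}" accept
  }}
}}
"""


if __name__ == "__main__":
    print(decide(Flow("203.0.113.5", "192.168.50.20", "tcp", 80)))   # drop
    print(decide(Flow("192.168.50.20", "192.168.50.21", "udp", 9530)))  # drop
    print(nftables_ruleset())
```

One caveat the evaluator makes visible: the east-west rule only takes effect on the router's forward path, so two IoT devices sharing one L2 segment can still talk to each other directly. Enforcing rule 3 in practice needs per-device VLANs or client/port isolation on the switch or access point, not just a router rule.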
2. hope you disabled upnp, the device doesn't have NAT hole punching, and doesn't "require" internet access for some reason like... cloud backup of logs or update checks
3. configuring firewalls and routers is hard. but plugging devices into power is easy. people always go the easy route.
The best combo I have found is non-cloud smart devices and a solid firewall. I'm confident enough that my lightbulb isn't going to hack my Mac/Windows machine, and I can still control it when I'm at home with my phone. If I want outside control, then it's vpn time.
Cost, space on the PCB or on the die, additional complexity, and it's a very big thing to keep secret.
And if it's found it becomes impossible to deny or chalk up as an innocent mistake.
So long as the device does not utilize UPnP and get the gateway to forward traffic to it.
Good thing they are not opening a connection to UDP port 9530. Imagine the horror...
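A defender-side counterpart to the UDP port 9530 mentioned above, as an added example that is not from the article or any commenter: a detector run over constructed connection-log lines that flags datagrams to UDP/9530 on the camera segment and escalates when the same source opens telnet (tcp/23) to that device within a short window. The log format, the 192.168.50.0/24 camera range and the five-minute window are all assumptions made for the example.

```python
"""Added example: flag UDP/9530 probes to the camera segment and escalate
when telnet (tcp/23) follows from the same source. Log format is constructed."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(r"^(\S+) (tcp|udp) (\S+):(\d+) -> (\S+):(\d+)$")

CAMERA_NET = ipaddress.ip_network("192.168.50.0/24")   # assumption
PROBE_PORT = 9530                                       # UDP port from the thread
TELNET_PORT = 23

# Constructed sample lines: one probe followed by telnet within seconds,
# one unrelated RTSP session, and one probe whose telnet comes much later.
SAMPLE_LOG = """\
2020-02-05T10:00:01 udp 192.168.10.5:40000 -> 192.168.50.20:9530
2020-02-05T10:00:02 tcp 192.168.10.5:40001 -> 192.168.50.20:23
2020-02-05T10:03:00 tcp 192.168.10.7:50000 -> 192.168.50.20:554
2020-02-05T10:05:00 udp 192.168.10.9:40002 -> 192.168.50.21:9530
2020-02-05T10:30:00 tcp 192.168.10.9:40003 -> 192.168.50.21:23
"""


def parse(line: str):
    """Parse one log line into (timestamp, proto, src, dst, dport) or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, _sport, dst, dport = m.groups()
    return datetime.fromisoformat(ts), proto, src, dst, int(dport)


def detect(log_text: str, window: timedelta = timedelta(minutes=5)):
    """Return a list of (severity, src, dst, timestamp) alerts."""
    alerts = []
    probes = {}   # (src, dst) -> time of the most recent UDP/9530 probe
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, proto, src, dst, dport = rec
        if ipaddress.ip_address(dst) not in CAMERA_NET:
            continue
        if proto == "udp" and dport == PROBE_PORT:
            probes[(src, dst)] = ts
            alerts.append(("warn", src, dst, ts))
        elif proto == "tcp" and dport == TELNET_PORT:
            t0 = probes.get((src, dst))
            if t0 is not None and ts - t0 <= window:
                alerts.append(("critical", src, dst, ts))
    return alerts


if __name__ == "__main__":
    for sev, src, dst, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {sev:8} {src} -> {dst}")
```

The probe on its own is only a warning because a legitimate management tool could in principle use the port; the probe-then-telnet sequence is what warrants a page. A telnet session that arrives outside the window (the last sample line) is deliberately left to a separate, plainer "telnet to a camera" rule.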
from the article: https://github.com/Snawoot/hisilicon-dvr-telnet
You can find the clarification about the firmware maker (Xiongmai) towards the end of the article.
If Xiongmai firmware runs on HiSilicon SoCs, there must be some kind of connection, even if just via a third party that paid HiSilicon for the hardware and Xiongmai to write the firmware for it. Unfortunately, the writeup doesn't clearly identify who that could be.
The real title of the article is "0day vulnerability (backdoor) in firmware for HiSilicon-based DVRs, NVRs and IP cameras" and the word Huawei doesn't even appear in it.
If OP wants to claim that Huawei are involved, maybe they should write their own article. :/
Edit: the title changed. criticism retracted.
I would not consider this to be past my belief ...
Edit: Schneier wrote in 2018: "We don't know if this is error or deliberate action, but five backdoors have been discovered [in CISCO] already this year." and linking to this article: https://www.tomshardware.com/news/cisco-backdoor-hardcoded-a... (the final count went up to 7 actual backdoors discovered in 2018).
From May 2019: https://www.scmagazineuk.com/cisco-firewalls-routers-switche...
i.e. It states that whether a standard includes a wiretap or not is irrelevant to it being an IETF standard.
Edit: hey, while we're on the subject, what ever happened with that supermicro thing? Check's in the mail?
Everybody can buy HiSilicon SoCs and run a backdoored linux distro on them, the only relationship required is "customer".
You can buy a hisilicon-based devboard running linux for 100$: https://www.96boards.org/product/hikey/
That's what I meant by "third party". Do you have an idea who that is in this case?
Xiongmai is well known to do this sort of thing with firmware, at this point I tend to think that they have probably been asked to do this sort of thing.
Any competent person who installs their software on a device knows that they are installing CCP spyware (whether Xiongmai intends it that way or otherwise).
The article title is clickbait though, at least as far as I'm aware. Huawei does not own Xiongmai...
...but they share a common parent company. :^ )
Is this somehow presumed to be common knowledge? Because if I accept every claim like this that is conveyed by slapping a new title on someone else's article, I'm going to believe a lot of incorrect, if not crazy, stuff. I mean, I have no love for any of these companies, but is it too much to ask that if we go around accusing people of things we show our work?
What do you mean by 'owns'? When answering, please take into account that this is about Chinese companies, where 'corporate ownership' means something else than in the West (this is not China-bashing, I think it's established fact that cultural norms about what is "ownership" in pretty much every context are different between cultures).
Also I'm not claiming one way or the other - I'm just asking, for your specific question, what sort of information would convince you of the veracity of the facts you're looking for?
The claim in discussion was HiSilicon is "Huawei-owned", not "HiSilicon is Chinese." If the claimant meant something by "owned" other than its dictionary denotation, he didn't say that. If the meaning of corporate ownership is undefined in China, the claim is not true because it is also undefined.
Edit: Ok, look. I think heinously insecure imported IoT stuff, which could possibly be meddled with by a foreign state is a very serious concern. If that's what you're driving at, I agree with you. But if we want people to take us seriously we need to be careful not to say stuff that isn't true, or go around accusing people of things if we can't back it up with evidence. This would undermine our goals.
I don't understand though why you think that's such an inflammatory claim.
With respect to the ownership of HiSilicon, I was looking for a citation. I accept that Huawei owns HiSilicon. Thank you.
The connection is that both firms are fully controlled by and reporting to the Chinese Communist Party.
It's a debug console on a busybox build. One would have to be on the same lan to exploit it.
Unfortunately Xiongmai is not an outlier for subpar security practices on IoT products, doesn't make it any less bad though.
The difference is that your average Joe doesn't even know he has to configure these devices, let alone how to configure them.
This isn't a court of law. We aren't morally obliged to feign naivety. If this wasn't meant to be a back door, they're free to explain their actions. But until they've done so to my satisfaction, I for one will assume malice.
Security people: Uhm...
For what it's worth, DNS rebinding attacks are commonly used against embedded devices, and remove this restriction.
This should be a huge scandal. For some reason we tend to give browsers a free pass when it comes to security.
Plus, it just breaks things. More than once have I had the problem of trying to serve files to other devices on a LAN I was visiting, only for their idiotic local resolver to helpfully refuse resolving the host name of my laptop because, oh surprise, it resolved to an address on that LAN!
E.g. you have a build server and chose to use live DNS to point at it artifacts on an internal network because it was simpler to just edit a single zone file.