HiSilicon Backdoor

SouthernYankee

The HiSilicon chip used in NVRs, DVR, cameras has a backdoor.


 

saniaowner

Hello
This article is already a little outdated; moreover, this vulnerability has been known for a long time. Opening Telnet is a small problem, but the fact that you can connect to almost any XMEye camera without a password is a lot more fun)
 

alastairstevenson

> The HiSilicon chip used in NVRs, DVR, cameras has a backdoor.

Just to avoid any confusion (as the HiSilicon chips are extensively used), the vulnerability is in the Xiongmaitech firmware, not the chip itself.
The XM firmware is riddled with vulnerabilities that can be easily exploited; it's the least security-conscious firmware I've seen.

> opening Telnet is a small problem

Adding this at the built-in placeholder helps:
Code:
extapp.sh holds this :
-----------------------------------------------------
#! /bin/sh
# An extra startup script to gain access to the internals of this DVR
# Need the delay to avoid dvrhelper killing telnetd when launching sofia
/sbin/getty -L ttyS000 115200 vt100 -l /bin/sh -I "Auto login as root ..." &
sleep 5
/bin/busybox telnetd -l /bin/sh &
exit 0
-----------------------------------------------------
Doesn't even need the hard-coded well-known hash.
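
An audit check for the pattern in the extapp.sh above, as an added example that is not part of the original post: it flags startup-script lines that start telnetd or getty with `-l <shell>`, which hands out a shell with no login step. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a startup script for lines that
# start telnetd or getty with "-l <shell>", i.e. a shell with no login prompt.

# Usage: audit_startup_script LABEL < script
# Prints one "LABEL:LINE: finding" per match; comment lines are ignored.
audit_startup_script() {
    awk -v label="$1" '
        /^[ \t]*#/ { next }
        # "-l PROG" sets the program run on connect; anything ending in "sh"
        # (sh, ash, bash) hands out a shell instead of running login.
        /(^|[ \t])-l[ \t]+[^ \t]*sh([ \t&]|$)/ {
            if ($0 ~ /telnetd/)
                printf "%s:%d: telnetd gives a shell without login\n", label, NR
            else if ($0 ~ /getty/)
                printf "%s:%d: getty gives a serial shell without login\n", label, NR
        }
    '
}

# Constructed sample: same shape as the extapp.sh above, plus one hypothetical
# line that keeps the login step, to show what is not flagged.
constructed_sample() {
    cat <<'EOF'
#! /bin/sh
# telnetd -l /bin/sh in a comment is ignored
/sbin/getty -L ttyS000 115200 vt100 -l /bin/sh -I "Auto login as root ..." &
sleep 5
/bin/busybox telnetd -l /bin/sh &
/bin/busybox telnetd -l /bin/login &
exit 0
EOF
}

# With file arguments, audit each file; with none, audit the constructed sample.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do audit_startup_script "$f" < "$f"; done
else
    constructed_sample | audit_startup_script sample
fi
```

Run it against the startup scripts of an unpacked firmware image or a device backup; any finding means that service should be removed or put behind a real login.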
 

saniaowner

I agree, but on new firmware they closed port 23, which was previously open. Now port 9530 is responsible for Telnet, but it only responds to certain commands; that is, if you just try to connect to the camera or NVR on this port, you will get an error. However, the XMEye firmware is very unstable and always surprises with new glitches.
 

alastairstevenson

> Now port 9530 is responsible for Telnet,

Yeah - and they didn't do a great job of locking that change down either:

> However, the XMEye firmware is very unstable and always surprises with new glitches

Yes, it's all over the place.
Like their cameras.
 