Researcher Found Backdoor Vulnerability in Firmware for HiSilicon-based DVRs, NVRs and IP cameras
Russian security researcher Vladislav Yarmak disclosed a recent backdoor integrated into DVR/NVR devices built on top of HiSilicon SoC.
The vulnerability allows attacker to gain root shell access and full control of device.
Yarmak says it did not report the issue to HiSilicon citing a lack of trust in the vendor to properly fix the issue.
The security researcher says the backdoor mechanism is actually a combination of four older security bugs/backdoors that were initially discovered and made public in March 2013, March 2017, July 2017, and September 2017.
"Apparently, all these years HiSilicon was unwilling or incapable to provide adequate security fixes for [the] same backdoor which, by the way, was implemented intentionally," Yarmak said.
According to Yarmak, the backdoor can be exploited by sending a series of commands over TCP port 9530 to devices that use HiSilicon chips.
The commands will enable the Telnet service on a vulnerable device.
Yarmak says that once the Telnet service is up and running, the attacker can log in with one of the six Telnet credentials listed below, and gain access to a root account that grants them complete control over a vulnerable device.
Since firmware patches are not available, the security researcher has created proof-of-concept (PoC) code that can be used to test if a "smart" device is running on top of HiSilicon system-on-chip (SoC), and if that SoC is vulnerable to attacks that can enable its Telnet service.
If a device is found to be vulnerable, the Russian researcher advises that device owners should ditch and replace the equipment.
Yarmak also recommends that users "should completely restrict network access to these devices to trusted users," especially on device ports 23/tcp, 9530/tcp, 9527/tcp -- the ports that can be exploited in attacks.