Trivial backdoor found in firmware for Chinese-built net-connected video recorders

Corrected CCTV equipment maker Xiongmai effectively built a poorly hidden, insecure backdoor into potentially millions of surveillance devices, it is claimed.

If true, this security blunder could be exploited over the local network to inject commands into vulnerable gear.

A hardware probester going by the name of Vladislav Yarmak alleged this week that China-based Xiongmai – best known for its wide-open security cameras – left a remote debugging and management tool in its firmware, which is used in network-connected surveillance video recorders.

The backdoor, as described by Yarmak, is pretty simple. The firmware opens a service on TCP port 9530. You connect to this port, and exchange some data to agree upon a randomly generated session key that's used to encrypt the rest of your communications with the software. You then send a request, Telnet:OpenOnce, to the device to tell it to open a Telnet service. If all goes to plan, a Telnet daemon starts on TCP port 9527.

You then connect to that remote service with the username root and password 123456 – there are in fact six possible root passwords – and you're in as the superuser, able to debug and control the gizmo, and issue shell commands to the underlying Busybox-based Linux operating system.

The full client-server exchange is detailed by Yarmak in the above link. A crucial point is that although both sides agree on a session key, it relies on a pre-shared key that is present in plaintext in the firmware for anyone to find and extract and use. It doesn't appear this port 9530 service is open to the internet, rather just the local network.

Xiongmai did not respond to requests for comment.

There are already Chinese components in your pocket – so why fret about 5G gear?

READ MORE

"Devices with vulnerable firmware has the macGuarder or dvrHelper process running and accepting connections on TCP port 9530," wrote Yarmak.

"More recent firmware versions had Telnet access and debug port (9527/tcp) disabled by default. Instead they had open port 9530/tcp which was used to accept special command to start telnet daemon and enable shell access with static password which is the same for all devices."

Yarmak claims hundreds of thousands of devices may be open to this kind of issue, although a Shodan.io scan revealed just 13 with that magic port 9530 open. Then again, there may be many more open on local networks. This is a zero-day vulnerability because it seems Huawei wasn't warned about it before this week's public disclosure. Here's how Yarmak put it:

"It is not practical to expect security fixes for the firmware from the vendor. Owners of such devices should consider switching to alternatives. However, if a replacement is not possible, device owners should completely restrict network access to these devices to trusted users. Ports involved in this vulnerability is 23/tcp, 9530/tcp, 9527/tcp, but earlier researches indicate there is no confidence other services implementation is solid and doesn't contain RCE [remote code execution] vulnerabilities." ®

Correction

This article was revised after publication to make clear the vulnerable firmware was allegedly provided by Xiongmai and shipped with its devices.

We are happy to clarify that, although Xiongmai's products used a chipset provided by Huawei's HiSilicon subsidiary, Huawei said it had no involvement with the vulnerable software and did not supply or ship it in any form. For more details, see Huawei's statement on the matter.