HiSilicon Backdoor

SouthernYankee

The HiSilicon chip used in NVRs, DVRs and cameras has a backdoor.


 
Hello
This article is already a little outdated; moreover, this vulnerability has been known for a long time. Opening Telnet is a small problem, but the fact that you can connect to almost any XMEye camera without a password is a lot more fun)
 
The HiSilicon chip used in NVRs, DVRs and cameras has a backdoor.
Just to avoid any confusion (as the HiSilicon chips are extensively used) the vulnerability is in the Xiongmaitech firmware, not the chip itself.
The XM firmware is riddled with vulnerabilities that can be easily exploited; it's the least security-conscious firmware I've seen.

opening Telnet is a small problem
Adding this at the built-in placeholder helps:
Code:
extapp.sh holds this :
-----------------------------------------------------
#! /bin/sh
# An extra startup script to gain access to the internals of this DVR
# Need the delay to avoid dvrhelper killing telnetd when launching sofia
/sbin/getty -L ttyS000 115200 vt100 -l /bin/sh -I "Auto login as root ..." &
sleep 5
/bin/busybox telnetd -l /bin/sh &
exit 0
-----------------------------------------------------
Doesn't even need the hard-coded well-known hash.
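
For auditing an extracted firmware image or a device's startup scripts for the kind of launcher posted above, here is an added example (not part of the thread and not any poster's code). It flags BusyBox `telnetd` or `getty` started with `-l` pointing at a shell, which hands out a root prompt with no login; the function and constant names are assumptions of this example, and the sample input is the script from the post.

```python
import os
import shlex

SHELLS = {"sh", "ash", "bash"}            # programs that give a prompt without a password
DAEMONS = {"telnetd", "getty"}            # BusyBox applets that accept -l PROG
SEPARATORS = {"&", "&&", "||", ";", "|"}  # end of one command on the line

# Sample input: the extapp.sh quoted in the post above.
SAMPLE = '''#! /bin/sh
# An extra startup script to gain access to the internals of this DVR
# Need the delay to avoid dvrhelper killing telnetd when launching sofia
/sbin/getty -L ttyS000 115200 vt100 -l /bin/sh -I "Auto login as root ..." &
sleep 5
/bin/busybox telnetd -l /bin/sh &
exit 0
'''

def passwordless_shells(script_text):
    """Return (line_no, daemon, program) for every telnetd/getty command whose
    -l option names a shell instead of a login program."""
    findings = []
    for line_no, raw in enumerate(script_text.splitlines(), 1):
        if raw.lstrip().startswith("#"):      # comment lines may mention telnetd
            continue
        try:
            tokens = shlex.split(raw, comments=True)
        except ValueError:                    # unbalanced quotes: plain split
            tokens = raw.split()
        daemon = None
        for i, tok in enumerate(tokens):
            name = os.path.basename(tok)
            if tok in SEPARATORS:
                daemon = None                 # next command starts here
            elif name in DAEMONS:
                daemon = name
            elif daemon and tok.startswith("-l"):
                # accept both "-l PROG" and the attached form "-lPROG"
                prog = tok[2:] or (tokens[i + 1] if i + 1 < len(tokens) else "")
                if os.path.basename(prog) in SHELLS:
                    findings.append((line_no, daemon, prog))
    return findings

if __name__ == "__main__":
    for line_no, daemon, prog in passwordless_shells(SAMPLE):
        print(f"line {line_no}: {daemon} runs {prog} without authentication")
```

Run it over every script under the unpacked root filesystem's init directories; a `-l /bin/login` launcher is not reported.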
 
I agree, but on new firmware they closed port 23, which was previously open. Now port 9530 is responsible for Telnet, but it only responds to certain commands; that is, if you just try to connect to the camera or NVR with this port, you will get an error. However, the XMEye firmware is very unstable and always surprises with new glitches.
 
Now port 9530 is responsible for Telnet,
Yeah - and they didn't do a great job of locking that change down either:

However, the XMEye firmware is very unstable and always surprises with new glitches
Yes, it's all over the place.
Like their cameras.