It's a debug console on a BusyBox build. One would have to be on the same LAN to exploit it.
Unfortunately, Xiongmai is not an outlier for subpar security practices on IoT products; that doesn't make it any less bad, though.
This isn't a court of law. We aren't morally obliged to feign naivety. If this wasn't meant to be a back door, they're free to explain their actions. But until they've done so to my satisfaction, I for one will assume malice.
Security people: Uhm...
For what it's worth, DNS rebinding attacks are commonly used against embedded devices, and remove this restriction.
This should be a huge scandal. For some reason we tend to give browsers a free pass when it comes to security.
People are worried when they find a raspberry pi sitting in the network rack - and rightfully so - but fail to realize that you can achieve pretty much the same thing by hiding in plain sight.
Imagine how much you could fit into a 6-port commodity surge protector.
You can already get USB cables that have a hidden mic and SIM, so if powered you can phone up and listen in. Those are very cheap and Google shows this, but this is more adventurous.
As for targeting hardware and security - how many people would question a fancy free mouse or keyboard arriving in the internal post as it happened to have been dropped off at reception? Great pentesting trick btw.
As for chips with `hidden/undocumented` remote activated features: if it was documented, would it be bad or something you can use or actively block off? When they are undocumented, well - hard not to think the worst. But then, CPUs today are not fully documented when you can't hack away at the microcode and management and whatever else is DRM'd out of your reach.
If Intel was a Chinese company instead of American - how would Americans feel about Intel chips? That is an interesting thought exercise.
Take a peek next time you're in a semi-public space if there's any that are suspiciously not-smelly.
If you want Fast Charging, short circuit protection or similar, then no, it has to have ICs and those could do a lot of things that are hard to detect.
My guess is, if there is a proof of malicious act, the governments should severely punish the originating company. To act as a deterrent, i.e.: "you can get away with this exactly once".
You can put the NVR behind a VPN as well, but one trustworthy enough to skip the VPN is much more convenient.
Plug: I'm developing a secure, reliable Free Software NVR, in Rust. Functionality is very limited now: embarrassingly, no motion detection yet, no live view, and a very "written by a backend engineer" UI. But it's slowly improving. I'd welcome help! https://github.com/scottlamb/moonfire-nvr
Open source isn't feasible for any of the mainstream systems anyway. It's not up to the camera makers. The silicon vendors would have to open-source license their chipset drivers and firmware source, which isn't going to happen any time soon.
But, yeah, I think you're right, you'd struggle to compete on cost and features with mass-market players.
You could offer open source firmware for some existing cameras... I think some people do do this.
Not really. Plenty of people are willing to modify the technology they use, both professionally and as a hobby.
You don't need to be a developer to understand that you can update the camera firmware with a 3rd-party modification.
https://www.pine64.org/2020/02/03/fosdem-2020-and-hardware-a...
I doubt they have the marketing budget to eat into the general market for IP cameras though.
3. Chinese companies clone the hardware and copy the software, changing the cosmetics.
4. They sell their cameras for cheaper.
But maybe ...
You can find the clarification about the firmware maker (Xiongmai) towards the end of the article.
If Xiongmai firmware runs on HiSilicon SoCs, there must be some kind of connection, even if just via a third party that paid HiSilicon for the hardware and Xiongmai to write the firmware for it. Unfortunately, the writeup doesn't clearly identify who that could be.
The real title of the article is "0day vulnerability (backdoor) in firmware for HiSilicon-based DVRs, NVRs and IP cameras" and the word Huawei doesn't even appear in it.
If OP wants to claim that Huawei are involved, maybe they should write their own article. :/
[1] https://www.zdnet.com/article/cisco-weve-killed-another-crit...
Edit: the title changed. Criticism retracted.
Everybody can buy HiSilicon SoCs and run a backdoored Linux distro on them; the only relationship required is "customer".
You can buy a HiSilicon-based devboard running Linux for $100: https://www.96boards.org/product/hikey/
Xiongmai is well known to do this sort of thing with firmware; at this point I tend to think that they have probably been asked to do this sort of thing.
Any competent person who installs their software on a device knows that they are installing CCP spyware (whether Xiongmai intends it that way or otherwise).
The article title is clickbait though, at least as far as I'm aware. Huawei does not own Xiongmai...
...but they share a common parent company. :^ )
Is this somehow presumed to be common knowledge? Because if I accept every claim like this that is conveyed by slapping a new title on someone else's article, I'm going to believe a lot of incorrect, if not crazy, stuff. I mean, I have no love for any of these companies, but is it too much to ask that if we go around accusing people of things we show our work?
Citation needed!
The connection is that both firms are fully controlled by and reporting to the Chinese Communist Party.
2. Put all IoT devices behind a firewall/NAT router and never allow any traffic from WAN to the IoT. (Allow only South->North traffic.)
3. Never allow east-west traffic between IoT devices.
2. Hope you disabled UPnP, the device doesn't have NAT hole punching, and doesn't "require" internet access for some reason like... cloud backup of logs or update checks.
3. Configuring firewalls and routers is hard. But plugging devices into power is easy. People always go the easy route.
Using these devices outside an isolated VLAN with only RTSP tunneled to a trusted client is just a bad idea.
People want dirt cheap stuff that has a Bible's worth of advertised features. Amazon's Ring (which is an order of magnitude more expensive than the regular cheap Chinese crap) is a dumpster fire of security and privacy to rival any Chinese brand, yet it consistently gets 4/5 stars in any review, none of which even bothers to mention the litany of findings or the fact that for the price they are unacceptable. But they are acceptable because it's not Chinese.
It's the "Made in" label that counts. People will accept more garbage for a higher price if it has a local label, and will criticize foreign things more for the exact same issues. And that's valid basically almost everywhere in the world.
This pretty much happens with any equipment. If it's very cheap there's no reasonable expectation that they put too much effort into building and maintaining it. If it's expensive there may be other interests involved.
The difference is what your nationalism dictates: When you hear of a Huawei vulnerability you think "spying", and when you hear of a Cisco one (or five [0]) you think "bug". In the end the choice is to buy cheap and have all the careless bugs, or to buy expensive and only have the by design ones. And whether you think they are malicious or not depends on where you come from relative to the product.
[0] https://www.tomshardware.com/news/cisco-backdoor-hardcoded-a...
I understood that the Huawei threat is not "dumb shit" but "clever shit we don't notice until the cyber portion of the combined arms full scale attack is launched".
If we cannot trust one hardware company we cannot trust any of them. Open source hardware seems like the Nash Equilibrium for this problem - everyone finds a way to make sure everyone can verify the hardware in their network...
And why wouldn’t it be? Huawei is a large organization and, like all large organizations, will consist of a multitude of different groups all trying to achieve the same goal in different ways. Some will want to rob the bank by tunnelling quietly into the vault at night, some will want to walk through the front door with a sawn-off shotgun.
So long as the device does not utilize UPnP and get the gateway to forward traffic to it.
From the article: https://github.com/Snawoot/hisilicon-dvr-telnet
This was an interesting update, especially the last sentence.
Good thing they are not opening a connection to UDP port 9530. Imagine the horror...