When you see how small some of these devices are, it makes you realize how easy it would be for a malicious actor to bug just about anything you own. A simple cell phone charger becomes a listening device that could have an LTE modem hiding in it.
People are worried when they find a Raspberry Pi sitting in the network rack - and rightfully so - but fail to realize that you can achieve pretty much the same thing by hiding in plain sight.
Imagine how much you could fit into a 6-port commodity surge protector.
> A simple cell phone charger becomes a listening device that could have an LTE modem hiding in it.
You can already get USB cables that have a hidden mic and SIM, so if powered you can phone up and listen in. Those are very cheap and Google shows this, but this is more adventurous.
As for targeting hardware and security - how many people would question a fancy free mouse or keyboard arriving in the internal post as it happened to have been dropped off at reception? Great pentesting trick btw.
As for chips with `hidden/undocumented` remote-activated features: if it was documented, would it be bad, or something you can use or actively block off? When they are undocumented, well - hard not to think the worst. But then, CPUs today are not fully documented when you can't hack away at the microcode and management and whatever else is DRM'd out of your reach.
If Intel was a Chinese company instead of American - how would Americans feel about Intel chips? That is an interesting thought exercise.
I don't think this is any better elsewhere. If anything, the higher concentration of tech in America might make some of her citizens better prepared. But most everyone doesn't care beyond "making the darn box work."
And one could easily walk round many buildings just plugging them in. I mean, how many people would remove a Glade plug-in just in case Dorothy from accounts likes the smell? Dorothy might just replenish the scent dispenser every six weeks.
Which would save HR doing it and sending a memo about health and safety and asthma can kill due to these, possible.... Yeah, that is exactly how that would play out in many companies. At least in the UK.
So, unplug the device and leave it on Alice's desk. If Dorothy gives you a hard stare, then you know she must have had access to the video feed in the plug-in, and so is the corporate spy.
But if Dorothy instead gives Alice a hard stare, Dorothy is innocent. But if you return that morning to find the device plugged back in, Alice must be the spy.
Without ruining the main use case - is there some way to sterilize or nuke things like a basic cell phone charger when it should have no radio-frequency capability?
> is there some way to sterilize or nuke things like a basic cell phone charger when it should have no radio-frequency capability?
If you want Fast Charging, short circuit protection or similar, then no, it has to have ICs and those could do a lot of things that are hard to detect.
My guess would be no, as even the basic use case of a modern charger (for example) requires a functioning computer. Shielding is only a temporary option too because the device could just buffer the data and wait for the opportunity to send.
My guess is, if there is a proof of malicious act, the governments should severely punish the originating company. To act as a deterrent, i.e.: "you can get away with this exactly once".
Yup -- these already exist. I can't find the 6-port commodity surge protector implant (I've seen it before), but these are the other relevant tools you're thinking of: https://shop.hak5.org/collections/network-implants
Nothing surprising about it. These cheap Chinese cameras are just like that: buggy, default telnet passwords, silly vulnerabilities, crashing ActiveX plugins. Dahua/Xiongmai/Herospeed/whatever doesn't matter, everything is awful.
Using these devices outside an isolated VLAN with only RTSP tunneled to a trusted client is just a bad idea.
People want dirt cheap stuff that has a Bible's worth of advertised features. Amazon's Ring (which is an order of magnitude more expensive than the regular cheap Chinese crap) is a dumpster fire of security and privacy to rival any Chinese brand, yet it consistently gets 4/5 stars in any review, none of which even bothers to mention the litany of findings or the fact that for the price they are unacceptable. But they are acceptable because it's not Chinese.
It's the "Made in" label that counts. People will accept more garbage for a higher price if it has a local label, and will criticize foreign things more for the exact same issues. And that's valid basically almost everywhere in the world.
This pretty much happens with any equipment. If it's very cheap there's no reasonable expectation that they put too much effort into building and maintaining it. If it's expensive there may be other interests involved.
The difference is what your nationalism dictates: When you hear of a Huawei vulnerability you think "spying", and when you hear of a Cisco one (or five [0]) you think "bug". In the end the choice is to buy cheap and have all the careless bugs, or to buy expensive and only have the by design ones. And whether you think they are malicious or not depends on where you come from relative to the product.
Or the semi-third option; firewall the living hell out of everything with something you either wrote yourself or can read yourself. No guarantee there either but you can avoid the garbage fire that is a lot of this. I'm sure the NSA has exploits for everything tho.
And that third option is only technically available to at most 10 percent of the population, and most of them have neither the time ("day jobs") nor inclination to spend their time in that effort. And that is discounting the fact that the majority of the buggy appliances you encounter are developed by that very 10 percent in the first place.
I love these HiSilicon boxes, take a look at the OpenIPC project if you want to secure your device. It's open source firmware for these boxes, I want to give a big shoutout to Igor Zalatov and Flyrouter for all their support when working on these boxes http://openipc.org
I know I am probably too forgiving (and generous and honest https://www.pinterest.co.uk/pin/439593613603376622/) but dumb companies have left backdoors in everything from heart monitors to factory equipment.
I understood that the Huawei threat is not "dumb shit" but "clever shit we don't notice until the cyber portion of the combined arms full scale attack is launched"
If we cannot trust one hardware company we cannot trust any of them. Open source hardware seems like the Nash Equilibrium for this problem - everyone finds a way to make sure everyone can verify the hardware in their network...
And why wouldn’t it be? Huawei is a large organization and, like all large organizations, will consist of a multitude of different groups all trying to achieve the same goal in different ways. Some will want to rob the bank by tunnelling quietly into the vault at night, some will want to walk through the front door with a sawn-off shotgun.
Fair enough - see my edit above. The only protection against dumb or clever shit is some means to verify SoCs are what they claim to be (yes very hard, but a future with Open source SoCs, and supply chains where you can inspect enough to be confident - that future can be glimpsed from here and it's a future where everyone wins)
> The only protection against dumb or clever shit is some means to verify SoCs are what they claim to be
That's only protection from clever shit. Dumb shit will have security vulnerabilities due to being made by programmers who don't care, pushed to do it faster by managers who don't care.
Fortunately you normally only need to access the NVR from the Internet, not the cameras.
You can put the NVR behind a VPN as well, but one trustworthy enough to skip the VPN is much more convenient.
Plug: I'm developing a secure, reliable Free Software NVR, in Rust. Functionality is very limited now: embarrassingly, no motion detection yet, no live view, and a very "written by a backend engineer" UI. But it's slowly improving. I'd welcome help! https://github.com/scottlamb/moonfire-nvr
Open source has near-zero appeal outside of the hacker niche. The vast majority of people only care about price and maybe customer support.
Open source isn't feasible for any of the mainstream systems anyway. It's not up to the camera makers. The silicon vendors would have to open-source license their chipset drivers and firmware source, which isn't going to happen any time soon.
I think some Allwinner SoCs have blob-free mainline Linux. If there are solid drivers for everything (camera, ISP etc.), not sure. V3s is even QFN with onboard RAM, so easy to make a board for. Or use a board like this: https://licheepizero.us/
But, yeah, I think you're right, you'd struggle to compete on cost and features with mass-market players.
You could offer open source firmware for some existing cameras... I think some people do do this.
They have reasonably good support in mainline Linux/etc, so you don't have to use the vendor BSPs. In addition, for Allwinner you can even run open source firmware on the power management processor (AR100, OpenRISC based).
I'm suggesting the Chinese companies use open source software in the first place. Promoting privacy should be a great marketing tool in the current era. "Everyone else is streaming your home back to their unsecured servers, we're not, and we have made our code public so any bugs can easily be found and fixed."
> UPDATE (2020-02-05 17:28+00:00): Other researchers and habr users have pointed out that such a vulnerability is restricted to devices based on Xiongmai (Hangzhou Xiongmai Technology Co, XMtech) software, including products of other vendors which ship products based on such software. At this moment HiSilicon can't be held responsible for the backdoor in the dvrHelper/macGuarder binary.
This was an interesting update, especially the last sentence.
1. If the device has a name -> always assume it is vulnerable.
2. Hope you disabled UPnP, the device doesn't have NAT hole punching, and doesn't "require" internet access for some reason like... cloud backup of logs or update checks.
3. Configuring firewalls and routers is hard, but plugging devices into power is easy. People always go the easy route.
Separate Wi-Fi/network for IoT devices.
Do not route to the internet in any way (skip buying anything that requires it).
Connect to a Windows (or other OS) PC only, non-routable.
Disable all connections from that network to the PC.
You wish. People are not going to go to their local PC (if they even have one) to use their smart lights. Likewise, people are not going to change wireless networks every time they need to change a smart item.
The best combo I have found is non-cloud smart devices and a solid firewall. I'm confident enough that my lightbulb isn't going to hack my Mac/Windows machine, and I can still control it when I'm at home with my phone. If I want outside control, then it's VPN time.
Who says the hardware doesn't have a separate IC overriding the ostensibly clean firmware? So you need not only verified hardware schematics, but also verification that the hardware you're running is actually based on that verified design. For which there is currently no way of doing that, as far as I know. You need to either trust the vendor at some level, or treat every device as hostile - while still getting its intended use out of it.
True, but having to only trust hardware being correctly made is already an improvement over having to trust both software and hardware to be made correctly.
Being behind a NAT, without any firewall, is more than enough to protect against this. In other words, you need to work hard to be affected by this "backdoor".
> Being behind a NAT, without any firewall, is more than enough to protect against this. In other words, you need to work hard to be affected by this "backdoor".
So long as the device does not utilize UPnP and get the gateway to forward traffic to it.
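The UPnP caveat above is checkable from the LAN side: an IGD router answers GetGenericPortMappingEntry requests with every mapping it has accepted, so an audit script can list which internal device asked for which hole. The following is an added example (not code from the thread or from any vendor); the SOAP shapes follow the UPnP WANIPConnection:1 action, the response is a constructed sample, the watched-port list is an assumption, and the HTTP POST to the router's control URL (found via SSDP) is left out so it runs offline.

```python
"""Audit the port mappings a UPnP IGD router has accepted, so an IoT device
that quietly forwarded a port to itself shows up.  Message shapes follow the
WANIPConnection:1 GetGenericPortMappingEntry action; the response is a
constructed sample, and the HTTP POST to the control URL is left out."""
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Internal ports worth a finding (assumed list: camera/NVR management and stream ports).
WATCHED_PORTS = {23: "telnet", 2323: "telnet-alt", 554: "rtsp", 80: "http", 8080: "http-alt"}

def build_request(index):
    """SOAP body asking the IGD for mapping number `index` (0-based)."""
    return ('<?xml version="1.0"?><s:Envelope '
            'xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')

def parse_mapping(xml_text):
    """Pull the New* fields out of a GetGenericPortMappingEntryResponse."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]          # strip any namespace
        if name.startswith("New"):
            fields[name[3:]] = (el.text or "").strip()
    return {"remote_host": fields.get("RemoteHost", ""),
            "external_port": int(fields["ExternalPort"]),
            "protocol": fields["Protocol"],
            "internal_port": int(fields["InternalPort"]),
            "internal_client": fields["InternalClient"],
            "enabled": fields.get("Enabled") == "1",
            "description": fields.get("PortMappingDescription", ""),
            "lease": int(fields.get("LeaseDuration") or 0)}

def audit(mappings):
    """Findings for enabled mappings: anything onto a watched port, or a
    permanent (lease 0) mapping open to any remote host."""
    findings = []
    for m in mappings:
        if not m["enabled"]:
            continue
        svc = WATCHED_PORTS.get(m["internal_port"])
        if svc:
            findings.append(f'{m["internal_client"]}:{m["internal_port"]} ({svc}) '
                            f'exposed on WAN port {m["external_port"]}/{m["protocol"]}')
        elif m["lease"] == 0 and not m["remote_host"]:
            findings.append(f'{m["internal_client"]}:{m["internal_port"]} has a permanent '
                            f'any-host mapping ({m["description"] or "no description"})')
    return findings

# Constructed response: a camera that mapped WAN 8023/TCP onto its own telnet port.
SAMPLE_RESPONSE = f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">
<NewRemoteHost></NewRemoteHost><NewExternalPort>8023</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>23</NewInternalPort>
<NewInternalClient>192.168.1.20</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>cam</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

if __name__ == "__main__":
    for finding in audit([parse_mapping(SAMPLE_RESPONSE)]):
        print(finding)
```

In practice you loop `index` upward until the router returns a SOAP fault (SpecifiedArrayIndexInvalid), feeding each response through `parse_mapping`.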
The title is misleading. HiSilicon is responsible for the SoC, but the backdoor is part of the Linux-based device firmware made by another company called Hangzhou Xiongmai Technology Co. There is no clear connection between Huawei and Xiongmai.
You can find the clarification about the firmware maker (Xiongmai) towards the end of the article.
> There is no clear connection between Huawei and Xiongmai.
If Xiongmai firmware runs on HiSilicon SoCs, there must be some kind of connection, even if just via a third party that paid HiSilicon for the hardware and Xiongmai to write the firmware for it. Unfortunately, the writeup doesn't clearly identify who that could be.
This argument proves too much. By this reasoning, "Qualcomm-owned Cisco" is "injecting backdoors" into their chips as well.[1]
The real title of the article is "0day vulnerability (backdoor) in firmware for HiSilicon-based DVRs, NVRs and IP cameras" and the word Huawei doesn't even appear in it.
If OP wants to claim that Huawei are involved, maybe they should write their own article. :/
CISCO has not only a long history of creating backdoors, but have also been marketing them as features. They even wrote an IETF proposal (RFC 2804) for a LI backdoor:
Edit: Schneier wrote in 2018: "We don't know if this is error or deliberate action, but five backdoors have been discovered [in CISCO] already this year." and linked to this article: https://www.tomshardware.com/news/cisco-backdoor-hardcoded-a... (the final count went up to 7 actual backdoors discovered in 2018).
For those struggling to read this comment, HiSilicon is Huawei.
Xiongmai is well known to do this sort of thing with firmware, at this point I tend to think that they have probably been asked to do this sort of thing.
Any competent person who installs their software on a device knows that they are installing CCP spyware (whether Xiongmai intends it that way or otherwise).
The article title is clickbait though, at least as far as I'm aware. Huawei does not own Xiongmai...
I am definitely "struggling to read this comment." Is there some authoritative source that I can use to verify which company owns which?
Is this somehow presumed to be common knowledge? Because if I accept every claim like this that is conveyed by slapping a new title on someone else's article, I'm going to believe a lot of incorrect, if not crazy, stuff. I mean, I have no love for any of these companies, but is it too much to ask that if we go around accusing people of things we show our work?
"Is there some authoritative source that I can use to verify which company owns which?"
What do you mean by 'owns'? When answering, please take into account that this is about Chinese companies, where 'corporate ownership' means something else than in the West (this is not China-bashing; I think it's established fact that cultural norms about what is "ownership" in pretty much every context are different between cultures).
Also I'm not claiming one way or the other - I'm just asking, for your specific question, what sort of information would convince you of the veracity of the facts you're looking for?
How about we start with _any_? I won't believe an inflammatory claim based on hearsay alone.
The claim in discussion was HiSilicon is "Huawei-owned", not "HiSilicon is Chinese." If the claimant meant something by "owned" other than its dictionary denotation, he didn't say that. If the meaning of corporate ownership is undefined in China, the claim is not true because it is also undefined.
Edit: Ok, look. I think heinously insecure imported IoT stuff, which could possibly be meddled with by a foreign state is a very serious concern. If that's what you're driving at, I agree with you. But if we want people to take us seriously we need to be careful not to say stuff that isn't true, or go around accusing people of things if we can't back it up with evidence. This would undermine our goals.
I don't think it is inflammatory in isolation. I just wanted a citation for it. My objection had to do with the entire title, but that has now been changed to the actual article title. This conversation is confusing because it's happening between so many people, and the title changed.
With respect to the ownership of HiSilicon, I was looking for a citation. I accept that Huawei owns HiSilicon. Thank you.
This "debug console" is on networked IP cameras (many of which are open to the web) and available through a hardcoded password. I don't see a convincing argument for malicious intent, more so a dangerous level of incompetence from a company who should know better.
Unfortunately Xiongmai is not an outlier for subpar security practices on IoT products; that doesn't make it any less bad though.
I would like to point out that this is not specific to IoT. I deal with lots of servers and enterprise networking gear at my job and many of them come with hardcoded passwords on IPMI / networked admin consoles.
The difference is that your average Joe doesn't even know he has to configure these devices, let alone how to configure them.
Xiongmai has a history of oopsies this big or bigger, going back several years at least. Their software usually turns out to be spyware, whatever their intent may be.
Malice should be the default assumption in some scenarios. If a man with a covered face dressed in all black is discovered inside a bank vault, it should be assumed he was there to burglarize it. Maybe he was actually a ninja haplessly teleported through space and time by a powerful evil mage and landed in the bank vault through pure coincidence, but probably he's a burglar.
This isn't a court of law. We aren't morally obliged to feign naivety. If this wasn't meant to be a back door, they're free to explain their actions. But until they've done so to my satisfaction, I for one will assume malice.
If a consumer device ships with a “debug console” that gives the manufacturer (or any attacker who knew about it) root, that’s a vulnerability. If it happens on purpose, and they don’t tell you about it, then that’s the very definition of a backdoor.
I've worked on security for IoT devices, and "would have to be on the same LAN" is not at all uncommon as an attack scenario. In fact, at the company I worked at I worked hard to get our customers to understand that just because a network is "local" does not make it "secure".
Yeah, if you don't want to lose the protection provided by a firewall, then all you have to do is avoid running any web browsers on any devices on the LAN...
This should be a huge scandal. For some reason we tend to give browsers a free pass when it comes to security.
Speaking of rebinding attacks... does anyone know why Cloudflare's 1.1.1.1 resolver doesn't enforce this? It's the only "big" public one I know of that happily resolves RFC1918 IPs.
That's a terrible idea. For one, RFC1918 addresses are perfectly fine IP addresses, and as such are perfectly fine to put into DNS. But also, if your security depends on this, you are not secure, because rebinding attacks work just as well with non-RFC1918 addresses if that's what you happen to be using on your local network, so devices and software have to be secured against rebinding attacks with a non-filtering DNS anyway.
Plus, it just breaks things. More than once I have had the problem of trying to serve files to other devices on a LAN I was visiting, only for their idiotic local resolver to helpfully refuse resolving the host name of my laptop because, oh surprise, it resolved to an address on that LAN!
Probably because things would break in subtle and confusing ways if they did.
E.g. you have a build server and chose to use live DNS to point at its artifacts on an internal network because it was simpler to just edit a single zone file.
Nope, it would be pretty straightforward to set up a stateful DNS server that serves the "real" IP on first request from a new client, and then every subsequent request returns a local IP. That one DNS server would enable an attack on anyone who visits the malicious site.
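The two positions in this sub-thread (filter RFC1918 answers at the resolver, versus the stateful flip that such filtering alone does not stop when the LAN uses non-RFC1918 space) can both be expressed as a small client-side guard. This is an added example, not code from the thread or from Cloudflare; the zone names, addresses, the "trusted zone" notion and the log lines are constructed.

```python
"""Rebinding guard in the spirit of the thread: drop answers that map a
name onto RFC1918/loopback/link-local space, and flag a name that answered
publicly first and then flips to a local address (the stateful-server attack
described above).  Hostnames, addresses and log lines are constructed."""
import ipaddress
from collections import defaultdict

LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",               # IPv6 loopback, link-local, ULA
)]

def is_local(ip, extra_nets=()):
    """True if ip is in a local range or in a caller-supplied network (a LAN
    numbered from public space, which RFC1918 filtering would never catch).
    A v4 address is never 'in' a v6 network and vice versa."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in
               LOCAL_NETS + [ipaddress.ip_network(n) for n in extra_nets])

class RebindingGuard:
    def __init__(self, trusted_zones=(), extra_nets=()):
        self.trusted_zones = tuple(trusted_zones)  # zones that may answer with local IPs
        self.extra_nets = tuple(extra_nets)
        self.history = defaultdict(set)            # qname -> {"public", "local"}

    def _trusted(self, qname):
        return any(qname == z or qname.endswith("." + z) for z in self.trusted_zones)

    def check(self, qname, ip):
        """'allow', 'drop' (local answer, untrusted name) or 'rebind' (this
        name was answered with a public address earlier in the session)."""
        seen = self.history[qname]
        if not is_local(ip, self.extra_nets):
            seen.add("public")
            return "allow"
        verdict = "rebind" if "public" in seen else (
            "allow" if self._trusted(qname) else "drop")
        seen.add("local")
        return verdict

def scan_log(lines, guard):
    """Run the guard over constructed '<qname> <ip>' lines, in order."""
    return [(q, ip, guard.check(q, ip))
            for q, ip in (ln.split() for ln in lines if ln.strip())]

# 203.0.113.x and 198.51.100.x are documentation ranges standing in for
# public space; the lab LAN is assumed to be numbered from 198.51.100.0/24.
SAMPLE_LOG = """\
cdn.example.test 203.0.113.10
build.corp.test 192.168.10.7
attacker.test 203.0.113.77
attacker.test 192.168.1.20
attacker.test 198.51.100.9
random.test 10.0.0.5
""".splitlines()

if __name__ == "__main__":
    guard = RebindingGuard(trusted_zones=["corp.test"], extra_nets=["198.51.100.0/24"])
    for qname, ip, verdict in scan_log(SAMPLE_LOG, guard):
        print(f"{verdict:6} {qname} -> {ip}")
```

Line 5 of the sample is the case the thread raises: without `extra_nets` the 198.51.100.9 answer would pass as "public", which is why the guard must know the real local ranges rather than relying on RFC1918 alone.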
Isn't this just telnet? Like last time people claimed Huawei "injected back doors", nothing is being injected by them, and these are not backdoors, they are front doors, standard features etc? But dressed up in a way to make it look scary to someone non-technical? Sorry if I'm missing something here...
A hidden door that nobody but the installer of the door knows about is generally referred to as a back door. If it was without the knowledge of the main device manufacturer, then it was injected.
It's a telnet, but you need to activate it first. Often backdoors are simple shells like telnet or such services, but it usually requires some 'magic packets' or such things to open the port to it or start the service. If you look at the PoC you see it's not simply making a telnet connection to a port, but it does some other stuff first to prepare for it.
The company in question, Xiongmai, is not owned by Huawei as stated. This is probably a clickbait article trying to link Huawei with some kind of backdoor.