
Russian security researcher Vladislav Yarmak has published today details about a backdoor mechanism he discovered in Xiongmai firmware, used by millions of smart devices across the globe, such as security cameras, DVRs, NVRs, and others.

A firmware fix is not currently available as Yarmak did not report the issue to the company, citing a lack of trust in the vendor to properly fix the issue.


In a detailed technical rundown that Yarmak published on Habr earlier today, the security researcher says the backdoor mechanism is a mash-up of four older security bugs/backdoors that were initially discovered and made public in March 2013, March 2017, July 2017, and September 2017 -- and which the vendor failed to adequately fix.

How the backdoor works

According to Yarmak, the backdoor can be exploited by sending a series of commands over TCP port 9530 to devices that use HiSilicon chips and Xiongmai firmware.

The commands -- the equivalent of a secret knock -- will enable the Telnet service on a vulnerable device.

Yarmak says that once the Telnet service is up and running, the attacker can log in with one of six Telnet credentials listed below, and gain access to a root account that grants them complete control over a vulnerable device.

Image: Vladislav Yarmak

These Telnet logins have been found in previous years as being hardcoded in the firmware, but despite public disclosures and their abuse by Mirai botnets, Yarmak says the hardcoded credentials were left in place, while the vendor chose to disable the Telnet daemon instead.

Proof-of-concept code

Because Yarmak did not intend to report the vulnerability, firmware patches are not available. Instead, the security researcher has created proof-of-concept (PoC) code that can be used to test if a "smart" device runs on the vulnerable firmware.

If a device is found to be vulnerable, in his Habr write-up the Russian researcher is adamant that device owners should ditch and replace the equipment.

"Taking into account earlier bogus fixes for that vulnerability (backdoor, actually) it is not practical to expect security fixes for firmware from [the] vendor," Yarmak said. "Owners of such devices should consider switching to alternatives."

In the case that device owners can't afford the price of new equipment, Yarmak recommends that users "should completely restrict network access to these devices to trusted users," especially on device ports 23/tcp, 9530/tcp, 9527/tcp -- the ports that can be exploited in attacks.
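The two practical takeaways from the sections above are the knock-then-Telnet sequence (a 9530/tcp exchange followed by a Telnet login) and the advice to restrict 23/tcp, 9530/tcp and 9527/tcp to trusted hosts. The Python below is an added example, not code from the article or from Yarmak's PoC: it generates nftables rules that confine those three ports to trusted sources, and it runs over a few constructed connection-log lines to flag any untrusted host that reaches them. The log line format, the device and host addresses, and the nftables table and chain names (`inet filter`, `forward`) are assumptions.

```python
"""Defender-side helpers for the Telnet backdoor ports named in the article.

Added example; this is not the article's code nor Yarmak's PoC. Log format,
device addresses and the nftables table/chain names are assumptions.
"""
import ipaddress
from typing import Dict, Iterable, List

# Ports the article names as exploitable: Telnet (23/tcp), the 9530/tcp
# service that takes the "secret knock" and enables Telnet, and 9527/tcp.
BACKDOOR_PORTS = (23, 9527, 9530)


def nft_rules(device_ips: Iterable[str], trusted_cidrs: Iterable[str]) -> List[str]:
    """Build nftables rules that let only trusted sources reach the backdoor
    ports on the listed devices and log-and-drop every other attempt.
    Table 'inet filter' and chain 'forward' are assumed names."""
    devices = [str(ipaddress.ip_address(ip)) for ip in device_ips]
    trusted = [str(ipaddress.ip_network(c, strict=False)) for c in trusted_cidrs]
    dev_set = "{ " + ", ".join(devices) + " }"
    port_set = "{ " + ", ".join(str(p) for p in BACKDOOR_PORTS) + " }"
    rules = []
    if trusted:
        trusted_set = "{ " + ", ".join(trusted) + " }"
        rules.append(
            f"add rule inet filter forward ip saddr {trusted_set} "
            f"ip daddr {dev_set} tcp dport {port_set} accept"
        )
    rules.append(
        f"add rule inet filter forward ip daddr {dev_set} tcp dport {port_set} "
        f'counter log prefix "xm-backdoor-port " drop'
    )
    return rules


def flag_untrusted_access(log_lines: Iterable[str], trusted_cidrs: Iterable[str]) -> List[Dict]:
    """Return every event in which an untrusted source reached a backdoor port.

    Lines are expected in the constructed form
    '<timestamp> <src_ip> -> <dst_ip>:<dport>/<proto>'; malformed lines are skipped.
    A 9530/tcp hit followed by 23/tcp from the same source is the knock-then-Telnet
    sequence the article describes, so events are returned in log order."""
    trusted = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    hits: List[Dict] = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "->" or ":" not in parts[3] or "/" not in parts[3]:
            continue
        ts, src, _, dst = parts
        dst_ip, rest = dst.rsplit(":", 1)
        port_str, proto = rest.split("/", 1)
        try:
            src_ip = ipaddress.ip_address(src)
            dport = int(port_str)
        except ValueError:
            continue
        if proto != "tcp" or dport not in BACKDOOR_PORTS:
            continue
        if any(src_ip in net for net in trusted):
            continue
        hits.append({"ts": ts, "src": str(src_ip), "dst": dst_ip, "dport": dport})
    return hits


# Constructed sample: one untrusted host knocks on 9530 and then opens Telnet;
# a trusted admin host touches 9527 and is not flagged.
SAMPLE_LOG = [
    "2020-02-05T10:00:01 10.0.0.5 -> 192.168.1.50:80/tcp",
    "2020-02-05T10:00:07 203.0.113.7 -> 192.168.1.50:9530/tcp",
    "2020-02-05T10:00:09 203.0.113.7 -> 192.168.1.50:23/tcp",
    "2020-02-05T10:00:12 10.0.0.5 -> 192.168.1.50:9527/tcp",
    "not a connection record",
]
TRUSTED = ["10.0.0.0/24"]

if __name__ == "__main__":
    for rule in nft_rules(["192.168.1.50"], TRUSTED):
        print(rule)
    for hit in flag_untrusted_access(SAMPLE_LOG, TRUSTED):
        print(f"untrusted access: {hit['src']} -> {hit['dst']}:{hit['dport']} at {hit['ts']}")
```

The drop rule carries a `log prefix` so that blocked attempts on these ports show up in the firewall log even after the restriction is in place; a hit on 9530/tcp closely followed by 23/tcp from the same outside address is the pattern worth alerting on.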

The proof-of-concept code is available on GitHub. Build and usage instructions for the PoC are available in the Habr post.

As for the impact, Yarmak says that the backdoor is most likely found in countless devices, as the vendor is a known seller of white-label products, sold under tens of other brands. Here, he cited the work of another researcher who in September 2017 tracked down the same backdoor mechanism in firmware that was being used by DVRs sold by tens of vendors.

Image: tothi on GitHub

Update [February 6, 08:30am ET]: The initial version of this article claimed the backdoor mechanism was in HiSilicon chips. We have updated the article's title and content to reflect post-publication updates to the original research, which was updated to specify that the backdoor was located in devices using HiSilicon chips and Xiongmai (Hangzhou Xiongmai Technology Co, XMtech) firmware.

Huawei, which owns HiSilicon, also published a clarification on Yarmak's research. The company said the backdoor mechanism is not in the HiSilicon chips or any of its official software development kits (SDKs), but in the add-on firmware that is usually added by each vendor that chooses to use its system-on-chip (SoC) boards as part of their products.

