Security researchers have discovered a hidden backdoor in the firmware of DblTek GoIP GSM gateways that allows Telnet access to affected devices.

DblTek stands for DBL Technology, a Hong Kong-based company that manufactures IP phones, SIM servers, various types of VoIP equipment and cross-network gateways.

DblTek GoIP devices are GSM gateways used by telcos and VoIP providers to link GSM and classic IP networks.

GoIP devices provide hidden access via dbladm account

According to a report from cyber-security firm Trustware, GoIP GSM gateways allows hidden remote Telnet access via an account named "dbladm" that provides root-level access to the device.

Unlike the default "ctlcmd" and "limitsh" Telnet accounts, the "dbladm" account is not included in the product's documentation.

While the first two use user-set passwords, the backdoor account uses a challenge-response authentication scheme. This scheme presents users with a string, on which they can perform various operations and deduce the password.

Backdoor password can be easily computed

Trustwave researchers said this scheme is very easy to reverse engineer. An attacker can create automated scripts that read the challenge, compute the response, and authenticate on the device.

Once they log in, because users have root privileges, they can take full control of the device, listen to ongoing traffic, or use the equipment for other actions, such as DDoS attacks or for relaying malicious traffic.

Researchers say they tested GoIP 8-port GSM gateways, but they suspect that GoIP 1, 4, 16 and 32-port devices are affected as well since they use the same login binary in their firmware images.

Chinese firm misunderstands security problem

Trustwave researchers reached out to DBL Technology, but the company didn't reply in the way researchers expected.

Instead of removing the backdoor account, which Trustwave suspected was used during testing, DBL Technology simply made the challenge-response login system more complex, albeit still crackable.

The Chinese company completely failed to understand that the presence of a backdoor is the "security issue," and not the complexity of the login system.

Chinese companies and backdoors...

In February 2016, security researchers from Pen Test Partners have found similar hidden backdoors in the DVRs manufactured by MVPower, another Chinese company.

In the same week, security researchers from Risk Based Security discovered the same thing in the firmware of DVRs built by Chinese firm RaySharp.

Then there are the issues with backdoors and authentication bypasses in Dahua DVRs from November 2013.

If we include Taiwan as a part of China (even if Taiwan disagrees), then we also have backdoor accounts in AVer DVRs and Foxconn firmware used with Android devices.

And since we brought up Android devices, just this past fall security researchers found secret backdoors in Android component firmware manufactured by Shanghai Adups Technology and Ragentek Group, two Chinese companies.

Most of these issues looked like bad coding, production testing accounts, or intentional backdoors added to comply with recent Chinese regulations.

Back in 2012, a former Pentagon analyst told media that China had backdoors in the equipment of 80% of the world's telecoms.