China DVR/NVR Backdoor Discovered, Huawei Refutes

By: Sean Patton and John Scanlan, Published on Feb 07, 2020

A backdoor was found in Chinese-produced DVRs and NVRs that secretly allowed access to the recorders. While it was first attributed to Huawei (HiSilicon), Huawei subsequently refuted their involvement.

Inside this report, we explain:

  • How the backdoor works
  • Who the backdoor impacts and who it does not
  • Why it is a concern
  • But why it is unlikely to be widely exploited
  • How Huawei refuted it
  • The claimed source of the backdoor
  • Risks for other recorders to be exploited

How the Backdoor Works

The backdoor uses port knocking via the management port of vulnerable equipment. A series of commands is sent to the device via the management port, TCP 9530, which in turn opens telnet. Once telnet is enabled, the attacker can use one of six hardcoded root credentials to gain full control of the vulnerable device.

The skill level needed to exploit this is low and similar to the skill level needed to exploit the Dahua Wiretapping Vulnerability from last year, requiring a limited working knowledge of Python. A proof of concept is available here, which is used to:

  • Send a command to open Telnet on the target device (OpenTelnet:OpenOnce)
  • Use a pre-shared key for access (2wj9fsa2)
  • Receive an 8 character number / respond with that number + PSK
  • Open a Telnet session with the device
  • Login with 1 of 6 hardcoded root accounts
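For defenders, the sequence above leaves a recognizable network trace: a connection to TCP 9530 followed shortly by a telnet session to the same recorder from the same source. The following is an added example, not part of the original report or the researcher's proof of concept; the flow-record format, the 60-second window and telnet on its standard port 23 are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

MGMT_PORT = 9530                 # management port named in the report
TELNET_PORT = 23                 # assumption: telnet opens on its standard port
WINDOW = timedelta(seconds=60)   # assumption: correlation window

# Constructed flow records: "timestamp src dst dst_port"
SAMPLE_FLOWS = """\
2020-02-05T10:00:01 203.0.113.7 192.0.2.10 9530
2020-02-05T10:00:04 203.0.113.7 192.0.2.10 23
2020-02-05T10:05:00 198.51.100.9 192.0.2.11 9530
2020-02-05T10:20:00 198.51.100.9 192.0.2.11 23
2020-02-05T11:00:00 198.51.100.20 192.0.2.12 23
2020-02-05T11:30:00 203.0.113.7 192.0.2.13 9530
not a flow record
"""

def parse_flows(text):
    """Parse flow lines into (time, src, dst, port) tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        flows.append((ts, parts[1], parts[2], int(parts[3])))
    return sorted(flows)

def find_knock_then_telnet(flows, window=WINDOW):
    """Flag telnet sessions that follow a 9530 connection from the same source."""
    last_knock = {}   # (src, dst) -> time of the most recent 9530 connection
    alerts = []
    for ts, src, dst, port in flows:
        key = (src, dst)
        if port == MGMT_PORT:
            last_knock[key] = ts
        elif port == TELNET_PORT and key in last_knock and ts - last_knock[key] <= window:
            alerts.append({"src": src, "dst": dst, "knock": last_knock[key], "telnet": ts})
    return alerts

def exposed_recorders(flows):
    """Recorders whose management port was reached at all: candidates for firewalling."""
    return sorted({dst for _, _, dst, port in flows if port == MGMT_PORT})

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for alert in find_knock_then_telnet(flows):
        print("ALERT", alert["src"], "->", alert["dst"], alert["knock"], alert["telnet"])
    print("9530 reachable on:", exposed_recorders(flows))
```

Any recorder listed by `exposed_recorders` should have TCP 9530 and telnet blocked at the perimeter, since neither is needed for remote viewing.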

Major Chinese Manufacturer Impact Unlikely

Major China manufacturers like Dahua, Hikvision, Uniview are not impacted, from everything we have seen. We executed the proof of concept code from the disclosure on multiple devices and were unable to gain access using the backdoor.

Who The Backdoor Impacts - Mostly Small OEM Manufacturers

The backdoor primarily impacts devices using a HiSilicon SoC with Xiongmai software. This covers dozens of small OEM manufacturers using minimally modified OEM firmware, open source OS and drivers, and enabling telnet on port 9530.


Why It Is A Concern

There is no doubt that whoever put this in did so on purpose, since such an obscure series of steps leading to control of the device could not have been placed by accident. That is a significant trust issue.

Backdoor access allows the devices to be compromised and used within botnets, which is what was seen with Mirai. These vulnerable devices may cause severe disruption to not only specific targets but entire regions or even nations.

Unlikely Widely Exploited

However, the backdoor requires equipment using a HiSilicon SoC, Xiongmai firmware, and port 9530 open. This configuration is less likely to happen accidentally because those ports are not required for external viewing of cameras.

IPVM spoke with the researcher, Vladislav Yarmak, who told us that there are likely hundreds of thousands but less than a million affected devices publicly available online, adding that it will be difficult to locate these using sites like Shodan.

How Huawei Refuted It

Huawei issued a detailed refutation: Security Notice - Technical Analysis Report on the Suspected Security Issue of HiSilicon Video Surveillance Chips Reported by Some Media

In the release, Huawei says that the vulnerability source is not their chips or SDK, explaining that while their SDK contains Telnet interfaces, they are disabled by default (as of 2017) and they advise SDK developers to delete Telnet unless needed:

SDK versions contain development and debugging interfaces commonly used in the industry, for example, the serial port, Telnet, and JTAG interfaces, ... Telnet is disabled by default, and there is no default user password. In addition, HiSilicon provides the Cyber Security Precautions for Secondary Development to equipment vendors along with the software package. The Cyber Security Precautions for Secondary Development strongly advises customers to delete the Telnet function and other functions concerning risky services.

Additionally, Huawei declared that they will never place backdoors, or allow anyone else to:

Huawei (and its affiliates worldwide, including HiSilicon) has long committed that it has not and will never place backdoors nor allow anyone else to do so.

Claimed Source Of The Backdoor

The claimed source is XiongMai, also known as XM. XM is famous for the 2017 Mirai botnet attacks and has a very poor track record:

Despite this poor track record, XiongMai is not banned in the US, and has a long list of (generally smaller, lower-end) OEM customers:

However, most of these companies are not commonly sold in Western commercial installations, and this will directly impact the lowest of low budget consumers.

Risks For Others

Still, many recorders require the opening of a control port for remote viewing / operation. Other manufacturers could implement similar backdoors unbeknownst to users.

While companies like Bosch, Genetec, and Milestone self-disclose and patch vulnerabilities, it is uncommon for Chinese manufacturers to do so. Some even deny the vulnerabilities or try to explain away hardcoded backdoors. Unless security researchers discover and disclose other manufacturers' backdoors, equipment will remain vulnerable.

To see how other vulnerabilities have affected the security industry check out IPVM's Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits.
