China DVR/NVR Backdoor Discovered, Huawei Refutes

By: Sean Patton and John Scanlan, Published on Feb 07, 2020

A backdoor was found in Chinese-produced DVRs and NVRs that secretly allowed access to the recorders. While it was first attributed to Huawei (HiSilicon), Huawei subsequently refuted their involvement.

Inside this report, we explain:

  • How the backdoor works
  • Who the backdoor impacts and who it does not
  • Why it is a concern
  • But why it is unlikely to be widely exploited
  • How Huawei refuted it
  • The claimed source of the backdoor
  • Risks for other recorders to be exploited

How the Backdoor Works

The backdoor uses port knocking via the management port of vulnerable equipment. A series of commands are sent to the device via the management port, TCP 9530, which in turn opens telnet. When telnet is enabled the attacker can use one of six hardcoded root credentials to gain full control of the vulnerable device.

The skill level needed to exploit this is low and similar to the skill level needed to exploit the Dahua Wiretapping Vulnerability from last year, requiring a limited working knowledge of python. A proof of concept is available here, which is used to:

  • Send a command to open Telnet on the target device (OpenTelnet:OpenOnce)
  • Use a pre-shared key for access (2wj9fsa2)
  • Receive an 8 character number / respond with that number + PSK
  • Open a Telnet session with the device
  • Login with 1 of 6 hardcoded root accounts

Major Chinese Manufacturer Impact Unlikely

Major China manufacturers like Dahua, Hikvision, Uniview are not impacted, from everything we have seen. We executed the proof of concept code from the disclosure on multiple devices and were unable to gain access using the backdoor.

Who The Backdoor Impacts - Mostly Small OEM Manufacturer

The backdoor primarily impacts devices using HiSilicon SOC with Xiongmai software, which is dozens of small OEM manufacturers, using minimally modified OEM firmware, Open Source OS and drivers, and enabling telnet on port 9530.

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

Why It Is A Concern

There is no doubt that whoever put this in did this on purpose since such an obscure series of steps leading to gain control of the device could not be placed on accident, which is a significant trust issue.

Backdoor access allows the devices to be compromised and used within botnets, which is what was seen with Mirai. These vulnerable devices may cause severe disruption to not only specific targets but entire regions or even nations.

Unlikely Widely Exploited

However, the backdoor requires equipment using a Hisilicon SoC, Xiongmai firmware, and port 9530 open. This configuration is less likely to accidentally happen because those ports are not required for external viewing of cameras.

IPVM spoke with the researcher, Vladislov Yarmak, who told us that there are likely hundreds of thousands but less than a million affected devices publicly available online adding that it will be difficult to locate these using sites like shodan.

How Huawei Refuted It

Huawei issued a detailed refutation: Security Notice - Technical Analysis Report on the Suspected Security Issue of HiSilicon Video Surveillance Chips Reported by Some Media

In the release, Huawei says that the vulnerability source is not their chips or SDK, explaining the while their SDK contains Telnet interfaces, they are disabled by default (as of 2017) and they advise SDK developers to delete Telnet unless needed:

SDK versions contains development and debugging interfaces commonly used in the industry, for example, the serial port, Telnet, and JTAG interfaces,... ....Telnet is disabled by default, and there is no default user password. In addition, HiSilicon provides the Cyber Security Precautions for Secondary Development to equipment vendors along with the software package. The Cyber Security Precautions for Secondary Development strongly advises customers to delete the Telnet function and other functions concerning risky services..

Additionally, Huawei declared that they will never place backdoors, or allow anyone else to:

Huawei (and its affiliates worldwide, including HiSilicon) has long committed that it has not and will never place backdoors nor allow anyone else to do so.

Claimed Source Of The Backdoor

The claimed source is XiongMai, also known as XM. XM is famous for the 2017 Mirai botnet attacks and has a very poor track record:

Despite this poor track record, XiongMai is not banned in the US, and has a long list of (generally smaller, lower-end) OEM customers:

However, most companies are not commonly sold in Western commercial installations, and this will directly impact the lowest of low budget consumers.

Risks For Others

Still many recorders require the opening of a control port for remote viewing / operation. Other manufacturers could implement similar backdoors unbeknownst to users.

While companies like Bosch, Genetec, and Milestone self-disclose and patch vulnerabilities it is uncommon for Chinese manufacturers to do so. Some even deny the vulnerabilities or try to explain away hardcoded backdoors. Unless security researchers discover and disclose other manufacturers' backdoors equipment will remain vulnerable.

To see how other vulnerabilities have affected the security industry check out IPVM's Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits.

1 report cite this report:

Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits on May 02, 2018
This list compiles reported exploits for security products, and is updated regularly. We have summarized exploits by date and by manufacturer,...
Comments (14) : Members only. Login. or Join.

Related Reports

Dahua New Critical Vulnerability 2019 on Sep 23, 2019
Dahua has quietly admitted 5 new vulnerabilities including 1 critical vulnerability with a 9.8 / 10.0 CVSS score and 2 high vulnerabilities (scored...
Uniview OEM Directory on Sep 11, 2019
This directory lists 20+ companies that OEM products from Uniview, with a graphic and links to company websites below. It does not cover all...
ONVIF Exposure To "Devastating DDoS Attacks" Examined on Sep 06, 2019
ZDnet reported "Protocol used by 630,000 devices can be abused for devastating DDoS attacks", citing exposure of ONVIF devices. And after an...
Warning: Windows 7 Update Crashing NVRs on Aug 26, 2019
Windows 7 updates are causing VMS servers to fail to boot. After running the update, impacted systems do not boot as normal, instead display this...
Critical Vulnerability Across 18+ Network Switch Vendors: Cisco, Netgear, More on Aug 26, 2019
Cisco, Netgear and more than a dozen other brands, including small Asian ones, have been found to share the same critical vulnerability, discovered...
Dahua OEM Directory on Aug 16, 2019
US Government banned Dahua OEMs for dozens of companies. The following directory includes 40+ of those companies with a graphic and links to...
Hikvision OEM Directory on Aug 13, 2019
The Chinese government-owned and US-government banned Hikvision has become the world's largest video surveillance manufacturer and generally hidden...
Dahua Wiretapping Vulnerability on Aug 02, 2019
IPVM has validated, with testing, and from Dahua, that many Dahua cameras have a wiretapping vulnerability. Even if the camera's audio has been...
LifeSafety Power NetLink Vulnerabilities And Problematic Response on May 20, 2019
'Power supplies' are not devices that many think about when considering vulnerabilities but as more and more devices go 'online', the risks for...
Subnetting for Video Surveillance on Apr 30, 2019
This guide explains when subnetting is used on security networks, and how it works. We explain how to add or remove IP addresses to your range,...

Most Recent Industry Reports

Viakoo Presents Cyber Hygiene for Cameras on May 28, 2020
Viakoo presented its 'Cyber Hygiene' and 'Service Assurance' products at the April 2020 IPVM New Products show. Inside this report: A...
Seek Scan Thermal Temperature Screening System ReTested on May 28, 2020
Now that IPVM has tested Dahua, Hikvision, and Sunell, we are returning to Seek, the first blackbody system we tested and retested it with our...
Directory of 106 "Fever" Camera Suppliers on May 28, 2020
This directory provides a list of "Fever" scanning thermal camera providers to help you see and research what options are available. There are...
Fever Cameras Are Medical Devices, Per The FDA, Dahua, Feevr, Hikvision, InVid Contrary Claims Are False on May 28, 2020
Fever cameras are medical devices, despite what euphemisms various sellers use. The US FDA clearly categorizes them as medical devices and...
Wyze Raises $10 Million And Seeks Services Expansion on May 27, 2020
Wyze has raised $10 million, the company's first disclosed raise since the $20 million announced at the beginning of 2019. Inside this note,...
Startup Videoloft Presents Cloud Storage on May 27, 2020
Videoloft presented offsite cloud storage at the May 2020 IPVM Startups show. A 30-minute video from Videoloft including IPVM...
Directory of 300+ Fever Camera News Reports Globally on May 27, 2020
This global directory tracks 300+ articles about thermal cameras used to detect fevers in response to the coronavirus pandemic. Articles are...
Integrators Rising Against Coronavirus on May 27, 2020
IPVM integrator statistics make it clear - Coronavirus's impact on business is lessening and many are anticipating even better news in weeks...
Netposa Stock Surges 46% After US Human Rights Abuse Sanctions on May 27, 2020
Last Friday, the US government announced it would sanction PRC video management provider NetPosa for being "complicit in human rights violations...
LILIN Presents NDAA-Compliant P2 Cameras on May 26, 2020
Merit LILIN presented its NDAA-compliant P2 camera series at the April 2020 IPVM New Products show. Inside this report: A 30-minute video...