The HiSilicon / Xiongmai Backdoor and 3rd Party Component Risk
Last week saw a flurry of news about a research report by Vladislav Yarmak describing a backdoor in the firmware of DVR/NVR devices built using the video surveillance chips from HiSilicon (a subsidiary of Huawei). The backdoor allowed an attacker to activate the built-in Telnet service and then use hardcoded passwords to get control over the device. The firmware in question is used in devices from dozens of brands.
Huawei issued a statement denying that the backdoor was introduced by HiSilicon in their SoCs or SDKs. Huawei conveniently pointed the finger at other downstream vendors whose software mistakenly left “debugging” access to the devices. This software was then utilized by many different brands.
Some observers noted that the affected software came from Xiongmai, a Chinese electronics manufacturer with a well known reputation for delivering insecure devices (as covered by Brian Krebs in October 2018).
Secure Your Supply Chain Now
Confusing? What’s not confusing is that devices continue to be brought to market with critical vulnerabilities as a result of poor security practices and unclear sourcing of software components in the cyber supply chain.
Our view is that if you put remote access into firmware for testing purposes–even if it’s disabled–it should be removed before the product is released.
This is another example of 3rd party binaries being introduced into network-connected devices without proper security vetting or validation. Whether vulnerabilities are malicious or caused by human error, companies need better visibility into the security of their supply chain components.
Detecting the Backdoor with Centrifuge Platform®
We’ve had a busy week at ReFirm Labs. First we released our analyzer to detect the CableHaunt cable modem vulnerability, which is another example of supply chain risk. Then we followed up with our newest detector to identify binary firmware images containing the HiSilicon / Xiongmai backdoor:
Let’s secure your supply chain. Contact us today.