[HN Gopher] Huawei-owned company injects backdoor into their chi...
       ___________________________________________________________________
        
       Huawei-owned company injects backdoor into their chips activated by
       TCP commands
        
       Author : mcsoft
       Score  : 199 points
       Date   : 2020-02-05 21:50 UTC (1 hours ago)
        
 (HTM) web link (habr.com)
 (TXT) w3m dump (habr.com)
        
       | inetknght wrote:
       | Is this Bloomberg and SuperMicro all over again?
        
         | gen3 wrote:
         | No, there is proof of concept code.
         | 
         | from the article: https://github.com/Snawoot/hisilicon-dvr-telnet
        
       | LatteLazy wrote:
       | Isn't this just telnet? Like last time people claimed huawei
       | "injected back doors", nothing is being injected by them, and
       | these are not backdoors, they are front doors, standard features
       | etc? But dressed up in a way to make it look scary to someone
       | non-technical? Sorry if I'm missing something here...
        
         | taneq wrote:
         | A hidden door that nobody but the installer of the door knows
         | about is generally referred to as a back door. If it was
         | without the knowledge of the main device manufacturer, then it
         | was injected.
        
       | lifeisstillgood wrote:
       | I know I am probably too forgiving (and generous and honest
       | https://www.pinterest.co.uk/pin/439593613603376622/) but dumb
       | companies have left backdoors in everything from heart monitors
       | to factory equipment.
       | 
       | I understood that the Huawei threat is not "dumb shit" but
       | "clever shit we don't notice until the cyber portion of the
       | combined arms full scale attack is launched"
       | 
       | If we cannot trust one hardware company we cannot trust any of
       | them. Open source hardware seems like the Nash Equilibrium for
       | this problem - everyone finds a way to make sure everyone can
       | verify the hardware in their network...
        
         | gnfargbl wrote:
         | It is _both_ of those things.
         | 
         | And why wouldn't it be? Huawei is a large organization and,
         | like all large organizations, will consist of a multitude of
         | different groups all trying to achieve the same goal in
         | different ways. Some will want to rob the bank by tunnelling
         | quietly into the vault at night, some will want to walk through
         | the front door with a sawn-off shotgun.
        
           | lifeisstillgood wrote:
           | Fair enough - see my edit above. The only protection against
           | dumb or clever shit is some means to verify SoCs are what
           | they claim to be (yes very hard, but a future with Open
           | source SoCs, and supply chains where you can inspect enough
           | to be confident - that future can be glimpsed from here and
           | it's a future where everyone wins)
        
       | bitanarch wrote:
       | The title is misleading. HiSilicon is responsible for the SoC,
       | but the backdoor is part of the Linux-based device firmware made
       | by another company called Hangzhou Xiongmai Technology Co. There
       | is no clear connection between Huawei and Xiongmai.
       | 
       | You can find the clarification about the firmware maker
       | (Xiongmai) towards the end of the article.
        
         | yorwba wrote:
         | > There is no clear connection between Huawei and Xiongmai.
         | 
         | If Xiongmai firmware runs on HiSilicon SoCs, there must be some
         | kind of connection, even if just via a third party that paid
         | HiSilicon for the hardware and Xiongmai to write the firmware
         | for it. Unfortunately, the writeup doesn't clearly identify who
         | that could be.
        
         | microcolonel wrote:
         | For those struggling to read this comment, HiSilicon is Huawei.
         | 
         | Xiongmai is well known to do this sort of thing with firmware,
         | at this point I tend to think that they have probably been
         | asked to do this sort of thing.
         | 
         | Any competent person who installs their software on a device
         | knows that they are installing CCP spyware (whether Xiongmai
         | intends it that way or otherwise).
         | 
         | The article title is clickbait though, at least as far as I'm
         | aware. Huawei does not own Xiongmai...
         | 
         | ...but they share a common parent company. :^ )
        
       | exabrial wrote:
       | > Full disclosure format for this report has been chosen due to
       | lack of trust to vendor. Proof of concept code is presented
       | below.
        
       | coliveira wrote:
       | The company in question, Xiongmai, is not owned by Huawei as
       | stated. This is probably a clickbait article trying to link
       | Huawei with some kind of backdoor.
        
         | derision wrote:
         | Thanks Sino. As we all know all Chinese companies are
         | completely independent and free from all communist party
         | influence
        
       | Trias11 wrote:
       | So if the device is behind a firewall, an attacker cannot send a
       | TCP request to it?
        
       | [deleted]
        
       | whalesalad wrote:
       | When you see how small some of these devices are it makes you
       | realize how easy it would be for a malicious actor to bug just
       | about anything you own. A simple cell phone charger becomes a
       | listening device that could have an LTE modem hiding in it.
       | 
       | People are worried when they find a raspberry pi sitting in the
       | network rack - and rightfully so - but fail to realize that you
       | can achieve pretty much the same thing by hiding in plain sight.
       | 
       | Imagine how much you could fit into a 6-port commodity surge
       | protector.
        
         | r00fus wrote:
         | Without ruining the main use case - is there some way to
         | sterilize or nuke things like a basic cell phone charger when
         | it should have no radio-frequency capability?
        
           | Avamander wrote:
           | > is there some way to sterilize or nuke things like a basic
           | cell phone charger when it should have no radio-frequency
           | capability?
           | 
           | If you want Fast Charging, short circuit protection or
           | similar, then no, it has to have ICs and those could do a lot
           | of things that are hard to detect.
        
           | Polylactic_acid wrote:
           | You have to open it up and inspect the hardware.
        
           | RL_Quine wrote:
           | Nope. Even USB cables now have active electronics and a
           | microprocessor in them.
        
           | yoz-y wrote:
           | My guess would be no, as even the basic use case of a modern
           | charger (for example) requires a functioning computer.
           | Shielding is only a temporary option too because the device
           | could just buffer the data and wait for the opportunity to
           | send.
           | 
           | My guess is, if there is a proof of malicious act, the
           | governments should severely punish the originating company.
           | To act as a deterrent, i.e.: "you can get away with this
           | exactly once".
        
         | Zenst wrote:
         | > A simple cell phone charger becomes a listening device that
         | could have an LTE modem hiding in it.
         | 
         | You can already get USB cables that have a hidden mic and SIM,
         | so if powered you can phone up and listen in. Those are very
         | cheap and Google shows this, but this is more adventurous.
         | 
         | As for targeting hardware and security - how many people would
         | question a fancy free mouse or keyboard arriving in the
         | internal post as it happened to have been dropped off at
         | reception. Great pentesting trick btw.
         | 
         | As for chips with `hidden/undocumented` remote activated
         | features. If it was documented, would it be bad or something
         | you can use or actively block off. When they are undocumented,
         | well - hard not to think the worst. But then, CPUs today are not
         | fully documented when you can't hack away at the microcode and
         | management and whatever else is DRM'd out of your reach.
         | 
         | If Intel was a Chinese company instead of American - how would
         | Americans feel about Intel chips? That is an interesting
         | thought exercise.
        
         | adrianpike wrote:
         | Glade plug-ins are innocuous, roomy inside, and have convenient
         | constant 120v.
         | 
         | Take a peek next time you're in a semi-public space if there's
         | any that are suspiciously not-smelly.
        
           | lifeisstillgood wrote:
           | And one could easily walk round many building just plugging
           | them in. I mean how many people would remove a glade-plug-in
           | just in case Dorothy from accounts likes the smell? Dorothy
           | might just replenish the scent dispenser every six weeks.
        
             | Polylactic_acid wrote:
             | I would unplug them to avoid creating air pollution.
        
               | lifeisstillgood wrote:
               | Dorothy would give you a hard stare.
               | 
               | And defund your project.
        
               | Zenst wrote:
               | Which would save HR doing it and sending a memo about
               | health and safety and asthma can kill due to these,
               | possible.... Yeah, that is exactly how that would play
               | out in many companies. At least in the UK.
        
       | tryptophan wrote:
       | I wonder what the solution to this sort of thing is. Open source
       | hardware maybe? Force publication of firmware for all hardware
       | sold?
        
         | Avamander wrote:
         | FOSS firmware would be nice, but unless someone verifies that
         | firmware (could be maliciously a spaghetti), then it doesn't
         | have much use.
        
         | somurzakov wrote:
         | 1. if the device name contains "smart" -> always assume it is
         | vulnerable.
         | 
         | 2. put all IoT devices behind firewall/NAT router and never
         | allow any traffic from WAN to the IoT. (Allow only South->North
         | traffic)
         | 
         | 3. Never allow east-west traffic between IoT devices.
        
       | easytiger wrote:
       | Why is the title sensationalised? There is no "injects backdoor
       | into their chips".
       | 
       | It's a debug console on a busybox build. One would have to be on
       | the same LAN to exploit it.
        
         | crooked-v wrote:
         | Though, "on the same LAN" becomes much more of a problem when
         | you consider insecure 'smart' lightbulbs and appliances
         | everywhere.
        
           | Polylactic_acid wrote:
           | Yep, how many people actually have a lan where every single
           | device that ever connects is fully secure and trusted.
        
             | jay_90 wrote:
             | The US Govt?
        
               | marta_morena wrote:
               | lmao
        
               | kevin_thibedeau wrote:
               | Their contractors. The government itself can't be
               | bothered to follow its own security policies.
        
             | kryogen1c wrote:
             | vLAN segmentation is a best practice for this exact reason
        
             | dahfizz wrote:
             | Everyone savvy enough to browse HN ought to, at the very
             | least...
        
         | colincooke wrote:
         | This "debug console" is on networked IP cameras (many of which
         | are open to the web) and available through a hardcoded
         | password. I don't see a convincing argument for malicious
         | intent, more so a dangerous level of incompetence from a
         | company who should know better.
         | 
         | Unfortunately Xiongmai is not an outlier for subpar security
         | practices on IOT products, doesn't make it any less bad though
        
           | throwaway5752 wrote:
           | The old _"the 's' in IoT stands for 'security'"_ holds true.
           | Hanlon's razor has been dangerously stressed lately.
        
             | microcolonel wrote:
             | Xiongmai has a history of oopsies this big or bigger, going
             | back several years at least. Their software usually turns
             | out to be spyware, whatever their intent may be.
        
               | [deleted]
        
             | dahfizz wrote:
             | I would like to point out that this is not specific to IOT.
             | I deal with lots of servers and enterprise networking gear
             | at my job and many of them come with hardcoded passwords on
             | ipmi / networked admin consoles.
             | 
             | The difference is that your average Joe doesn't even know
             | he has to configure these devices, let alone how to
             | configure them.
        
         | a_t48 wrote:
         | So...Hanlon's Razor? :)
        
         | cjbprime wrote:
         | > One would have to be on the same lan to exploit it.
         | 
         | For what it's worth, DNS rebinding attacks are commonly used
         | against embedded devices, and remove this restriction.
        
           | qeternity wrote:
           | Had never heard of DNS rebinding before. Very cool. I presume
           | this is only useful for extremely targeted attacks given the
           | strict timing requirements?
        
             | dahfizz wrote:
             | Nope, it would be pretty straightforward to set up a
             | stateful DNS server that serves the "real" IP on first
             | request from a new client, and then every subsequent request
             | returns a local IP. That one DNS server would enable an
             | attack on anyone who visits the malicious site.
        
           | corford wrote:
           | Speaking of rebinding attacks... does anyone know why
           | cloudflare's 1.1.1.1 resolver doesn't enforce this? It's the
           | only "big" public one I know of that happily resolves RFC1918
           | IPs.
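A resolver-side rebind check of the kind corford asks about above, which also defeats the stateful first-public-then-private sequence dahfizz describes: an added example, not code from the thread, from Cloudflare or from any vendor. It drops answers for an external name that point into RFC1918, loopback, link-local or IPv4-mapped internal space, unless the name is on an explicit internal allowlist; the hostnames and addresses are constructed samples.

```python
import ipaddress
from typing import Iterable, List, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _is_internal(addr: Addr) -> bool:
    """True if an answer for a public name should never carry this address.
    Goes beyond plain RFC1918: loopback, link-local and unspecified too."""
    # Unwrap IPv4-mapped IPv6 (::ffff:192.168.1.10) so it cannot bypass the v4 checks.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return (addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_unspecified)


def filter_rebind(hostname: str, answers: Iterable[str],
                  internal_allowlist: Iterable[str] = ()) -> List[str]:
    """Return only the answers safe to hand back to a client for hostname.
    Names on internal_allowlist (e.g. a local zone) may resolve internally."""
    allow = {h.rstrip(".").lower() for h in internal_allowlist}
    if hostname.rstrip(".").lower() in allow:
        return list(answers)
    kept = []
    for a in answers:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            continue  # malformed answer: drop rather than forward
        if not _is_internal(ip):
            kept.append(a)
    return kept


def simulate_rebind(hostname: str, per_request: List[List[str]]) -> List[List[str]]:
    """Feed the per-request answers a stateful rebinding server would emit
    (public first, then a LAN address) through the filter, request by request."""
    return [filter_rebind(hostname, answers) for answers in per_request]


if __name__ == "__main__":
    # Constructed sequence: first lookup is public, the rebind step is private.
    seq = [["93.184.216.34"], ["192.168.1.10"], ["::ffff:10.0.0.5"]]
    print(simulate_rebind("attacker.example", seq))  # -> [['93.184.216.34'], [], []]
    print(filter_rebind("cam.lan", ["192.168.1.10"], internal_allowlist=["cam.lan"]))
```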
        
         | taneq wrote:
         | If a consumer device ships with a "debug console" that gives
         | the manufacturer (or any attacker who knew about it) root,
         | that's a vulnerability. If it happens on purpose, and they
         | don't tell you about it, then that's the very definition of a
         | backdoor.
        
       ___________________________________________________________________
       (page generated 2020-02-05 23:00 UTC)