Huawei-owned company injects backdoor into their chips activated by TCP commands

Author: mcsoft
Score: 199 points
Date: 2020-02-05 21:50 UTC (1 hour ago)
Web link: habr.com

inetknght wrote:
Is this Bloomberg and SuperMicro all over again?

gen3 wrote:
No, there is proof of concept code.

From the article: https://github.com/Snawoot/hisilicon-dvr-telnet

LatteLazy wrote:
Isn't this just telnet? Like last time people claimed Huawei "injected back doors", nothing is being injected by them, and these are not backdoors, they are front doors, standard features etc. But dressed up in a way to make it look scary to someone non-technical? Sorry if I'm missing something here...

taneq wrote:
A hidden door that nobody but the installer of the door knows about is generally referred to as a back door. If it was without the knowledge of the main device manufacturer, then it was injected.

lifeisstillgood wrote:
I know I am probably too forgiving (and generous and honest https://www.pinterest.co.uk/pin/439593613603376622/) but dumb companies have left backdoors in everything from heart monitors to factory equipment.

I understood that the Huawei threat is not "dumb shit" but "clever shit we don't notice until the cyber portion of the combined arms full scale attack is launched".

If we cannot trust one hardware company we cannot trust any of them. Open source hardware seems like the Nash Equilibrium for this problem - everyone finds a way to make sure everyone can verify the hardware in their network...

gnfargbl wrote:
It is _both_ of those things.

And why wouldn't it be? Huawei is a large organization and, like all large organizations, will consist of a multitude of different groups all trying to achieve the same goal in different ways. Some will want to rob the bank by tunnelling quietly into the vault at night, some will want to walk through the front door with a sawn-off shotgun.

lifeisstillgood wrote:
Fair enough - see my edit above. The only protection against dumb or clever shit is some means to verify SoCs are what they claim to be (yes, very hard, but a future with open source SoCs, and supply chains where you can inspect enough to be confident - that future can be glimpsed from here and it's a future where everyone wins).

bitanarch wrote:
The title is misleading. HiSilicon is responsible for the SoC, but the backdoor is part of the Linux-based device firmware made by another company called Hangzhou Xiongmai Technology Co. There is no clear connection between Huawei and Xiongmai.

You can find the clarification about the firmware maker (Xiongmai) towards the end of the article.

yorwba wrote:
> There is no clear connection between Huawei and Xiongmai.

If Xiongmai firmware runs on HiSilicon SoCs, there must be some kind of connection, even if just via a third party that paid HiSilicon for the hardware and Xiongmai to write the firmware for it. Unfortunately, the writeup doesn't clearly identify who that could be.

microcolonel wrote:
For those struggling to read this comment, HiSilicon is Huawei.

Xiongmai is well known to do this sort of thing with firmware; at this point I tend to think that they have probably been asked to do this sort of thing.

Any competent person who installs their software on a device knows that they are installing CCP spyware (whether Xiongmai intends it that way or otherwise).

The article title is clickbait though, at least as far as I'm aware. Huawei does not own Xiongmai...

...but they share a common parent company. :^ )

exabrial wrote:
> Full disclosure format for this report has been chosen due to lack of trust to vendor. Proof of concept code is presented below.

coliveira wrote:
The company in question, Xiongmai, is not owned by Huawei as stated. This is probably a clickbait article trying to link Huawei with some kind of backdoor.

derision wrote:
Thanks Sino. As we all know, all Chinese companies are completely independent and free from all communist party influence.

Trias11 wrote:
So if the device is behind a firewall, an attacker cannot send a TCP request to it?

[deleted]

whalesalad wrote:
When you see how small some of these devices are it makes you realize how easy it would be for a malicious actor to bug just about anything you own. A simple cell phone charger becomes a listening device that could have an LTE modem hiding in it.

People are worried when they find a Raspberry Pi sitting in the network rack - and rightfully so - but fail to realize that you can achieve pretty much the same thing by hiding in plain sight.

Imagine how much you could fit into a 6-port commodity surge protector.

r00fus wrote:
Without ruining the main use case - is there some way to sterilize or nuke things like a basic cell phone charger when it should have no radio-frequency capability?

Avamander wrote:
> is there some way to sterilize or nuke things like a basic cell phone charger when it should have no radio-frequency capability?

If you want Fast Charging, short circuit protection or similar, then no, it has to have ICs and those could do a lot of things that are hard to detect.

Polylactic_acid wrote:
You have to open it up and inspect the hardware.

RL_Quine wrote:
Nope. Even USB cables now have active electronics and a microprocessor in them.

yoz-y wrote:
My guess would be no, as even the basic use case of a modern charger (for example) requires a functioning computer. Shielding is only a temporary option too because the device could just buffer the data and wait for the opportunity to send.

My guess is, if there is proof of a malicious act, the governments should severely punish the originating company. To act as a deterrent, i.e.: "you can get away with this exactly once".

Zenst wrote:
> A simple cell phone charger becomes a listening device that could have an LTE modem hiding in it.

You can already get USB cables that have a hidden mic and SIM, so if powered you can phone up and listen in. Those are very cheap and Google shows this, but this is more adventurous.

As for targeting hardware and security - how many people would question a fancy free mouse or keyboard arriving in the internal post as it happened to have been dropped off at reception. Great pentesting trick btw.

As for chips with `hidden/undocumented` remote activated features. If it was documented, would it be bad or something you can use or actively block off? When they are undocumented, well - hard not to think the worst. But then, CPUs today are not fully documented when you can't hack away at the microcode and management and whatever else is DRM'd out of your reach.

If Intel was a Chinese company instead of American - how would Americans feel about Intel chips? That is an interesting thought exercise.

adrianpike wrote:
Glade plug-ins are innocuous, roomy inside, and have convenient constant 120v.

Take a peek next time you're in a semi-public space if there's any that are suspiciously not-smelly.

lifeisstillgood wrote:
And one could easily walk round many buildings just plugging them in. I mean how many people would remove a glade-plug-in just in case Dorothy from accounts likes the smell? Dorothy might just replenish the scent dispenser every six weeks.

Polylactic_acid wrote:
I would unplug them to avoid creating air pollution.

lifeisstillgood wrote:
Dorothy would give you a hard stare.

And defund your project.

Zenst wrote:
Which would save HR doing it and sending a memo about health and safety and asthma can kill due to these, possibly.... Yeah, that is exactly how that would play out in many companies. At least in the UK.

tryptophan wrote:
I wonder what the solution to this sort of thing is. Open source hardware maybe? Force publication of firmware for all hardware sold?

Avamander wrote:
FOSS firmware would be nice, but unless someone verifies that firmware (it could be maliciously a spaghetti), then it doesn't have much use.

somurzakov wrote:
1. If the device name contains "smart" -> always assume it is vulnerable.

2. Put all IoT devices behind a firewall/NAT router and never allow any traffic from WAN to the IoT. (Allow only South->North traffic.)

3. Never allow east-west traffic between IoT devices.

easytiger wrote:
Why is the title sensationalised? There is no "injects backdoor into their chips".

It's a debug console on a busybox build. One would have to be on the same LAN to exploit it.

crooked-v wrote:
Though, "on the same LAN" becomes much more of a problem when you consider insecure 'smart' lightbulbs and appliances everywhere.

Polylactic_acid wrote:
Yep, how many people actually have a LAN where every single device that ever connects is fully secure and trusted.

jay_90 wrote:
The US Govt?

marta_morena wrote:
lmao

kevin_thibedeau wrote:
Their contractors. The government itself can't be bothered to follow its own security policies.

kryogen1c wrote:
VLAN segmentation is a best practice for this exact reason.

dahfizz wrote:
Everyone savvy enough to browse HN ought to, at the very least...

colincooke wrote:
This "debug console" is on networked IP cameras (many of which are open to the web) and available through a hardcoded password. I don't see a convincing argument for malicious intent, more so a dangerous level of incompetence from a company who should know better.

Unfortunately Xiongmai is not an outlier for subpar security practices on IoT products; doesn't make it any less bad though.

throwaway5752 wrote:
The old _"the 's' in IoT stands for 'security'"_ holds true. Hanlon's razor has been dangerously stressed lately.

microcolonel wrote:
Xiongmai has a history of oopsies this big or bigger, going back several years at least. Their software usually turns out to be spyware, whatever their intent may be.

[deleted]

dahfizz wrote:
I would like to point out that this is not specific to IoT. I deal with lots of servers and enterprise networking gear at my job and many of them come with hardcoded passwords on IPMI / networked admin consoles.

The difference is that your average Joe doesn't even know he has to configure these devices, let alone how to configure them.

a_t48 wrote:
So... Hanlon's Razor? :)

cjbprime wrote:
> One would have to be on the same LAN to exploit it.

For what it's worth, DNS rebinding attacks are commonly used against embedded devices, and remove this restriction.

qeternity wrote:
Had never heard of DNS rebinding before. Very cool. I presume this is only useful for extremely targeted attacks given the strict timing requirements?

dahfizz wrote:
Nope, it would be pretty straightforward to set up a stateful DNS server that serves the "real" IP on the first request from a new client, and then every subsequent request returns a local IP. That one DNS server would enable an attack on anyone who visits the malicious site.

corford wrote:
Speaking of rebinding attacks... does anyone know why Cloudflare's 1.1.1.1 resolver doesn't enforce this? It's the only "big" public one I know of that happily resolves RFC1918 IPs.

taneq wrote:
If a consumer device ships with a "debug console" that gives the manufacturer (or any attacker who knew about it) root, that's a vulnerability. If it happens on purpose, and they don't tell you about it, then that's the very definition of a backdoor.

(page generated 2020-02-05 23:00 UTC)
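On the DNS rebinding subthread above (dahfizz's description of a resolver that answers a public IP first and a LAN IP afterwards, and corford's point that a public resolver could simply refuse to return RFC1918 answers): the following is an added example, not code from the thread, the habr article or any named resolver. It implements the resolver-side filter corford is alluding to, the same rule dnsmasq applies with `--stop-dns-rebind`, and models the upstream lookup as a constructed dict so it runs offline; the hostnames and addresses are made up.

```python
"""Resolver-side DNS rebinding protection: drop answers that point into
private, loopback, link-local or otherwise non-public address space.

Hypothetical helper written for this thread; the upstream resolver is
modelled as a plain dict (SAMPLE_UPSTREAM) so the example runs offline."""
import ipaddress
from typing import Iterable, List

# Address space an answer for a public hostname should never point at.
# A browser handed one of these for an attacker-controlled name can be
# steered into talking to a LAN device such as the IP cameras discussed
# in the thread, which is exactly what rebinding relies on.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_rebind_target(addr: str) -> bool:
    """True if `addr` lies in a range a public resolver should not return."""
    ip = ipaddress.ip_address(addr)
    # IPv4-mapped IPv6 (e.g. ::ffff:192.168.1.1) must be checked in its
    # IPv4 form, otherwise a private address slips past the IPv4 prefixes.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def filter_answers(answers: Iterable[str]) -> List[str]:
    """Keep only A/AAAA answers that are safe to hand back to a LAN client."""
    return [a for a in answers if not is_rebind_target(a)]


# Constructed sample upstream data: name -> A/AAAA records. The last two
# entries mimic the follow-up answer a rebinding setup would return.
SAMPLE_UPSTREAM = {
    "example.com.": ["93.184.216.34"],
    "attacker.test.": ["192.168.1.64"],                  # LAN camera address
    "attacker6.test.": ["::ffff:10.0.0.5", "2001:db8::1"],
}


def resolve_protected(name: str, upstream=SAMPLE_UPSTREAM) -> List[str]:
    """Resolve `name` via the upstream and strip rebind targets. An empty
    result means the client should get a failure, never a private address."""
    return filter_answers(upstream.get(name, []))
```

The check belongs on the resolver the LAN clients actually use (or in a forwarding proxy in front of a public one), since filtering after the browser has already cached the answer is too late.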