"The hardcoded password is a deliberate backdoor."
Not a good look for a company wanting to have its kit accepted as secure and trustworthy with worldwide ambitions for its 5G kit.
Hardware video encoders from multiple suppliers contain several critical security bugs that allow a remote unauthenticated miscreant to run arbitrary code on the equipment. In a disclosure published this week, Alexei Kojenov, lead product security engineer at Salesforce, outlined a series of flaws affecting IPTV/H.264/H.265 …
@"from other manufactures that have had similar issues over the years." quite, windows codecs were IMHO always a dodgy idea, especially where windows asks if you want to download "correct" codec to play dodgy video.
The issue here is a shame as my HuaWei phone has had monthly android security updates, something that I have never seen with Samsung or HTC. HTC in my case never provided an update for my phone and when I contacted them they obsessed about me wanting to unlock the phone rather than addressing the issue that the phone was selected because of their "reputation for software maintenance", apparently it didn't apply to my marketing package from CarPhone Warehouse when HTC added me to their Sh1tL1st.
I would generally say that if the phone is vulnerable then the manufacturer should address it.
That being said from what I have seen from HuaWei, relative to every other phone maker I have used, HuaWei "were" IMHO the most likely to actually bother with a fix. "were" here because in my case the UK sucking up to the American/Trump "we can't compete with China so they can't sell to our bitches, y'all" doesn't leave much of an incentive for HuaWei.
It is shit software that runs on top of them - as the article states, not the chips and not the SDK.
No different from Intel, Microsoft, Oracle and everyone else running software on top of hardware with a variety of components in it.
What is missing from the article is an impact assessment - does any end user become less secure viewing these videos ... or does that depend on the quality of the software - shall I say web browser, software or hardware-enabled decoder - used to view it within your security realm at home or work.
Windows, OSX, Linux, Chrome, Firefox, IE, Safari, Edge, VLC Media Player, SmartTVs, iOS, NVidia/AMD, Android, various shonky Linux based torrent streamers, !!!
All well known for their ‘robust software’ and wholesomeness.
"These devices are manufactured using components acquired from a complex supply chain and are often sold through common outlets such as retail stores and e-commerce websites. This makes it difficult to identify impacted devices and notify the appropriate stakeholders, thus illustrating the dire need for Software Bill of Materials SBOM in this growing and complex digital market." [CMU, IPTV encoder devices contain multiple vulnerabilities]
It's worth noting that this particular "software" (possibly plural) is anonymous, whereas the softwares you named have names, and can be name shamed - some level of accountability.
While it's true the system vendors have names (CMU lists 13 known system vendors, 3 affected, 1 not affected, and 9 undetermined) the relevant common software vendor remains anonymous. One might expect the vendors or even Huawei to identify the relevant vendor, to clear the air and show accountability, however, that has not happened. Why not?
Not necessarily. I've seen numerous instances of devs "innocently" setting hard coded passwords as a result of Dunning Kruger. There have even been instances of IoT vulnerabilities of this kind being due to devs copying and pasting example code fragments from chip vendors' data sheets directly into the production code without changing the example defaults (including the example passwords).
It only doesn't look good because the article is written as a hatchet job by an author in America.
The title makes it look like there are backdoors in Huawei chips. There aren't.
We all know chipsets get used in multiple hardware projects from different companies and they often use the same badly written software one company wrote which often has vulnerabilities. Think IP cameras/DVRs for example.
Totally different to all the American Cisco backdoors and vulnerabilities that we find month after month. Hard-coded credentials/keys and other backdoors before we even get to the vulnerabilities.
This has sod all to do with Huawei really but it's written to make them look bad. The Register's lack of impartiality when it comes to stuff like Huawei is why it is becoming less trusted among peers.
I know for a fact some limited number of chips made or developed in the Pacific rim were deliberately changed at the manufacturing level to piggy back circuit design as a permanent back door, no matter what code was used. The person that witnessed this was thrown out of a laboratory when my friend asked what they were doing. They were so arrogant that they even screened in logos in the photolithography films. They may be more discreet now, but I'm not convinced it isn't still happening. I'd wager that they still at least salt shipments of random modifications from the foundry in every sale overseas.
"We all know chipsets get used in multiple hardware projects from different companies and they often use the same badly written software one company wrote which often has vulnerabilities. Think IP cameras/DVRs for example."
No one seems to have looked, or at least reported on looking, for any identifying text inside the binary code. Most seem to have some sort of copyright or similar embedded these days.
Seems not Huawei's suppliers, but their customers. Behind the whole horrible China-based fly-by-night electronics hustle Huawei/HiSilicon just have the honour of being the only identifiable brand with some reputation to beat up on. If not for them would Arm be to blame?
The HiSilicon supplied SDKs are available here: https://dl.openipc.org/SDK/HiSilicon/
So it should be relatively straightforward to confirm their claim the bugs are indeed not theirs. Considering they describe the software as 'SDK' I'd assume all the Linux configuration issues aren't included.
Most likely some unknown 3rd party builds the SDK into a functioning OS and supplies minimally configurable firmware to a student working night-shift in a petrol station, who makes circuit diagrams and licenses those with the firmware to various solderers who in turn sell their bare boards to one of 40 different packaging shops all owned by three blokes who know the same dodgy geezer who knows where to get 'cheap plastic' (*wink* *wink*). From there they get branded by literally anyone capable of clicking the correct buttons on Alibaba to ask "I'd like 20 of these in red please with this logo on the side".
So to cut through the anti-Chinese crap, these IP TV boxes that play Airport signs and adverts on shop TVs have software running on them with a hardcoded password.
Account "admin" password "neworange88888888"
They have a web interface you log into to configure them with a web browser, you can use this hardcoded password to do that login. So if you have network access, you can do anything the web control panel can do, including upload new firmware.
"Arbitrary code execution by uploading malicious firmware"
No shit, Sherlock, you can run code by uploading new firmware.
Sloppy; the fixed admin account should be disabled after first configuration. I don't see where the chipset comes in, this is a software bug.
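A constructed illustration of the fix the comment above calls for (added example, not code from the encoder firmware or from any vendor): the thread's fixed "admin"/"neworange88888888" credential accepted forever, beside a design where it only works until first configuration and is then retired in favour of a per-device credential. Names such as DeviceAuth are assumptions.

```python
import hashlib
import hmac
import os

# The factory credential quoted in the thread. In the vulnerable design it is
# baked into every unit and never expires.
FACTORY_USER = "admin"
FACTORY_PASSWORD = "neworange88888888"


def vulnerable_login(user: str, password: str) -> bool:
    """Vulnerable design: the shipped credential is accepted on every device, forever."""
    return user == FACTORY_USER and password == FACTORY_PASSWORD


class DeviceAuth:
    """Hardened design (hypothetical): the factory credential is a setup-mode
    bootstrap only; once the operator sets a real password it stops working."""

    def __init__(self) -> None:
        self.configured = False
        self._salt = b""
        self._hash = b""

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # Slow, salted hash so a dumped config does not reveal the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def login(self, user: str, password: str) -> bool:
        if user != FACTORY_USER:
            return False
        if not self.configured:
            # Setup mode: only the factory credential is valid, and only here.
            return hmac.compare_digest(password.encode(), FACTORY_PASSWORD.encode())
        # Configured: the factory credential is gone; compare against the stored hash.
        return hmac.compare_digest(self._derive(password, self._salt), self._hash)

    def complete_setup(self, new_password: str) -> bool:
        """First-configuration step; returns False if the new password is unacceptable."""
        if len(new_password) < 12 or new_password == FACTORY_PASSWORD:
            return False
        self._salt = os.urandom(16)
        self._hash = self._derive(new_password, self._salt)
        self.configured = True  # retires the factory credential
        return True
```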
The problem with bug reporting is that while it's handy to quote reference numbers like "CVE-2020-1234567" it doesn't tell us squat about what's actually going wrong. All I was able to glean from the article is that there's a telnet client in there that might have a hard coded password; since Telnet isn't exactly secure anyway this represents a significant security risk. But that's just a matter of including an unnecessary application with the end product. Once word about this gets out instead of people saying 'that's dumb, need to delete unnecessary code' or some such you end up with experts dogpiling on the OS (because we all know thanks to MSFT, Google, Apple et al that Operating Systems are huge, monolithic pieces of code).
As we progress further into a world where software is a product of curated development environments we're seeing more information but less knowledge. Inject politics into this and we end up with a huge mess. I'd guess that relatively few of us who read this have ever brought a board up, using or even developing a BSP ("Board Support Package") because if they did then they'd realize that what HiSilicon and Huawei say makes complete sense.
From the article,
all the vulnerabilities except for the telnet flaw resided in a single executable program that's part of the software on these devices. "I'm not sure the vendors who build and sell these devices have much control over it,"
It's like the Intel driver of their chipset had a bug. The Intel driver SW only gets used when the chip is made into a PC by Dell.
The supply chain for devices isn't so one dimensional though, manufacturer A buys chips from supplier B to do a certain job, B takes chips from designer H and writes their own firmware to it to fulfil that job spec. H doesn't have anything to do with B's work, even though the flaw is on A's H-based device. Embedded software is a discipline that has long lagged behind best practices in more accessible and better-resourced software - a combination of efficiency, cargo-cult programming and lack of visibility could well lead to a common flaw in firmwares from several companies, built into many, varied hardware platforms, that share a chipset, through no fault of the chipset's designers. Perhaps the fault existed in some unrelated codebase that's been repurposed because it's a good fit for the new hardware, perhaps it's from a lazily copied example code snippet the chip designers provided just to show functionality, that's obviously not a comprehensive implementation. Either way, because embedded software devs get their coding practices from a common root, they all introduce similar faults into software for similar/identical chips.
Little wonder it was an anonymous coward that posited that.
I'd like to complain: I specifically asked for middle-eastern petrol when I filled up at a previously reputable petrol-station.
Yet they supplied me with Russian stuff - complete with post-ignition backfires. IT'S - A - DISGRACE !!!
I shall sue Saudi Arabia.
It doesn't surprise me that there is a lot of handy freeware floating around China to help Chinese industry get nice cheap stuff out there bringing in the foreign currency. And it doesn't surprise me when it is found to contain dodgy but potentially 'useful' code.
When the west moved virtually all the production to China about 20 years ago it seems that nobody ever thought that China would be able to do the sort of things that No Such Agency is good at - there were discussions about this risk at the time, but the cheaper production costs were far more important than security - it's still the case, we see all these complaints but nobody ever suggests a solution, or is made responsible because they drove the stock prices up nicely.
We're blaming the Chinese for our stupidity in creating this environment.
Spies gotta spy. Outrage that one country's state agencies are doing what everyone's state agencies are doing is naive. There's a certain level where I believe Chinese society allows this to be more structurally embedded in the development process, but you can't blame a Chinese company for being Chinese, that is their own biggest market - not like they could even establish a 100% independent, foreign offshoot that was good for the company but absolutely uninfluencable by the parent, and also ensure no other country has any influence over its employees.
It's interesting the terms used, when talking about negatives from the "Middle Kingdom" the reference is made to the whole country. When talking about bad stuff in the "Land of The Free" then it is specific towards a certain agency or agencies.
Why the differentiation between the countries, one targeting the whole country and its population, the other narrowing down to just a small faction?
Hopefully it isn't due to western racism.
Not defending, but as a Brit I could list exactly zero Chinese agencies. I have no idea what or who does the spying, and the large majority of Chinese media simply doesn't make it to the west...just some really over the top films like Wandering Earth.
Now for the Americans. How many agencies would you like me to list? Would you like me to tell you where they're headquartered? All without popping over to Wikipedia.
So it might be something as simple as China being a nebulous black box, while we at least have some idea of where to point the finger when it comes to America.
Well saying the Chinese Government Agency or Chinese Security Services would at least allow you to focus your ire in a more targeted direction, even if you didn't know the name of the actual agency or military unit.
You could also go with the more nuanced journalistic friendly "State Sponsored Hackers".
when talking about negatives from the "Middle Kingdom" the reference is made to the whole country. When talking about bad stuff in the "Land of The Free" then it is specific towards a certain agency or agencies.
Isn't the reason obvious? China is a totalitarian dictatorship with extensive state control of supposedly private industry. Western countries are completely different, with substantial separation between private businesses and the government. Companies have legal protections, the ability to challenge legal orders, and the ability to refuse to comply with unlawful orders without being summarily executed.
" with substantial separation between private businesses and the government. Companies have legal protections, the ability to challenge legal orders, and the ability to refuse to comply with unlawful orders without being summarily executed." - Well, that is the idea anyway. In practice it is not always all that different.
Both in China and in the USA, the little guys are usually mostly left alone, while the big guys with political connections are a state on their own and the middle size Mafiosi live by the gun.
The old wild west telegram to HQ: "Send money, guns and lawyers!" still applies today and I have actually run into a situation like that - in Europe.
People who think that the old/new world is holier than thou have some growing up to do.
The thing is, everyone makes such a huge fuss about it when "foreigners" do it, but who honestly thinks all of the Intel vulnerabilities were "discovered" rather than being put there deliberately for NSA, CIA etc to use to spy on US citizens and foreign powers?
Rather than claiming people "found" them I think it's far more accurate to say they were EXPOSED, and Intel moving chip manufacturing to Israel is on a par with asking a known child molester to watch your kids for a month while you are out of town lol
Wait a while and I will bet even ARM has them for MI6 to exploit