Video encoders using Huawei chips have backdoors and bad bugs – and Chinese giant says it's not to blame

Hardware video encoders from multiple suppliers contain several critical security bugs that allow a remote unauthenticated miscreant to run arbitrary code on the equipment. In a disclosure published this week, Alexei Kojenov, lead product security engineer at Salesforce, outlined a series of flaws affecting IPTV/H.264/H.265 …

  1. Andy Non Silver badge

    "The hardcoded password is a deliberate backdoor."

    Not a good look for a company wanting to have its kit accepted as secure and trustworthy with worldwide ambitions for its 5G kit.

    1. Anonymous Coward

      Re: "The hardcoded password is a deliberate backdoor."

      True - and there have been quite a few other products from other manufacturers that have had similar issues over the years.

      1. Anonymous Coward

        Re: "The hardcoded password is a deliberate backdoor."

        @"from other manufacturers that have had similar issues over the years." Quite, Windows codecs were IMHO always a dodgy idea, especially where Windows asks if you want to download the "correct" codec to play a dodgy video.

        The issue here is a shame as my HuaWei phone has had monthly Android security updates, something that I have never seen with Samsung or HTC. HTC in my case never provided an update for my phone and when I contacted them they obsessed about me wanting to unlock the phone rather than addressing the issue that the phone was selected because of their "reputation for software maintenance"; apparently it didn't apply to my marketing package from CarPhone Warehouse, hence HTC was added to my Sh1tL1st.

        I would generally say that if the phone is vulnerable then the manufacturer should address it.

        That being said, from what I have seen from HuaWei, relative to every other phone maker I have used, HuaWei "were" IMHO the most likely to actually bother with a fix. "Were" here because in my case the UK sucking up to the American/Trump "we can't compete with China so they can't sell to our bitches, y'all" doesn't leave much of an incentive for HuaWei.

    2. NeilPost Bronze badge

      Re: "The hardcoded password is a deliberate backdoor."

      It is shit software that runs on top of them - as the article states, not the chips and not the SDK.

      No different from Intel, Microsoft, Oracle and everyone else running software on top of hardware with a variety of components in it.

      What is missing from the article is an impact assessment - does any end user become less secure viewing these videos ... or does that depend on the quality of the software - shall I say web browser, software or hardware enabled decoder - used to view it within your security realm at home or work?

      Windows, OSX, Linux, Chrome, Firefox, IE, Safari, Edge, VLC Media Player, SmartTVs, IOS, NVidia/AMD, Android, various shonky Linux based torrent streamers, !!!

      All well known for their ‘robust software’ and wholesomeness.

      1. CrackedNoggin

        Re: "The hardcoded password is a deliberate backdoor."

        "These devices are manufactured using components acquired from a complex supply chain and are often sold through common outlets such as retail stores and e-commerce websites. This makes it difficult to identify impacted devices and notify the appropriate stakeholders, thus illustrating the dire need for Software Bill of Materials SBOM in this growing and complex digital market." [CMU, IPTV encoder devices contain multiple vulnerabilities]

        It's worth noting that this particular "software" (possibly plural) is anonymous, whereas the softwares you named have names, and can be named and shamed - some level of accountability.

        While it's true the system vendors have names (CMU lists 13 known system vendors, 3 affected, 1 not affected, and 9 undetermined) the relevant common software vendor remains anonymous. One might expect the vendors or even Huawei to identify the relevant vendor, to clear the air and show accountability; however, that has not happened. Why not?

    3. big_D Silver badge

      Re: "The hardcoded password is a deliberate backdoor."

      Why not? It is the tactic Cisco has followed with great success for years. They've spent the last 2 years or so removing one backdoor after another from their kit.

      1. Mike 137 Silver badge

        Re: "The hardcoded password is a deliberate backdoor."

        Not necessarily. I've seen numerous instances of devs "innocently" setting hard coded passwords as a result of Dunning Kruger. There have even been instances of IoT vulnerabilities of this kind being due to devs copying and pasting example code fragments from chip vendors' data sheets directly into the production code without changing the example defaults (including the example passwords).

    4. NonSSL-Login

      Re: "The hardcoded password is a deliberate backdoor."

      It only doesn't look good because the article is written as a hatchet job by an author in America.

      The title makes it look like there are backdoors in Huawei chips. There aren't.

      We all know chipsets get used in multiple hardware projects from different companies and they often use the same badly written software one company wrote which often has vulnerabilities. Think IP cameras/DVRs for example.

      Totally different to all the American Cisco backdoors and vulnerabilities that we find month after month. Hard coded credentials/keys and other backdoors before we even get to the vulnerabilities.

      This has sod all to do with Huawei really but it's written to make them look bad. The Register's lack of impartiality when it comes to stuff like Huawei is why it is becoming less trusted among peers.

      1. JCitizen Bronze badge

        Re: "The hardcoded password is a deliberate backdoor."

        I know for a fact some limited number of chips made or developed in the Pacific rim were deliberately changed at the manufacturing level to piggy back circuit design as a permanent back door, no matter what code was used. The person that witnessed this was thrown out of a laboratory when my friend asked what they were doing. They were so arrogant that they even screened in logos in the photolithography films. They may be more discreet now, but I'm not convinced it isn't still happening. I'd wager that they still at least salt shipments of random modifications from the foundry in every sale overseas.

      2. John Brown (no body) Silver badge

        Re: "The hardcoded password is a deliberate backdoor."

        "We all know chipsets get used in multiple hardware projects from different companies and they often use the same badly written software one company wrote which often has vulnerabilities. Think IP cameras/DVRs for example."

        No one seems to have looked, or at least reported on looking, for any identifying text inside the binary code. Most seem to have some sort of copyright or similar embedded these days.

  2. Anonymous Coward

    Dear Huawei,

    You get what you pay for so don't blame your suppliers. You chose them and the buck stops there.

    Own your actions.

    (And get another PR firm, the current PR supplier you've chosen also has "bugs" if this lame ass response is anything to go by)

    1. idiottaxpayerhere previously ishtiaq/theghostdeejay

      @A/C

      "Own your actions" you said, whilst posting as an anonymous coward.

      Just saying.

      Cheers… Ishy

      1. Anonymous Coward

        "Own your actions" you said, whilst posting as an anonymous coward.

        Yeah, I'm owning my anonymity.

        1. Anonymous Coward

          No I'm owning my anonymity. Also I'm Spartacus.

          1. Radio Wales

            No you're not. I'm Spartacus.

            1. Louis Schreurs Bronze badge

              You all can be Spartacus all over the place, I am Socrates !!

    2. Blazde

      Seems not Huawei's suppliers, but their customers. Behind the whole horrible China-based fly-by-night electronics hustle Huawei/HiSilicon just have the honour of being the only identifiable brand with some reputation to beat up on. If not for them would Arm be to blame?

      The HiSilicon supplied SDKs are available here: https://dl.openipc.org/SDK/HiSilicon/

      So it should be relatively straightforward to confirm their claim the bugs are indeed not theirs. Considering they describe the software as 'SDK' I'd assume all the Linux configuration issues aren't included.

      Most likely some unknown 3rd party builds the SDK into a functioning OS and supplies minimally configurable firmware to a student working night-shift in a petrol station, who makes circuit diagrams and licenses those with the firmware to various solderers who in turn sell their bare boards to one of 40 different packaging shops all owned by three blokes who know the same dodgy geezer who knows where to get 'cheap plastic' (*wink* *wink*). From there they get branded by literally anyone capable of clicking the correct buttons on Alibaba to ask "I'd like 20 of these in red please with this logo on the side".

    3. Anonymous Coward

      neworange88888888

      So to cut through the anti-Chinese crap, these IP TV boxes that play Airport signs and adverts on shop TVs have software running on them with a hardcoded password.

      Account "admin" password "neworange88888888"

      They have a web interface you log into to configure them with a web browser, you can use this hardcoded password to do that login. So if you have network access, you can do anything the web control panel can do, including upload new firmware.

      "Arbitrary code execution by uploading malicious firmware"

      No shit, Sherlock, you can run code by uploading new firmware.

      Sloppy, fixed admin account should be disabled after first configuration. I don't see where the chipset comes in, this is a software bug.

      1. Robert Carnegie Silver badge

        Re: neworange88888888

        Do we now know Donald Trump's password that got hacked and that he still uses?

        neworange88888888

        "My God, he's full of tweets!"

        1. Anonymous Coward

          Re: neworange88888888

          It was "yourefired"

        2. Anonymous Coward

          Re: neworange88888888

          nice 2001 reference thank you for that

      2. martinusher Silver badge

        Re: neworange88888888

        The problem with bug reporting is that while it's handy to quote reference numbers like "CVE-2020-1234567" it doesn't tell us squat about what's actually going wrong. All I was able to glean from the article is that there's a telnet client in there that might have a hard coded password; since Telnet isn't exactly secure anyway this represents a significant security risk. But that's just a matter of including an unnecessary application with the end product. Once word about this gets out, instead of people saying 'that's dumb, need to delete unnecessary code' or some such, you end up with experts dogpiling on the OS (because we all know thanks to MSFT, Google, Apple et al that Operating Systems are huge, monolithic pieces of code).

        As we progress further into a world where software is a product of curated development environments we're seeing more information but less knowledge. Inject politics into this and we end up with a huge mess. I'd guess that relatively few of us who read this have ever brought a board up, using or even developing a BSP ("Board Support Package") because if they did then they'd realize that what HiSilicon and Huawei say makes complete sense.

    4. big_D Silver badge

      It isn't their suppliers, it is their customers building the bugs in.

      It is like blaming Intel for faults in Dell BIOS code or Windows. Well, other than Spectre and Heartbleed...

      1. Anonymous Coward

        @big_D

        From the article,

        all the vulnerabilities except for the telnet flaw resided in a single executable program that's part of the software on these devices. "I'm not sure the vendors who build and sell these devices have much control over it,"

        It's like the intel driver of their chipset had a bug. The Intel driver SW only gets used when the chip is made into a PC by Dell.

        1. big_D Silver badge

          Or the devices are all OEMed and all using badged versions of the same application software provided by the OEM manufacturer.

        2. the hatter

          The supply chain for devices isn't so one dimensional though: manufacturer A buys chips from supplier B to do a certain job, B takes chips from designer H and writes their own firmware to it to fulfil that job spec. H doesn't have anything to do with B's work, even though the flaw is on A's H-based device. Embedded software is a discipline that has long lagged behind best practices in more accessible and better-resourced software - a combination of efficiency, cargo-cult programming and lack of visibility could well lead to a common flaw in firmwares from several companies, built into many, varied hardware platforms, that share a chipset, through no fault of the chipset's designers. Perhaps the fault existed in some unrelated codebase that's been repurposed because it's a good fit for the new hardware; perhaps it's lazily copied from an example code snippet the chip designers provided just to show functionality, that's obviously not a comprehensive implementation. Either way, because embedded software devs get their coding practices from a common root, they all introduce similar faults into software for similar/identical chips.

          1. Louis Schreurs Bronze badge

            My guess is that B or H have a sweet relationship with the Chinese government?

    5. Roland6 Silver badge

      >You get what you pay for so don't blame your suppliers. You chose them and the buck stop there.

      Didn't comprehend the article?

      Huawei SOLD the chips that others have used and added poorly secured application code from unknown third-party(s).

      1. Radio Wales

        Sub-Prime confusion

        Little wonder it was an anonymous coward that posited that.

        I'd like to complain: I specifically asked for middle-eastern petrol when I filled up at a previously reputable petrol-station.

        Yet they supplied me with Russian stuff - complete with post-ignition backfires. IT'S - A - DISGRACE !!!

        I shall sue Saudi Arabia.

  3. Anonymous Coward

    State Sponsored Industrial Sabotage

    I wonder if someone infiltrated the supply chain to muck it up a bit, thereby solidifying their position that, "Huawei is bad, mmmkay."

    1. DoctorNine

      Re: State Sponsored Industrial Sabotage

      Occam's Razor suggests that the simplest explanation is likely the correct one.

      Have you ever ridden a Chinese motorcycle?

      1. Sin2x

        Re: State Sponsored Industrial Sabotage

        Hanlon's razor is also apt here.

      2. NeilPost Bronze badge

        Re: State Sponsored Industrial Sabotage

        No but there are many Chinese vehicles in the UK.

        MG GS for example. Very popular in Thailand in amongst most Japanese vehicles.

        Reviews worse than a Dacia Duster. Not anything you would choose... but both are cheap.

      3. Stumpy Silver badge

        Re: State Sponsored Industrial Sabotage

        Yes. Once. And never again...

    2. Uffish

      Re: State Sponsored Industrial Sabotage

      It doesn't surprise me that there is a lot of handy freeware floating around China to help Chinese industry get nice cheap stuff out there bringing in the foreign currency. And it doesn't surprise me when it is found to contain dodgy but potentially 'useful' code.

  4. Kevin McMurtrie Silver badge

    Supply chain?

    Let me guess: Huawei stole the software from Hikvision and Hikvision can't even remember where their buggy pile of crap came from. The mystery software in Hikvision cameras is partially written in English so it must be a Western problem.

    1. NeilPost Bronze badge

      Re: Supply chain?

      ... any evidence ??

      Not like Apple/Microsoft etc have not ever been found guilty of using other people's software and had to pay compensation.

      1. gnasher729 Silver badge

        Re: Supply chain?

        Any examples of that?

        1. NeilPost Bronze badge

          Re: Supply chain?

          https://en.wikipedia.org/wiki/Apple_Inc._litigation

          https://en.wikipedia.org/wiki/Microsoft_litigation

          https://en.wikipedia.org/wiki/Google_litigation

          https://en.wikipedia.org/wiki/Open_source_license_litigation

          Will that do for now?

        2. NeilPost Bronze badge

          Re: Supply chain?

          https://appleinsider.com/articles/20/01/09/masimo-sues-apple-over-apple-watch-patents-alleged-theft-of-trade-secrets

  5. Version 1.0 Silver badge

    Corporate Sponsored Industrial Sabotage

    When the west moved virtually all the production to China about 20 years ago it seems that nobody ever thought that China would be able to do the sort of things that No Such Agency is good at - there were discussions about this risk at the time, but the cheaper production costs were far more important than security - it's still that case, we see all these complaints but nobody ever suggests a solution, or is made responsible because they drove the stock prices up nicely.

    We're blaming the Chinese for our stupidity in creating this environment.

    1. rcxb Silver badge

      Re: Corporate Sponsored Industrial Sabotage

      We're blaming the Chinese for our stupidity in creating this environment.

      While this situation was predictable, that doesn't absolve China of its responsibility.

      1. the hatter

        Re: Corporate Sponsored Industrial Sabotage

        Spies gotta spy. Outrage that one country's state agencies are doing what everyone's state agencies are doing is naive. There's a certain level where I believe Chinese society allows this to be more structurally embedded in the development process, but you can't blame a Chinese company for being Chinese; that is their own biggest market - not like they could even establish a 100% independent, foreign offshoot that was good for the company but absolutely uninfluencable by the parent, and also ensure no other country has any influence over its employees.

      2. Anonymous Coward

        Re: Corporate Sponsored Industrial Sabotage

        It's interesting the terms used, when talking about negatives from the "Middle Kingdom" the reference is made to the whole country. When talking about bad stuff in the "Land of The Free" then it is specific towards a certain agency or agencies.

        Why the differentiation between the countries, one targeting the whole country and its population, the other narrowing down to just a small faction?

        Hopefully it isn't due to western racism.

        再見

        1. heyrick Silver badge

          Re: Corporate Sponsored Industrial Sabotage

          Not defending, but as a Brit I could list exactly zero Chinese agencies. I have no idea what or who does the spying, and the large majority of Chinese media simply doesn't make it to the west...just some really over the top films like Wandering Earth.

          Now for the Americans. How many agencies would you like me to list? Would you like me to tell you where they're headquartered? All without popping over to Wikipedia.

          So it might be something as simple as China being a nebulous black box, while we at least have some idea of where to point the finger when it comes to America.

          1. Anonymous Coward

            Re: Corporate Sponsored Industrial Sabotage

            Well saying the Chinese Government Agency or Chinese Security Services would at least allow you to focus your ire in a more targeted direction, even if you didn't know the name of the actual agency or military unit.

            You could also go with the more nuanced journalistic friendly "State Sponsored Hackers".

        2. rcxb Silver badge

          Re: Corporate Sponsored Industrial Sabotage

          when talking about negatives from the "Middle Kingdom" the reference is made to the whole country. When talking about bad stuff in the "Land of The Free" then it is specific towards a certain agency or agencies.

          Isn't the reason obvious? China is a totalitarian dictatorship with extensive state control of supposedly private industry. Western countries are completely different, with substantial separation between private businesses and the government. Companies have legal protections, the ability to challenge legal orders, and the ability to refuse to comply with unlawful orders without being summarily executed.

          1. Louis Schreurs Bronze badge

            with substantial separation between private businesses and the government

            Butt tied together in a never before seen way by the $$$$$$$$$$$

            $$$$$

            $ $ $ $$$ $$$ $$$ $ $ $

          2. herman Silver badge

            Re: Corporate Sponsored Industrial Sabotage

            " with substantial separation between private businesses and the government. Companies have legal protections, the ability to challenge legal orders, and the ability to refuse to comply with unlawful orders without being summarily executed." - Well, that is the idea anyway. In practice it is not always all that different.

            Both in China and in the USA, the little guys are usually mostly left alone, while the big guys with political connections are a state on their own and the middle size Mafiosi live by the gun.

            The old wild west telegram to HQ: "Send money, guns and lawyers!" still applies today and I have actually run into a situation like that - in Europe.

            People who think that the old/new world is holier than thou have some growing up to do.

  6. Ubermik

    The thing is, everyone makes such a huge fuss about it when "foreigners" do it, but who honestly thinks all of the Intel vulnerabilities were "discovered" rather than being put there deliberately for NSA, CIA etc to use to spy on US citizens and foreign powers?

    Rather than claiming people "found" them I think it's far more accurate to say they were EXPOSED, and Intel moving chip manufacturing to Israel is on a par with asking a known child molester to watch your kids for a month while you are out of town lol

    Wait a while and I will bet even ARM has them for MI6 to exploit

  7. Ubermik

    Is there a list of manufacturers that use the suspect silicon BTW?

    I install CCTV but to be honest have never really paid much attention to the actual silicon used plus much of it has heatsinks covering them anyway

    1. Steve Davies 3 Silver badge

      It would be interesting

      if you put a web sniffer on those CCTV systems just to see who exactly they are phoning home to.

      Even better if then those destinations were blocked by a firewall. Would those CCTV systems stop working if they could not get commands from their Mothership?

      That would make an interesting story for this site would it not?

    2. Roland6 Silver badge

      >Is there a list of manufacturers that use the suspect silicon BTW?

      Asking the wrong question; the vulnerabilities are in the application software the manufacturers add to their product, it's just that currently they all use the Huawei chips. I expect that if these manufacturers switched silicon supplier (or used a different silicon supplier for certain products) the vulnerabilities would still be present.

      So the correct use for a list of manufacturers that use the Huawei silicon is to enable you to avoid purchasing any products (not just the video encoders) from these manufacturers as it would be reasonable to assume they would have exercised a similar level of attention to the security of these other products...

  8. amanfromMars 1 Silver badge

    Monumental Stupidity Always Costs and Pays an Exorbitant Price

    We're blaming the Chinese for our stupidity in creating this environment. ...... Version 1.0

    While this situation was predictable, that doesn't absolve China of its responsibility. ..... rcxb

    So, the stupid West abuses and uses and misuses China, treating it as if it were their ignorant cheap slave, and what exactly is the responsibility you suggest they embrace and maybe even be held accountable for, rcxb, further intimating that they be presently negligent in that particular and peculiar regard?

    Are you expecting the assumed slave to be extraordinarily favourably accommodating of the arrogant presumptive slavemaster? Have a downvote for that perverse Dixie notion

    1. VulcanV5

      Re: Monumental Stupidity Always Costs and Pays an Exorbitant Price

      QUOTE: "So, the stupid West abuses and uses and misuses China, treating it as if it were their ignorant cheap slave, and what exactly is the responsibility you suggest they embrace and maybe even be held accountable for, rcxb, further intimating that they be presently negligent in that particular and peculiar regard?

      Are you expecting the assumed slave to be extraordinarily favourably accommodating of the arrogant presumptive slavemaster?"

      Last time I saw a post as verbose in its declared outrage as that, it was from a Chinese troll farm.

      As to using and abusing China: there is no 'China' as you would like to (mis)represent it. There is instead only the Chinese Communist Party, a viciously corrupt self-serving self-perpetuating elite which like every other Communist party that there has ever been, will say anything and do anything to dominate the world with its belief system.

      So far, its greatest success has been to get "the stupid West" to talk of China without once mentioning those who run the place. As in your post.

      1. amanfromMars 1 Silver badge

        Re: Monumental Stupidity Always Costs and Pays an Exorbitant Price

        How very nice to read a cogent response, VulcanV5, which I would not be able to truthfully disagree with.

        However, not everyone, and I suspect that really means only a very few, may realise the fate and state of China, as may also be the case of all other nations too, can be as you suggest.

        Such though is neither unique nor relatively novel, for surely it at least mimics Maggie Thatcher's world view ......

        There is no such thing as society. There is a living tapestry of men and women and people and the beauty of that tapestry and the quality of our lives will depend upon how much each of us is prepared to take responsibility for ourselves and each of us prepared to turn round and help by our own efforts those who are unfortunate. ..... https://www.margaretthatcher.org/document/106689

        The Global System though, as would administer their wishes via the capture of mainstream media channels for the pumping and dumping and pimping of sympathetic daily news features and absolutely fabulous fabless tragic comedic tales would certainly prefer that such information and intelligence as exposes an elite sociopathic tendency in a politically disguised ascendancy remain suitably stubbornly underground rather than bubble up and bob about in general common knowledge on the surface ........ although methinks they rightly fear they have lost that corrupt advantage for ever now, and to try and regain and retain it, will clearly identify them as the mortal enemy within to be got rid of.

        Your post though is worthy of a 77th Brigade badge. Keep up the good work, practice makes perfect.

    2. heyrick Silver badge

      Re: Monumental Stupidity Always Costs and Pays an Exorbitant Price

      Whoa, dude, that actually read (mostly) coherently.

      Have we touched a nerve, or are you losing your touch?

      1. John Brown (no body) Silver badge

        Re: Monumental Stupidity Always Costs and Pays an Exorbitant Price

        No, but the AI has reached version 3.11, which as we all know is the version that actually works :-)

        AManFromMarsForWorkgroups.

  9. ST Silver badge

    Please explain root access via telnet in year 2020

    > root access via telnet (CVE-2020-24218)

    Because no matter how you try to spin it, there's just not a single good - or lame - excuse for this one.

    What about unauthenticated file upload (CVE-2020-24217)? What are we uploading here?

    Stop playing the victim - either directly or through various Rent-A-Troll third parties.

    1. Roland6 Silver badge

      Re: Please explain root access via telnet in year 2020

      Root access via Telnet is quite common on out-of-the-box networking kit, the vendor assumes the user is sufficiently competent to either disable or secure this access path as part of their configuration and deployment.

      >root access via telnet (CVE-2020-24218)

      It seems the real issue here is that the Telnet daemon cannot be disabled and neither can remote (ie. WAN) access.

      [source: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/#root-access-via-telnet-cve-2020-24218 ]

      Interesting point here is that I've often explicitly disabled both remote access and the Telnet service in the admin web interface of network equipment, but I've not checked that this actually disables (ie. kills) the Telnet daemon...

      >What about unauthenticated file upload (CVE-2020-24217)? What are we uploading here?

      A .rar file which can contain a simple shell script, which will get executed immediately. I.e. you don't need a binary file.

      [Source: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/#unauthenticated-file-upload-cve-2020-24217 ]

      1. ST Silver badge

        Re: Please explain root access via telnet in year 2020

        > Root access via Telnet is quite common on out-of-the-box networking kit [ ... ]

        I don't know if it's quite common, or not, but I do know it shouldn't be.

        If your networking kit vendor - I wonder whom that might be - still ships in.telnetd or some sort of equivalent on their kit, in 2020, you need to have a little chat with them.

        It's not a question of whether it's enabled or disabled by default. It should just NOT be there.

        > A .rar file which can contain a simple shell script [ ... ]

        Uh-huh. Right. That's what everyone needs on their networking kit -- it's a must-have. An open, undocumented port that allows unauthenticated file uploads that can be subsequently executed by root with escalated privileges. Because root is allowed to connect to this network box via telnet. In 2020. Awesome!

        Is there a problem here? Naaaaah. Can't possibly be.

  10. sanmigueelbeer Silver badge

    For the nth time: It is NOT a bug -- it is an "undocumented feature".

    1. Louis Schreurs Bronze badge

      Where 'n' is a complex number.

  11. Flocke Kroes Silver badge

    Number of commentards who cannot RTFA

    The security flaws are not in Huawei's chips or software development kit.

    Huawei's customers buy the chips, assemble them into products and install software configured by someone who prioritised his convenience far higher than any consideration for the security of the final customer. This is not a hidden top secret state sponsored back door. It is a row of giant barn doors with flashing lights and fireworks spelling out "Everyone come this way to reconfigure however you want".

    Say whatever horrible things you like about Huawei's other products and software support but this particular time they have been let down by their customers.

    1. You aint sin me, roit Silver badge
      Holmes

      Cheap IOT tat...

      There's been loads of articles on this very site about all of the security vulnerabilities of internet connected IOT tat. Kettles, barbeques, cctv, you name it, Shodan will find it. A lot of manufacturers (and not just Chinese ones) are fond of the odd default password, hardcoded test certificates, open telnet ports...

      Has Mirai already been forgotten?

      But it is a stretch to blame the chip manufacturer.

    2. Anonymous Coward
      Anonymous Coward

      Re: Number of commentards who cannot RTFA

      @Flocke Kroes

      RTFA

      "all the vulnerabilities except for the telnet flaw resided in a single executable program that's part of the software on these devices. "I'm not sure the vendors who build and sell these devices have much control over it"

      Huawei's smoke and mirrors press release is working after all.

    3. NonSSL-Login

      Re: Number of commentards who cannot RTFA

      The article and headline was written to deceive from the start.

      I wish there was a way we could block certain authors on el reg who are poisoning the site with this stupidity.

      1. Louis Schreurs Bronze badge

        Re: Number of commentards who cannot RTFA

        Lock him up !! Lock him up !!

  12. pintofbitter
    Black Helicopters

    You can hear the silence from all the peeps from just the other week applauding Huawei saying that all the security worries were pointless !

    1. James Hughes 1

      FFS, RTFA, FM.

      1. Aussie Doc Bronze badge
        Joke

        Re:

        "FFS, RTFA, FM."

        My favourite radio station.

    2. anonymous boring coward Silver badge

      I can't hear the silence.

      But I can hear someone who doesn't seem to understand what the article says.

  13. slinkywizard

    In other news - Intel to blame for all Windows bugs

    As Flocke Kroes said - RTFA before you start blaming Huawei for bugs in software that a manufacturer chooses to write/run on a CPU.

    Would Intel even get a mention if a security researcher found bugs/vulnerabilities in an encoder that ran on Intel x86 or Atom chips, but happened to run Windows Embedded as its main OS?

    1. David Lewis 2
      Pint

      Re: In other news - Intel to blame for all Windows bugs

      Yes, this. I'm glad someone else said this before I could.

      Have one =>

    2. Anonymous Coward
      Anonymous Coward

      Re: In other news - Intel to blame for all Windows bugs

      To those saying rtfa, I say rtfa back...

      " all the vulnerabilities except for the telnet flaw resided in a single executable program that's part of the software on these devices. "I'm not sure the vendors who build and sell these devices have much control over it,"

      *multiple* vendors are showing the *same* flaws. If the Huawei SDK release is unusable for a product, and there is a common intermediate Huawei "real" SDK supplier, then it is in Huawei's interest to either own the SDK to a usable form or accept the brand damage. This plausible deniability crap from Huawei PR is a poor show.

      If they make a "secure" SDK no vendor or customer can directly use, this is the price they must accept.

      Either way this is their problem.

      1. Cronus

        Re: In other news - Intel to blame for all Windows bugs

        Have you ever heard of white goods? One manufacturer in the supply chain builds it and re-brands it for multiple customers to re-sell as their own. In this case that white goods manufacturer is not Huawei but some other company. If they include this binary with all the exploits in their product then all the re-branded kit will also have that exploitable binary.

        1. cornetman Silver badge

          Re: In other news - Intel to blame for all Windows bugs

          This is pretty common with small USB goods like cheap webcams, video encoders and the like.

          The software and drivers packaged with the differently branded items are all the same and come from some nebulous third party.

  14. anonymous boring coward Silver badge

    "That would mean someone else provided the makers of these video encoder devices application software riddled with holes, and this code was shipped with the equipment. The products just all happen to use the hi3520d chipset."

    All software runs on something. Are we now implying that Intel or AMD is to blame for bad software running on their hardware?

    If it was done intentionally by a massive manufacturer, it was extremely poorly done. I bet it wasn't.

  15. Homeboy

    Hidden in plain view

    "While most vulnerabilities seem unintentional (i.e. coding mistakes)....."

    That's how I'd make it look as well.

    1. Andy The Hat Silver badge

      Re: Hidden in plain view

      Pick your vendor and show me an intentional vulnerability ...

      There will be the odd state sponsor involved somewhere but I'd wager 99.9% of all vulnerabilities are down to mistakes but the conspiracy theorists will never accept 'mistakes' as they believe anyone who suggests such a thing is obviously in league with the state sponsor ...

      1. Roland6 Silver badge
        Pint

        Re: Hidden in plain view

        >Pick your vendor and show me an intentional vulnerability ...

        Well in the spirit of the article and some other 'security' vulnerability reports, many major router manufacturers.

        The routers in my house are 'vulnerable' as they have a readily accessible "Factory Reset" button which once used means the device can be accessed (LAN/WAN) using the default credentials: admin/admin.

  16. Anonymous Coward
    Anonymous Coward

    "lead product security engineer at Salesforce, outlined a series of flaws affecting IPTV/H.264/H.265 video encoders powered by the hi3520d chipset from Huawei's HiSilicon subsidiary. The security holes are present in software, whose developer is unknown, that runs on top of a Linux stack provided by HiSilicon for products using its system-on-chips."

    So not the Huawei chip or the Linux Stack provided by HiSilicon but the admin interface software written by "developer unknown"

    Anyone with a C++ compiler can write an admin interface and without proper secure devops processes, might be littered with holes. Most cheap Internet of Thing suppliers may resort to sloppy code (especially to keep costs down) on devices.

    This isn't on Huawei for their chip or Linux stack.

  17. msknight
    Coat

    "Huawei has launched an immediate investigation"

    ...into how they got caught.

  18. Cuddles Silver badge

    Well there's your problem

    "The security holes are present in software, whose developer is unknown"

    Unknown software from unknown source turns out to be untrustworthy, or at the very least uncompetent. This is my shocked face.

    1. Andy The Hat Silver badge

      Re: Well there's your problem

      I know it's barely conceivable but try to imagine a company writing a security-hole filled application, running on a buggy Microsoft Operating system, on an i386 platform managed by Intel firmware. Who would even consider writing the phrase "Intel responsible for security holes ..." in such a case? This story is the Trumpophile/xenophobe's equivalent ...

    2. John Bailey

      Re: Well there's your problem

      "Unknown software from unknown source turns out to be untrustworthy, or at the very least uncompetent. This is my shocked face."

      Are you sure? Looks more like your constipated face.

      So tell me great sage.

      Which known software from known sources is actually trustworthy? Your spell checker obviously doesn't fit the requirements.

    3. Roland6 Silver badge

      Re: Well there's your problem

      >"The security holes are present in software, whose developer is unknown" to Alexei Kojenov @Salesforce and Huawei. A situation you would expect with proprietary software. I've no idea who actually wrote all the software that was supplied pre-installed on my Humax box.

      I'm sure the manufacturers of the video encoders know exactly who they purchased the software from.

  19. Rol Silver badge

    Two legs good, four legs bad!

    It seems clear that we have some trump fantards on here that despite all the evidence, still insist on regurgitating the party line.

    Frankly, given the option of getting into bed with a known sex offender, or some ageing pseudo communists, I assume you can guess I'm more likely to take the risk of getting rubbed up the wrong way, rather than the certainty of getting a grubby hand thrust up between my thighs, and then later bragged about in the hyena circles that he travels in.

    1. Anonymous Coward
      Anonymous Coward

      Re: Two legs good, four legs bad!

      It seems clear that we have some trump fantards on here that despite all the evidence, still insist on regurgitating the party line.

      Better than the delusional Harris fantards we're seeing here (I already discount Senile Joe as being the actual president, expecting Kamala Chameleon will have her hand firmly up his butt making him talk).

      Party line? Over the past 40 years, I have voted third-party. Not much of a follower of the "party line", then. Biden hasn't done anything useful in the half-century he's been in office, and the things he HAS done have been severely detrimental to this country. Trump may be an arrogant asshole, but as long as he's there pissing off anybody and everybody, then he's doing the job that needs doing.

  20. sanmigueelbeer Silver badge
    IT Angle

    China-backed telecom firm says won't spy on Philippines

    China-backed telecom firm says won't spy on Philippines

    1. Louis Schreurs Bronze badge

      Re: China-backed telecom firm says won't spy on Philippines

      Hehe.....hehehehehe........HAHAHAHAHAHAHAHAHAHAA!!!!!!!!!!!!!!

  21. Maximum Delfango Bronze badge
    WTF?

    "...lead product security engineer at Salesforce..."

    ^ I read this a few times, my reactions starting at disbelief, passing through uncontrolled mirth and settling on incredulity.

    Salesforce and security in the same sentence without an interleaving negative. Never thought I'd read that.

Biting the hand that feeds IT © 1998–2020