"The hardcoded password is a deliberate backdoor."
Not a good look for a company wanting to have its kit accepted as secure and trustworthy with worldwide ambitions for its 5G kit.
Hardware video encoders from multiple suppliers contain several critical security bugs that allow a remote unauthenticated miscreant to run arbitrary code on the equipment. In a disclosure published this week, Alexei Kojenov, lead product security engineer at Salesforce, outlined a series of flaws affecting IPTV/H.264/H.265 …
@"from other manufacturers that have had similar issues over the years." Quite; Windows codecs were IMHO always a dodgy idea, especially where Windows asks if you want to download the "correct" codec to play a dodgy video.
The issue here is a shame, as my Huawei phone has had monthly Android security updates, something that I have never seen with Samsung or HTC. HTC in my case never provided an update for my phone, and when I contacted them they obsessed about me wanting to unlock the phone rather than addressing the issue that the phone was selected because of their "reputation for software maintenance"; apparently it didn't apply to my marketing package from CarPhone Warehouse, hence HTC was added to my Sh1tL1st.
I would generally say that if the phone is vulnerable then the manufacturer should address it.
That being said, from what I have seen from Huawei, relative to every other phone maker I have used, Huawei "were" IMHO the most likely to actually bother with a fix. "Were" here because in my case the UK sucking up to the American/Trump "we can't compete with China so they can't sell to our bitches, y'all" doesn't leave much of an incentive for Huawei.
It is shit software that runs on top of them - as the article states, not the chips and not the SDK.
No different from Intel, Microsoft, Oracle and everyone else running software on top of hardware with a variety of components in it.
What is missing from the article is an impact assessment - does any end user become less secure viewing these videos ... or does that depend on the quality of the software - shall I say web browser, software or hardware-enabled decoder - used to view it within your security realm at home or work.
Windows, OSX, Linux, Chrome, Firefox, IE, Safari, Edge, VLC Media Player, Smart TVs, iOS, NVidia/AMD, Android, various shonky Linux-based torrent streamers, !!!
All well known for their ‘robust software’ and wholesomeness.
"These devices are manufactured using components acquired from a complex supply chain and are often sold through common outlets such as retail stores and e-commerce websites. This makes it difficult to identify impacted devices and notify the appropriate stakeholders, thus illustrating the dire need for Software Bill of Materials SBOM in this growing and complex digital market." [CMU, IPTV encoder devices contain multiple vulnerabilities]
It's worth noting that this particular "software" (possibly plural) is anonymous, whereas the pieces of software you named have names, and can be name-shamed - some level of accountability.
While it's true the system vendors have names (CMU lists 13 known system vendors: 3 affected, 1 not affected, and 9 undetermined), the relevant common software vendor remains anonymous. One might expect the vendors or even Huawei to identify the relevant vendor, to clear the air and show accountability; however, that has not happened. Why not?
Not necessarily. I've seen numerous instances of devs "innocently" setting hard-coded passwords as a result of Dunning-Kruger. There have even been instances of IoT vulnerabilities of this kind being due to devs copying and pasting example code fragments from chip vendors' data sheets directly into the production code without changing the example defaults (including the example passwords).
It only doesn't look good because the article is written as a hatchet job by an author in America.
The title makes it look like there are backdoors in Huawei chips. There aren't.
We all know chipsets get used in multiple hardware projects from different companies, and they often use the same badly written software one company wrote, which often has vulnerabilities. Think IP cameras/DVRs for example.
Totally different to all the American Cisco backdoors and vulnerabilities that we find month after month. Hard-coded credentials/keys and other backdoors before we even get to the vulnerabilities.
This has sod all to do with Huawei really, but it's written to make them look bad. The Register's lack of impartiality when it comes to stuff like Huawei is why it is becoming less trusted among peers.
I know for a fact some limited number of chips made or developed in the Pacific rim were deliberately changed at the manufacturing level to piggyback circuit design as a permanent back door, no matter what code was used. The person that witnessed this was thrown out of a laboratory when my friend asked what they were doing. They were so arrogant that they even screened in logos in the photolithography films. They may be more discreet now, but I'm not convinced it isn't still happening. I'd wager that they still at least salt shipments of random modifications from the foundry in every sale overseas.
"We all know chipsets get used in multiple hardware projects from different companies and they often use the same badly written software one company wrote which often has vulnerabilities. Think IP cameras/DVRs for example."
No one seems to have looked, or at least reported on looking, for any identifying text inside the binary code. Most seem to have some sort of copyright or similar embedded these days.
Seems not Huawei's suppliers, but their customers. Behind the whole horrible China-based fly-by-night electronics hustle Huawei/HiSilicon just have the honour of being the only identifiable brand with some reputation to beat up on. If not for them would Arm be to blame?
The HiSilicon supplied SDKs are available here: https://dl.openipc.org/SDK/HiSilicon/
So it should be relatively straightforward to confirm their claim that the bugs are indeed not theirs. Considering they describe the software as an 'SDK', I'd assume all the Linux configuration issues aren't included.
Most likely some unknown 3rd party builds the SDK into a functioning OS and supplies minimally configurable firmware to a student working night-shift in a petrol station, who makes circuit diagrams and licenses those with the firmware to various solderers who in turn sell their bare boards to one of 40 different packaging shops all owned by three blokes who know the same dodgy geezer who knows where to get 'cheap plastic' (*wink* *wink*). From there they get branded by literally anyone capable of clicking the correct buttons on Alibaba to ask "I'd like 20 of these in red please with this logo on the side".
So to cut through the anti-Chinese crap, these IP TV boxes that play Airport signs and adverts on shop TVs have software running on them with a hardcoded password.
Account "admin" password "neworange88888888"
They have a web interface you log into with a web browser to configure them; you can use this hardcoded password for that login. So if you have network access, you can do anything the web control panel can do, including upload new firmware.
"Arbitrary code execution by uploading malicious firmware"
No shit, Sherlock, you can run code by uploading new firmware.
Sloppy, fixed admin account should be disabled after first configuration. I don't see where the chipset comes in, this is a software bug.
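The point just made, that a fixed admin account should stop working after first configuration, is easy to state and easy to get wrong. The following is an added illustration written for this page, not code from the article, from HiSilicon, or from any encoder vendor; it models a device web-UI login in which the factory credential is only honoured until initial setup completes, after which only the owner-chosen, salted and hashed password is accepted. The factory credential string and the 12-character minimum are constructed placeholders, not values from any real product.

```python
"""Added example: factory admin credential that is refused once the device
has been configured. Standard library only; all values are constructed."""
import hashlib
import hmac
import os

FACTORY_USER = "admin"
# Placeholder for illustration; a real device would ship a per-unit secret.
FACTORY_PASSWORD = "factory-default-placeholder"
MIN_PASSWORD_LEN = 12          # policy value chosen for this example
PBKDF2_ROUNDS = 200_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so a leaked config file does not leak the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AdminAuth:
    """Login state machine for a single built-in administrator account."""

    def __init__(self) -> None:
        self.configured = False   # flips to True exactly once, at first setup
        self._salt: bytes = b""
        self._hash: bytes = b""

    def login(self, user: str, password: str) -> str:
        """Return 'setup_required', 'ok' or 'denied'.

        Before setup the factory password opens only a forced-setup flow.
        After setup the factory password is never accepted again.
        """
        if user != FACTORY_USER:
            return "denied"
        if not self.configured:
            if hmac.compare_digest(password, FACTORY_PASSWORD):
                return "setup_required"
            return "denied"
        candidate = _hash_password(password, self._salt)
        return "ok" if hmac.compare_digest(candidate, self._hash) else "denied"

    def complete_setup(self, new_password: str) -> None:
        """Retire the factory credential by installing an owner-chosen password."""
        if self.configured:
            raise RuntimeError("setup already completed; use change_password")
        if new_password == FACTORY_PASSWORD or len(new_password) < MIN_PASSWORD_LEN:
            raise ValueError("password must differ from the factory default and be "
                             f"at least {MIN_PASSWORD_LEN} characters")
        self._salt = os.urandom(16)
        self._hash = _hash_password(new_password, self._salt)
        self.configured = True


def walkthrough() -> dict:
    """Drive the state machine through first boot; returns the observed outcomes."""
    auth = AdminAuth()
    before = auth.login("admin", FACTORY_PASSWORD)          # 'setup_required'
    auth.complete_setup("correct horse battery staple")    # constructed owner password
    factory_after = auth.login("admin", FACTORY_PASSWORD)   # 'denied'
    owner_after = auth.login("admin", "correct horse battery staple")  # 'ok'
    return {"before": before, "factory_after": factory_after, "owner_after": owner_after}


if __name__ == "__main__":
    print(walkthrough())
```

The design choice worth noticing is that `configured` is the only thing that distinguishes the two code paths, so a firmware that forgot to persist that flag (or a factory reset that clears it) silently re-enables the factory credential; the same risk is raised later in this thread for routers with a reset button.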
The problem with bug reporting is that while it's handy to quote reference numbers like "CVE-2020-1234567", it doesn't tell us squat about what's actually going wrong. All I was able to glean from the article is that there's a telnet client in there that might have a hard-coded password; since Telnet isn't exactly secure anyway, this represents a significant security risk. But that's just a matter of including an unnecessary application with the end product. Once word about this gets out, instead of people saying 'that's dumb, need to delete unnecessary code' or some such, you end up with experts dogpiling on the OS (because we all know thanks to MSFT, Google, Apple et al that operating systems are huge, monolithic pieces of code).
As we progress further into a world where software is a product of curated development environments we're seeing more information but less knowledge. Inject politics into this and we end up with a huge mess. I'd guess that relatively few of us who read this have ever brought a board up, using or even developing a BSP ("Board Support Package") because if they did then they'd realize that what HiSilicon and Huawei say makes complete sense.
@big_D
From the article,
all the vulnerabilities except for the telnet flaw resided in a single executable program that's part of the software on these devices. "I'm not sure the vendors who build and sell these devices have much control over it,"
It's like the Intel driver of their chipset had a bug. The Intel driver SW only gets used when the chip is made into a PC by Dell.
The supply chain for devices isn't so one-dimensional though: manufacturer A buys chips from supplier B to do a certain job, B takes chips from designer H and writes their own firmware for it to fulfil that job spec. H doesn't have anything to do with B's work, even though the flaw is on A's H-based device. Embedded software is a discipline that has long lagged behind best practices in more accessible and better-resourced software - a combination of efficiency, cargo-cult programming and lack of visibility could well lead to a common flaw in firmwares from several companies, built into many, varied hardware platforms that share a chipset, through no fault of the chipset's designers. Perhaps the fault existed in some unrelated codebase that's been repurposed because it's a good fit for the new hardware; perhaps it's lazily copied from an example code snippet the chip designers provided just to show functionality, which is obviously not a comprehensive implementation. Either way, because embedded software devs get their coding practices from a common root, they all introduce similar faults into software for similar/identical chips.
Little wonder it was an anonymous coward that posited that.
I'd like to complain: I specifically asked for middle-eastern petrol when I filled up at a previously reputable petrol-station.
Yet they supplied me with Russian stuff - complete with post-ignition backfires. IT'S - A - DISGRACE !!!
I shall sue Saudi Arabia.
It doesn't surprise me that there is a lot of handy freeware floating around China to help Chinese industry get nice cheap stuff out there bringing in the foreign currency. And it doesn't surprise me when it is found to contain dodgy but potentially 'useful' code.
When the West moved virtually all the production to China about 20 years ago, it seems that nobody ever thought that China would be able to do the sort of things that No Such Agency is good at - there were discussions about this risk at the time, but the cheaper production costs were far more important than security - it's still the case; we see all these complaints but nobody ever suggests a solution, or is made responsible, because they drove the stock prices up nicely.
We're blaming the Chinese for our stupidity in creating this environment.
Spies gotta spy. Outrage that one country's state agencies are doing what everyone's state agencies are doing is naive. There's a certain level where I believe Chinese society allows this to be more structurally embedded in the development process, but you can't blame a Chinese company for being Chinese; that is their own biggest market - not like they could even establish a 100% independent foreign offshoot that was good for the company but absolutely uninfluenceable by the parent, and also ensure no other country has any influence over its employees.
It's interesting the terms used, when talking about negatives from the "Middle Kingdom" the reference is made to the whole country. When talking about bad stuff in the "Land of The Free" then it is specific towards a certain agency or agencies.
Why the differentiation between the countries, one targeting the whole country and its population, the other narrowing down to just a small faction?
Hopefully it isn't due to western racism.
再見 (Goodbye)
Not defending, but as a Brit I could list exactly zero Chinese agencies. I have no idea what or who does the spying, and the large majority of Chinese media simply doesn't make it to the west...just some really over the top films like Wandering Earth.
Now for the Americans. How many agencies would you like me to list? Would you like me to tell you where they're headquartered? All without popping over to Wikipedia.
So it might be something as simple as China being a nebulous black box, while we at least have some idea of where to point the finger when it comes to America.
Well saying the Chinese Government Agency or Chinese Security Services would at least allow you to focus your ire in a more targeted direction, even if you didn't know the name of the actual agency or military unit.
You could also go with the more nuanced journalistic friendly "State Sponsored Hackers".
when talking about negatives from the "Middle Kingdom" the reference is made to the whole country. When talking about bad stuff in the "Land of The Free" then it is specific towards a certain agency or agencies.
Isn't the reason obvious? China is a totalitarian dictatorship with extensive state control of supposedly private industry. Western countries are completely different, with substantial separation between private businesses and the government. Companies have legal protections, the ability to challenge legal orders, and the ability to refuse to comply with unlawful orders without being summarily executed.
" with substantial separation between private businesses and the government. Companies have legal protections, the ability to challenge legal orders, and the ability to refuse to comply with unlawful orders without being summarily executed." - Well, that is the idea anyway. In practice it is not always all that different.
Both in China and in the USA, the little guys are usually mostly left alone, while the big guys with political connections are a state on their own and the middle size Mafiosi live by the gun.
The old Wild West telegram to HQ, "Send money, guns and lawyers!", still applies today, and I have actually run into a situation like that - in Europe.
People who think that the old/new world is holier than thou have some growing up to do.
The thing is, everyone makes such a huge fuss about it when "foreigners" do it, but who honestly thinks all of the Intel vulnerabilities were "discovered" rather than being put there deliberately for NSA, CIA etc to use to spy on US citizens and foreign powers?
Rather than claiming people "found" them, I think it's far more accurate to say they were EXPOSED, and Intel moving chip manufacturing to Israel is on a par with asking a known child molester to watch your kids for a month while you are out of town lol
Wait a while and I will bet even ARM has them for MI6 to exploit
if you put a web sniffer on those CCTV systems just to see who exactly they are phoning home to.
Even better if then those destinations were blocked by a firewall. Would those CCTV systems stop working if they could not get commands from their Mothership.
That would make an interesting story for this site would it not?
>Is there a list of manufacturers that use the suspect silicon BTW?
Asking the wrong question; the vulnerabilities are in the application software the manufacturers add to their product, it's just that currently they all use the Huawei chips. I expect that if these manufacturers switched silicon supplier (or used a different silicon supplier for certain products) the vulnerabilities would still be present.
So the correct use for a list of manufacturers that use the Huawei silicon is to enable you to avoid purchasing any products (not just the video encoders) from these manufacturers as it would be reasonable to assume they would have exercised a similar level of attention to the security of these other products...
We're blaming the Chinese for our stupidity in creating this environment. ...... Version 1.0
While this situation was predictable, that doesn't absolve China of its responsibility. ..... rcxb
So, the stupid West abuses and uses and misuses China, treating it as if it were their ignorant cheap slave, and what exactly is the responsibility you suggest they embrace and maybe even be held accountable for, rcxb, further intimating that they be presently negligent in that particular and peculiar regard?
Are you expecting the assumed slave to be extraordinarily favourably accommodating of the arrogant presumptive slavemaster? Have a downvote for that perverse Dixie notion
QUOTE: "So, the stupid West abuses and uses and misuses China, treating it as if it were their ignorant cheap slave, and what exactly is the responsibility you suggest they embrace and maybe even be held accountable for, rcxb, further intimating that they be presently negligent in that particular and peculiar regard?
Are you expecting the assumed slave to be extraordinarily favourably accommodating of the arrogant presumptive slavemaster?"
Last time I saw a post as verbose in its declared outrage as that, it was from a Chinese troll farm.
As to using and abusing China: there is no 'China' as you would like to (mis)represent it. There is instead only the Chinese Communist Party, a viciously corrupt self-serving self-perpetuating elite which like every other Communist party that there has ever been, will say anything and do anything to dominate the world with its belief system.
So far, its greatest success has been to get "the stupid West" to talk of China without once mentioning those who run the place. As in your post.
How very nice to read a cogent response, VulcanV5, which I would not be able to truthfully disagree with.
However, not everyone, and I suspect that really means only a very few, may realise the fate and state of China, as may also be the case of all other nations too, can be as you suggest.
Such though is neither unique nor relatively novel, for surely it at least mimics Maggie Thatcher's world view ......
There is no such thing as society. There is living tapestry of men and women and people and the beauty of that tapestry and the quality of our lives will depend upon how much each of us is prepared to take responsibility for ourselves and each of us prepared to turn round and help by our own efforts those who are unfortunate. ..... https://www.margaretthatcher.org/document/106689
The Global System though, as would administer their wishes via the capture of mainstream media channels for the pumping and dumping and pimping of sympathetic daily news features and absolutely fabulous fabless tragic comedic tales, would certainly prefer that such information and intelligence as exposes an elite sociopathic tendency in a politically disguised ascendancy remain suitably stubbornly underground rather than bubble up and bob about in general common knowledge on the surface ........ although methinks they rightly fear they have lost that corrupt advantage for ever now, and to try and regain and retain it will clearly identify them as the mortal enemy within to be got rid of.
Your post though is worthy of a 77th Brigade badge. Keep up the good work, practice makes perfect.
> root access via telnet (CVE-2020-24218)
Because no matter how you try to spin it, there's just not a single good - or lame - excuse for this one.
What about unauthenticated file upload (CVE-2020-24217)? What are we uploading here?
Stop playing the victim - either directly or through various Rent-A-Troll third parties.
Root access via Telnet is quite common on out-of-the-box networking kit; the vendor assumes the user is sufficiently competent to either disable or secure this access path as part of their configuration and deployment.
>root access via telnet (CVE-2020-24218)
It seems the real issue here is that the Telnet daemon cannot be disabled and neither can remote (i.e. WAN) access.
[source: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/#root-access-via-telnet-cve-2020-24218 ]
Interesting point here is that I've often explicitly disabled both remote access and the Telnet service in the admin web interface of network equipment, but I've not checked that this actually disables (i.e. kills) the Telnet daemon...
>What about unauthenticated file upload (CVE-2020-24217)? What are we uploading here?
A .rar file which can contain a simple shell script, which gets executed immediately. I.e. you don't need a binary file.
[Source: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/#unauthenticated-file-upload-cve-2020-24217 ]
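The doubt raised above, that ticking "disable Telnet" in a web UI may not actually stop the daemon, is something you can settle from another machine on the same network rather than trusting the UI. The following is an added example written for this page, not code from the article, the researcher's write-up, or any vendor: it attempts a TCP connection to each port that policy says should be closed and, where the connection is accepted, reads the first bytes to see whether the service opens with Telnet option negotiation (a `0xFF` IAC byte, which real telnetd implementations send before any prompt). The port list, the loopback "fake listener" used to make the example self-contained, and the payloads it serves are all constructed for this demonstration.

```python
"""Added example: verify from the network that services disabled in a device
web UI are really not accepting connections. Standard library only."""
import socket
import threading
from dataclasses import dataclass

IAC = 0xFF  # Telnet "Interpret As Command": telnetd greets clients with option negotiation

# Constructed policy for the example: ports that should be closed after hardening.
SHOULD_BE_CLOSED = {23: "telnet", 2323: "telnet-alt", 21: "ftp"}


@dataclass
class PortCheck:
    host: str
    port: int
    listening: bool
    looks_like_telnet: bool
    detail: str


def check_port(host: str, port: int, timeout: float = 2.0) -> PortCheck:
    """Connect to host:port; report whether anything accepted and what it sent first."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                first = sock.recv(8)       # many daemons speak first; Telnet always does
            except (socket.timeout, OSError):
                first = b""
            telnet = len(first) > 0 and first[0] == IAC
            detail = "accepted connection" + (
                ", opened with Telnet option negotiation" if telnet else "")
            return PortCheck(host, port, True, telnet, detail)
    except ConnectionRefusedError:
        # RST came back: the OS has nothing bound there. This is the answer you want.
        return PortCheck(host, port, False, False, "refused: no listener bound")
    except (socket.timeout, TimeoutError):
        # Silence proves only that this vantage point cannot reach it (filtered/off).
        return PortCheck(host, port, False, False, "timed out: filtered or unreachable")
    except OSError as exc:
        return PortCheck(host, port, False, False, f"error: {exc}")


def audit(host: str, ports=SHOULD_BE_CLOSED, timeout: float = 2.0) -> list:
    """Return a finding line for every policy port that still accepts connections."""
    findings = []
    for port, name in ports.items():
        result = check_port(host, port, timeout)
        if result.listening:
            findings.append(f"{host}:{port} ({name}) still open - {result.detail}")
    return findings


# --- self-contained fixture so the example runs offline (constructed, not a real device)
def start_fake_listener(payload: bytes) -> int:
    """Bind an ephemeral loopback port, serve `payload` to one client, then close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(payload)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port() -> int:
    """Reserve then release a loopback port so a connect attempt is refused."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # IAC DO TERMINAL-TYPE, IAC DO NAWS: a typical telnetd opening.
    telnet_port = start_fake_listener(b"\xff\xfd\x18\xff\xfd\x1f")
    print(audit("127.0.0.1", {telnet_port: "telnet", closed_port(): "ftp"}))
```

A "refused" result is the only one that proves the daemon is gone from that host; a timeout from a firewall in between says nothing about the device itself, so run the check from the LAN side as well as from wherever "remote access" was supposed to be blocked, and pair it with an on-device `ss -ltn` or `netstat -ltn` where you have a shell.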
> Root access via Telnet is quite common on out-of-the-box networking kit [ ... ]
I don't know if it's quite common, or not, but I do know it shouldn't be.
If your networking kit vendor - I wonder whom that might be - still ships in.telnetd or some sort of equivalent on their kit, in 2020, you need to have a little chat with them.
It's not a question of whether it's enabled or disabled by default. It should just NOT be there.
> A .rar file which can contain a simple shell script [ ... ]
Uh-huh. Right. That's what everyone needs on their networking kit -- it's a must-have. An open, undocumented port that allows unauthenticated file uploads that can be subsequently executed by root with escalated privileges. Because root is allowed to connect to this network box via telnet. In 2020. Awesome!
Is there a problem here? Naaaaah. Can't possibly be.
The security flaws are not in Huawei's chips or software development kit.
Huawei's customers buy the chips, assemble them into products and install software configured by someone who prioritised his convenience far higher than any consideration for the security of the final customer. This is not a hidden top-secret state-sponsored back door. It is a row of giant barn doors with flashing lights and fireworks spelling out "Everyone come this way to reconfigure however you want".
Say whatever horrible things you like about Huawei's other products and software support but this particular time they have been let down by their customers.
There's been loads of articles on this very site about all of the security vulnerabilities of internet-connected IoT tat. Kettles, barbecues, CCTV, you name it, Shodan will find it. A lot of manufacturers (and not just Chinese ones) are fond of the odd default password, hardcoded test certificates, open telnet ports...
Has Mirai already been forgotten?
But it is a stretch to blame the chip manufacturer.
@Flocke Kroes
RTFA
"all the vulnerabilities except for the telnet flaw resided in a single executable program that's part of the software on these devices. "I'm not sure the vendors who build and sell these devices have much control over it"
Huawei's smoke and mirrors press release is working after all.
As Flocke Kroes said - RTFA before you start blaming Huawei for bugs in software that a manufacturer chooses to write/run on a CPU.
Would Intel even get a mention if a security researcher found bugs/vulnerabilities in an encoder that ran on Intel x86 or Atom chips, but happened to run Windows Embedded as its main OS?
To those saying rtfa, I say rtfa back...
" all the vulnerabilities except for the telnet flaw resided in a single executable program that's part of the software on these devices. "I'm not sure the vendors who build and sell these devices have much control over it,"
*multiple* vendors are showing the *same* flaws. If the Huawei SDK release is unusable for a product, and there is a common intermediate Huawei "real" SDK supplier, then it is in Huawei's interest to either own the SDK to a usable form or accept the brand damage. This plausible deniability crap from Huawei PR is a poor show.
If they make a "secure" SDK no vendor or customer can directly use, this is the price they must accept.
Either way this is their problem.
Have you ever heard of white goods? One manufacturer in the supply chain builds it and re-brands it for multiple customers to re-sell as their own. In this case that white goods manufacturer is not Huawei but some other company. If they include this binary with all the exploits in their product then all the re-branded kit will also have that exploitable binary.
"That would mean someone else provided the makers of these video encoder devices application software riddled with holes, and this code was shipped with the equipment. The products just all happen to use the hi3520d chipset."
All software runs on something. Are we now implying that Intel or AMD is to blame for bad software running on their hardware?
If it was done intentionally by a massive manufacturer, it was extremely poorly done. I bet it wasn't.
Pick your vendor and show me an intentional vulnerability ...
There will be the odd state sponsor involved somewhere but I'd wager 99.9% of all vulnerabilities are down to mistakes but the conspiracy theorists will never accept 'mistakes' as they believe anyone who suggests such a thing is obviously in league with the state sponsor ...
>Pick your vendor and show me an intentional vulnerability ...
Well in the spirit of the article and some other 'security' vulnerability reports, many major router manufacturers.
The routers in my house are 'vulnerable' as they have a readily accessible "Factory Reset" button which once used means the device can be accessed (LAN/WAN) using the default credentials: admin/admin.
"lead product security engineer at Salesforce, outlined a series of flaws affecting IPTV/H.264/H.265 video encoders powered by the hi3520d chipset from Huawei's HiSilicon subsidiary. The security holes are present in software, whose developer is unknown, that runs on top of a Linux stack provided by HiSilicon for products using its system-on-chips."
So not the Huawei chip or the Linux Stack provided by HiSilicon but the admin interface software written by "developer unknown"
Anyone with a C++ compiler can write an admin interface, and without proper secure devops processes it might be littered with holes. Most cheap Internet of Things suppliers may resort to sloppy code (especially to keep costs down) on devices.
This isn't on Huawei for their chip or Linux stack.
I know it's barely conceivable, but try to imagine a company writing a security-hole-filled application, running on a buggy Microsoft operating system, on an i386 platform managed by Intel firmware. Who would even consider writing the phrase "Intel responsible for security holes ..." in such a case? This story is the Trumpophile/xenophobe's equivalent ...
"Unknown software from unknown source turns out to be untrustworthy, or at the very least uncompetent. This is my shocked face."
Are you sure? Looks more like your constipated face.
So tell me great sage.
Which known software from known sources is actually trustworthy? Your spell checker obviously doesn't fit the requirements.
>"The security holes are present in software, whose developer is unknown" to Alexei Kojenov @Salesforce and Huawei. A situation you would expect with proprietary software. I've no idea who actually wrote all the software that was supplied pre-installed on my Humax box.
I'm sure the manufacturers of the video encoders know exactly who they purchased the software from.
It seems clear that we have some trump fantards on here that despite all the evidence, still insist on regurgitating the party line.
Frankly, given the option of getting into bed with a known sex offender, or some ageing pseudo communists, I assume you can guess I'm more likely to take the risk of getting rubbed up the wrong way, rather than the certainty of getting a grubby hand thrust up between my thighs, and then later bragged about in the hyena circles that he travels in.
> It seems clear that we have some trump fantards on here that despite all the evidence, still insist on regurgitating the party line.
Better than the delusional Harris fantards we're seeing here (I already discount Senile Joe as being the actual president, expecting Kamala Chameleon will have her hand firmly up his butt making him talk).
Party line? Over the past 40 years, I have voted third-party. Not much of a follower of the "party line", then. Biden hasn't done anything useful in the half-century he's been in office, and the things he HAS done have been severely detrimental to this country. Trump may be an arrogant asshole, but as long as he's there pissing off anybody and everybody, then he's doing the job that needs doing.