Security researcher Vladislav Yarmak has published a new report detailing a backdoor mechanism in Xiongmai firmware, which is used by millions of smart devices worldwide, such as DVRs, NVRs and security cameras.
A firmware fix is not currently available because Yarmak did not report the issue to the company, citing a lack of trust in the vendor to fix it properly.
According to the detailed report Yarmak published on Habr, the backdoor mechanism is a mash-up of four older security bugs that were discovered and made public in March 2013, March 2017, July 2017 and September 2017, and that were never adequately fixed by the vendors involved.
Yarmak explained that the backdoor can be exploited by simply sending a series of commands over TCP port 9530 to devices that use HiSilicon chipsets and Xiongmai firmware.
The commands, the equivalent of a secret knock, enable the Telnet service on a vulnerable device. Once the Telnet service is running, an attacker can log in with one of six Telnet credentials (listed below) and gain access to a root account, giving complete control over the device.
These Telnet logins are not made up: they were found hardcoded in the firmware years ago. The issue was not shut down when it was made public and has since been exploited even by Mirai botnets. Yarmak also explained that the hardcoded credentials were left in place while the vendor chose to disable the Telnet daemon instead.
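The two-step pattern described above (a connection to TCP port 9530 followed shortly by a Telnet connection to the same device) is something a network defender can watch for in firewall or flow logs. The following Python script is an added example written for this article, not Yarmak's PoC or any vendor code; it assumes a constructed connection-log line format of `<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>`, and the sample log lines and IP addresses are made up for the demonstration.

```python
"""Correlate connection logs to flag a port-9530 'knock' followed by Telnet."""
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article); one connection per line:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2020-02-05T10:00:01 203.0.113.7 -> 192.0.2.10:9530 TCP
2020-02-05T10:00:03 203.0.113.7 -> 192.0.2.10:23 TCP
2020-02-05T10:05:00 198.51.100.4 -> 192.0.2.11:23 TCP
2020-02-05T10:07:00 203.0.113.9 -> 192.0.2.12:9530 TCP
2020-02-05T11:30:00 203.0.113.9 -> 192.0.2.12:23 TCP
"""

KNOCK_PORT = 9530   # port the enabling commands are sent to, per the report
TELNET_PORT = 23    # service the knock turns on

# Assumed log format; adapt the pattern to your own firewall/flow export.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<proto>\S+)$"
)


def parse_log(text):
    """Parse log text into a time-sorted list of TCP connection events."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m or m["proto"].upper() != "TCP":
            continue  # skip malformed or non-TCP lines rather than abort
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "port": int(m["port"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def knock_targets(text):
    """Low-severity signal: every device that received a connection on the knock port."""
    return {e["dst"] for e in parse_log(text) if e["port"] == KNOCK_PORT}


def find_knock_then_telnet(text, window=timedelta(minutes=10)):
    """High-severity signal: a knock followed within `window` by Telnet to the same device.

    Returns one alert per knock that was followed by a Telnet connection.
    """
    events = parse_log(text)
    alerts = []
    for knock in (e for e in events if e["port"] == KNOCK_PORT):
        for ev in events:
            if (ev["dst"] == knock["dst"] and ev["port"] == TELNET_PORT
                    and knock["ts"] <= ev["ts"] <= knock["ts"] + window):
                alerts.append({
                    "device": knock["dst"],
                    "knock_source": knock["src"],
                    "telnet_source": ev["src"],
                    "knock_at": knock["ts"].isoformat(),
                    "telnet_at": ev["ts"].isoformat(),
                })
                break  # one alert per knock is enough
    return alerts


if __name__ == "__main__":
    print("Devices that saw port-9530 traffic:", sorted(knock_targets(SAMPLE_LOG)))
    for alert in find_knock_then_telnet(SAMPLE_LOG):
        print("ALERT knock-then-telnet:", alert)
```

In the sample data only 192.0.2.10 is flagged: the Telnet connection to 192.0.2.12 arrives over an hour after its knock, outside the ten-minute window, so it shows up only in the lower-severity list of knock targets. Any inbound traffic to port 9530 on a camera or recorder segment is worth investigating on its own, and blocking that port (and Telnet) at the network edge limits exposure until the device is replaced, as the report recommends.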
Because Yarmak did not intend to report the vulnerability, no firmware patches are available. Instead, the researcher has released proof-of-concept (PoC) code that can be used to test whether a “smart” device runs the vulnerable firmware.
If you own a vulnerable device, Yarmak's advice is to ditch it and replace it with a better one. The proof-of-concept code is available on GitHub, and build and usage instructions for the PoC are in the Habr post.
The fear is that tens of thousands of devices might be affected, because Hangzhou Xiongmai Technology Co. usually makes white-label products, which means other brands sell these devices under their own names.
Yarmak also cited the work of another researcher who, in September 2017, tracked down the same backdoor mechanism in firmware used by DVRs sold by tens of vendors.