That’s Just Huawei It Is
Remember last year when the news was abuzz with stories about a magical chip hidden on SuperMicro boards which turned out to be almost completely bunk, but did remind us that other hardware and software backdoors have indeed been found in products in the past? Well, welcome back to that topic after the lead product security engineer at Salesforce, Alexei Kojenov, with a little help from shodan.io, discovered a bevy of bugs in the hi3520d chipset from HiSilicon, a subsidiary of Huawei.
The chipsets in question are video encoders, handling IPTV, H.264 and H.265, which are sold by a variety of companies such as URayTech, J-Tech Digital, Oupree, Digicast and Pro Video Instruments. Analysis showed the software running on those products to be vulnerable to at least some, if not all of the discovered issues. The flaws allow remote attackers bypass authentication to execute arbitrary code and other nefarious actions on a vulnerable system. As with most IoT things, the vast majority of the components have not been patched and more than a few will be unable to be fixed.
Statements from Huawei and HiSilcon deny any involvement in these flaws whatsoever, suggesting that someone else inserted the backdoors and hardcoded passwords. As these are software vulnerabilities and not found directly on the hardware it is theoretically possible that they are innocent this time. On the other hand, they have been caught doing similar things in the past and there are no leads on any other company which would have been involved with design all of the various affected hardware.
Keep an eye out for more information, and hopefully you and your city’s security systems aren’t dependent on the equipment listed in the various links from The Register. You can always check Insecam.org to see if they start offering a lot of new streams in the near future as well.