Security researcher Vladislav Yarmak has published details about a backdoor mechanism he discovered in Xiongmai firmware, used by millions of smart devices across the globe, such as security cameras, DVRs, NVRs, and others. A firmware fix is not currently available as Yarmak did not report the issue to the company, citing a lack of trust in the vendor to properly fix the issue.
In a detailed technical rundown that Yarmak published on Habr, the security researcher says the backdoor mechanism is a mash-up of four older security bugs/backdoors that were initially discovered and made public in March 2013, March 2017, July 2017, and September 2017 — and which the vendor failed to adequately fix.
According to Yarmak, the backdoor can be exploited by sending a series of commands over TCP port 9530 to devices that use HiSilicon chips and Xiongmai firmware. The commands, which are the equivalent of a secret knock, enable the Telnet service on a vulnerable device.
Yarmak says that once the Telnet service is up and running, the attacker can log in with one of six Telnet credentials listed below, and gain access to a root account that grants them complete control over a vulnerable device.
These Telnet logins were found in previous years to be hardcoded in the firmware, but despite public disclosures and their abuse by Mirai botnets, Yarmak says the hardcoded credentials were left in place, while the vendor chose to disable the Telnet daemon instead.
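The two-step pattern described above (a connection to the TCP 9530 knock service on a device, followed shortly by a Telnet login to the same device) is something a network defender can look for in flow logs. The following detection logic is an added example written for this article, not code from Yarmak's PoC; the log format, host addresses and the ten-minute correlation window are assumptions, and the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample flow log (not from the article): "timestamp src dst dport".
# 10.0.0.7 knocks on 192.168.1.50 and then opens Telnet within the window;
# 10.0.0.9 opens Telnet with no prior knock; the knock on 192.168.1.52 is
# followed by Telnet only much later, outside the window.
SAMPLE_FLOWS = """\
2020-02-05T10:00:01 10.0.0.7 192.168.1.50 9530
2020-02-05T10:00:02 10.0.0.7 192.168.1.50 9530
2020-02-05T10:00:09 10.0.0.7 192.168.1.50 23
2020-02-05T10:05:00 10.0.0.9 192.168.1.51 23
2020-02-05T10:07:00 10.0.0.7 192.168.1.52 9530
2020-02-05T11:30:00 10.0.0.7 192.168.1.52 23
"""

KNOCK_PORT = 9530   # port of the "secret knock" service named in the article
TELNET_PORT = 23    # Telnet daemon enabled by the knock
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_flows(text):
    """Parse the assumed log format into sorted (ts, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts = datetime.fromisoformat(m.group(1))
        flows.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return sorted(flows)


def detect_knock_then_telnet(flows, window=timedelta(minutes=10)):
    """Return (src, dst, telnet_ts) for each Telnet connection that was preceded,
    within `window`, by a connection from the same source to port 9530 on the
    same destination. Telnet with no prior knock is not reported here."""
    last_knock = {}  # (src, dst) -> timestamp of most recent knock
    hits = []
    for ts, src, dst, dport in flows:
        if dport == KNOCK_PORT:
            last_knock[(src, dst)] = ts
        elif dport == TELNET_PORT:
            knock_ts = last_knock.get((src, dst))
            if knock_ts is not None and ts - knock_ts <= window:
                hits.append((src, dst, ts))
    return hits


if __name__ == "__main__":
    for src, dst, ts in detect_knock_then_telnet(parse_flows(SAMPLE_FLOWS)):
        print(f"{ts.isoformat()} knock+telnet from {src} to {dst}")
```

A device that answers on TCP 9530 at all is worth inventorying regardless of whether a Telnet login follows, since the article's point is that the knock service itself is the backdoor.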
Because Yarmak did not intend to report the vulnerability, firmware patches are not available. Instead, the security researcher has created proof-of-concept (PoC) code that can be used to test if a “smart” device runs on the vulnerable firmware.
If a device is found to be vulnerable, the Russian researcher advises that device owners should ditch and replace the equipment. The proof-of-concept code is available on GitHub. Build and usage instructions for the PoC are available in the Habr post.
This backdoor is said to likely be on a countless number of devices, as Hangzhou Xiongmai Technology Co, which manufactures the Xiongmai firmware, is a known seller of white-label products sold under tens of other brands. The researcher cited the work of another researcher who in September 2017 tracked down the same backdoor mechanism in the firmware used by DVRs sold by tens of vendors.