Huawei Says No Way They Knew About Those Backdoors
That’s Just Huawei It Is
Remember last year when the news was abuzz with stories about a magical chip hidden on SuperMicro boards which turned out to be almost completely bunk, but did remind us that other hardware and software backdoors have indeed been found in products in the past? Well, welcome back to that topic after the lead product security engineer at Salesforce, Alexei Kojenov, with a little help from shodan.io, discovered a bevy of bugs in the hi3520d chipset from HiSilicon, a subsidiary of Huawei.
The chipsets in question are video encoders, handling IPTV, H.264 and H.265, which are sold by a variety of companies such as URayTech, J-Tech Digital, Oupree, Digicast and Pro Video Instruments. Analysis showed the software running on those products to be vulnerable to at least some, if not all, of the discovered issues. The flaws allow remote attackers to bypass authentication, execute arbitrary code and take other nefarious actions on a vulnerable system. As with most IoT things, the vast majority of the components have not been patched and more than a few will be unable to be fixed.
Statements from Huawei and HiSilicon deny any involvement in these flaws whatsoever, suggesting that someone else inserted the backdoors and hardcoded passwords. As these are software vulnerabilities and not found directly on the hardware, it is theoretically possible that they are innocent this time. On the other hand, they have been caught doing similar things in the past, and there are no leads on any other company which would have been involved with the design of all of the various affected hardware.
Keep an eye out for more information, and hopefully you and your city’s security systems aren’t dependent on the equipment listed in the various links from The Register. You can always check Insecam.org to see if they start offering a lot of new streams in the near future as well.
Hardware video encoders from multiple suppliers contain several critical security bugs that allow a remote unauthenticated miscreant to run arbitrary code on the equipment.
More Tech News From Around The Web
- AMD to grab 20% share of notebook processor market in 2020 @ DigiTimes
- Google bans stalkerware apps from Android store. Which is cool but… why were they allowed in the first place? @ The Register
- Hubble Captures Crisp New Image of Jupiter and Europa @ Slashdot
- Listening To An IPhone With AM Radio @ Hackaday
- Sony Makes It Official: PlayStation 5 Won’t Natively Support PS1, PS2, PS3 @ Slashdot
- NBC Threatens To Black Out Apps on Roku in Dispute Over Peacock @ Slashdot
First time I looked at the image I somehow thought it was a fancy Japanese urinal – like the camera eye was the drain. I thought the joke was going to be a backdoor in the thing looking in through your front door.