Huawei Says No Way They Knew About Those Backdoors

Source: The Register

That’s Just Huawei It Is

Remember last year when the news was abuzz with stories about a magical chip hidden on SuperMicro boards which turned out to be almost completely bunk, but did remind us that other hardware and software backdoors have indeed been found in products in the past?  Well, welcome back to that topic after the lead product security engineer at Salesforce, Alexei Kojenov, with a little help from shodan.io, discovered a bevy of bugs in the hi3520d chipset from HiSilicon, a subsidiary of Huawei.

The chipsets in question are video encoders, handling IPTV, H.264 and H.265, which are sold by a variety of companies such as URayTech, J-Tech Digital, Oupree, Digicast and Pro Video Instruments.  Analysis showed the software running on those products to be vulnerable to at least some, if not all, of the discovered issues.  The flaws allow remote attackers to bypass authentication in order to execute arbitrary code and perform other nefarious actions on a vulnerable system.  As with most IoT things, the vast majority of the components have not been patched and more than a few will be unable to be fixed.

Statements from Huawei and HiSilicon deny any involvement in these flaws whatsoever, suggesting that someone else inserted the backdoors and hardcoded passwords.  As these are software vulnerabilities and not found directly on the hardware, it is theoretically possible that they are innocent this time.  On the other hand, they have been caught doing similar things in the past, and there are no leads on any other company which would have been involved with the design of all of the various affected hardware.

Keep an eye out for more information, and hopefully you and your city’s security systems aren’t dependent on the equipment listed in the various links from The Register.  You can always check Insecam.org to see if they start offering a lot of new streams in the near future as well.

Hardware video encoders from multiple suppliers contain several critical security bugs that allow a remote unauthenticated miscreant to run arbitrary code on the equipment.

About The Author

Jeremy Hellstrom

Call it K7M.com, AMDMB.com, or PC Perspective, Jeremy has been hanging out and then working with the gang here for years. Apart from the front page you might find him on the BOINC Forums or possibly the Fraggin' Frogs if he has the time.

1 Comment

  1. Trey

    First time I looked at the image I somehow thought it was a fancy Japanese urinal – like the camera eye was the drain. I thought the joke was going to be a backdoor in the thing looking in through your front door.
