HiSilicon is a global leading fabless semiconductor and IC design company that is dedicated to providing comprehensive connectivity and multimedia chipset solutions for global equipment vendors in fields such as video surveillance, set-top boxes, and smart homes.
The vulnerability response of video surveillance devices may involve different stakeholders such as vulnerability research organizations/individuals, chip suppliers, component suppliers, equipment vendors, and end users. It is necessary to clearly understand the complexity of the supply chain. Any part of the supply chain may introduce vulnerabilities, which increases the difficulty in vulnerability response. Coordinated vulnerability disclosure is the best practice in the industry in this scenario. As an important part of the supply chain of video surveillance devices, HiSilicon is willing to cooperate with stakeholders in the industry to cope with cyber security risks through coordinated vulnerability disclosure and protect the interests of end users.
HiSilicon noticed the media report about the suspected security issue in DVRs/NVRs built on HiSilicon video surveillance chips on February 4, 2020: The Telnet service can be enabled via TCP port 9530 and the default password can be exploited to log in and gain control over the device. HiSilicon immediately investigates the security issue mentioned in the report and provides our investigation results as follows:
The researcher did not explicitly state product models and equipment vendors but inferred that the vulnerability is introduced by HiSilicon chips merely based on that the products use HiSilicon chips and that the firmware obtains the Telnet login password from the /etc/passwd file and logs in to Telnet to get root shell.
The research report said that the Telnet service that is disabled by default on the device can be enabled through TCP port 9530, and then the attacker can brute force the device to gain control over the device.
The article also mentioned four vulnerabilities back from 2013 to 2017. HiSilicon analyzed the vulnerabilities and found that they were not introduced by the chips or SDKs provided by HiSilicon.
Huawei has got in touch with the researcher and made technical clarifications. The researcher has updated the blog information, stating that HiSilicon cannot be blamed for the issue in the specified binary. To protect the customer's interests, HiSilicon has informed the equipment vendor for immediate handling.
The following figure shows the logic of the HiSilicon chip in an entire device.
In this figure, the components marked in blue are delivered by HiSilicon; the parts marked in green are open-source code, and HiSilicon provides it as reference code to equipment vendors; the applications marked in orange are delivered by equipment vendors. The PSK and authentication management mechanisms mentioned in the reported research are categorized as the contents marked in orange and are delivered by equipment vendors.
HiSilicon offers SDK versions to subscribed customers via the HiSupport website. The reference code (contents marked in green) in SDK versions contains development and debugging interfaces commonly used in the industry, for example, the serial port, Telnet, and JTAG interfaces, which can be used by downstream equipment vendors for secondary development. This is a common practice of chip vendors in the industry. Telnet is disabled by default, and there is no default user password. In addition, HiSilicon provides the Cyber Security Precautions for Secondary Development to equipment vendors along with the software package. The Cyber Security Precautions for Secondary Development strongly advises customers to delete the Telnet function and other functions concerning risky services from final mass production versions and provides specific methods to do so. Huawei (and its affiliates worldwide, including HiSilicon) has long committed that it has not and will never place backdoors nor allow anyone else to do so.
The report mentioned the fact that the tested devices have telnet access. As an important part of the supply chain of video surveillance devices, HiSilicon is willing to collaborate with downstream equipment vendors and researchers through coordinated response to cyber security risks brought by the vulnerability and protect the interests of end users.
Note: All Huawei equipment that uses HiSilicon video surveillance chips has already had risky services such as Telnet deleted, in accordance with the Cyber Security Precautions for Secondary Development and therefore does not contain the vulnerability mentioned in the report.
2020-02-06 V1.2 UPDATED Update the Technical Analysis Report
2020-02-05 V1.1 UPDATED Added the Technical Analysis Report
2020-02-05 V1.0 INITIAL
Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.
To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.
To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.
Customers should contact Huawei TAC (Huawei Technical Assistance Center) to get necessary support for product security vulnerabilities. For TAC contact information, please refer to Huawei worldwide website at: http://www.huawei.com/en/psirt/report-vulnerabilities.