HiSilicon is a leading global fabless semiconductor and IC design company dedicated to providing comprehensive connectivity and multimedia chipset solutions to equipment vendors worldwide in fields such as video surveillance, set-top boxes, and smart homes.
Vulnerability response for video surveillance devices may involve many stakeholders, such as vulnerability research organizations and individuals, chip suppliers, component suppliers, equipment vendors, and end users. The complexity of the supply chain must be clearly understood: any part of it may introduce vulnerabilities, which makes vulnerability response more difficult. In this scenario, coordinated vulnerability disclosure is the industry best practice. As an important part of the video surveillance device supply chain, HiSilicon is willing to cooperate with stakeholders across the industry to address cyber security risks through coordinated vulnerability disclosure and to protect the interests of end users.
On September 16, 2020, HiSilicon noticed that some media outlets had reproduced a researcher's report about security vulnerabilities in DVRs/NVRs built on the HiSilicon HI3520DV400 video surveillance chip: CVE-2020-24214, CVE-2020-24215, CVE-2020-24216, CVE-2020-24217, CVE-2020-24218, and CVE-2020-24219. Our findings from an immediate investigation are as follows:
HiSilicon provides customers (equipment vendors) with chips, operating system kernels (such as a specific version of the Linux kernel), and SDK development platforms (mainly drivers), on which they design and develop their products. The following figure shows the logical position of the HiSilicon chip in a device.
Figure 1-1 Logic of the HiSilicon chip in a device
In this figure, the components marked in blue are delivered by HiSilicon; the parts marked in green are open-source code, which HiSilicon provides to equipment vendors as reference code; the applications marked in orange are delivered by the equipment vendors.
We have analyzed the security vulnerabilities mentioned by the researcher as follows:
The preceding analysis shows that all vulnerabilities mentioned in the report exist in the applications of equipment vendors (marked in orange in Figure 1-1). These vulnerabilities are not introduced by the chips and SDKs provided by HiSilicon.
As an important part of the video surveillance device supply chain, HiSilicon is willing to collaborate with downstream equipment vendors and researchers in a coordinated response to the cyber security risks posed by the vulnerabilities mentioned in the report, and to protect the interests of end users.
2020-09-17 V1.1 UPDATED Added the Technical Analysis Report
2020-09-17 V1.0 INITIAL
Huawei adheres to protecting the ultimate interests of users with best efforts and to the principle of responsible disclosure, and deals with product security issues through our response mechanism.
To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.
To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.
Customers should contact Huawei TAC (Huawei Technical Assistance Center) to get necessary support for product security vulnerabilities. For TAC contact information, please refer to Huawei worldwide website at: http://www.huawei.com/en/psirt/report-vulnerabilities.