More security issues for Huawei. But the company may have nothing to do with them

There is a good saying: “it never happened before, and here it is again.” It describes the situation around Chinese companies better than anything else. Other manufacturers often face similar problems, but Chinese companies run into them much more often. Now a new vulnerability has been found, of the kind commonly called a backdoor. It was found in hardware produced by HiSilicon, a Huawei subsidiary. This vulnerability allows not only spying on the victim, but even taking control of the victim's device. Unpleasant hardware features like this do turn up from time to time. But let's talk about this in more detail.

Huawei has another security problem. But is the company to blame?

Huawei vulnerability

The crux of the problem lies in the fact that the video processing equipment contains several critical security bugs that allow a remote unauthenticated attacker to run arbitrary code on this equipment.

In a post this week, Alexey Kozhenov, Lead Product Security Engineer at Salesforce, elaborated on the issues with the hi3520d chipset created by HiSilicon, a Huawei subsidiary. The security holes exist in software of unknown origin.

“Vulnerabilities exist in application software running on these devices,” Kozhenov said in his post. “All vulnerabilities can be exploited remotely and could lead to confidential information disclosure, denial of service, and remote code execution. The latter can lead to complete capture of the device.”

Critical flaws include an administrative interface with a backdoor password, root access via telnet, and unauthenticated file uploads, which allow malicious code to be executed and commands to be injected. All of this can be used remotely to hijack vulnerable equipment. Kozhenov also noted vulnerabilities of high and medium severity, namely a buffer overflow and a way to access RTSP video streams without authorization.

To many, what is written above may mean nothing, but it is enough to know that by taking advantage of these flaws, attackers can take control of your device or download personal information from it.
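For operators of such devices, the RTSP flaw mentioned above can be checked from the defender's side: a DESCRIBE request sent without credentials should be answered with 401 and an authentication challenge, not with the stream description. The sketch below is an added example, not code from Kozhenov's post or from any vendor; the function names, the default stream path "/" and the sample replies are assumptions constructed for illustration.

```python
import socket

def build_describe(url: str, cseq: int = 1) -> bytes:
    """RTSP DESCRIBE request that deliberately carries no Authorization header."""
    return (f"DESCRIBE {url} RTSP/1.0\r\nCSeq: {cseq}\r\n"
            "Accept: application/sdp\r\n\r\n").encode("ascii")

def classify_rtsp_reply(raw: bytes) -> str:
    """Classify a DESCRIBE reply: 'open', 'auth-digest', 'auth-basic' or 'inconclusive'."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        return "inconclusive"          # not an RTSP status line
    status = int(parts[1])
    schemes = set()
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate" and value.strip():
            schemes.add(value.split()[0].lower())
    if status == 200:
        return "open"                  # stream description served without credentials
    if status == 401 and "digest" in schemes:
        return "auth-digest"
    if status == 401 and "basic" in schemes:
        return "auth-basic"            # password crosses the network only base64-encoded
    return "inconclusive"              # 404, 5xx, 401 without a challenge, etc.

def check_own_device(host: str, port: int = 554, path: str = "/", timeout: float = 3.0) -> str:
    """Probe an encoder you administer. The stream path is device-specific (assumption)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_describe(f"rtsp://{host}:{port}{path}"))
        return classify_rtsp_reply(sock.recv(4096))

# Constructed sample replies (not captured from any real device).
SAMPLE_OPEN = b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n\r\nv=0\r\n"
SAMPLE_DIGEST = (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
                 b'WWW-Authenticate: Digest realm="encoder", nonce="0123abcd"\r\n\r\n')
SAMPLE_BASIC = b'RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\nWWW-Authenticate: Basic realm="encoder"\r\n\r\n'
SAMPLE_404 = b"RTSP/1.0 404 Not Found\r\nCSeq: 1\r\n\r\n"

if __name__ == "__main__":
    for name, reply in [("open", SAMPLE_OPEN), ("digest", SAMPLE_DIGEST),
                        ("basic", SAMPLE_BASIC), ("404", SAMPLE_404)]:
        print(name, "->", classify_rtsp_reply(reply))
```

A result of "open" on a production encoder means the stream should be placed behind authentication or a network boundary; "inconclusive" usually means the path does not match the device's stream URL.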

Safety comes first!

How Huawei treats security

Huawei insists that the vulnerabilities are not related to its HiSilicon chips or to the SDK code that it provides to manufacturers using its components. If this is true, then what happened is almost a coincidence. In theory, it could be that the vulnerable devices, in addition to the HiSilicon chip, contain other hardware and software that is as leaky as Swiss cheese.

In a statement posted online by the company, a Huawei spokesman said: “Following media reports of alleged security issues in HiSilicon video processing chips, on September 16, 2020, Huawei launched an immediate investigation. After technical analysis, it was confirmed that none of the vulnerabilities were introduced by the HiSilicon chips. Huawei advocates the coordinated disclosure of vulnerabilities by all organizations and individuals in the security industry. This will reduce the impact on the outcome of the investigation.”

The CERT Coordination Center at CMU reported that the vulnerabilities exist in various network services running on devices from different manufacturers that use HiSilicon components. They are the result of software errors such as insufficient input validation and hard-coded credentials.

We think that only smartphones and computers are at risk, but this is not the case.

Which devices are vulnerable to attackers

Kozhenov says he analyzed decoders from URayTech, J-Tech Digital and Pro Video Instruments and found that their devices are affected by some or all of the flaws found. He has also identified several other vendors offering products based on the same chipset and believes they may also have the above security flaws. Among them is equipment from Network Technologies Incorporated, Oupree, MINE Technology, Blankom, ISEEVY, Orivison, WorldKast / procoder and Digicast.

This state of affairs cannot please a company that is already in a difficult situation. While its phone business is falling apart, Huawei is trying to save something. Such scandals and discovered vulnerabilities clearly do not help.

Time will tell how events will develop further, but at this stage, the investigation proposed by Huawei looks like the most correct decision for the company. It is the first among those interested in establishing the truth.
