Replacing the systems with secure cameras recommended

Feb 6, 2020 06:30 GMT  ·  By

Security researchers have discovered a firmware backdoor in surveillance cameras that use a HiSilicon SoC. A successful attack would allow virtually anyone to gain root shell access and take control of the device.

An in-depth analysis of the vulnerability published this week reveals that all brands which installed the firmware on their digital video recorder (DVR) and network video recorder (NVR) cameras are affected, with a comprehensive list available on this GitHub page.

Similar issues were discovered in the same firmware several years ago, after researchers figured out an easy way to recover a static root password for telnet access from the firmware image.

Replacing the surveillance system, the recommended solution

The developing company released new firmware versions that disabled the telnet and debug ports by default, but opened port 9530/tcp instead to allow remote access. The static password is the same on all devices, researchers warn.

“Most recent firmware versions have open port 9530/tcp listening for special commands, but require cryptographic challenge-response authentication for them to be committed,” the backdoor analysis reads. “Apparently, all these years HiSilicon was unwilling or incapable to provide adequate security fixes for same backdoor which, by the way, was implemented intentionally.”

The worst thing is that the firmware developers are very unlikely to come up with a patch, so researchers explain that the only way to get rid of the backdoor is to actually replace the surveillance systems entirely.

If this isn’t possible, for instance because of the cost, owners should at least restrict network access to the devices to trusted users only, so that anyone trying to take advantage of the backdoor cannot connect.

“Ports involved in this vulnerability is 23/tcp, 9530/tcp, 9527/tcp, but earlier researches indicate there is no confidence other services implementation is solid and doesn't contain RCE vulnerabilities,” researchers explain.

An attacker who manages to connect to a surveillance system can also grab password hashes and even change the password.
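To check that the access restriction recommended above is actually holding, firewall or flow logs can be audited for connections that reach the recorders from outside the trusted networks. The following is an added example, not code from the article or from the researchers; the log format, addresses and network ranges are constructed assumptions, and only the three port numbers come from the analysis quoted above.

```python
import ipaddress

# Ports named in the researchers' analysis quoted above.
BACKDOOR_PORTS = {23, 9530, 9527}

# Assumptions for this example (hypothetical ranges, not from the article).
CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")       # DVR/NVR VLAN
TRUSTED_NETS = [ipaddress.ip_network("10.10.5.0/28")]   # management hosts

# Constructed flow records: "timestamp src dst dport action"
SAMPLE_LOG = """\
2020-02-06T07:00:01Z 10.10.5.3 10.20.0.15 9530 ACCEPT
2020-02-06T07:00:09Z 203.0.113.77 10.20.0.15 9530 ACCEPT
2020-02-06T07:01:12Z 10.30.1.44 10.20.0.16 23 DROP
2020-02-06T07:02:30Z 10.30.1.44 10.20.0.16 554 ACCEPT
2020-02-06T07:03:02Z 10.10.5.3 10.99.0.1 23 ACCEPT
not a flow record
"""

def audit(log_text):
    """Return (severity, src, dst, port) for untrusted traffic to recorders."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        _ts, src, dst, dport, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # skip unparsable addresses or ports
        if dst_ip not in CAMERA_NET:
            continue  # destination is not one of our recorders
        if any(src_ip in net for net in TRUSTED_NETS):
            continue  # expected management traffic
        if action != "ACCEPT":
            severity = "blocked"    # the restriction worked; source still worth noting
        elif port in BACKDOOR_PORTS:
            severity = "critical"   # untrusted host reached a backdoor-related port
        else:
            severity = "review"     # other services are not assumed to be solid
        findings.append((severity, src, dst, port))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Any "critical" or "review" finding means the recorder is reachable from a host that should not be able to connect to it.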