Technological devices developed and manufactured in China remain a threat to the privacy and data protection of users around the world. Recent reports state that Huawei installed a rudimentary and unsecure backdoor on millions of surveillance devices including chips from HiSilicon, a subsidiary of the Chinese tech giant.
This backdoor exists in the form of a remote debugging tool in the firmware of video cameras produced by the company, and could be used on a local network to inject commands into vulnerable devices.
Data protection experts point out that this vulnerability lies in the software that HiSilicon produces for its customers; allegedly compromised components are employed by countless security system manufacturers installed in business, industrial and government environments.
Vladislav Yarmak, pseudonym of the editor of this report, says that this is a really simple, obvious and insecure backdoor. “The firmware opens a service on TCP port 9530. By connecting to this port it is possible to exchange some data to agree on a randomly generated session key to encrypt the rest of communications with the software. Subsequently, a Telnet OpenOnce request is sent to instruct the device to open a Telnet service,” Yarmak says. If everything goes according to plan, a Telnet daemon starts on TCP port 9527.
While Yarmak believes this is not a critical or easily exploitable flaw, it does believe it is a sign of the poor commitment that Huawei (and many other technology firms) has shown with user data protection. So far, neither Huawei nor HiSilicon has responded to questions.
Although specialists from the International Cyber Security Institute (IICS), among others, have externalized their concern about this finding and its potential reach of millions of devices, Yarmak states that, during its scans using Shodan, it has only 13 exposed devices with port 9530 open detected. Still, it is Huawei’s responsibility to speak out on this finding, especially in the face of the complex picture facing the company regarding its potential with the Chinese government, which has generated multiple business problems, including potential ban in the U.S.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.
