IoT and surveillance devices that use Xiongmai Tech firmware discovered to have zero-day backdoor mechanism

Russian security researcher Vladislav Yarmak discovered a backdoor mechanism integrated into DVR/NVR devices built on top of HiSilicon SoC. He published a full-disclosure report on Habr, a Russian IT and Computer Science blog.

The backdoor mechanism is implemented using a mix of exploits that take advantage of bugs discovered years ago, with some dating as early as March 2013.

HiSilicon, a fabless Chinese semiconductor company fully owned by Huawei, was inferred to be responsible for the backdoor mechanism. An earlier version of the HiSilicon firmware came with telnet access enabled using a static root password that can be easily recovered from the firmware image.

In 2017, Istvan Toth did a comprehensive and detailed analysis of the firmware and discovered multiple vulnerabilities in the firmware and its built-in web server.

He also published a list of brands with the affected firmware on this GitHub page. The list contains hundreds of products across at least a dozen brands.

Subsequent versions of the firmware had their telnet access and the debug port (9527/tcp) disabled by default. Another port, 9530/tcp, was opened instead to receive a special command to start the telnet daemon and enable shell access with the same static password. This was intentionally baked into the firmware.

Huawei published an official media statement stating that they are not responsible for the discovered vulnerabilities. In addition, they said that they and their affiliates, including HiSilicon, have long committed that they have not installed and will not install backdoors, nor will they allow their vendors to do the same.

It was later determined by other security researchers that only devices using Xiongmai firmware are affected by the vulnerabilities.

Xiongmai (Hangzhou Xiongmai Technology Co, XMtech) is a Chinese technology company founded in 2009 that develops IoT and surveillance devices such as DVR, NVR and IP Cameras.

Given that the vulnerabilities remain unpatched and the company is not responding to the disclosure, it is advised that devices using Xiongmai software be replaced. If replacing these devices is not possible, then it is best to restrict network access to them to trusted users only. The ports involved in this vulnerability are 23/tcp, 9530/tcp and 9527/tcp, and they should be blocked from external access.
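The following is an added example (not from the article or from any of the vendors named in it) of how the mitigation above can be applied on a gateway or firewall that sits between the DVR/NVR network and everything else: it generates an nftables ruleset that allows 23/tcp, 9527/tcp and 9530/tcp only from a trusted management subnet and logs-and-drops every other attempt to reach those ports on the camera network, and it includes a small helper that summarises the resulting kernel log lines by source address. The subnets, interface names and log lines are constructed placeholders; adjust them to your own network before loading the ruleset with `nft -f`.

```shell
#!/bin/sh
# Added example: confine the three ports named in the advisory to a trusted
# management network. This runs on the gateway in front of the DVR/NVR VLAN,
# not on the devices themselves (their firmware is not patchable by the owner).

# 23/tcp = telnet, 9527/tcp = debug port, 9530/tcp = telnet-enable trigger port
XM_PORTS="23 9527 9530"

# Print an nftables ruleset for the forward hook.
#   $1 = camera/DVR VLAN CIDR (the devices)      e.g. 10.10.50.0/24  (assumed)
#   $2 = trusted management CIDR (allowed admins) e.g. 10.10.1.0/24   (assumed)
# Rules are evaluated in order, so for each port the trusted-source accept
# comes first and the catch-all log+drop for that port comes second.
xm_ruleset() {
    cam="$1"
    trusted="$2"
    printf 'table inet xm_backdoor_guard {\n'
    printf '    chain forward {\n'
    printf '        type filter hook forward priority 0; policy accept;\n'
    for p in $XM_PORTS; do
        printf '        ip saddr %s ip daddr %s tcp dport %s accept\n' "$trusted" "$cam" "$p"
        printf '        ip daddr %s tcp dport %s log prefix "xm-port-%s-blocked: " drop\n' "$cam" "$p" "$p"
    done
    printf '    }\n'
    printf '}\n'
}

# Read kernel log lines produced by the "log prefix" rules above from stdin and
# print "<count> <source-ip>" per source, most active first. Useful for spotting
# which external hosts keep probing the backdoor ports.
xm_blocked_sources() {
    grep 'xm-port-[0-9]*-blocked:' \
        | grep -o 'SRC=[0-9.]*' \
        | sed 's/^SRC=//' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Constructed sample of what the gateway's kernel log would contain once the
# ruleset is active (two distinct external sources, three blocked attempts).
XM_SAMPLE_LOG='Feb 10 12:01:02 gw kernel: xm-port-9530-blocked: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.10.50.21 PROTO=TCP DPT=9530
Feb 10 12:01:05 gw kernel: xm-port-23-blocked: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.10.50.21 PROTO=TCP DPT=23
Feb 10 12:03:44 gw kernel: xm-port-9530-blocked: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.10.50.22 PROTO=TCP DPT=9530'

# Usage (assumed subnets). To apply on a Linux gateway, review the output and
# then load it with:  xm_ruleset 10.10.50.0/24 10.10.1.0/24 | nft -f -
xm_ruleset 10.10.50.0/24 10.10.1.0/24
printf '%s\n' "$XM_SAMPLE_LOG" | xm_blocked_sources
```

Because the forward chain's policy stays `accept`, ordinary traffic to the devices (for example the RTSP or HTTP ports used by the recording software) is unaffected; only the three advisory ports are gated. The `log prefix` keeps the blocked attempts visible in the kernel log so that the `xm_blocked_sources` summary, or any log shipper, can turn them into an alert.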