Researchers have uncovered a backdoor in firmware made by China-based Hangzhou Xiongmai Technology and used in digital video recorder (DVR) and network video recorder (NVR) cameras often used for surveillance. Detailed this week, the issue affects many brands that have licensed the firmware from Xiaongmai. You can find a full list of affected devices here.
In 2016, Xiaongmai was also hit with a recall order by the U.S. government, due to the Mirai botnet enabling backdoors in its products.
Earlier versions of the firmware relied on access to telnet, a network protocol for remote connections, to be enabled by default. The researchers said it did this through use of "a static root password which can be recovered from firmware image with (relatively) little computation effort." A Russian security researcher found this hardcoded backdoor for the first time in 2013. He also discovered multiple remote code execution bugs in the built-in server.
More recent firmware versions did come with disabled telnet access but also had open port 9530/tcp "listening for special commands." Xiaongmai “upgraded” the remote root access connection by requiring cryptographic authentication. But while these upgrades may have made it more difficult for bot makers or other attackers to gain full access, it doesn’t change the fact that Xiaongmai has maintained its (now slightly more hidden) remote root access to all security camera systems powered by its firmware.
The company still kept a short list of static passwords it could use to login remotely and take over anyone's security camera system, just as any other third-party could, too, once they'd discover the backdoor. The good news is that this sort of poor security hygiene and use of default passwords will soon be illegal at least in the European Union and United Kingdom, as both have recently said that they will ban default passwords on Internet of Things (IoT) devices.
Even if the backdoors were not maliciously created by Xiaongmai, these sort of security issues leave the door wide open for other malicious parties to come right in and take over millions of IoT devices at once via bots. These bots can then go on and wreck havoc against online services, while also making the backdoored products dysfunctional.