back to article We found a hidden backdoor in Chinese Internet of Things devices – researchers

IoT devices from a Chinese vendor contain a weird backdoor that the vendor is refusing to fix, we're told. The vulnerability was discovered in almost all devices produced by VoIP specialist dbltek, and appears to have been purposely built in as a debugging aid, according to researchers at TrustWave. The infosec biz says that …

  1. sorry, what?
    Devil

    I realized there is a self-describing acronym for use of IoT...

    I Do Internet Of Things.

    1. DNTP

      Re: I realized there is a self-describing acronym for use of IoT...

      but what if

      I Don't Internet Of Things

      1. Dylan Fahey

        Re: I realized there is a self-describing acronym for use of IoT...

        but what if

        Ancient Aliens access this device to travel to earth and abuse our women, and rape our cattle?

    2. Steve Davies 3 Silver badge
      Holmes

      Re: I realized there is a self-describing acronym for use of IoT...

      Don't you mean

      Idiots Or Twats

      are those who use this crap.

      Mind you who is at all surprised by this. This is probably the first of many.

      Beware. If you use this stuff then you might get more than you imagined.

    3. Destroy All Monsters Silver badge
      Paris Hilton

      Re: I realized there is a self-describing acronym for use of IoT...

      Your PC is not connected to the Internet?

      1. Anonymous Coward
        Anonymous Coward

        Re: I realized there is a self-describing acronym for use of IoT...

        "Your PC is not connected to the Internet?"

        No, only Facebook.

      2. eldakka Silver badge

        Re: I realized there is a self-describing acronym for use of IoT...

        "Your PC is not connected to the Internet?"

        Nope, my PC is connected to the local network with a non-routeable address, and has to traverse a NATting firewall to access anything on the internet.

        Most of these Internet of Trash devices get into trouble because many of them ARE directly connected to the internet, with no firewall between them and the Internet.

        1. Anonymous Coward
          Anonymous Coward

          Re: I realized there is a self-describing acronym for use of IoT...

          Your PC is still connected to the internet, however indirectly.

          Also, NAT is not what is saving you there - it is your Firewall. NAT is NOT a security mechanism...

          This is not really an IoT device either, it is just a crap embedded device that many people have connected to the internet/their internal network without a suitable set of firewall rules.

    4. Anonymous Coward
      Anonymous Coward

      Shorten to 'Idiot(s) of Things'???

      "Re: I realized there is a self-describing acronym for use of IoT..."

  2. Alister Silver badge

    I'm not sure I would classify VoIP GSM Gateways as an IoT device, really, it's more a network device like a router or switch.

  3. inmypjs Silver badge

    FFS since when is a GSM to VOIP gateway...

    an internet thing?

    The linked article does not contain IOT or even the word thing so I'll put it down to dumb reporting.

    1. Christian Berger Silver badge

      Re: FFS since when is a GSM to VOIP gateway...

      In deed! In fact such a device typically would be next to your PBX behind NAT and probably with no Internet access at all. For example we have a setup with another GSM to VoIP gateway which is on a separate network with one server and an ISDN to VoIP gateway... all with no Internet access.

    2. Bucky 2

      Re: FFS since when is a GSM to VOIP gateway...

      I find the "Fake News" term boils down to sloppy reporting combined with indifferent editing. I just hate to validate a term popularized by You Know Who.

      1. Anonymous Coward
        Anonymous Coward

        Re: FFS since when is a GSM to VOIP gateway...

        This device is very much like a consumer wifi router, which is most definitely an IOT device - cheap, throwaway after a couple years, insecure as fuck.

        Of course it's IOT.

      2. MonkeyCee Silver badge

        Re: FFS since when is a GSM to VOIP gateway...

        "I find the "Fake News" term boils down to sloppy reporting combined with indifferent editing"

        Erm, no. That's not what fake news is. It originally was used to describe events that did not happen, that are being presented as having occurred, in order to elicit a particular response or confirm a particular viewpoint. It's the latest new/old thing in terms of propaganda and misinformation.

        Most "proper" reporting involves some element of cherry picking or selectively ignoring facts that don't suit your narrative, rather than outright lies. Outlets that deliberately lie for satirical effect only get away with it because it is considered clear that it is not to be trusted. Same for gossip mags and Weird News type publications. Places like InfoWars and Breitbart (and equivalents from the loony left) should come with the same "pinch of salt" type deal.

        What the Donald does is declare any story he dislikes, or feels does not 100% represent his views as "fake news", which also helpfully distracts from the issue of how certain countries are using fake news articles as propaganda to forward their own goals. Still better than him calling the free press "enemies of the people"

        Obviously the USA and the Ruskies are the ones at the forefront of these shenanigans.

    3. Anonymous Coward
      Anonymous Coward

      Re: FFS since when is a GSM to VOIP gateway...

      Came to say the same thing, then took one look at it. It certainly looks like cheap tat compared to the kit I've worked with.

      1. Destroy All Monsters Silver badge
        Trollface

        Re: FFS since when is a GSM to VOIP gateway...

        Contribute the the ever-changing definition of IoT: Define IoT

        ... 86 pages PDF!

  4. Anonymous Coward
    Anonymous Coward

    Dumb reporter or click bait master

    Reporters often know very little about the "news" they report but in this case they would have had to know nothing about it which seems unlikely.

    But if you want your "fake news" to go viral all you need is to write the story people want or expect. It does not matter if it has any basis in fact. Find something that sounds like it could be turned into click bait or the next viral story and the reporter is good to go.

    In this case reporting that a single manufacturer of VoIP GSM Gateway equipment is building their equipment with a hidden backdoor isn't nearly as interesting as suggesting Chinese vendors are accessing your baby camera's.

    That's the story that sells so that's news. Has it ever really mattered if or how the news story was true?

    1. ZootCadillac

      Re: Dumb reporter or click bait master

      master click baiter?

  5. heyrick Silver badge

    Surprised?

    Remind me - how many little IP cameras have an open telnet port with the baked in login root (or admin) and the password 123456 (or admin).

    My cute little Verbatim media sharer has a baked in telnet with known password (it's a date).

    I think this sort of thing is extremely widespread.

    This is why we NEED to push for rejecting any IoT devices that aren't fully open source...

    1. Loyal Commenter Silver badge

      'fully open source' hardware?

      I hope you like breadboards, and soldering.

    2. Destroy All Monsters Silver badge
      Paris Hilton

      Re: Surprised?

      That's as likely as going to happen as having fully open sourced PCs, down to the firmware....

      "Devices with a network ports" (because I do not like the meaningless IoT designation): Always behind firewalls, with an IDS in the vicinity, walled off, on separate VLANs, in "novelty" roles, or "as open as possible".

      Then again, there are "mobiles"....

    3. Captain Scarlet Silver badge

      Re: Surprised?

      "rejecting any IoT devices that aren't fully open source"

      I thought the manufacturers of these devices were using open source, they sure as hell can't be bothered to actually waste time developing software longer than needed or contributing to the projects they use source from.

  6. Doctor Syntax Silver badge

    To have a door you must have a wall to put it in. The truly amazing discovery would have been if they'd found any evidence of walls.

  7. YourNameHere

    Are you surprised????

    Last time I checked, all equipment like this, if sold in china is required to have back doors that their government can access. This is required for routers, switches, and anything else that connects to the internet. Nothing bad, nothing good, just the law. So you can expect most of this equipment coming out of China to have hooks like this buried in it.

    1. Destroy All Monsters Silver badge

      Re: Are you surprised????

      > Nothing bad, nothing good, just the law.

      Actually bad.

    2. Anonymous Coward
      Anonymous Coward

      Re: Are you surprised????

      Odd but didn't Huwaei's Network kit get a clean bill of health from GCHQ?

      Ok, maybe they do, but they are not letting us know about it.

      1. Doctor Syntax Silver badge

        Re: Are you surprised????

        "Odd but didn't Huwaei's Network kit get a clean bill of health from GCHQ?"

        Hello GCHQ, here's the back door and here's the key. Do we pass?

      2. Tom Paine Silver badge

        Re: Are you surprised????

        Correct. @YourNameHere is mistaken.

  8. earl grey Silver badge
    Facepalm

    IOT = POS

    'Nuf said.

  9. Anonymous Coward
    Anonymous Coward

    Everything has a backdoor these days

    Just assume everything has a backdoor at this point. Your IoT gadget. Your hard drive firmware. Your Intel Management Engine CPU. Your EFI BIOS'd motherboard. Your Cisco router. Your Windows 10 OS. Your remote access and antivirus software.

    Best bet is to hope they all fight each other for control and none of them work.

    1. Peter2 Silver badge

      Re: Everything has a backdoor these days

      I agree in so far as I expect that things probably do have backdoors.

      However I also expect that sourcing a perimeter security/firewall (from a different manufacturer) to prevent remote access to those backdoors unless there is widespread and deliberate coordination to expose backdoors to the internet.

    2. bombastic bob Silver badge
      Devil

      Re: Everything has a backdoor these days

      But, NOT my Linux/FreeBSD computers. Worthy of note.

  10. Anonymous Coward
    Mushroom

    Ethical dilemma

    Should some hacker simply BRICK all these devices to prevent further damage to their owners/victims?

    What's the worst that could happen? Some phone problems until they get replacements? Business as usual, in other words.

    1. Voland's right hand Silver badge

      Re: Ethical dilemma

      What's the worst that could happen?

      Conviction for malicious damage.

      1. Anonymous Coward
        Anonymous Coward

        Re: Ethical dilemma

        "delicious damage", right?

      2. Doctor Syntax Silver badge

        Re: Ethical dilemma

        Conviction for malicious beneficial damage.

  11. Andy Non
    Unhappy

    With a bit of luck

    dbltek have destroyed their reputation and nobody will ever buy their products again. However, I somehow doubt that knowledge of their dodgy hardware will progress much beyond El Reg, so it will be business as usual for them.

    1. YourNameHere

      Re: With a bit of luck

      People will forget about this by next week. Plus 99.99% of the people I talk to don't have a clue about what this means nor do they care as long as they can still look at the selfies they took.

    2. John Brown (no body) Silver badge

      Re: With a bit of luck

      "However, I somehow doubt that knowledge of their dodgy hardware will progress much beyond El Reg, so it will be business as usual for them."

      Hah! TalkTalk made mainstream news and 12 months later your average punter thinks "TalkTalk? Heard of them, they must be good". Brand awareness works.

    3. Adam 1 Silver badge

      Re: With a bit of luck

      Or they will just rebrand with a new logo sticker on the side and carry on business as usual. Hardly a middle kingdom phenomenon though...

  12. Kev99

    Why do you need to connect your crapper or fridge to the internet? And are you really surprised there a backdoor already encoded into the device?

    1. heyrick Silver badge
      Happy

      A backdoor in a toilet? The mind bo.... actually let's just not go there.

    2. Adam 1 Silver badge

      Pfft. Like my car. It has two back doors that I'm aware of.

      /Grabs coat

  13. Anonymous Coward
    Anonymous Coward

    Just how safe is all the antivirus software that comes out of China that people cheerfully install on their phones? But then it must be safe, because it's free and google play and their ilk have checked it.

  14. CrazyOldCatMan Silver badge

    192.168.2.1

    the gadget tries to connect to UDP port 11000 on 192.168.2.1 on its local network

    So, as an exercise for the class, name me any business of over a very small size that's going to use the 192.168 range for it's LAN?

    Maybe a DMZ (and that's also pretty much of a stretch[1]), but a main LAN? Only one company I've ever worked at did that (network was set up by someone using various tutorials as a guide and, since they all used 192.168.1 as their network, he did likewise. By the time I came along 20+ years later, it was far, far too late to do anything about it as there were lots of hardcoded IP addresses[1] in our internal systems and it would break everything if I re-IP'd. I did consider putting up a 2nd network for new kit but didn't actually have any budget for new kit..). Everywhere else has used one of the other private ranges - the range used being dependent on how many sites/VLANs they were planning to have.

    Plus, being vulnerable to such a small attack surface ( UDP port 11000 on 192.168.2.1 on its local network) means that the only people most likely to exploit it are local network admins or firewall bods that can reverse-NAT that to somewhere interesting outside the firewall.

    [1] Which came back to bite us badly when some of the senior people went to a conference that mentioned VPNs and wanted me to give them access from home. Turns out that having a 192.168.1.x[2] network on two side of a VPN tunnel doesn't work too well. Who'd a thunk it?

    [2] Most UK home ISPs seem to use that for the home-facing side of their routers..

    1. doke

      Re: 192.168.2.1

      name me any business of over a very small size that's going to use the 192.168 range for it's LAN

      That's the point, almost no corporate lans use 192.168.2.0/24, so it's wide open for another infected machine to assume that as a secondary IP.

      We have to overlay 192.168.1.0/24 on one of our other subnets, on the same vlan, and provide a tftp server on it, for reinstalling certain voip phones. When you factory reset them, they don't even dhcp, they use a fixed ip on that subnet, and try to tftp their OS image from a fixed server ip.

    2. HeliosFA

      Re: 192.168.2.1

      > So, as an exercise for the class, name me any business of over a very small size that's going to use the 192.168 range for it's LAN?

      Probably very few, which makes this all the easier to exploit as the IP will definitely not be taken. If you are on the same segment of the network (physical or VLAN) and there is no routing between you and the device, just allocate a second IP. None of the intervening switches will care (they just switch packets based on MAC address unless you have some form of NAC set up) and no one will notice an IP conflict.

  15. Anonymous Coward
    Anonymous Coward

    EXPOSED security vulnerability - Bayit Home Automation webcam Pro HD BH1826/BH1818 model + Temp FIX

    Check out the video online:

    https://youtu.be/Yz-I8Q3rhEU

    Consumer Webcam Alert - The reason why Bayit Home Automation marketer of the IOT Bayit Pro HD BH1826 and BH1818 released a mandatory security vulnerability fix for their popular webcam line on Friday March 3rd. An affected Consumer FIRST brought to their attention on Sunday February 26, 2017 a major security breach and exposed vulnerability of their very popular Bayit Pro HD 1080p BH1826 model that was a result of a major lax of security and testing on their part.

    The Security vulnerability exposes (2) additional undocumented default login user/passwords access methods over an insecure internet facing web Port 81 without encryption to their webcam when setup of the Camera is completely using the Bayit iPhone app. This immediately exposed the consumer to the internet and making them vulnerable for invasion of privacy. The lax of security of Bayit software of their BH1826/BH181 camera firmware may have existed since the camera was released to the public as far back as 2015. The affected consumer had owned this Bayit Pro HD BH1826 since Nov, 2015 and had done the right thing to secure the camera following all of Bayit instructions for du-diligence by ensuring a password was set. Him and his family of your children privacy of their personal lives were exposed for anyone to see on the internet since Nov, 2015 with no hack required and was finally caught as a result of the camera being operated remotely by changing pan and tilt positions.

    This is a case of the consumer doing the right thing and the IOT vendor Bayit Home Automation recklessly neglecting to reasonably secure and protect their devices as a result of very weak security and testing practices.

    This consumer should not have been the person to expose their negligence this late. This should have been caught much earlier and stricter security standard should have been practiced to secure and protect the privacy of their consumers.

    1. floorlizard

      Re: EXPOSED security vulnerability - Bayit Home Automation webcam

      I called this company twice in early 2016 to report the issue! I had a HELL of a time getting a phone number but was eventually able to get a number. In both instances I had to leave a message on a voicemail and never received a return phone call. I started noticing that my camera was repositioning itself. I would set it so it was looking at the wall behind it and when I would come back into the room to check, it would be facing forward. I tested this NUMEROUS times and am concerned about what video(s) might be out there of my family and me. Has there been any talk of a class action lawsuit? Knowing that I attempted to contact this company several times about this issue, and never getting a return call, has me furious!

  16. Kevin McMurtrie Silver badge

    Cheaper, cheaper, cheaper

    Most of the top search results for product reviews are written by bots or idiot bloggers that have done nothing but hash a press release to get a few micropayments on referrals. That's where these crap IOT products come in. Maybe you can find a fanatic who does in-depth reviews for free, but that's on page 15 of your search results. (Consumer Reports asks for real money but they rarely have the expertise needed to properly review anything.)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019