
Huawei Chips Have Backdoors and Bugs

Okay, this is a catchy headline from The Register, but it is not accurate.

Still, the problem is real, and it is very difficult to figure out whether you are at risk. ARGH!

Here is the situation.

Salesforce’s security team reported this week a series of flaws affecting video encoders powered by Huawei subsidiary HiSilicon’s hi3520d chipset.

On the surface, it looks like the headline is correct (sorry, bear with me, I will get to a very important point in a minute).

The problem is that the holes are not in HiSilicon’s chip, nor are they in the Linux software that HiSilicon provides for developers to interface with the chip.

The holes are in the software that rides on top of all that, DEVELOPER UNKNOWN.

But the bugs are very serious and include an administrative interface with a backdoor password, telnet root access, unauthenticated file upload and other problems.

The researcher tested products from URayTech, J-Tech Digital and Pro Video Instruments and found them to be vulnerable to some or all of the attacks. Many other products use that chipset and likely came from the same very cheap software vendor, who offered buggy, unsupported software that the device makers then integrated into their products.

BUT YOU HAVE NO IDEA WHETHER THE COMPANY WHOSE LABEL IS ON THE OUTSIDE OF THE CASE USED THAT CHIPSET OR THAT BUGGY SOFTWARE!

Okay, now my point.

I have been talking about Software Bill of Materials (SBoM) for a while now. If SBoM had been required by the customers of these vendors, we would know, at least, where the buggy software came from. Then we might be able to identify what devices were vulnerable.

The government has a project inside NTIA (part of the Department of Commerce) to set standards around SBoM and SBoM tools, but companies can start implementing SBoM principles long before there are standards and standard tools. For most companies, a spreadsheet, a policy and training are sufficient. It is likely that the federal government will eventually require vendors that choose to sell to it to provide SBoM manifests. That will be a big shot in the arm for SBoM.
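To make the "spreadsheet is sufficient" point concrete, here is an added example (not code from the alert or from any vendor named in it) that treats a simple CSV export of a device inventory as a minimal SBoM and cross-references it against a chipset and a software supplier. The device names, versions and the supplier name EXAMPLE-FIRMWARE-VENDOR are constructed placeholders; only the hi3520d chipset name comes from the alert. The triage function separates devices that actually carry the suspect software from devices that merely share the chipset, which is exactly the distinction the headline blurs.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory in the shape of a plain spreadsheet export.
# Device names, suppliers and versions are made up for illustration;
# EXAMPLE-FIRMWARE-VENDOR stands in for the unknown developer of the
# vulnerable software. hi3520d is the chipset named in the alert.
INVENTORY_CSV = """\
device,component,supplier,version,component_type
encoder-model-a,hi3520d,HiSilicon,,chipset
encoder-model-a,hisilicon-sdk,HiSilicon,2.0,sdk
encoder-model-a,web-admin-firmware,EXAMPLE-FIRMWARE-VENDOR,1.3,application
camera-model-b,hi3520d,HiSilicon,,chipset
camera-model-b,in-house-webui,ACME-Video,4.1,application
recorder-model-c,other-soc,OtherChipCo,,chipset
recorder-model-c,web-admin-firmware,EXAMPLE-FIRMWARE-VENDOR,1.2,application
switch-model-d,other-soc,OtherChipCo,,chipset
"""


def load_inventory(csv_text):
    """Parse the spreadsheet export into {device: [component rows]}."""
    by_device = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_device[row["device"]].append(row)
    return dict(by_device)


def devices_with_component(inventory, name=None, supplier=None):
    """Return the sorted device names whose SBoM lists a component matching
    the given component name and/or supplier (case-insensitive)."""
    if name is None and supplier is None:
        raise ValueError("need a component name or a supplier to search for")
    hits = set()
    for device, rows in inventory.items():
        for row in rows:
            if name is not None and row["component"].lower() != name.lower():
                continue
            if supplier is not None and row["supplier"].lower() != supplier.lower():
                continue
            hits.add(device)
    return sorted(hits)


def triage(inventory, chipset, bad_supplier):
    """Bucket devices by what the SBoM actually shows: the suspect software is
    present, only the shared chipset is present (needs a closer look), or
    neither. Without the supplier column the first two buckets would be one."""
    chipset_devices = set(devices_with_component(inventory, name=chipset))
    bad_sw_devices = set(devices_with_component(inventory, supplier=bad_supplier))
    return {
        "vulnerable_software_present": sorted(bad_sw_devices),
        "chipset_only_needs_review": sorted(chipset_devices - bad_sw_devices),
        "not_affected": sorted(set(inventory) - chipset_devices - bad_sw_devices),
    }


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    for bucket, devices in triage(inv, "hi3520d", "EXAMPLE-FIRMWARE-VENDOR").items():
        print(f"{bucket}: {', '.join(devices) or '(none)'}")
```

Run as-is, the script shows encoder-model-a and recorder-model-c carrying the suspect software (note that recorder-model-c does not even use the hi3520d), camera-model-b needing review only because of the shared chipset, and switch-model-d unaffected. Replace INVENTORY_CSV with a real export from your asset spreadsheet and the same two lookups answer the question the alert says you cannot answer today.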

I just heard that the FDA is going to, some time soon, require SBoM for all new medical device certifications. That is great news.

If you need help with this, contact us.

In the meantime, there is no easy way to figure out whether your video platform (cameras, recorders and any equipment that includes video encoding) is vulnerable. The best you can do right now is isolate that hardware and software on its own network segment. That (segmentation) is a good practice anyway.

Assuming you would prefer that the bad guys not take over your network. Just a suggestion.

Credit: The Register