Hidden backdoor discovered in Chinese IoT devices
Researchers at Trustwave have uncovered a backdoor in IoT devices from a Chinese manufacturer that could leave them open to exploitation.
The backdoor is present in almost all devices produced by VoIP specialist DBLTek, and appears to have been purposely built in for use by the vendor.
It uses a simple challenge and response mechanism to allow remote access. However, Trustwave's investigation has shown this scheme to be fundamentally flawed in that it is not necessary for a remote user to possess knowledge of any secret or password, besides the challenge itself and knowledge of the protocol/computation used.
The issue permits a remote attacker to gain a shell with root privileges on the affected device. It was first identified in an 8 port DBLTek VoIP GSM Gateway, however a number of other devices are also believed to be vulnerable.
When Trustwave researchers disclosed the discovery, DBLTek responded by trying to make the backdoor more hidden -- using a slightly more complex challenge-response system -- rather than closing it, before cutting off contact with Trustwave. The researchers have since been able to write exploits that open both the old and new backdoors.
Full details of the exploit and the devices affected can be found on the Trustwave blog.