How do you find hundreds of vulnerabilities hidden in millions of lines of firmware code?
WASHINGTON: In a world where Chinese hackers steal everything from F-35 schematics to federal personnel files, why should we worry about Huawei? Because, cybersecurity experts explain, network routers, surveillance cameras and other widely sold devices from Huawei, Dahua, and other Chinese firms are riddled with vulnerabilities — flaws that are easy for attackers to exploit but hard for defenders to find, because they’re buried deep in what’s known as firmware.
Traditional computer security techniques, already fallible enough with regular software, don’t work at all on firmware, which is loaded onto a device when it’s built, runs in the background largely hidden from the user, and can only be updated by the original manufacturer. Most devices networked together in the Internet of Things (IoT), in fact, have too little memory to run security scanning software or anything else besides their purpose-built firmware. But, Finite State founder Matt Wyckhouse and ReFirm Labs co-founder Terry Dunlap told me in interviews, there are now ways to run an automated search through firmware files to find suspicious code.
What those automated watchdogs have found so far is disturbing. In a single 36-hour run, Finite State’s tool checked 1.5 million firmware files from 558 Huawei enterprise networking products — that’s just business systems, not consumer devices — and found the average device had 102 vulnerabilities, at least a quarter of them severe enough to let a hacker get full access easily. That’s much more than comparable Western products, Wyckhouse told me: “These are some of the worst devices we’ve ever tested.”
It’s not just Huawei, Dunlap told me. In 2017, his ReFirm Labs team — some of them, including Dunlap himself, ex-NSA hackers — found a backdoor in the firmware of a surveillance camera made by Dahua, similar to one they’d discovered a few years before in a Huawei router. And the backdoor had been opened: Once ReFirm told their client (a Fortune 500 firm which they won’t name) what to look for, the company’s network operators discovered their Dahua cameras had been sending data out a rarely-used port, right through the company’s firewall, to unknown IP addresses in China.
Dahua at first ignored ReFirm’s inquiries, then claimed the vulnerability was a simple error that had been fixed in the latest update. But when ReFirm looked through the updated firmware, they still found the same backdoor — just relocated to a different place in the code. (Huawei had done the same thing.)