Security researchers at IT security company Trustwave have discovered Chinese Internet of Things (IoT) devices containing a hidden backdoor.
According to a blog post, the issue affects numerous DblTek branded devices.The backdoor exists in the Telnet admin interface of DblTek-branded devices.
This backdoor enables access by the manufacturer, but leaves the devices open to exploitation by others. Despite the researchers following responsible disclosure processes and alerting the manufacturer, it remains exposed.
The devices use a simple ‘challenge and response’ mechanism to allow remote access. But researchers found that this was fundamentally flawed, in that it is not essential for a remote user to have knowledge of any secret or password, besides the challenge itself and knowledge of the protocol/computation used.
The problem allows a remote attacker to gain a shell with root privileges on the affected device. The issue was first identified in an eight-port DblTek VoIP GSM Gateway, however, a number other devices are also believed to be vulnerable.
Flawed Chinese IoT devices, flawed response?
After researchers found the backdoor, the manufacturers responded by trying to make the backdoor more hidden, using a slightly harder challenge-response system, rather than closing it.
“It seems DblTek engineers did not understand that the issue is the presence of a flawed challenge response mechanism and not the difficulty of reverse engineering it,” said the researchers.
Zach Lanier, research director at IT security company Cylance told Internet of Business that this is not an isolated issue.
“Network devices from manufacturers all over the world have fallen prey to attackers time and time again – often by way of backdoor services and accounts. These backdoors are often present under the guise of providing “remote administration” or “support”, but occasionally for more nefarious purposes,” he said.
“What’s frustrating about this particular instance is the vendor’s response to Trustwave’s findings: ‘security through obscurity’ is not the way to go, nor is cutting off communications with researchers who are trying to disclose something. Trying to ‘hide’ something like this is what brings about the ‘Streisand Effect‘ – it will only draw more attention.”
“Chances are high that we’ll continue to see more of the same as far as backdoors go, especially as IoT-esque devices proliferate,” added Lanier.