What Goes Around Comes Around
Terry Dunlap
SVP Corporate Strategy & Development at NetRise | Co-founder of Gray Hat Academy | Co-founder of ReFirm Labs (acquired by Microsoft) | Former NSA Hacker | Serial Entrepreneur in Cybersecurity
Note: Welcome to the sixth and final installment of my mailing list series we used at ReFirm Labs. Now, if you really want to be part of this wild ride and truly appreciate the awesomeness of my marketing concept focused on origin stories, you gotta read the previous installments, my friend. Seriously, they lay down the foundation and bring you up to speed on the journey so far. Trust me.
Attached was a copy of their firewall log, which revealed that the Dahua surveillance cameras were transmitting the company's network traffic to Chinese-based IP addresses!
Not only did our team discover the backdoor in the Dahua cameras, but we learned it was actively being used against our Fortune 500 client! Neither of us knew how long this network traffic theft had taken place or what intellectual property may have been stolen. The Dahua cameras were ripped out and replaced within a few weeks.
Like clockwork, the Washington Post and Fortune articles hit the wires at 6:00AM ET on Wednesday, November 15, 2017. Within a few hours, Dahua emailed me.
Daniel Chau, Overseas Marketing Director for Dahua, claimed we had examined the wrong firmware. The firmware we looked at was out of date. A newer firmware image was available for that camera, which corrected the issue we discovered. Conveniently, he provided a link in his email for me to click and download the newest firmware.
Yeah, right. I'm not clicking on your link, Daniel. I'm not an idiot.
The team could not find the firmware Daniel alluded to in his email on Dahua's actual support pages. After several more hours of leveraging Google's site-specific searching capabilities, the team found the firmware on an obscure Dahua page. If this was indeed a newer firmware image that users were to download for upgrading their cameras, Dahua did not make it easy.
Once again, the team dropped the firmware image into the Centrifuge platform. And once again, the team discovered the exact same backdoor in the new firmware image.
But this time, there was a twist!
The backdoor was no longer in the exact location of the firmware where we had previously discovered it. Dahua simply moved it to a different location, expecting us not to find it!
I confronted Daniel via email with our findings. In his response, he said his developer assured him the problem had been corrected.
I replied with full technical details from our team, including detailed IDA Pro screenshots clearly highlighting the backdoor. I responded, "Are you sure your developer works for you and not your government?"
I never heard from Daniel again.
This tactic was not new to us. We had seen this scenario before, back in 2013!
At Tactical Network Solutions, we were asked to review a new wireless router being built for a UK telecommunications provider. It was your typical WiFi router for Internet access.
We found a backdoor that appeared to be left behind by an engineering or development team for remote testing and debugging. It was pretty obvious. We advised the client to contact the manufacturer, inform them of the finding, and request that it be removed.
A few weeks later, we were presented with the updated firmware image. The manufacturer listened to the UK telecommunications provider and removed the backdoor.
But... we found the same backdoor in a different location within the firmware! They simply moved the backdoor.
Now I was curious. So I asked my contact, "Who's making this router for you?"
"Huawei," he replied.
That was in 2013. Fast-forward to 2017, and we see a different Chinese manufacturer installing backdoors in its firmware. Once discovered, it simply moved the backdoor to a different location.
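Both incidents hinge on the same detail: the flagged bytes were intact but sat at a new offset, so a check that only re-inspects the old location reports the issue as fixed. The following is an added example, not ReFirm's Centrifuge or any code from the original post: it takes a region an analyst has already flagged in the old image and searches the new image for the same bytes at any offset, tolerating a few patched bytes. The two images and the "flagged routine" are constructed stand-ins.

```python
"""Relocated-region check between two firmware images (constructed demo data)."""
import hashlib
from dataclasses import dataclass

@dataclass
class Relocation:
    old_offset: int     # where the flagged region sat in the old image
    new_offset: int     # where the same bytes now sit in the new image
    match_ratio: float  # fraction of region bytes identical at new_offset

def same_place(old: bytes, start: int, end: int, new: bytes) -> bool:
    """Offset-only check: are the flagged bytes still at their old location?"""
    return new[start:end] == old[start:end]

def find_relocated(old: bytes, start: int, end: int, new: bytes,
                   block: int = 16, min_ratio: float = 0.9) -> list[Relocation]:
    """Locate old[start:end] anywhere in `new`; every aligned `block`-byte slice
    is an anchor, so the region is found even if some of its bytes changed."""
    region = old[start:end]
    candidates: set[int] = set()
    for rel in range(0, len(region) - block + 1, block):
        anchor = region[rel:rel + block]
        pos = new.find(anchor)
        while pos != -1:
            candidates.add(pos - rel)          # implied start of the whole region
            pos = new.find(anchor, pos + 1)
    hits = []
    for new_start in sorted(candidates):       # verify each implied start byte-for-byte
        if new_start < 0 or new_start + len(region) > len(new):
            continue
        cand = new[new_start:new_start + len(region)]
        ratio = sum(a == b for a, b in zip(region, cand)) / len(region)
        if ratio >= min_ratio:
            hits.append(Relocation(start, new_start, ratio))
    return hits

def _filler(seed: bytes, n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for unrelated firmware content."""
    chunks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(chunks)[:n]

# Constructed stand-ins: a 64-byte "flagged routine" at offset 300 in the old
# image, and the identical bytes moved to offset 900 in the "fixed" image.
FLAGGED = _filler(b"flagged-routine", 64)
OLD_IMAGE = _filler(b"old-head", 300) + FLAGGED + _filler(b"old-tail", 200)
NEW_IMAGE = _filler(b"new-head", 900) + FLAGGED + _filler(b"new-tail", 100)

if __name__ == "__main__":
    print("still at old offset:", same_place(OLD_IMAGE, 300, 364, NEW_IMAGE))
    print(find_relocated(OLD_IMAGE, 300, 364, NEW_IMAGE))
```

On real images, the region boundaries come from the analyst's first finding (the IDA Pro work described above); the anchor size and match threshold are tuning knobs, not fixed constants.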
What are the chances that two completely different Chinese companies use the exact same tactic to install and hide backdoors without some central coordination?
What really stands out between the two events is that the 2013 Huawei backdoor was obvious. The 2017 Dahua backdoor was more advanced and obfuscated, similar to how an intelligence agency might do it. Our adversaries are learning and adapting.
I guess the old adage is true: What goes around comes around.
What we, as former intelligence professionals, have been doing against our foreign adversaries for years has now come around to put the security of all IoT and embedded devices and their supply chain directly in the crosshairs of cyber warfare, intelligence collection, and intellectual property theft.
The backdoors in the Dahua product line and other attack vectors in IoT devices we have examined would have easily passed security audits using traditional penetration testing tools like Nessus and others. And source code auditing tools would undoubtedly have missed embedded backdoors obfuscated in the binaries of a compromised supply chain.
ReFirm Labs is on a mission to help you, the makers and users of IoT devices, remove any doubt of compromise by leveraging our experience in dealing with these threats.
So now you know who we are, what we do, and why we do it.
If we are not a good fit for you in securing firmware and IoT devices, please click here to remove yourself from our system immediately.
Regardless of your choice, I hope you enjoyed our origin story.
Terry Dunlap co-founded Tactical Network Solutions, ReFirm Labs, and Gray Hat Academy. Before that, he worked at the US National Security Agency developing hacking tools and exploit capabilities, which would have landed him in jail in any other capacity.
Multi-Lingual Product Management, Marketing & Sales Executive
1 year
From Black hat to White hat.... am proud to say I knew you when and even prouder to say I still know you now... It would have really been something had you driven to high school in that pink Cadillac!