Slashdot Mirror
Hidden Backdoor Discovered In Chinese IoT Devices (techradar.com)
"A backdoor has been found in devices made by a Chinese tech firm specializing in VoIP products," reports TechRadar. An anonymous reader quotes their article:
Security outfit Trustwave made the discovery of a hidden backdoor in DblTek's devices which was apparently put there to allow the manufacturer access to said hardware -- but of course, it's also open to being exploited by other malicious parties. The backdoor is in the Telnet admin interface of DblTek-branded devices, and potentially allows an attacker to remotely open a shell with root privileges on the target device.
What's perhaps even more worrying is that when Trustwave contacted DblTek regarding the backdoor last autumn -- multiple times -- patched firmware was eventually released at the end of December. However, rather than removing the flaw, the vendor simply made it more difficult to access and exploit. And further correspondence with the Chinese company has apparently fallen on deaf ears.
The firmware with the hole "is present on almost every GSM-to-VoIP device which DblTek makes," and Trustwave "found hundreds of these devices on the net, and many other brands which use the same firmware, so are equally open to exploit."
What's perhaps even more worrying is that when Trustwave contacted DblTek regarding the backdoor last autumn -- multiple times -- patched firmware was eventually released at the end of December. However, rather than removing the flaw, the vendor simply made it more difficult to access and exploit. And further correspondence with the Chinese company has apparently fallen on deaf ears.
The firmware with the hole "is present on almost every GSM-to-VoIP device which DblTek makes," and Trustwave "found hundreds of these devices on the net, and many other brands which use the same firmware, so are equally open to exploit."
There is a price for putting things on the internet that require command and control outside of the owners network. Authoritarian government == Authoritarian company. I love connected things but not when I have to ask someone elses servers to access or do shit with equipment behind MY firewalls.
Digital is, by definition, imperfect. Analog is the way to go.
Referring to every router and gatway as an "IoT device" is getting stupid. This has nothing to do with X10 or lightbulbs or switches or home automation.
What was the price the world has paid for years of using American products, not little IoT thingies, but huge equipment for Internet backbone services from Cisco, Juniper etc., being loaded with backdoors etc. by NSA?
"Hidden Backdoor Discovered In Chinese IoT Devices"
Shocking *cough*.
Seriously, this should surprise no one. No one who's been paying attention, anyway. At this point I pretty much assume that any internet-enabled Chinese hardware likely contains some sort of backdoor, hard-coded passwords, or other hidden stuff.
Just cruising through this digital world at 33 1/3 rpm...