Security researching in the middle of the night.
Focusing on ARM based embedded IoT

Request for Comment response (CVE-2021-36260)

This article is in response to a request for comment received 27 September 2021

I received a request for comment on an upcoming media article, and though I generally prefer my report to stand on it’s own, I took the view the questions raised could use clarification to what was already in my report.

Unfortunately, the request was made only 6 hours or so before publication, and as I work primarily during the night I was asleep and wasn’t able to respond in time.

I present my full response below:

Hi there

Thank you for your request for comment. I am happy to address your questions:

Tell me why exactly do you feel that this is not a Government mandated backdoor and just a genuine vulnerability?

I’ve worked in IT with an emphasis on security for almost 30 years. I’ve also had extensive experience reverse engineering code deployed on embedded devices in addition to reviewing hostile malware and remote access trojans (RATs) more generally.

With such experience it becomes obvious if something is deliberately placed and obfuscated on an embedded device. The manner in which a deliberately implanted and malicious “backdoor” would be implemented and utilized is totally different to this genuine software vulnerability. I cannot provide specific details aside to say it was absolutely clear to me in this case this was a genuine software bug and not a deliberate backdoor.

I’d like to also make it clear Hikvision in no way asked me to say this wasn’t a backdoor or influenced the wording I used in any way. If I found something I considered to be a backdoor placed by any vendor based in any country I would publicly disclose it irrespective of the vendor’s wishes.

Why did it take so long to release a fix since your first disclosure to Hikvision? June 21 – Sept. 18

There is a huge range of firmware to check, patch and test. 90 days is actually very quick given the large range of products that needed to undergo this process when it’s done thoroughly with proper testing.

It’s also the case that in order to protect customers Hikvision were pushing out fixed firmware on public firmware portals way ahead of publicly announcing this problem. Responsible, coordinated disclosure is a complicated process that needs to be handled carefully so that you don’t expose companies/end-users to bad actors (attackers) before fixes are ready. As soon as you announce a vulnerability publicly the bad guys (criminals) look for it to use to harm people.

This is also why I choose to work with Hikvision privately rather than simply announce to the world I’d found this vulnerability the day I discovered it. Protecting people is my number one priority.

Apart from this is there anything else that you would like to say and convey to our readers on this topic?

I’ve received a large number of emails, and messages from people all over the world on this topic. Though I am not free to provide some of the technical details I’ve been asked for, I would like to thank everyone for their kind words.

I hope that is somewhat helpful.

Kind Regards

Watchful IP