Security vendor Trustwave has called out Chinese IP telephony and gateway manufacturer DBL Technologies (DBLTek) for a hidden backdoor in its products. Trustwave has published both a blog post with the technical details and the advisory it sent to DBLTek. Both documents show that the manufacturer shipped a hidden, undocumented account protected only by a flawed challenge-response authentication scheme, and that anyone who can reach the device's login and defeat that scheme can use the account to take control of the device.
Worryingly, Trustwave says that this backdoor exists in several devices shipped by DBLTek.
What DBLTek products are affected?
Trustwave has provided a list of affected devices and a statement about other DBLTek products. It reads:
“Confirmed affected versions are GoIP 1, 4, 8, 16 and 32 (which are essentially the same thing but with 1 and 32 lines respectively)
“Most of their other devices they manufacture (http://www.dbltek.com/goip.html) seem to have the same login binary in their firmware images, but we haven’t been able to confirm this for sure. We’re reasonably confident it will be a consistent feature across their product ranges.”
What is the risk?
The hidden account is called dbladm. Logging in with it gives root-level shell access on the device, which means complete control over what the device does and the software it runs. A malicious actor could install malware on the device, and because a gateway is by design connected to other networks, a compromised unit becomes a foothold for attacking those networks as well.
The attack would also allow a remote party to intercept all traffic passing through DBLTek's GoIP devices. They could listen to calls, and the captured data could be used to mount replay attacks.
Why make it public rather than wait for the vendor?
Trustwave did inform the vendor, which produced an initial patch. However, Trustwave researchers quickly showed that the patch did not fix the flawed challenge-response authentication. The vendor also did not tell customers about the hidden account in the release notes for the patch.
The revision history for this disclosure as published by Trustwave is:
- 10/13/2016 – Attempt to contact vendor
- 11/01/2016 – Attempt to contact vendor
- 11/14/2016 – Attempt to contact vendor
- 12/02/2016 – Attempt to contact vendor
- 12/05/2016 – Finding disclosed to vendor
- 12/21/2016 – Vendor releases firmware update (GST1610-1.01-58.pkg)
- 12/28/2016 – Vendor contacted about firmware not fully addressing vulnerability
- 01/12/2017 – Attempt to receive update from vendor
- 01/24/2017 – Attempt to receive update from vendor
- 01/27/2017 – Vendor non-responsive for 30 days
The last date is important. Most researchers give a vendor 90 days to fix an issue, and if the vendor cannot complete a fix within that time, or other issues are found, most researchers will extend the deadline. Here the first attempt to contact DBLTek was made on 10/13/2016, more than 90 days before the final entry in the timeline, and the vendor had still not responded about the incomplete patch. It appears that DBLTek is unwilling to engage with Trustwave to solve this problem.
What should customers do?
Customers need to decide whether they want to continue to use DBLTek GoIP products. They should also consider disconnecting them from networks over which other data is shared. An alternative approach is to ring fence them: put the GoIP devices on their own network segment, allow only the traffic they need to function, and log or capture everything else moving in and out so it can be examined. This gives an opportunity to see whether anyone is using, or attempting to use, the backdoor account.
The more devices organisations have, the more likely this type of problem becomes. Manufacturers need to do a better job of disclosing any accounts with access to a device and the level of access those accounts have. We sent an email to a Mr Bai, who is listed as a marketing contact on the DBLTek website, asking why there was a hidden backdoor and for a response to the Trustwave blog. We have had no response so far.
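One way to turn the ring-fencing advice above into a concrete check, as an added example that is not code from Trustwave, DBLTek or the original article: a small Python script that reads firewall-style connection logs for the segregated GoIP segment and raises an alert whenever a flow crosses the fence that the policy does not allow, or whenever a login attempt uses the dbladm account. The network addresses, the admin host, the permitted outbound flow, the key=value log format and the log lines themselves are all assumptions constructed for this example; only the account name dbladm comes from the advisory.

```python
"""Detection for a ring-fenced GoIP segment.

Added example, not Trustwave's or DBLTek's code. Assumptions (constructed for
this example): the GoIP units sit in their own segment, a firewall logs every
connection crossing that segment in a syslog-like key=value format, only one
admin host may reach the devices, and the devices themselves may only talk to
one assumed SIP registrar. The only fact taken from the advisory is the
backdoor account name.
"""
import re
from dataclasses import dataclass

BACKDOOR_USER = "dbladm"  # hidden account named in the Trustwave advisory

# Assumed policy for the fenced segment (not from the advisory).
GOIP_HOSTS = {"10.20.0.11", "10.20.0.12"}          # the GoIP devices
ADMIN_HOSTS = {"10.0.0.5"}                          # only host allowed in
ALLOWED_OUTBOUND = {("10.0.0.50", 5060)}            # assumed SIP registrar

# key=value pairs; a quoted value may contain spaces.
LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn 'k=v k2="v 2"' into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in LINE_RE.findall(line)}


@dataclass(frozen=True)
class Alert:
    kind: str
    src: str
    dst: str
    detail: str


def check_event(ev):
    """Return an Alert for one parsed event, or None if the policy permits it."""
    src, dst = ev.get("src"), ev.get("dst")
    dport = int(ev.get("dport", 0))
    user = ev.get("user")
    # 1. Any login attempt with the hidden account is an alert, whatever the
    #    source; a legitimate admin has no reason to use it.
    if user == BACKDOOR_USER:
        return Alert("backdoor_login_attempt", src, dst, f"user={user}")
    # 2. Inbound to a GoIP: only the admin host may talk to it.
    if dst in GOIP_HOSTS:
        if src in ADMIN_HOSTS:
            return None
        return Alert("ringfence_inbound", src, dst, f"dport={dport}")
    # 3. Outbound from a GoIP: only allow-listed flows. Anything else could be
    #    a compromised unit calling out.
    if src in GOIP_HOSTS:
        if (dst, dport) in ALLOWED_OUTBOUND:
            return None
        return Alert("ringfence_outbound", src, dst, f"dport={dport}")
    return None


def scan(lines):
    """Parse each log line and collect the alerts the policy raises."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if not ev:
            continue
        alert = check_event(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log (not real traffic). Port 23 is an assumed management
# port for the example, not a statement about the devices.
SAMPLE_LOG = [
    'ts=2017-01-27T10:00:01Z src=10.0.0.5 dst=10.20.0.11 dport=23 action=allow',
    'ts=2017-01-27T10:00:07Z src=192.0.2.77 dst=10.20.0.11 dport=23 action=allow',
    'ts=2017-01-27T10:00:09Z src=10.20.0.12 dst=10.0.0.50 dport=5060 action=allow',
    'ts=2017-01-27T10:00:15Z src=10.20.0.12 dst=198.51.100.9 dport=443 action=allow',
    'ts=2017-01-27T10:01:02Z src=10.0.0.5 dst=10.20.0.12 dport=23 event=login user=dbladm',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.kind}: {a.src} -> {a.dst} ({a.detail})")
```

Run against the sample log the script flags three events: the outside host reaching a GoIP, the GoIP calling out to an address that is not its registrar, and the dbladm login attempt, which is reported even though it comes from the permitted admin host. In practice the policy tables would be loaded from the real segment design and the log source would be the firewall or a tap on the fence boundary.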