Axis: 90% Of Hacks Are NOT The Manufacturer's Fault

JH
John Honovich
Dec 14, 2016
IPVM

The lead item in Axis's monthly newsletter is an Axis post on cybersecurity. In it, they declare:

Cyber Security experts state that over 90% of all successful breaches and intrusions are due to failures caused by people and poorly configured systems, together with a lack of maintenance [their emphasis, not ours]

This certainly gets to a contentious matter, about who is responsible - the user, the integrator or the manufacturer.

However, as our cyber security comparison report shows, Axis:

  • Does not require strong passwords (using 'pass' or '1234' is just fine)
  • Does not support auto lockout for failed login attempts (so their devices can be brute force or dictionary attacked)

Combining these two, Axis makes it easy for weak passwords to be hacked.

Remember the hack IP camera video that went around the industry a few months ago? The guy used just that technique (dictionary attack against a camera that did not require strong passwords) to get access to the camera in less than a minute. He did not use an Axis camera but the same method works against Axis because it has the same design. The hack portion starts at the 4:30 mark:

So should Axis take responsibility for this or is this the user's fault? Vote:

(1)
UI
Undisclosed Integrator #1
Dec 14, 2016

I'm obviously biased as an integrator, but I think it takes all three (customer, manufacturer and integrator) to take efforts to secure these devices. For one of them to instantly say "NOT IT!" is just poor form and does not bode well for future interactions when these issues occur.

They may as well have just said that once it is off their loading dock it is someone else's issue. Way to commoditize your product, Axis. You're better than this.

(6)
(1)
RS
Robert Shih
Dec 14, 2016
Independent

I'll even be so bold as to include distributors into the blame chain as awareness of what we sell should come with being prepared for consequences. In the end, manufacturers need to be responsive as it is their product and they have a lot more to lose. Everyone else down the food chain has the option to change platforms and sell something else.

Indeed, it's bad form for anyone to completely deny blame in this situation. I've learned to constantly badger my dealers/installers to avoid default passwords. There's just an overall top to bottom awareness we need to impress upon all levels.

(1)
JH
John Honovich
Dec 14, 2016
IPVM

it's bad form for anyone to completely deny blame in this situation

In fairness, Axis is evidently willing to take 10% of the blame...

I'll even be so bold as to include distributors into the blame chain

That's why Dahua likes you having your company as a partner. Related: Dahua Says They Are Botnet Attack 'Victims'

(1)
U
Undisclosed #2
Dec 15, 2016

To Axis's defense, they appear to be quoting "Cyber security experts", and that group of experts is probably looking at a macro view of all IT security and not the more narrow view of IoT style hardware.

From a general IT perspective, I'm sure most attacks are indeed a result of misconfigured networks and software. But your ability to secure IoT devices is limited. You often don't have root access, or users/installers are not expected to SSH in and lock down the equipment. It would have been wise to comment about how vendors can help customers to secure their devices for Axis to make some relatively minor firmware updates available to apply industry standard authentication practices (HTTPS by default, strong password support, brute force protection etc).

JH
John Honovich
Dec 15, 2016
IPVM

To Axis's defense, they appear to be quoting "Cyber security experts"

It is actually not a quote. It is a rhetorical device to deflect responsibility. There is no name for the 'quote' and there is no citation for the 'quote'.

Indeed, Axis's next sentence makes it clear that this is Axis's position:

A malicious user will always start his attack from the easiest and least demanding point, namely the users, and then attack the whole system at a later stage.

And yes users do stupid things like using 'pass' or '1234' as their password but the rest of the IT community has long decided that stopping such weak passwords and brute/dictionary attacks is the responsibility of the manufacturer. Not Axis.

(1)
(1)
UI
Undisclosed Integrator #3
Dec 15, 2016

I think the integrator is the person responsible for securing the system. If the integrator does a basic password and opens it up to the network, then shame on them at that point. I don't expect my bank to be responsible because I choose "cashmoney" as my online password. The first problem is the required education of integrators. My state has no required network security education, just a yearly "education fair" for credits where vendors come in and showcase their latest tech.

Now if it is an obvious security vulnerability that an integrator has no access to fix, then the manufacturer is at fault. Or if the customer decides to open their network to the internet then it is their fault.

UM
Undisclosed Manufacturer #4
Dec 15, 2016

All banks today would not allow "cashmoney" to be your password. They require complex passwords. Same as 10 or 20 years ago, they stopped letting you use 1111 as your PIN.

It is the manufacturer's job to require some minimum level of security, just like they mostly changed to prevent null passwords....

(1)
Blake Murphy
Dec 15, 2016

While manufacturers cannot ensure that best practice is followed in each install, all of us must at least take on the responsibility of fixing obvious vulnerabilities

Arthur Huijskens
Dec 15, 2016

Manufacturers should make it mandatory that usernames and passwords are changed directly after the first login. Even when using cloud based applications the user's email is known by the provider. They e.g. issue a warning when not changed they will be removed from that platform.

This is only addressing the username and password. Same old story over and over again. A shame that this happens.

For the other part and by that I mean the firmware and software I still think that a certification like ISO 27001 should be introduced. Especially since all these devices become more IP orientated and are connected to the Internet (IOT).

A part of this certification should be fines when not compliant or when a data leak is discovered. This would make the manufacturer more and more conscious and especially cautious when bringing out new products and firmware updates.

Another part is to keep making the effort to create awareness with the users (read as installers, integrators and especially end-users).

(3)
Joel Kriener
Dec 15, 2016
IPVMU Certified

My opinion....

It is the responsibility of the purchaser to fully understand the product they are buying and installing and to know and understand the known risks at the time of purchase.

It is the responsibility of the manufacturer to engineer, design, fabricate and distribute their product with the minimum defects and communicate clear specifications and information that will assist the purchaser to decide 'suitability for use' in their implementation. It is also their responsibility to respond to defects in a timely manner once the issues become known.

Yes these are broad statements but there is no such thing as 'zero defect' manufacturing.

I am an end-user and project designer / implementer.

RM
Ryan Masters
Dec 17, 2016

But the purchaser's bad decision or ignorance can put us all at risk as proved by Mirai. Who is negligent in that case?

AT
Andrew Tierney
Dec 18, 2016

Mirai's fault lies firmly with the manufacturers and resellers. The issue of default telnet passwords has been known for many years, and still the DVRs were sold. A week after Mirai started spreading, we bought two DVRs from high-street retailers in the UK. One from a very big name, the other from a smaller, but still well-known, brand. Both vulnerable to Mirai. When contacted, neither were aware they were vulnerable. That's just crazy that they hadn't thought to even check.

U
Undisclosed #6
Dec 19, 2016
IPVMU Certified

A week after Mirai started spreading, we bought two DVRs from high-street retailers in the UK. One from a very big name, the other from a smaller, but still well-known, brand. Both vulnerable to Mirai.

Were they vulnerable before changing the default password or after?

AT
Andrew Tierney
Dec 19, 2016

~50 of the 65 devices I have looked at vulnerable to Mirai use a different set of credentials for the system compared to the DVR. You can't change the system credentials, so can't fix Mirai.

FP
Faisal Pandit
Dec 15, 2016
Johnson Controls

Axis is wrong. As a manufacturer and software services supplier in this industry for 20 years, my humble opinion is that it is our responsibility to provide systems that protect the customer and the integrator. Solutions should automatically force password changes on cameras to prevent using default passwords along with rolling password changes and forcing of complex user passwords as just a few examples.

(1)
(1)
UE
Undisclosed End User #8
Jan 02, 2017

I am not sure I agree, I have 1500 IP cameras and for me rolling passwords is a no go, I would automatically find another vendor who required that. As far as the manufacturer being responsible, I am not sure I agree with that either. I can see on product lines focused to small installations or retail stores, yea strong passwords and locked down product lines would be important. On professional product lines, I don't see the need. Leave it up to the customer or installer to do that. We use a password that would be cracked in minutes by a dictionary attack, and I am not at all worried as the network is locked down and camera traffic can't be passed off the subnet or out of the firewall. Now I did not set this up, it was set up before I came to my current property, but I have other worries and priorities first. As for locking down after failed login attempts, nope for me also, we have too many hands that need to get in there to the config pages, and it would be a nightmare dealing with that. But we are not a typical use case, I think it is the manufacturer's responsibility in an "all in one" system that can be passed to the internet, let the customer decide what security to take on "Professional" lines, by professional the customer should have a vendor or employees who know what measures to take to keep the system secure.

 

FYI: We are a medium size casino moving to IP from a mostly analog system, we now do not fix or upgrade any analog cameras, we pull in cable and upgrade to IP. Also almost 99.9% Axis for our IP products, and I only buy Axis for new installs.

(1)
JH
John Honovich
Jan 02, 2017
IPVM

#8, Thanks for an excellent first comment and welcome to IPVM!

You note:

On professional product lines, I don't see the need

That's a tricky one. Axis cameras are certainly professional quality but because Axis has chosen to allow anyone to sell them (via Wal-Mart, Amazon, Ebay, etc.), many Axis cameras will be purchased by consumers or DIY. So does Axis leave those purchasers 'undefended'?

let the customer decide what security to take on "Professional" lines, by professional the customer should have a vendor or employees who know what measures to take to keep the system secure.

As an aspirational goal, this certainly makes sense. The challenge I see is that there are a fair number of 'professional' installers / dealers / end users, even if a minority, that make very basic mistakes.

AT
Andrew Tierney
Dec 18, 2016

I've recently evaluated a series of IP cameras for security, including a number of Axis cameras.

Once you have followed Axis's own hardening guide, they are amongst the most secure of IP cameras. But they still give you more than enough rope to hang yourself with - not HTTPS by default, weak password policy, no brute force protection.

Certainly not secure enough to be exposed to the Internet.

JH
John Honovich
Dec 18, 2016
IPVM

not HTTPS by default

I do not believe any open IP camera is HTTPS by default. I qualify that with 'open' as some / many of the cloud only systems do default / require HTTPS.

So, Should IP Cameras Default To HTTPS?

AT
Andrew Tierney
Dec 18, 2016

Certainly that aligns with my experience.

Axis, Bosch, Sony, Hikvision and Samsung/Hanwha Techwin are HTTP as standard.

U
Undisclosed #5
Dec 18, 2016

Apply some of these same thought processes to automobile manufacturers:

How come they all make vehicles that can drive at speeds better than 100mph - when doing so would be quite dangerous.... both to the 'user' and to those around them?

I think the onus is on the user to use the camera in a safe manner - and if they hire a professional to install/configure their cameras, then this responsibility falls squarely on these 'experts'.

JH
John Honovich
Dec 18, 2016
IPVM

How come they all make vehicles that can drive at speeds better than 100mph - when doing so would be quite dangerous.... both to the 'user' and to those around them?

Let me turn the tables on you - Why doesn't my bank give me unlimited number of tries to log in to my account? Why doesn't google give you unlimited number of tries to log in to gmail?

The reason is simple - computers allow massive 'speed'. Without such blocks, an adversary could do hundreds of thousands of login attempts an hour. And you would have mass non-stop hacks of bank accounts and email accounts, etc.

What type of computer 'libertarian' does one need to be not to accept that account lockout after multiple failed attempts is a good thing?

(2)
U
Undisclosed #5
Dec 18, 2016

Personally, I do not disagree that locking out the account after a number of failed log-in attempts is a wise thing to have built-in to an IP camera. Also, HTTPS and a stronger password policy would certainly be beneficial and less dangerous for their customers.

Back in March, Axis held the first in a series of Cyber Security webinars called 'The Value of Cybersecurity' - with this sub-heading:

"This webinar focuses on the importance of creating a safe and secure system of Axis devices on an end users’ network. Get a leg up on your competition by maximizing the value of Axis products with the new Axis Hardening Guide. You'll walk away knowing that cybersecurity is a process, not a product. Be sure to go on and share this valuable knowledge with your customers."

I attended this webinar and asked the Axians hosting the session 2 questions....

The first question was "why do you spell Cybersecurity as one word?"

The second question was "if you are promoting the '5 Levels of Security' (which was the basis of this webinar, in step with their newly-released Axis Hardening Guide) - why do you ship cameras at the lowest level of security?"

The background Axians answered my first question directly in the chat stating "it can be both one or two words" - which I disagree with. It's two words, morons.

The host of the webinar answered my second question to the entire audience, stating:

"That is the way our integrator partners want them shipped".

I still have the recording of him saying this if you are interested.

(1)
JH
John Honovich
Dec 18, 2016
IPVM

The host of the webinar answered my second question to the entire audience, stating:

"That is the way our integrator partners want them shipped".

I believe that. I have heard Axis say similarly.

This gets to a usability vs security tradeoff.

For example, we implemented strong passwords and auto lockout after 5 attempts. Strong passwords have caused some problems for sure. The auto lockout has caused maybe 1 at most.

So I am saying if you don't support strong passwords, at least support auto lockout. It is the combination of the two that is especially dangerous since weak passwords, without any login limit, are especially vulnerable to attack.

(1)
(1)
AT
Andrew Tierney
Dec 18, 2016

The reason many of them don't support lockout is that they use HTTP Basic or Digest auth (i.e. the pop-up dialog that is not common on most sites) rather than full session tracking.

None of the common HTTP servers support lock outs using this authentication mechanism, hence it being absent.

(1)
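The point above about Basic/Digest auth and lockout, as an added example that is not part of the original comments or any vendor's firmware: because these schemes resend credentials on every request and keep no session, the failure counter has to be held server-side, here keyed on username and client address. `LockoutGate`, `handle_request`, `password_ok`, the deny-list and all thresholds other than the 5-attempt figure mentioned in the thread are assumptions made for illustration.

```python
import time

WEAK = {"pass", "1234", "password", "admin", "12345678"}  # constructed sample deny-list

def password_ok(pw, min_len=10):
    """Minimal strength policy: length, deny-list, at least 3 character classes."""
    classes = sum(any(f(c) for c in pw) for f in (str.islower, str.isupper, str.isdigit))
    has_symbol = any(not c.isalnum() for c in pw)
    return len(pw) >= min_len and pw.lower() not in WEAK and classes + has_symbol >= 3

class LockoutGate:
    """Failure counter keyed on (username, client address).

    Basic and Digest carry credentials with every request and keep no
    session, so the state lives here rather than in the HTTP layer.
    """
    def __init__(self, max_failures=5, window=300, lock_for=900, clock=time.monotonic):
        self.max_failures, self.window, self.lock_for = max_failures, window, lock_for
        self.clock = clock
        self.failures = {}      # key -> timestamps of recent failures
        self.locked_until = {}  # key -> time at which the lock expires

    def is_locked(self, user, addr):
        return self.clock() < self.locked_until.get((user, addr), 0.0)

    def record(self, user, addr, success):
        key, now = (user, addr), self.clock()
        if success:
            self.failures.pop(key, None)
            return
        # Keep only failures inside the sliding window, then add this one.
        recent = [t for t in self.failures.get(key, []) if now - t < self.window]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lock_for
            self.failures.pop(key, None)

def handle_request(gate, user, addr, credentials_valid):
    """Return the HTTP status an auth-protected endpoint would send."""
    if gate.is_locked(user, addr):
        return 429  # refused before the credentials are even evaluated
    gate.record(user, addr, credentials_valid)
    return 200 if credentials_valid else 401
```

Keying on the address as well as the username keeps one misbehaving client from locking every operator out, at the cost of weaker protection when attempts are spread across many addresses.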
U
Undisclosed #6
Dec 19, 2016
IPVMU Certified

The reason many of them don't support lockout is that they use HTTP Basic or Digest auth...

What do they use for authentication then?

AT
Andrew Tierney
Dec 19, 2016

HTTP Basic or Digest auth? I'm confused.

U
Undisclosed #6
Dec 18, 2016
IPVMU Certified

It's two words...

I have always preferred two words myself.

However, it should be noted that even the DHS has decided on just one, apparently in an effort to reduce storage costs one byte at a time.

It could be worse, at least we're not in Germany...

(1)
UE
Undisclosed End User #7
Dec 18, 2016

TheyCouldAlsoSaveBandwithWithSkippingSpaces

U
Undisclosed #5
Dec 18, 2016

be that as it may... :)

I imagine that this new 'word' stems from the prior development of the term/word infosec(urity) becoming adopted first.

Oddly, while cybersecurity is indeed a word according to George, Charles and Noah's page that I linked to, both infosec and infosecurity are not listed as words there.

U
Undisclosed #5
Dec 18, 2016

I am lernin' stuff today!

According to this very smart-sounding fellow, both the one and two word varieties are valid - when used in the manner he describes.

And the Axians use the noun form in the title of their webinar - wrongly.

It's two words, morons.

U
Undisclosed #6
Dec 18, 2016
IPVMU Certified

Applying this new rule though would have led to the seemingly hypocritical

Back in March, Axis held the first in a series of Cybersecurity webinars called 'The Value of Cybersecurity' - but of course it's two words...

:)

U
Undisclosed #5
Dec 18, 2016

I have been righteously served

U
Undisclosed #6
Dec 31, 2016
IPVMU Certified

You have been righteously vindicated

AT
Andrew Tierney
Dec 18, 2016

It's a common spelling of the word.

Axis seem to be one of the best at promoting secure practices, I'm not sure what attacking them on grammar achieves.

U
Undisclosed #5
Dec 18, 2016

lighten up francis...

it was a joke. since humor (at least my version of it) is lost on you, I apologize.

I used a reference to one of my previous comments (which was a joke to begin with; question 1 was not the point.... question 2 was) for comedic effect.

I don't always ring the bell.

UM
Undisclosed Manufacturer #4
Dec 19, 2016

So, since cameras ship with HTTP authentication, how many cameras out there use DIGEST authentication to prevent clear text passwords from flying through the network?

I know some brands have an option (with HTTPS disabled) of a) Basic, b) Digest, c) Digest or Basic. The problem with option C, which was their default, was the client could simply reply that they didn't support digest and be given basic authentication, negating the benefit of preventing an attacker from seeing clear text passwords. They should have only had options A & B. Make B the default, and if needed for 3rd party integration, back it down to A...

(1)
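The three auth modes described above, seen from the server side, as an added example that is not from the original comment or any camera vendor's firmware: in the combined mode a request carrying Basic credentials is accepted, so the password crosses the wire in reversible base64, while the Digest-only mode refuses it. The mode names, `USERS`, `REALM` and `check` are assumptions made for illustration.

```python
import base64, hashlib, hmac

USERS = {"operator": "Tr1cky-Horse-Lamp"}   # constructed sample account
REALM = "camera"                            # constructed realm name

def md5(s):
    # MD5 is what RFC 2617 Digest specifies; it is not a choice made here.
    return hashlib.md5(s.encode()).hexdigest()

def challenges(mode, nonce):
    """WWW-Authenticate headers the server offers in each auth mode."""
    digest = f'Digest realm="{REALM}", nonce="{nonce}", qop="auth"'
    basic = f'Basic realm="{REALM}"'
    return {"basic": [basic], "digest": [digest],
            "digest_or_basic": [digest, basic]}[mode]

def parse_digest(params):
    """Parse key="value" pairs (simplified: no commas inside values)."""
    out = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        out[key] = value.strip('"')
    return out

def check(mode, header, method, nonce):
    """Return (status, scheme_used, password_on_wire) for one request."""
    scheme, _, rest = header.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic" and mode in ("basic", "digest_or_basic"):
        try:
            user, _, pw = base64.b64decode(rest).decode().partition(":")
        except ValueError:
            return (401, "basic", True)
        ok = user in USERS and hmac.compare_digest(USERS[user].encode(), pw.encode())
        return (200 if ok else 401, "basic", True)   # password was sent in the clear
    if scheme == "digest" and mode in ("digest", "digest_or_basic"):
        p = parse_digest(rest)
        user = p.get("username", "")
        if user not in USERS or p.get("nonce") != nonce:
            return (401, "digest", False)
        ha1 = md5(f"{user}:{REALM}:{USERS[user]}")
        ha2 = md5(f"{method}:{p.get('uri', '')}")
        expected = md5(f"{ha1}:{nonce}:{p.get('nc', '')}:{p.get('cnonce', '')}:auth:{ha2}")
        ok = hmac.compare_digest(expected.encode(), p.get("response", "").encode())
        return (200 if ok else 401, "digest", False)
    return (401, None, False)   # scheme not allowed in this mode
```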
AT
Andrew Tierney
Dec 19, 2016

Digest is still pretty easy to brute force unfortunately.

They should be moving towards proper session tracking.

HK
HyuckRae Kim
Dec 20, 2016

It is obvious.

I think Axis had to first give a choice to use strong security functions, then choose whether to use it or not, only by the user.

(1)
JH
John Honovich
Jan 02, 2017
IPVM

Responding to Axis new tweet on responsibility:

RL
Randy Lines
Jan 03, 2017

10 Percent of Hacks ARE the manufacturer's fault !!  That is totally unacceptable.

U
Undisclosed #6
Jan 03, 2017
IPVMU Certified

Agree.  

So what can be done to increase the percentage of breaches due to misconfigured/poorly implemented systems, as well as increase the percentage of social engineering exploits, etc?

and thereby bring the manufacturer's fault percentage down to a more acceptable level?

(1)