Subscriber Discussion

Axis Cameras Riddled With Vulnerabilities

Sean Nelson
Jun 19, 2018
Nelly's Security

Axis Cameras Riddled With Vulnerabilities Enabling Full Control

So you have ripped all your Hikvision/Dahua cameras out and replaced them with Axis, now what shall you be replacing them with? 

Brian Rhodes
Jun 19, 2018
IPVMU Certified

We've got a full update on this coming, I'll update here when we publish.

Dave Arnould
Jun 19, 2018

This Vulnerability was already posted yesterday.

Shannon Davis
Jun 19, 2018
IPVMU Certified

To me the issue with security vulnerabilities with any IT device is the response to the vulnerability, owning it and how quickly they can fix it. NO IT DEVICE will ever be free from vulnerabilities no matter how much testing the manufacturer does. When manufacturers don't admit vulnerabilities exist, do little or nothing to correct the issue or take forever to finally fix the issues, that is what has damaged the reputation of some of the manufacturers.

Undisclosed #1
Jun 19, 2018

Well said. The type of vulnerability says a lot too. A magic query string in the URL (backdoor) makes me question everything the manufacturer knows about security and their efforts to produce and audit secure products. A complex vulnerability requiring the chaining of multiple exploits or a vulnerability in widely used libraries for protocols like SSL/TLS or RTSP is an inevitability that we should watch for and respond to accordingly.

When a pattern of low-sophistication exploits emerges along with poor communication and defensiveness, it's enough to put me off before bringing politics into the discussion.

Hikvision is never going to shed criticism over government sponsorship, and I would expect the Chinese government and customers to be wary of products developed by companies with similar links to the US government, for example. Heck, as a US citizen I'd be concerned about putting US government sponsored networked hardware on my network too. But taking responsibility for their mistakes, communicating them responsibly without juvenile jabs at naysayers and allowing their cyber security director to operate as more than a hood ornament would go a long way toward repairing their reputation.

Undisclosed Integrator #2
Jun 19, 2018

Hey Sean. As the UI1 who posted about the Axis Vulnerabilities yesterday I wouldn't be throwing stones...

https://www.bleepingcomputer.com/news/security/all-that-port-8000-traffic-this-week-yeah-thats-satori-looking-for-new-bots/

Sean Nelson
Jun 19, 2018
Nelly's Security

I hereby would like to coin a new term

"Ax Hater"

Undisclosed #3
Jun 19, 2018

Undisclosed #4
Jun 20, 2018
IPVMU Certified

I hereby would like to coin a new term

Done.

 

Sean Nelson
Jun 20, 2018
Nelly's Security

Lol! FYI, I'm not an "ax hater". Just coining the term ahead of time for when people start talking about Sweden's role in WCW1. World Cyber War 1.

Sean Patton
Jun 20, 2018