Subscriber Discussion

Does Anyone Else Use ICS-CERT As A Cyber Tool?

Undisclosed End User #1
Mar 20, 2018

Let's be fair now, do you even know what ICS-CERT is and what they really do? 

What should you do if you installed a product that was listed with an ICS-CERT Alert or Advisory? Do you share it with the customer's ISO and recommend the ICS-CERT Mitigation path? Here is an example only, not calling out any specific supplier whatsoever. Geutebruck IP Cameras Vulnerability

John Honovich
Mar 20, 2018
IPVM

We follow the ICS-CERT RSS feed to get updates. Both the Hikvision backdoor and Dahua backdoor, e.g., had ICS-CERT advisories.

The advisory you link to (on Geutebruck) literally just came out today. The CVSS scores are quite high, which is a bad sign. The only limiting issue is the lack of Geutebruck cameras being used.

bashis mcw
Mar 20, 2018

The 'problem' with ICS-CERT is they rely (seems so) on researchers reporting to them. However, I don't know for sure how the Dahua backdoor ended up there, but there was dialog between Dahua/ICS-CERT. (Some other CERTs monitor misc. mailing lists and other sources.)

There is a great deal more that never shows up on any CERT; much is public and copied from various mailing lists/Exploit DBs/GitHub (GitHub hosting plenty of interesting work), where some sites are not public (w/o fee), and quite easy to find by simply asking Ms. Google.

My point here is: don't rely only on (ICS) CERT; try to be active and do your own searching to keep yourself updated.

My $0.02 to this topic

John Honovich
Mar 20, 2018
IPVM

Related, Hikvision has taken to marketing based on the number of ICS-CERT filings, as if the total number indicates security, regardless of the severity of issues or issues not reported by ICS-CERT.

bashis mcw
Mar 20, 2018

Additionally, in my humble opinion, that type of reporting falls under the manufacturer's responsibility, not the researcher's.

I know there are manufacturers that don't agree with me in this opinion, but this is mine.

John Honovich
Mar 20, 2018
IPVM

"that type of reporting falls under the manufacturer's responsibility, not the researcher's."

Bashis, so you mean the manufacturer should self-report this to ICS-CERT or? Trying to make sure I understand.

bashis mcw
Mar 20, 2018

Of course, it's their thing for trying to reach out to all of their customers (even non-paying for support).

Simply look at how Microsoft, Cisco and other big/small actors do their reporting, and learn from them.

No, here in the CCTV 'Security' world it's better to keep silent and respond when it's too 'late', even if they have already known about and fixed the issue several months back.

Isn't it better that manufacturers try their hardest to inform/warn their customers of vulnerabilities (and some can be very serious), pointing to their updates before details are out?

This has no logic for me.

bashis mcw
Mar 20, 2018

You can see it two ways

1. Manufacturers reporting security vulnerabilities to their customers as early as possible and pointing to fixed firmware.

or

2. Researchers reporting to manufacturers' customers that there are serious issues, and providing details and maybe working exploits.

Then the manufacturers informing about security vulnerabilities and pointing to fixed firmware.

How would you choose to be informed?

John Honovich
Mar 20, 2018
IPVM

"Isn't it better that manufacturers try their hardest to inform/warn their customers of vulnerabilities (and some can be very serious), pointing to their updates before details are out?"

Their logic is this:

There is a greater than 0 probability that no one publicly ever finds out. 

There is a non-trivial probability that even if 'cyber' people find out, their customers will never know.

And even if IPVM reports on it, a good portion of their dealers will never know.

So to them, it's a choice of making themselves look bad immediately vs the probability of many people never finding out.

I am not saying I agree with it, but I am quite certain this is a common rationalization.

bashis mcw
Mar 20, 2018

The details by the researcher will be out, sooner or later - simple facts.

"I am not saying I agree with it, but I am quite certain this is a common rationalization."

It is. I had my conversations with some manufacturers exactly about this, and what you described above is their point of view.

I am also an end customer, and from my own point of view, I want to know about potential security vulnerabilities from the manufacturer before details from the researcher have been published; that would give me a small chance to protect my own equipment before details have been published.

I think this question would be a good poll here on IPVM, maybe I'm the only one who thinks like this, I don't know...