Subscriber Discussion

Does Every Camera Have A Latent Root-Level Vulnerability?

Undisclosed #1
Nov 08, 2017
IPVMU Certified

Axis and Sony both had them for years on a large swath of their product line.  Hikua, well you know the deal there...

So are there catastrophic vulnerabilities, yet to be identified publicly, lurking in today’s ‘secure’ products?

When a researcher encounters a vulnerability and publicly discloses it, do you think that they are likely to have been the first to discover it?

Thoughts?

Brian Karas
Nov 08, 2017
IPVM

In theory, yes, many cameras (and networked access control products) may have such vulnerabilities.

But manufacturers can reduce the chance of attack, including removing (not just disabling) ssh and telnet servers (daemons) on the devices to make it near-impossible to get shell access. There is also a lot that can be done to reduce the chances outside code can be run without authorization, which eliminates much of the botnet risks and similar risks of cameras being 'taken over' and used for other purposes.

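As an added defender-side example (not code from the thread, IPVM or any manufacturer), a shell check that tells the "disabled" state apart from the "removed" state Brian describes, run over an extracted firmware root filesystem; the daemon names it looks for and the sample tree it builds are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or any vendor: audit an extracted
# firmware root filesystem for remote-shell daemons. The point being made
# is "removed, not just disabled": a telnetd/sshd binary that is merely not
# started at boot is still on disk and can be re-enabled later.
# Assumes a plain directory tree (e.g. from unsquashfs); paths must not
# contain spaces.

audit_rootfs() {
    root="$1"
    found=0
    # 1. standalone daemon binaries, wherever they live in the tree
    for name in telnetd sshd dropbear; do
        for f in $(find "$root" -type f -name "$name" 2>/dev/null); do
            echo "PRESENT: $f (remove it, not just disable it)"
            found=1
        done
    done
    # 2. busybox may carry a telnetd applet even when no telnetd file exists
    for bb in $(find "$root" -type f -name busybox 2>/dev/null); do
        if grep -qa 'telnetd' "$bb"; then
            echo "PRESENT: $bb is built with the telnetd applet"
            found=1
        fi
    done
    # 3. startup scripts that mention a daemon, even if commented out:
    #    the disabled-but-present case the post warns about
    if [ -d "$root/etc" ]; then
        grep -rlE '(^|[/ ])(telnetd|sshd|dropbear)([ &]|$)' "$root/etc" 2>/dev/null |
        while read -r s; do
            echo "STARTUP: $s references a remote-shell daemon"
        done
    fi
    return $found   # 0 = no daemon binary present, 1 = something to remove
}

# Constructed sample rootfs for demonstration: telnetd binary still present,
# startup line commented out ("disabled" but not removed).
make_sample_rootfs() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/sbin" "$d/etc/init.d"
    printf 'constructed fake telnetd binary\n' > "$d/usr/sbin/telnetd"
    printf '#!/bin/sh\n# /usr/sbin/telnetd -l /bin/login &\n' > "$d/etc/init.d/S50telnet"
    echo "$d"
}
```

Run `audit_rootfs "$(make_sample_rootfs)"` to see the PRESENT and STARTUP findings for the constructed tree; a real image is checked by pointing it at the unpacked root directory.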
Undisclosed #1
Nov 08, 2017
IPVMU Certified

In theory, yes, many cameras (and networked access control products) may have such vulnerabilities.

But in practice, do you believe that every or nearly every device out there has a root-level access flaw?  

Obviously, many if not most will never be discovered, let alone exploited, before being surreptitiously remediated by new versions.

What’s your gut, yes/no?

bashis mcw
Nov 09, 2017


But in practice, do you believe that every or nearly every device out there has a root-level access flaw?

In practice, definitely yes, I do. And especially within legacy code, since no one audits this code except the manufacturer itself.

And I personally know for sure of several that are not out to the public (yet).

Obviously, many if not most will never be discovered, let alone exploited, before being surreptitiously remediated by new versions.

They will be discovered when researchers do source and/or binary audits. However, due to manufacturers' development there will always be new ones coming up.

In my humble opinion, this is a quite natural process to have some killed and some new ones introduced.

Well, if you totally stop all development and kill all existing vulnerabilities, you won't find any new ones - but you are killed as a manufacturer as you stopped developing.

Catch-22

Undisclosed #1
Nov 09, 2017
IPVMU Certified

In practice, definitely yes, I do...

So if every device has at least one unauthorized way to become root (and probably more), how do we decide which manufacturer is doing the best cyber security job?

It seems that it might come down to whichever manufacturer the researchers are scrutinizing the most will seem the worst.

Also, it implies no matter who you are, you are better off not making a big deal about how great your cyber defenses are.

Still, everybody does.

bashis mcw
Nov 09, 2017

I personally think the manufacturer who is the most open to both found vulnerabilities and also openly provides information to obtain root access to the devices.

This simply shows me they are not afraid and/or hiding stuff, and if vulnerabilities were found they would also openly take their responsibility to fix them and provide information for the owners of their devices.

This is from my perspective...

Undisclosed #1
Nov 09, 2017
IPVMU Certified

Should manufacturers provide their source code to researchers for inspection?

bashis mcw
Nov 09, 2017

That's up to the manufacturer, and most probably they will not.

Another angle from my side is that looking at source code and looking at disassembled binary code can give a different picture of how the code works.

However, I strongly believe they should use basic open source as a base, such as Yocto, and add their own legacy code on top where needed.

Lots of firmware from misc. manufacturers as of today is using a way outdated basic foundation.

The strength of using open source like Yocto is that all this code is continuously investigated by several hundred thousand independent developers/researchers - free of any charge.

Jon Dillabaugh
Nov 09, 2017
Pro Focus LLC

Who said flaw? Lol. They sometimes are there by design, with the hopes that people like bashis don’t find them. Is that better or worse that the vulnerability is intended to be there? Is it worse that it isn’t known by the manufacturer? I have trouble deciding myself.

bashis mcw
Nov 09, 2017

Definitely intended and intentionally hidden are the worst.

For example,

Axis has telnet disabled by default, but anyone who wants access to the device can do so.

https://www.axis.com/no/en/support/faq/FAQ38461

Hikvision has sshd enabled, but filtered by iptables rules - however, when turned off, you will only get a limited and "protected shell".

https://ipcamtalk.com/threads/is-ssh-or-telnet-available-in-5-4-5.19050/

(look down and you will find how to disable the iptables rules, by HIK design)

Now let me ask one question;

Which of these two do you think is the most interesting to audit?

1. Axis - who openly provides information to open up telnetd to access the device, and gives a root shell on the device.

2. Hikvision - who hides and filters ssh access, and gives only 'psh' (protected shell) on the device?

Who is hiding stuff? Any gut feelings?

Researchers who are determined to get in will get in - sooner or later; the proof is only to look at Montecrypto's excellent work.

Manufacturers!

If you don't have anything to hide, let researchers into your devices and they will most likely help you to sort out any discovered vulnerabilities.

- Don't be HIK, be smart.

Undisclosed Distributor #2
Nov 09, 2017

Yes, I believe there are many 0-days, for both back and front-end products.

Also, I suspect the number of products not being updated to plug known holes surpasses other tech markets.

David Reinhardt
Nov 09, 2017

Watch the video on YouTube: Black Hat 2013 - Exploiting Network Surveillance Cameras Like a Hollywood Hacker.

I currently have a network security head looking into potential security holes in our deployed cameras.

bashis mcw
Nov 09, 2017

This is one of the most impressive research/PoC I've seen, and it doesn't even need to have any vulnerabilities within the device.

DEF CON 23 - Van Albert and Banks - Looping Surveillance Cameras through Live Editing

Undisclosed Integrator #3
Nov 09, 2017

Please stop Bashis... I already have enough freaking ulcers...

bashis mcw
Nov 09, 2017

Watch to the end ;)

Undisclosed Integrator #3
Nov 09, 2017

LMAO. At least this hack requires physical access to the cable to achieve. Better than some of the stuff that is floating around. 

Christopher Freeman
Nov 10, 2017

This is why we limit access to, and have locked protocols in, IT closets and rooms with separated partitions.

Not easy access for this one.

Audit Trails for tracking personnel and access to and from IT. 

Simon Lambert
Nov 15, 2017
IPVMU Certified

This way lies insanity... ;)

bashis mcw
Nov 09, 2017

So are there catastrophic vulnerabilities, yet to be identified publicly, lurking in today’s ‘secure’ products?

Definitely, the answer is yes.

When a researcher encounters a vulnerability and publicly discloses it, do you think that they are likely to have been the first to discover it?

Most probably not (maybe with some exceptions of deeply hidden and blind ones).

Undisclosed Integrator #3
Nov 09, 2017

Most of the pentesters I know consider IP Cameras a joke in terms of security. I remember one of them referred to IP Cameras as "glorified IoT s***".

So IMO I believe there are still multiple 0-days left to be exploited. That being said, it tends to be overshadowed by exploits like Krack which affect much more than just our industry.
