Really, no comments here? A catastrophic Internet wide issue and nothing?
Ok, don't complain when we spend more time criticizing manufacturers....
Not a video-related question ... "Change your passwords": is that referring to the sites on the list, or are all passwords and sensitive info on the computers compromised??
FYI: Dropcam has been impacted.
Weirdly, they claim "There is no indication that this vulnerability was exploited against dropcam.com" But this is the whole point of why it's such a dangerous bug. By definition / design, there would be no record of the exploit left, unless an attacker bragged about it.
In any event, I am sure there are other surveillance systems impacted, especially cloud ones.
Command Corporation | IPVMU Certified | 04/10/14 02:44pm
There's a reason I am skeptical of the cloud. One day they might become secure enough for me to trust them, but for now, I feel safer controlling everything. I don't even use Dropbox; everything is kept on a personal QNAP server in my basement.
Cisco has confirmed that their physical access and video surveillance products are impacted by Heartbleed. See Cisco Security Advisory.
Again, I am sure there are many, many others impacted within video surveillance.
This raises an important topic for integrators and MSPs -- what are the best practices for passwords management both for internal systems and customer systems? What are some of the trusted password management services?
Curious to know what fraction of service providers take on user rights management for the end user.
CamioCam uses Perfect Forward Secrecy (read overview) for its SSL connections and we encourage everyone to use 2-step verification for sign-in. Everyone should move towards PFS and 2-step verification. But we also advocate solutions that do not require opening your network ports to outside hackers or supplying sign-in credentials to insecure cameras and DVRs. The cloud can be *much* more secure than most deployments we see out there.
Axis issued a press release saying they use OpenSSL but are not impacted. Presumably, this means they use an older version of OpenSSL.
IPVMU Certified | 04/14/14 07:49pm
March Networks released a statement saying that the 4000 and 8000 series recorders (version 5.7.x) are affected by the Heartbleed bug and they are developing a patch in the meantime (releasing 4/17).
Didn't comment earlier because I just got to you in the stack of Heartbleed comment requests. This post is about cameras/etc. and not ipvm.com. Cameras send business-critical data and so should be encrypted using TLS, all the time (yeah, that means no multicast). So camera vendors should care. Axis, for example, uses TLS, optionally. Other vendors do too. You should ask your vendors if their equipment is vulnerable. VMSs that use web UIs are also vulnerable. As are all those browsers on workstations in closed areas watching video, if they use TLS for anything (which they should be). All your network gear should be checked, e.g. that Juniper firewall in front of your command center (not picking on Juniper). If you live in an IT-managed network your gear is about to be scanned, so better be ready when they call up and tell you you're vulnerable. Oh, yes, panels too.
How to deal: maintain the gear, do vendor updates when recommended, scan the network for vulnerabilities all the time. Nothing new here, just an opportunity for everyone to revisit the cyber maintenance practices they have concluded they could in the past ignore ;-)
Btw, here is a timeline of the Heartbleed bug discovery and disclosure. People knew at least 2 weeks before it was publicly announced, and the number of people who knew kept on expanding even before it was officially proclaimed (and this does not factor in conspiracy theories about the NSA, etc.). This means the risk that someone exploited this on a large number of services is high. On the one hand, targeting video surveillance devices is probably a less exciting prospect. On the other, since so many applications were impacted, at least one of the many services you use might be exploited.
10 days after it was announced, QNAP just released new firmware to deal with their exposure to Heartbleed. That's pretty bad, but who knows how many other surveillance manufacturers are impacted and have just said nothing.
March has an announcement about hybrid DVRs being impacted.
IPVMU Certified | 04/23/14 05:45pm
Genetec has issued a statement declaring them unaffected by the problem.