Warning: Heartbleed Bug And Impact On Video Surveillance

A serious bug has been found in an implementation of SSL, called Heartbleed, used in OpenSSL. It is estimated to impact a vast array of computers (here's a list of 1000 sites vulnerable as of earlier today - Apr 8th). Most sites using open source software are likely impacted. We were and have immediately fixed it (see our passing test on heartbleed's site).

For more information, high level, see the NY Times article, technical level, see the HN discussion.

Because it impacts so many sites, we recommend changing all your passwords.

It could also impact VMS systems and IP cameras if they use OpenSSL. I am not sure which do or do not, but it's certainly worth checking.

A little more on Heartbleed from the official site:

  • "The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software."
  • "We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."
  • "This bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously."

If anyone has any feedback on video surveillance impact of this, please share.

Really, no comments here? A catastrophic Internet wide issue and nothing?

Ok, don't complain when we spend more time criticizing manufacturers....

Not a video related question ... "Change your passwords": is that referring to the sites on the list, or are all passwords and sensitive info on the computers compromised?

Changing all your passwords is probably your best bet. It's hard to know what sites were or were not impacted, and it's a safe bet that most of the big sites on the Internet were impacted because OpenSSL is so broadly used.

Change your passwords if the sites have been patched... if you changed them before they were patched, change them again...

Correct. It does little good to change passwords on sites that are still vulnerable.

Here is a link to some top websites and current vulnerability status:

Heartbleed Sites

FYI: Dropcam has been impacted.

Weirdly, they claim "There is no indication that this vulnerability was exploited against dropcam.com" But this is the whole point of why it's such a dangerous bug. By definition / design, there would be no record of the exploit left, unless an attacker bragged about it.

In any event, I am sure there are other surveillance systems impacted, especially cloud ones.

There's a reason I am skeptical of the cloud. One day they might become secure enough for me to trust them, but for now, I feel safer controlling everything. I don't even use Dropbox; everything is kept on a personal QNAP server in my basement.

Cisco has confirmed that their physical access and video surveillance products are impacted by Heartbleed. See Cisco Security Advisory.

Again, I am sure there are many, many others impacted within video surveillance.

This raises an important topic for integrators and MSPs -- what are the best practices for passwords management both for internal systems and customer systems? What are some of the trusted password management services?

Curious to know what fraction of service providers take on user rights management for the end user.

CamioCam uses Perfect Forward Secrecy (read overview) for its SSL connections and we encourage everyone to use 2-step verification for sign-in. Everyone should move towards PFS and 2-step verification. But we also advocate solutions that do not require opening your network ports to outside hackers or supplying sign-in credentials to insecure cameras and DVRs. The cloud can be *much* more secure than most deployments we see out there.

Carter, thanks. Is CamioCam using 2-step verification? If so, is it mandatory? And are you doing it, like Google, by sending a code to one's phone number on file?

I certainly see the benefits. I just wonder how many users would object to having to do that.

Btw, do you know how Google determines one is looking in from the same computer in the future? Is it Cookie based or?

Yes, CamioCam uses 2-step verification but we do not *require* that you use it (we recommend it and use it personally). We actually use Google's authentication system ourselves so that customers do not need to create yet another username and password and get the benefit of Google's advances. Though you can receive an SMS, I prefer to use Google Authenticator, which generates the code locally on your phone (rather than receiving an SMS). You're prompted only once every 30 days on the same computer/device, so it really doesn't feel like a big hassle - especially in comparison to the security advantage. Google does cookie the device, but I can't discuss all the other techniques they use to deter fake sign-ins (but their investment in that stuff is why we use them for our auth).

p.s. download Google Authenticator here

I don't think Perfect Forward Secrecy helps. Yes, if an attacker compromises your current session key they can't get a session you did a month ago. That was not the point. The point was that the secret key of the certificate (identity of the web site) could be leaked. Not the transient key used for crypto sessions. How could it affect that - you'd have to change certs at every session. PFS is a good thing but it wouldn't stop memory leaks from heartbeat that leak all sorts of things (like passwords and config values.)

(Yep, that's only partially in English because I'm talking about crypto. Sorry about that.)

Axis issued a press release saying they use OpenSSL but are not impacted. Presumably, this means they use an older version of OpenSSL.

March Networks released a statement saying that the 4000 and 8000 series recorders (version 5.7.x) are affected by the Heartbleed bug and they are developing a patch in the meantime (releasing 4/17).

Didn't comment earlier because I just got to you in the stack of Heartbleed comment requests. This post is about cameras/etc. and not ipvm.com. Cameras send business critical data and so should be encrypted using TLS, all the time (yeah, that means no multicast.) So camera vendors should care. Axis for example uses TLS, optionally. Other vendors do too. You should ask your vendors if their equipment is vulnerable. VMSs that use web UIs are also vulnerable. As are all those browsers on workstations in closed areas watching video, if they use TLS for anything (which they should be.) All your network gear should be checked e.g. that Juniper firewall in front of your command center (not picking on Juniper.) If you live in an IT-managed network your gear is about to be scanned so better be ready when they call up and tell you you're vulnerable. Oh, yes, panels too.

How to deal: maintain the gear, do vendor updates when recommended, scan the network for vulnerabilities all the time. Nothing new here, just an opportunity for everyone to revisit the cyber maintenance practices they have concluded they could in the past ignore ;-)
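As an added illustration of the "heartbeat" leak mentioned above and of the kind of check a network scan can run, here is a small detector (example code written for this page, not from any poster or vendor). It parses raw TLS records and flags a heartbeat request whose declared payload length is larger than what the record actually carries, which is the condition an unpatched OpenSSL answered by copying process memory into the reply. The sample bytes are constructed for the example; a real deployment would feed it captured traffic.

```python
import struct

# TLS record header: content type (1 byte), version (2 bytes), length (2 bytes).
TLS_HEARTBEAT_CONTENT_TYPE = 24
HEARTBEAT_REQUEST = 1


def parse_tls_records(data: bytes):
    """Yield (content_type, version, body) for each TLS record in the byte stream."""
    offset = 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        offset += 5 + length
        yield ctype, version, body


def heartbeat_is_malformed(body: bytes) -> bool:
    """True when a heartbeat request claims more payload than the record carries.

    A peer must echo back the claimed number of payload bytes; an unpatched
    OpenSSL did so without checking the claim, so the reply contained whatever
    sat in memory after the real payload. RFC 6520 also requires at least
    16 bytes of padding after the payload, so a valid request satisfies
    claimed_len + 16 <= actual bytes present.
    """
    if len(body) < 3:          # need type (1 byte) + payload_length (2 bytes)
        return True
    hb_type, claimed_len = struct.unpack("!BH", body[:3])
    actual_len = len(body) - 3
    return hb_type == HEARTBEAT_REQUEST and claimed_len + 16 > actual_len


def flag_heartbleed_attempts(data: bytes):
    """Return the indices of TLS records that look like Heartbleed probes."""
    flagged = []
    for i, (ctype, _version, body) in enumerate(parse_tls_records(data)):
        if ctype == TLS_HEARTBEAT_CONTENT_TYPE and heartbeat_is_malformed(body):
            flagged.append(i)
    return flagged


# Constructed sample traffic (not captured from any real system):
# a benign heartbeat request with a 4-byte payload plus 16 bytes of padding,
# followed by a request that claims 256 payload bytes but carries only 4.
BENIGN = bytes([24, 3, 1, 0, 23, 1, 0, 4]) + b"ping" + b"\x00" * 16
PROBE = bytes([24, 3, 1, 0, 7, 1, 1, 0]) + b"ping"

if __name__ == "__main__":
    print(flag_heartbleed_attempts(BENIGN + PROBE))  # [1]: only the second record is flagged
```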

Btw, here is a timeline of the Heartbleed bug discovery and disclosure. People knew at least 2 weeks before it was publicly announced and the number of people who knew kept on expanding even before it was officially proclaimed (and this does not factor in conspiracy theories about the NSA, etc.). This means the risk that someone exploited this on a large number of services is high. On the one hand, targeting video surveillance devices is probably a less exciting prospect. On the other, since so many applications were impacted, at least one of the many services you use might be exploited.

10 days after it was announced, QNAP just released new firmware to deal with their exposure to Heartbleed. That's pretty bad, but who knows how many other surveillance manufacturers are impacted and have just said nothing.

March has an announcement about hybrid DVRs being impacted.

Genetec has issued a statement declaring them unaffected by the problem.