Warning: Heartbleed Bug And Impact On Video Surveillance
A serious bug has been found in an implementation of SSL, called Heartbleed, used in OpenSSL. It is estimated to impact a vast array of computers (here's a list of 1000 sites vulnerable as of earlier today - Apr 8th). Most sites using open source software are likely impacted. We were and have immediately fixed it (see our passing test on heartbleed's site).
For more information, high level, see the NY Times article, technical level, see the HN discussion.
Because it impacts so many sites, we recommend changing all your passwords.
It could also impact VMS systems and IP cameras if they use OpenSSL. I am not sure which do or do not, but it's certainly worth checking.
A little more on Heartbleed from the official site:
- "The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software."
- "We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."
- "This bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously."
If anyone has any feedback on video surveillance impact of this, please share.
Really, no comments here? A catastrophic Internet wide issue and nothing?
Ok, don't complain when we spend more time criticizing manufacturers....
FYI: Dropcam has been impacted.
Weirdly, they claim "There is no indication that this vulnerability was exploited against dropcam.com" But this is the whole point of why it's such a dangerous bug. By definition / design, there would be no record of the exploit left, unless an attacker bragged about it.
In any event, I am sure there are other surveillance systems impacted, especially cloud ones.
There's a reason I am skeptical of the cloud. One day they might become secure enough for me to trust them, but for now I feel safer controlling everything. I don't even use Dropbox; everything is kept on a personal QNAP server in my basement.
Cisco has confirmed that their physical access and video surveillance products are impacted by Heartbleed. See Cisco Security Advisory.
Again, I am sure there are many, many others impacted within video surveillance.
This raises an important topic for integrators and MSPs -- what are the best practices for password management, both for internal systems and customer systems? What are some of the trusted password management services?
Curious to know what fraction of service providers take on user rights management for the end user.
CamioCam uses Perfect Forward Secrecy (read overview) for its SSL connections and we encourage everyone to use 2-step verification for sign-in. Everyone should move towards PFS and 2-step verification. But we also advocate solutions that do not require opening your network ports to outside hackers or supplying sign-in credentials to insecure cameras and DVRs. The cloud can be *much* more secure than most deployments we see out there.
Axis issued a press release saying they use OpenSSL but are not impacted. Presumably, this means they use an older version of OpenSSL.
March Networks released a statement saying that the 4000 and 8000 series recorders (version 5.7.x) are affected by the Heartbleed bug and they are developing a patch in the meantime (releasing 4/17).
Didn't comment earlier because I just got to you in the stack of Heartbleed comment requests. This post is about cameras/etc. and not ipvm.com. Cameras send business critical data and so should be encrypted using TLS, all the time (yeah, that means no multicast.) So camera vendors should care. Axis for example uses TLS, optionally. Other vendors do too. You should ask your vendors if their equipment is vulnerable. VMSes that use web UIs are also vulnerable. As are all those browsers on workstations in closed areas watching video, if they use TLS for anything (which they should.) All your network gear should be checked, e.g. that Juniper firewall in front of your command center (not picking on Juniper.) If you live in an IT-managed network your gear is about to be scanned, so better be ready when they call up and tell you you're vulnerable. Oh, yes, panels too.
How to deal: maintain the gear, do vendor updates when recommended, scan the network for vulnerabilities all the time. Nothing new here, just an opportunity for everyone to revisit the cyber maintenance practices they have concluded they could in the past ignore ;-)
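The triage step the comment above calls for (working out which cameras, VMS servers and network gear run an affected OpenSSL build), as an added example that is not code from any commenter or vendor: it parses OpenSSL version strings as they appear in HTTP Server headers or `openssl version` output, classifies them against the affected range the OpenSSL project published, and runs over a constructed device inventory. Hostnames and banners are made up for illustration.

```python
import re
from typing import NamedTuple, Optional

# Affected per the OpenSSL project's April 2014 advisory: 1.0.1 through 1.0.1f
# and the 1.0.2-beta1 pre-release. 1.0.1g fixed it; 0.9.8/1.0.0 never had the bug.
_VER_RE = re.compile(  # "OpenSSL/1.0.1e" (HTTP header) or "OpenSSL 1.0.1g 7 Apr 2014"
    r"OpenSSL[/ ]?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?", re.IGNORECASE)

class Finding(NamedTuple):
    device: str
    version: Optional[str]
    status: str  # "affected-version", "not-affected" or "unknown"

def parse_openssl_version(banner):
    """Return (major, minor, fix, letter, prerelease) or None if no version is visible."""
    m = _VER_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, pre = m.groups()
    return (int(major), int(minor), int(fix), letter.lower(), (pre or "").lower())

def heartbleed_status(ver):
    major, minor, fix, letter, pre = ver
    if (major, minor, fix) == (1, 0, 1):
        # plain 1.0.1 (letter "") sorts before "a"; "f" is the last affected letter
        return "affected-version" if letter <= "f" else "not-affected"
    if (major, minor, fix) == (1, 0, 2) and pre == "beta1":
        return "affected-version"
    return "not-affected"

def triage(inventory):
    """Classify each device by the OpenSSL version in its banner. Caveat: vendors often
    backport the fix without bumping the version, so "affected-version" means
    "confirm with the vendor", and "unknown" means the banner gave nothing to go on."""
    findings = []
    for device, banner in sorted(inventory.items()):
        ver = parse_openssl_version(banner)
        if ver is None:
            findings.append(Finding(device, None, "unknown"))
            continue
        text = "%d.%d.%d%s" % ver[:4] + ("-" + ver[4] if ver[4] else "")
        findings.append(Finding(device, text, heartbleed_status(ver)))
    return findings

# Constructed sample inventory: hostnames and banners are made up for illustration.
SAMPLE_INVENTORY = {
    "cam-lobby": "Server: Boa/0.94.14rc21 OpenSSL/1.0.1e",
    "vms-core": "OpenSSL 1.0.1g 7 Apr 2014",
    "nvr-garage": "OpenSSL 0.9.8y 5 Feb 2013",
    "fw-edge": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "cam-dock": "Server: lighttpd/1.4.28",
}
```

Devices that report "unknown" still need a vendor answer, since most embedded web servers do not advertise their TLS library at all.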
Btw, here is a timeline of the Heartbleed bug discovery and disclosure. People knew at least 2 weeks before it was publicly announced and the number of people who knew kept on expanding even before it was officially proclaimed (and this does not factor in conspiracy theories about the NSA, etc.). This means the risk that someone exploited this on a large number of services is high. On the one hand, targeting video surveillance devices is probably a less exciting prospect. On the other, since so many applications were impacted, at least one of the many services you use might be exploited.
10 days after it was announced, QNAP just released new firmware to deal with their exposure to Heartbleed. That's pretty bad, but who knows how many other surveillance manufacturers are impacted and have just said nothing.
March has an announcement about hybrid DVRs being impacted.
Genetec has issued a statement declaring them unaffected by the problem.