Network Optix Director Criticizes Asian Camera 'Backdoor'

Graafsma's comment was published right after IPVM's post: Axis 5 Vulnerability Discoveries.

This is important to highlight because it showcases the ignorance of even a 'technical director'.

Not all vulnerabilities are the same, regardless of who the manufacturer is. The crucial distinction is what the vulnerability allows an attacker to do and how hard it is to exploit.

Vulnerabilities vs Backdoors

Take the Hikvision WiFi Vulnerability. It is not a backdoor (nor do we call it a backdoor) because that vulnerability does not allow executing admin-level commands, nor changing the password, nor taking control of the admin account, etc.

By contrast, the Hikvision IP camera backdoor is a backdoor because it easily allows executing admin-level commands, changing the password, and taking control of the admin account.

Likewise, the Axis 'vulnerabilities' are not backdoors because they do not allow executing admin-level commands, nor changing the password, nor taking control of the admin account, etc.

Understanding the Details

One needs to understand the details of each vulnerability to understand how bad it is. That is why scoring systems such as CVSS exist: they help differentiate and categorize vulnerabilities by their severity.

The Excuse

Give credit where credit is due. This ignorance, willful or otherwise, is a key marketing counter-tactic: "All vulnerabilities are the same. Anyone can have a vulnerability, ergo buy the cheapest thing possible."

Unfortunately, low-cost manufacturers (primarily Asian), to date, simply have had the most severe vulnerabilities in the industry. It's just fact.
