Network Optix Director Criticizes Asian Camera 'Backdoor'

John Honovich
Dec 01, 2017
IPVM

Graafsma's comment was published right after IPVM's post: Axis 5 Vulnerability Discoveries.

This is important to highlight because it showcases the ignorance of even a 'technical director'.

Not all vulnerabilities are the same, regardless of who the manufacturer is. The crucial distinction is what the vulnerability allows an attacker to do and how hard it is to exploit.

Vulnerabilities vs Backdoors

Take the Hikvision WiFi Vulnerability. It is not a backdoor (nor do we call it a backdoor) because that vulnerability does not allow executing admin-level commands, nor changing the password, nor taking control of the admin account, etc.

By contrast, the Hikvision IP camera backdoor is a backdoor because it easily allows executing admin-level commands, changing the password, and taking control of the admin account.

Likewise, the Axis 'vulnerabilities' are not backdoors because they do not allow executing admin-level commands, nor changing the password, nor taking control of the admin account, etc. 

Understanding the Details

One needs to understand the details of each vulnerability to understand how bad it is. That is why scoring systems like CVSS exist: they differentiate and categorize vulnerabilities by their severity.

The Excuse 

Give credit where credit is due. This ignorance, willful or otherwise, is a key marketing counter tactic. "All vulnerabilities are the same. Anyone can have a vulnerability, ergo buy the cheapest thing possible."

Unfortunately, low-cost manufacturers (primarily Asian), to date, simply have had the most severe vulnerabilities in the industry. It's just fact.

bashis mcw
Dec 01, 2017

Totally agree, big differences when you look at the patterns combined with the volume of affected devices.

Whether it's ignorance or simply a lack of understanding/knowledge of the subject, I'll leave without comment.
Undisclosed #1
Dec 01, 2017
IPVMU Certified

Backdoors are intentionally created secret access methods.

Unintentional bugs which give such access are not backdoors.

Sometimes it's hard to know the difference because you don't know the intent.

So what the writer is saying is that when such a vulnerability is discovered in a Western product it might be described as just a vulnerability. The point that N.G. is implying is that with Asian products, it is more apt to be described as a backdoor, even in cases where it might be unclear.

The magic string exploits are backdoors.

The Sony hack was a backdoor.

The Axis format string was a vulnerability/bug (probably!)

bashis mcw
Dec 02, 2017

The Axis format string was a vulnerability/bug (probably!)

I was suspecting a (smart format string) backdoor for a very long time, and I also tried to prove this to myself, as the pattern was very similar across a wide range of major FW versions, but the few times I was convinced, some unexpected things happened while exploiting and I went back to not being sure.

At some point in my 6 months of research I had around 100 different unpacked images with different major and minor versions for ARM/MIPS and Crisv32 that I ran within QEMU for testing and to get the proof for myself.

I even challenged Axis in our early conversations that it actually was an intentional backdoor; however, they showed me where the bug entered.

After this, I spent a significant amount of time trying to implement this kind of backdoor in the lab, and it's indeed working; however, the pattern is pretty obvious and it could be quite easy to prove it was intentional.

(This work has not been released, as I'm still working on it - now and then)
Bas Poiesz
Dec 04, 2017

Although a vulnerability and a backdoor are not the same, one can't deny the overwhelming sentiment against all things Chinese.

Bashing someone for making that statement, a feeling many share on IPVM, is a cheap shot, childish.

I would take your contributions and articles far more seriously without the added sentiment.
Undisclosed #2
Dec 04, 2017

Defending ignorance with false logic statements doesn't actually help the OP argument... it weakens it.

"...one can't deny.."

"...a feeling many share..."

"I would take your contributions...more serious 'if'.."

These are all deflections based on your own personal opinion... supported by nothing.

Undisclosed #1
Dec 04, 2017
IPVMU Certified

your own personal opinion... supported by nothing.

Bas Poiesz
Dec 04, 2017

"I would take your contributions...more serious 'if'.." is absolutely my personal opinion.

As far as a feeling many share and one can't deny... those arguments have been shared in depth in so many posts I've lost count. It's all been said and I doubt someone pro or con will switch sides (yes, my personal opinion).
Undisclosed #2
Dec 04, 2017

My point is that the OP made by Mr. Graafsma is factually incorrect - and that you just reshaped his flawed argument with added fluff such as 'one can't deny' what Mr. Graafsma said.

This is not a defense - it is simply you saying the same thing that he said while offering no rebuttal at all to the criticism of the OP. 

"Some CCTV sites claim a flaw in a non-Asian camera as a vulnerability, but when it is Asian camera they call it a backdoor."

This is simply wrong - as explained well in others' comments above/below.

Undisclosed #1
Dec 04, 2017
IPVMU Certified

My point is that the OP made by Mr. Graafsma is factually incorrect...

What exactly do you find factually incorrect about Mr. Graafsma’s post?  

Undisclosed #2
Dec 04, 2017

His 'some sites' is a reference to IPVM.  Agree?

IPVM has never labeled a simple vulnerability as a backdoor - regardless of the nationality of the camera maker.  Agree?

  

Undisclosed #1
Dec 04, 2017
IPVMU Certified

Take Dahua Backdoor Uncovered vs. Axis Critical Security Vulnerability

Both discovered by bashis. Of both, bashis contemporaneously said they were potentially backdoors, but maybe not.

The Axis report doesn’t mention this possibility, the Dahua states it in the title.

Granted that bashis seems much more suspicious of the Dahua than the Axis (especially now), but again it’s a question of intent.

 

Undisclosed #2
Dec 04, 2017

Both of your referenced reports have been updated since they were originally posted (stated within both reports).  I do not know what the original titles were compared to what they are now - BUT.... that is neither here nor there.

The Dahua title is a statement of fact.  This was/is a textbook backdoor.  This was specifically-written code (though unpublished publicly) that was written with intent... to allow 'backdoor' access.  Agree?

The Axis report points out that the vulnerability described within is a critical level flaw that can potentially be exploited - not that Axis put it there on purpose. i.e. it ain't a backdoor.
Undisclosed #1
Dec 04, 2017
IPVMU Certified

The Dahua title is a statement of fact.

Did Dahua admit it? The report doesn’t say they do. Is the evidence overwhelming that it must be?  No, as bashis says himself.

Bashis concludes that the combination of these elements points to a backdoor rather than a mistake, though Bashis notes that only Dahua truly knows what their intent / 'error' was here.

As for the Axis report, as bashis says himself above

I was suspecting a (smart format string) backdoor for a very long time, and I also tried to prove this to myself, as the pattern was very similar across a wide range of major FW versions, but the few times I was convinced, some unexpected things happened while exploiting and I went back to not being sure.

For the original titles of the reports, they may be in your emails.

So bashis is pretty sure the Dahua is a backdoor but not 100% (unless something has changed), but not sure the Axis isn't one.

Undisclosed #1
Dec 04, 2017
IPVMU Certified

Yeah, I agree it looks like a backdoor + sloppy coding, though I wouldn't be shocked if it was just sloppy, and that somebody left a debug routine in there by accident.
Undisclosed #2
Dec 04, 2017

We are splitting hairs here I believe #1.....

"Did Dahua admit it? The report doesn’t say they do. Is the evidence overwhelming that it must be? No, as bashis says himself.

Bashis concludes that the combination of these elements points to a backdoor rather than a mistake, though Bashis notes that only Dahua truly knows what their intent / 'error' was here."

I am not stating that Dahua intentionally left the backdoor in their production code - just that they clearly designed this particular piece of code to do exactly what it does... allow (admittedly non-published) backdoor access - most probably created while in development.

Willful actions and sloppy coding are not mutually exclusive - they can happen in tandem, which is exactly what I think is the case with the Dahua Backdoor.

Undisclosed #1
Dec 04, 2017
IPVMU Certified

...splitting hairs...

Ok, I’ll agree the Dahua was a backdoor, though maybe you’ll agree that there is a real possibility that the Axis was as well.

Without the sloppy coding...

 

Undisclosed #2
Dec 04, 2017

I will absolutely accept that the Axis vulnerability might possibly be a backdoor...

But without evidence that I can actually see to support this theory (unlike in the 'unpublished-URL' Dahua backdoor), I would find it difficult to claim this Axis vulnerability was a backdoor... especially in the title of a post describing same.

Undisclosed #1
Dec 04, 2017
IPVMU Certified

...I would find it difficult to claim this Axis vulnerability was a backdoor... especially in the title of a post describing same.

Splitting straw ;)  

I didn't say it had to claim it in the title. But I don't think it would have been wrong to suggest the possibility in the article itself.
Undisclosed #2
Dec 04, 2017

Fair enough...  ; )

bashis mcw
Dec 04, 2017

This is an intentional (non-crashing) Format String backdoor, my PoC (with some borrowed w3 code), with lots of sloppy coding from my side.

tiny-w3-mcw.c
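As an added illustration of the bug class this thread keeps returning to (a constructed example, not bashis's PoC and not Axis or w3 code): a server routine that passes a client-supplied request string as the format argument, placed beside the fixed-format form, plus a small check a reviewer can run over logged input to flag conversion directives. Function names, the sample requests and the buffer size are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* VULNERABLE pattern: the untrusted request string IS the format string,
 * so any '%' directive it carries is interpreted by snprintf. This is the
 * shape of the format-string flaw discussed above; it is shown for
 * contrast and is deliberately never called with hostile input here. */
void log_request_unsafe(char *out, size_t n, const char *request)
{
    snprintf(out, n, request);   /* compilers flag this with -Wformat-security */
}

/* HARDENED pattern: a literal format string, untrusted data as an argument.
 * The request is copied verbatim and no directive inside it is honoured. */
void log_request_safe(char *out, size_t n, const char *request)
{
    snprintf(out, n, "%s", request);
}

/* Detection helper for log review: returns 1 if the string contains a
 * conversion directive, i.e. a '%' not immediately followed by another '%'
 * ("%%" is just a literal percent sign and is not flagged). */
int has_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {       /* skip the escaped pair */
            p++;
            continue;
        }
        return 1;                /* '%x', '%s', '%n', or a lone trailing '%' */
    }
    return 0;
}

/* Runs the hardened logger and reports whether the input survived unchanged,
 * which is the property the fixed-format call guarantees. */
int safe_logger_preserves(const char *request)
{
    char buf[128];               /* assumed log line size */
    log_request_safe(buf, sizeof buf, request);
    return strcmp(buf, request) == 0;
}

int main(void)
{
    /* constructed sample requests */
    const char *benign = "GET /index.html HTTP/1.0";
    const char *suspect = "GET /%x%x HTTP/1.0";
    printf("%s -> directive? %d\n", benign, has_format_directive(benign));
    printf("%s -> directive? %d, preserved by safe logger: %d\n",
           suspect, has_format_directive(suspect), safe_logger_preserves(suspect));
    return 0;
}
```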

 

Undisclosed #1
Dec 05, 2017
IPVMU Certified

Looks cool!

I assume you would try to obfuscate some of the logic to make it harder to understand if someone reverse compiled it.

What’s the reason for the GOT_COUNT compiler directive?

John Honovich
Dec 04, 2017
IPVM

sentiment...feeling

Jonathan, what is worthwhile is evidence and logic, not sentiment and feeling.

Your pattern is to vent emotions and post easily disprovable assertions.

I respect the fact that, as a Hikvision distributor, you are standing by them in their crisis, but I would respect you more if you can muster evidence and logic to contradict and disprove mine on backdoors vs vulnerabilities. Can you?

Bas Poiesz
Dec 05, 2017

Well I knew when I hit Post Reply that you would remind me a third time of my error (not checking if you covered an item). Thanks for that I won't forget again.

To me it proves that you are predictable (yes this might be an opinion).

Yes, my position influences my opinion, as does yours. How the average American or the average European sees a communist country greatly differs.

It might interest you to know that per 1-5-2018 the European privacy law kicks in which makes the privacy laws the same in all EU countries. This demands more from every camera system, more than any camera can provide by itself.

Viewing any product as inherently safe is not possible, no matter the brand or who is behind the brand. Taking responsibility for how the system is set seems to be coming back, and I am very happy about that.

 

Undisclosed #1
Dec 05, 2017
IPVMU Certified

...you would remind me a third time of my error...

Saw the third, clicked for the first, but when was the second? :)

Bas Poiesz
Dec 05, 2017

I am not that good at searching on IPVM, but I'm sure John is more than willing to supply the link ;)

Bas Poiesz
Dec 06, 2017

Found it!

https://ipvm.com/forums/video-surveillance/topics/wsj-when-your-company-makes-you-queasy-what-should-hikvision-employees-do#post-149807

 

John Honovich
Dec 06, 2017
IPVM

Found it!

You found another example of you being completely wrong. I am amused that you are proud. 

Bas Poiesz
Dec 06, 2017

Glad I made you smile John, good to see you have a human side too ;).

 

John Honovich
Dec 05, 2017
IPVM

Viewing any product as inherently safe is not possible, no matter the brand or who is behind the brand.

That's a straw man. Another simplistic logical error. I have never argued that any product is "inherently safe" and again, instead of citing evidence, you just fabricate an allegation.

Indeed, instead of taking a minute to read before posting, you ignored my contention, quote:

Unfortunately, low-cost manufacturers (primarily Asian), to date, simply have had the most severe vulnerabilities in the industry. It's just fact.

If you have evidence to disprove that, please share.

Bas Poiesz
Dec 05, 2017

I never said I don't agree that their breaches have been severe. As a Hik distri we understand the impact to installers more than you seem to appreciate. For years we have been shipping a lot more IP, even though analog is cheaper.

If you like facts over feelings, the EU privacy law is fact and for this continent, of importance.

But like I said a few posts back you are predictable John, and I don’t enjoy arguing/discussing with you at all. 

I’ll stop replying in this post. And please don’t respond like last time with more links and demands of me explaining/defending my stand. 

 

U
Undisclosed #2
Dec 05, 2017

Undisclosed #1
Dec 06, 2017
IPVMU Certified

Maybe an A1001?  Brian warned them.
