Subscriber Discussion

Should Axis Hack Axis Public Cameras?

Undisclosed #1
Jul 21, 2016
IPVMU Certified

Hack meaning run a script on all accessible Axis cameras that would use the published exploit to gain access, and then make minimal changes to plug the hole and exit the camera in a matter of seconds.

Yes/No?

Undisclosed #2
Jul 21, 2016

Pretty sure that knowingly accessing a device remotely that you do not own/control is an offense punishable by prison time.

(1)
Undisclosed #1
Jul 21, 2016
IPVMU Certified

You think you would get put in prison if you ran a script to fix a vulnerability on a system which did not retrieve any information, and there was no intention to do harm?

Undisclosed #2
Jul 21, 2016

Ask Aaron Swartz that question.

....oh yeah, you can't.

Undisclosed #1
Jul 21, 2016
IPVMU Certified

which did not retrieve any information, and there was no intention to do harm?

Undisclosed #2
Jul 21, 2016

Please... Swartz accessed information that was readily available (legally) via JSTOR - he didn't break into anything.

If you want to split hairs then... what about weev?

Undisclosed #1
Jul 21, 2016
IPVMU Certified

According to authorities, they obtained the ICC-ID and e-mail address for about 120,000 iPad users, including dozens of elite iPad early adopters such as New York Mayor Michael Bloomberg, then-White House Chief of Staff Rahm Emanuel, anchorwoman Diane Sawyer of ABC News, New York Times CEO Janet Robinson and Col. William Eldredge, commander of the 28th Operations Group at Ellsworth Air Force Base in South Dakota, as well as dozens of people at NASA, the Justice Department, the Defense Department, the Department of Homeland Security and other government offices.

Undisclosed #2
Jul 21, 2016

"According to authorities, they obtained the ICC-ID and e-mail address for about 120,000 iPad users"

And how did he obtain these email addresses? Did he break into servers? No.

Undisclosed #1
Jul 21, 2016
IPVMU Certified

What's your point?

They got in trouble because they knowingly harvested 100,000 users' data. Yes, you can get arrested even if you don't break into a server.

Undisclosed #1
Jul 21, 2016
IPVMU Certified

Swartz accessed information that was readily available (legally) via JSTOR - he didn't break into anything.

He was prosecuted for retrieving 1000 academic articles after entering a restricted, if unlocked, wiring closet and connecting his laptop to the switch, starting a script and then returning many hours later.

In any event, the outrage and subsequent policy changes due to the Swartz case make it even more unlikely that a prison sentence would be imposed on a white hatter.

Also, if Axis wanted to, no one would even know, except for those who didn't upgrade the firmware and then tried to hack themselves and found they couldn't.

Not that I am saying Axis should necessarily do it on the sly.

Meghan Uhl
Jul 21, 2016

Why wouldn't you just notify all your customers, distributors, integrators of the hole and offer the fix, then let them decide if they want to fix it? Car makers do it all the time. How many items on your car have been "recalled"?

Undisclosed #1
Jul 21, 2016
IPVMU Certified

Agreed. You should, and Axis has done so.

And if the fix has been applied then the Axis re-exploit will not work.

The problem is one of notification.

Car makers have a much higher likelihood of being able to get a hold of the end user, since they would typically have your full name and address, financing information etc. If the car is sold there's your VIN and motor vehicle records to help.

But it is an interesting comparison. Say, for instance, there was a defect in the electronic pin code lock of an automobile that allowed anyone to steal your vehicle, so Ford (after notifying every other way) sent uniformed people to enter a special code in people's cars, saving many from being stolen without affecting anything else. Would you be against it?

John Honovich
Jul 21, 2016
IPVM

Poll:

Undisclosed #2
Jul 21, 2016

I find the premise of this string ridiculous.

NO company would access devices out in the wild to apply anything - without consent first being obtained. Period.

Undisclosed #1
Jul 21, 2016
IPVMU Certified

I find the premise of the string ridiculous

NO company would access devices out in the wild to apply anything - without consent first being obtained. Period.

I respect your opinion, and I think you may be right in any event, but could you share why that is?

i.e. because it is illegal or immoral or not to their financial gain, or all of the above?

Brian Karas
Jul 22, 2016
IPVM

Do you think that Axis can verify:

  1. The push-upgrade "hack" 100% fixes the issue, does not cause new issues, and will persist across reboots
  2. The camera being upgraded is 100% an Axis camera and not some other device that mimics Axis's API/responses/etc.
  3. The camera being upgraded is an unsecured camera and is not part of a test network, honeypot, research experiment, etc.
  4. The new firmware will not break ANY custom scripts/integrations/applications that may be tied to the camera
  5. The new firmware is guaranteed not to brick the camera
  6. The firmware upgrade is guaranteed not to fail and leave the camera in a non-functional state (whether it can be recovered or not)
  7. The reboot that is part of the upgrade (assuming it would need/want to reboot) will not happen at a critical time depriving the user of critical live or recorded video?

While the idea of Axis going out and patching all their unsecured devices sounds like a nice thing on the surface, I do not see how they could do this in a manner that does not backfire on at least some of the units.

(2)
Undisclosed #1
Jul 22, 2016
IPVMU Certified

These are all valid concerns.

Yes, I think that Axis can 'guarantee' all these things. But only in the way that Axis guarantees that its cameras won't break, which is not to say that it won't happen, just that in the unlikely event it were to happen they would give you another one or otherwise remedy the situation.

Therefore, as opposed to the absolutes let me answer assuming that a 99.9% rate would be sufficient. You may feel it's not, and I think that is a valid point of view.

Talking blue-sky here, then, one thought that I had was this:

The hack is extremely comprehensive, but also extremely fragile; in fact, it is 25+ different hacks. Each one is for a precise firmware version and chip architecture. Each one relies on segments being loaded into memory at a certain relative address. If these relative offsets were different by a few bytes one way or another, even if the code were essentially the same, the hack would fail.

So perhaps there is a simple way to thwart the hack without even changing the code, just by changing the load somehow. Or block the network callback etc.

Regardless, we can assume whatever Axis did in the service patch is not overly complex by the fact that they seem to have 95% of the new versions done right after the first public disclosure.

Also remember that although a firmware update would require a reboot, which is undesirable, a change to a file of a single process may possibly be modified without a visible glitch. And would persist after reboot, though not after a factory reset.

But I don't claim to know whether it actually could be done 99.9% without problem.

But Axis might.

Kyle Folger
Jul 22, 2016
IPVMU Certified

Dahua cameras show up in the Axis Camera Management tool as Axis cameras, so that could be a problem. Brian brings up many valid points that make me side against the idea.

I already don't like the idea that I feel as though I was hacked with all the Windows 10 upgrade notifications. At first I thought I was safe until they decided that domains need the notification too. At least they are easy to get rid of.
