Hack meaning run a script on all accessible Axis cameras that would use the published exploit to gain access, and then make minimal changes to plug the hole and exit the camera in a matter of seconds.
Yes/No?
Hack meaning run a script on all accessible Axis cameras that would use the published exploit to gain access, and then make minimal changes to plug the hole and exit the camera in a matter of seconds.
Yes/No?
Pretty sure that knowingly accessing a device remotely that you do not own/control is an offense punishable by prison time.
You think you would get put in prison if you ran a script to fix a vulnerability on a system which did not retrieve any information, and there was no intention to do harm?
which did not retrieve any information, and there was no intention to do harm?
please... Swartz accessed information that was readily available (legally) via JSTOR - he didn't break into anything.
If you want to split hairs then... what about weev?
According to authorities, they obtained the ICC-ID and e-mail address for about 120,000 iPad users, including dozens of elite iPad early adopters such as New York Mayor Michael Bloomberg, then-White House Chief of Staff Rahm Emanuel, anchorwoman Diane Sawyer of ABC News, New York Times CEO Janet Robinson and Col. William Eldredge, commander of the 28th Operations Group at Ellsworth Air Force Base in South Dakota, as well as dozens of people at NASA, the Justice Department, the Defense Department, the Department of Homeland Security and other government offices.
"According to authorities, they obtained the ICC-ID and e-mail address for about 120,000 iPad users"
And how did he obtain these email addresses? Did he break into servers? No.
What's your point?
They got in trouble because they knowingly harvested 100,000 users data. Yes you can get arrested even if you don't break into a server.
Swartz accessed information that was readily available (legally) via JSTOR - he didn't break into anything.
He was prosecuted for retrieving 1000 academic articles after entering a restricted, if unlocked, wiring closet and connecting his laptop to the switch, starting a script and then returning many hours later.
In any event, the outrage and subsequent policy changes due to the Swartz case makes it even more unlikely that a prison sentence would be imposed on a white hatter.
Also, if Axis wanted to, no one would even know, except for those who didn't upgrade the firmware and then tried to hack themselves and found they couldn't.
Not that I am saying Axis should necessarily do it on the sly.
Why wouldn't you just notify all your customers, distributors, integrators of the hole and offer the fix then let them decide if they want to fix it. Car makers do it all the time, how many items on your car have been "recalled"?
Agreed. You should, and Axis has done so.
And if the fix has been applied then the Axis re-exploit will not work.
The problem is one of notification.
Car makers have a much higher likelihood of being able to get a hold of the end user, since they would typically have your full name and address, financing information etc. If the car is sold there's your VIN and motor vehicle records to help.
But it is an interesting comparison, say for instance there was a defect in the electronic pin code lock of an automobile, that allowed anyone to steal your vehicle, so Ford (after notifying every other way), sent uniformed people to enter a special code in people's cars, saving many from being stolen without affecting anything else, would you be against it?
Poll:
I find the premise of this string ridiculous..
NO company would access devices out in the wild to apply anything - without consent first being obtained. Period.
I find the premise of the string ridiculous
NO company would access devices out in the wild to apply anything - without consent first being obtained. Period.
I respect your opinion, and I think you may be right in any event, but could you share why that is?
i.e. because it is illegal or immoral or not to their financial gain, or all of the above?
Do you think that Axis can verify:
While the idea of Axis going out and patching all their unsecured devices sounds like a nice thing on the surface, I do not see how they could do this in a manner that does not backfire on at least some of the units.
These are all valid concerns.
Yes, I think that Axis can 'guarantee' all these things. But only in the way that Axis guarantees that it's cameras won't break, which is not to say that it won't happen, just that in the unlikely event it were to happen they would give you another one or otherwise remedy the situation.
Therefore, as opposed to the absolutes let me answer assuming that a 99.9% rate would be sufficient. You may feel it's not, and I think that is a valid point of view.
Talking blue-sky here, then, one thought that I had was this:
The hack is extremely comprehensive, but also extremely fragile, in fact is 25+ different hacks. Each one is for a precise firmware version, and chip architecture. Each one relies on segments being loaded into memory at a certain relative address. If these relative offsets were different a few bytes one way or another, even if the code were essentially the same, the hack would fail.
So perhaps there is a simple way to thwart the hack without even changing the code, just by changing the load somehow. Or block the network callback etc.
Regardless, we can assume whatever Axis did in the service patch is not overly complex by the fact that they seem to have 95% of the new versions done right after the first public disclosure.
Also remember that although a firmware update would require a reboot, which is undesirable, a change to a file of a single process may possibly be modified without a visible glitch. And would persist after reboot, though not after a factory reset.
But I don't claim to know whether it actually could be done 99.9% without problem.
But Axis might.
Dahua cameras show up in the Axis Camera Management tool as Axis cameras so that could be a problem. Brian brings up many valid points that makes me side against the idea.
I already don't like the idea that I feel as though I was hacked with all the Windows 10 upgrade notifications. At first I thought I was safe until they decided that domains need the notification too. At least they are easy to get rid of.
Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.