Wanna Cry Ransomware Impact On Video Surveillance / Physical Security?

John Honovich
May 13, 2017
IPVM

The major recent cyber security stories within video surveillance are Dahua's backdoor and Hikvision's backdoor.

However, overall, the biggest recent cyber security story is the 'Wanna Cry' Ransomware attack. Currently, we have not heard any reports of this impacting video surveillance systems, though given how widespread the attacks are, this could be happening.

This has started to be debated in other IPVM articles.

For example, one member said:

"And you are all worried about Hikvision. Maybe it would be better looking in your own back yard first."

Another member countered:

"These recent events justify the calling out of Hik's issues even more. Cyber-attacks will be our enemy of the future in many different ways."

What do you think? Will the Wanna Cry Ransomware have an impact on video surveillance? Does it impact your attitude to cyber security?

 

John Honovich
May 13, 2017
IPVM

I could see 3 broad reactions:

(1) 'Everybody' has backdoors, so don't worry about that in product selection. Just protect the network.

(2) The products that have proven backdoors are much bigger risks, especially given the increase in public attacks.

(3) Buyers do not hear or care about the Wanna Cry ransomware attack.

So far, from what I have seen, these ransomware attacks have hit EMEA harder than the Americas, so that could have an impact on which buyers focus on it.

I think option (1) is going to be popular among buyers from smaller companies that have less risk (i.e., if their computer networks went down, it would be an inconvenience but not a major disaster).

But option (2) opposition to proven backdoored products (like Dahua and Hikvision) will rise significantly, if the Wanna Cry ransomware becomes an issue that buyers become concerned about.

Of course (3) indifference is still quite possible depending on how quickly this ransomware gets contained.

Brian Karas
May 13, 2017
IPVM

This one is mostly shut down now:

How to Accidentally Stop a Global Cyber Attacks

Also, Microsoft has issued a patch, but many NVRs are likely to remain unpatched, as people think of them as 'appliances' many times and forget to run updates.

The domain registration that stopped this ransomware does nothing to solve the actual exploit, so it is likely a new iteration will pop up soon.

 

Cullen Brannan
May 16, 2017

You gotta feel pretty bad for MalwareTech... He tries to do a good thing to screw over the creators of WannaCry and then gets his real identity outed by media. This could have been even worse if MalwareTech had not gone through and crippled their ability to get paid for encrypting people's HDDs.

Michael Miller
May 13, 2017

 

Undisclosed #2
May 14, 2017
IPVMU Certified

Poor NestCam takes the PR hit for XiongMai :(

Undisclosed End User #1
May 13, 2017

It's a highly serious problem, and a highly possible upcoming scenario when DDoS and/or bitcoin mining w/ IoT isn't so much 'productive' anymore.

But as always, big news for a week or two, then it's forgotten/ignored, until it hits again. 

 

Brian Karas
May 14, 2017
IPVM

Some new variants of this being detected:

Wannacry new variants

Jon Dillabaugh
May 14, 2017
Pro Focus LLC

So I am assuming everyone, including IPVM, will be denouncing the future use of both the Windows platform, as well as the US gov for creating this mess?

I would have hoped this would have been more of a free, headlining, front page story, instead of being buried as a simple discussion. Something along the lines of the second report on the recent Hikvision exploit, that to my knowledge, affected NO ONE. Here we have a global exploit with FAR greater reach and far more data at risk, let alone the monetary damages, and this is buried here?

I am disappointed, to say the least.

Michael Miller
May 14, 2017

If anything, it should make people even more aware of Hikvision/Dahua issues.

Undisclosed #3
May 14, 2017

Jon D,

only for you:)

Clickbaiting Copycat Caught

Undisclosed #3
May 14, 2017

https://prescienta.wordpress.com/2017/05/09/clickbaiting-copycat-caught/

Brian Karas
May 14, 2017
IPVM

This is a Windows exploit; it is being covered heavily in various tech/IT blogs/news outlets/etc. We report primarily on manufacturers/products directly in the security industry.

Still, it is worth being aware of, as so many NVRs are based on Windows, which is why it was posted as a discussion here.

"Something along the lines of the second report on the recent Hikvision exploit,"

One good way to minimize the impact of vulnerabilities is to make people aware of them so they can take adequate action (update software, remove/replace product, etc.). While several of Hikvision's vulnerabilities have been picked up by other news outlets, overall they tend to get less coverage than Windows vulnerabilities.

Similarly, we test various new products from Hikvision and other manufacturers, but we do not generally review updates or new products from Microsoft.

"that to my knowledge, affected NO ONE."

It would be ideal if that most recent Hikvision vulnerability was not used in the wild, and everyone managed to patch their cameras in time. If that is true, that nobody was affected, I would think that would be due in part to people becoming aware of the exploit. And, by extension, given the number of readers IPVM has, our coverage would have factored into that.

 

Jon Dillabaugh
May 14, 2017
Pro Focus LLC

Brian, using your logic, one could argue that you made the case for having this exploit on the front page, free to everyone, just like the two Hikvision reports were. 

Since the IPVM coverage led to the industry's awareness of the Hikvision exploit using the free, headline articles, I would suspect covering WannaCrypt the same way would have similar positive effects, no?

Don't forget that more than just some NVRs rely on the Windows platform. Almost every server and client station we have sold runs on Windows. We have very few, rare clients using MacOS. Windows is a central piece to almost every single system we sell. 

The other elephant in the room is the disdain for the Chinese gov who is "building backdoors" into Hikvision cameras so they can spy on Americans, yet it was the US gov who created this backdoor into far more devices, worldwide, that hold much more critical data, which is held for ransom! How naive (or prejudicial) do you have to be to not make the same amount of fuss about this?

This was a state sponsored attack on over 90% of the world's PCs. The NSA discovered the exploit, hid it from Microsoft, developed code to exploit the flaw, allowed it to be stolen, and still didn't do ANYTHING to help fix the issue!

John Honovich
May 15, 2017
IPVM

"I would suspect covering WannaCrypt the same way would have similar positive effects, no?"

Jon, virtually every mainstream publication is covering Wanna Cry as it is an international political issue (NY Times, BBC, CCN, Washington Post, Al Jazeera, Buzzfeed, on and on). There's no shortage of news sources and social media coverage of this. Right now there's not much we can add nor will us covering it make much difference vs every publication in the world.

If or when this starts impacting major video surveillance installations or manufacturers, we'll increase coverage because (1) it will directly impact our coverage area and (2) this won't be something that the mainstream media will give significant attention to.

Not going to apologize for making Axis, Dahua and Hikvision, etc. cybersecurity issues front page news in the last year. That's what we do.

Undisclosed Distributor #4
May 15, 2017

Patches for current Microsoft operating systems to protect against the methods used in this attack to spread infection were issued months ago.  Wanna guess why Russia and China were the hardest hit by these attacks?  Because they used older pirated operating systems that don't get patched.  This is why they are still developing with Visual Studio 2010 and why we still get ActiveX plug-ins for security devices.

I don't discount the innocent victims that are being terrorized by this (and it IS terrorism and should be dealt with accordingly) but if these hospitals, car manufacturers, and other businesses are not employing basic security measures such as applying OS patches, using OS versions that are not past their support life-cycles and not teaching their users basic security practices then they have invited these problems in with arms wide open.

Undisclosed Manufacturer #6
May 25, 2017

"Wanna guess why Russia and China were the hardest hit by these attacks? Because they used older pirated operating systems that don't get patched."

IMHO many companies switched off Windows Update because of Microsoft's recently added Telemetry services (which collect your data, like WIFI passwords and keylogger data, and send it to Microsoft via SSL connection), introduced in Windows 10 and added later to Windows 8 and 7 as "security patches", for example, security patches KB3080149 and KB3075249.

 

 

John Honovich
May 15, 2017
IPVM

I received a report from an integrator of an older Geovision system being impacted by Wanna Cry.

Just cataloging it here. Others who get reports, please share to help track how widespread it is.

Armando Perez
May 16, 2017
Hoosier Security and Security Owners Group • IPVMU Certified

I did receive a notice from Tyco today stating that two Exacq machines could be affected. Z series and A series because, well, they're Windows based.

https://cdn.tycosp.com/email_images/Cyber%20Protection%20Program/Advisory/CPPSA-2017-01-WannCry%20-%20FINAL%20TSP%20FINAL%20FINAL.pdf

They do however note some other Windows based machines that are not affected.

Undisclosed Integrator #5
May 17, 2017

The issue is serious and affects us all however we react publicity about it. The discussion is warranted and IPVM posting about Hikvision (although I am a fan) vulnerabilities should be commended. Turning a blind eye to Hikvision (or other) misdeeds is not a wise business strategy.

The problem with OS patches is that sometimes they screw up a perfectly working system. A nightmare scenario whose impact can be as serious as a ransomware or any cyber attack... The thought of a crippled, non-functional video system at the enterprise level is a scenario that will have more than an integrator waking up, screaming in the middle of the night... So yes, the OS patches might have been issued, but routinely patching the OS is something many avoid, and for good reasons. On that, Microsoft needs to clean up their act as well; they have issued in the past some patches whose effect on systems can be quite severe, ranging from no longer functioning peripherals to downright system shut-down... We admit being very, very leery and cautious in applying these. Then again, we have taken the unusual path of not hooking our customers' systems on the Internet at all and advise our customers very strongly against it, but the sexiness of being able to see what is happening from a distance goes against many of our warnings... We hold tight but... for how long can we not follow the trend of offering monitoring anywhere to a willing customer?

The scary thing is that we are depending more and more on the Internet for various things among these our physical security. Not a trend that I favor but ...

Armando Perez
May 24, 2017
Hoosier Security and Security Owners Group • IPVMU Certified

We just got our first call related to this. Client has an existing Honeywell recorder that got hit. We are replacing with an appliance to match the rest of their sites.

John Honovich
May 24, 2017
IPVM

Armando, thanks. What type / model of Honeywell recorder is it?

Armando Perez
May 24, 2017
Hoosier Security and Security Owners Group • IPVMU Certified

Don't know yet. Haven't been to this site in a while. It's obviously an older Windows machine, though.

Ethan Ace
May 24, 2017

The Fusion line of recorders were all Windows based (XP embedded, I think). I'm not sure of others, though RapidEye might have been, as well.

If WannaCry impacts them, that's going to be a bad time for Honeywell, because they were pretty popular early on as their only embedded IP recorder.

Michael Miller
Aug 07, 2017

For anyone still following along.  The man that stopped the WannaCry attack was arrested by the FBI at Defcon in Vegas.   
