Subscriber Discussion

Which DVRs Would You Like To See Cyber Security Tested?

Andrew Tierney
Jan 28, 2017

We've (Pen Test Partners) done quite a bit of work on DVRs and IP cameras (as well as intruder alarm and signalling systems) over the last few years, finding and documenting a significant number of vulnerabilities.

We want to look at more DVRs. At the moment, we have:

  • A Yale home system
  • A QVIS/A-data home system
  • A Samsung mid-range system
  • A Honeywell mid-range system
  • A pile of cheap eBay systems

We want to look at more systems to find more issues. What DVRs would you like us to look at?

Anything we find will go through co-ordinated disclosure with the vendor.

Thanks!

John Honovich
Jan 28, 2017
IPVM

Andrew, thanks for sharing / asking!

From IPVM's perspective, since we focus on the commercial / professional market, it would be Hikvision, Dahua, Milestone Husky and Exacq appliances since those typically generate the most significant member interest.

If you are trying to make an impact in the mainstream media / press, I'd recommend Samsung or Honeywell.

Very few people care about eBay systems or know who QVIS is, so those strike me as low priority targets.

(1)
Luis C Delcampo Paz
Jan 28, 2017

Definitely Dahua and Hikvision

(2)
Michael Miller
Jan 28, 2017

I would add that I would like to see older firmware tested on both manufacturers, as there are a lot of Dahua and Hikvision products on the web that have never had a firmware update.

(2)
Andrew Tierney
Jan 29, 2017

Older firmware is hard and awkward.

Hard because most of the vendors don't publish older firmware, and don't allow firmware downgrades to be carried out.

Awkward because we get accused of choosing older, likely more vulnerable equipment as it is easier to attack...

Michael Miller
Jan 29, 2017

Hikvision has FTP sites with lots of versions of firmware: ftp://ftp.hikvision.com/ Just the other day we needed an older version of firmware to get a camera to connect to a VMS, so I know this is possible.

Dahua, on the other hand, from what I have heard (and others on here will have more detail), only supports firmware upgrades for a year or two. I have a relatively new Dahua PTZ camera and the newest firmware is years old.

The reason I brought this up is that most of the devices that are installed by DIY customers never upgrade the firmware, and there are hundreds of thousands or maybe millions of them on the internet.
