Subscriber Discussion

WHY WOULD YOU DO THIS, YOU IDIOTS?

Ari Erenthal
Feb 18, 2016
Chesapeake & Midlantic

WHAT POSSIBLE REASON WOULD YOU HAVE TO HAVE A HARD CODED ROOT ACCOUNT THAT CANNOT BE CHANGED OR DELETED???

ARE END USERS CALLING YOU ALL DAY LONG AFTER HAVING FORGOTTEN THEIR PASSWORDS, LEAVING YOU NO CHOICE BUT TO REMOTE IN WITH YOUR ROOT ACCOUNT TO RESET THE DVR? AND IF THEY ARE, WHY ARE YOU COOPERATING?

ALL CAPS TO PROPERLY EXPRESS MY RAGE AND DISBELIEF.

(2)
(4)
Konstantin Avramenko
Feb 18, 2016

Why did they publish mentioned credentials in the article? To make it easy for everybody? Anyway, it is bad bad for business. How will vendors react to it?

Ari Erenthal
Feb 18, 2016
Chesapeake & Midlantic

Why did they publish mentioned credentials in the article? To make it easy for everybody?

Because most network security researchers don't believe in security through obscurity, they believe in publishing vulnerabilities as quickly and as loudly as possible to motivate vendors into patching. See Bruce Schneier's whole shtick.

How will vendors react to it?

I'm sure some will try to ignore it and hope it goes away. At least Hikvision releases firmware updates relatively quickly.

Konstantin Avramenko
Feb 18, 2016

The vulnerability has to be published indeed. But published credentials is a proposal to try it right away.

Ethan Ace
Feb 18, 2016

I think they absolutely should publish the credentials. The only way these things change is via massive pressure, and massive publicity is the only real pressure that can be applied.

There is precedent for the FTC fining manufacturers for things like this, also, but that doesn't seem to happen very often.

(1)
Konstantin Avramenko
Feb 18, 2016

It can be done in a different manner without exposing credentials to the public. I think the idea to punish end users first to get more pressure on the vendors is bad.

(1)
Ethan Ace
Feb 18, 2016

If these issues were never publicized, they would never be fixed. Simply saying, "Hey we found a backdoor" is not proof of a backdoor and wouldn't carry anywhere near the same weight.

Undisclosed #1
Feb 18, 2016
IPVMU Certified

And the vendor was already notified via US-CERT and aware of it, and chose to do nothing about it for months, so...

(1)
(1)
Konstantin Avramenko
Feb 18, 2016

IMO "Hey we found a backdoor and here is a video how we use it." is more than enough. But I agree that from the point of promotion of publisher it is not the same.

Jon Dillabaugh
Feb 18, 2016
Pro Focus LLC

I am all for exposing these types of security holes. It helps me dissuade clients from running to Harbor Freight and buying a DIY crap kit. These are the types of flaws you should come to expect from non-professional products.

(1)
Oleksiy Zayonchkovskyy
Feb 19, 2016
IPVMU Certified

I think that publishing credentials in mass media in such a way is a very bad decision...

Imagine you are a CISO and suddenly you discover that your cameras are just completely off security. Questions emerging in the head:

Has anybody hacked them already?

Is someone spying in real-time?

I can't wait for the patch to come, I don't know how long I have to wait, I have to get rid of them all, do I have the budget?

How will I tell general management that our security can be or already is compromised?

I understand to publish a report stating that cameras have CRITICAL severity vulnerability which allows complete control. Then OK, my partner will tell me that (for example) and I will plan migration. And in described situation I need to migrate NOW! Cause any script kiddie who just completed school would like to "test" my security cause he knows that it is vulnerable...

Someone can just be fired from job cause he or she has missed to read a single article and some other employee accidentally has read it and made "a joke" on security department.

Re-sellers will suffer too. I as a CISO will ask them: why have they sold me such piece of garbage? They should have had a competence and expertise while consulting me on surveillance solution... Will I forget or forgive? (typically no) Will I buy something else from them? (typically no again, cause I've paid them wanting them to solve my problems and it turned into another greater problem) How do you think?

It's like publishing an exact drawing of a master key which will bypass security and open your car. Will your first thought be about the vendor and marketing nightmare that awaits that company? Will you be happy about it? Or you will think, God, anyone anywhere can break into my car and steal it... what I am gonna do now?

Publishing credentials is not a vendor punishment... but worldwide customer's security Risk rise.

(1)
Undisclosed #1
Feb 19, 2016
IPVMU Certified

Oleksiy, please understand that this problem has been reported to the manufacturer years ago, on multiple occasions, and yet Raysharp continued to pump out firmware with hard-coded string passwords.

So they weren't doing anything about it.

And anybody who was CISO and paying attention should have known by now.

Hackers certainly knew it already, so...

And, at some point you need to do something to get the attention of both the manufacturer and those at risk, by evoking the reaction that you describe.

NOT publishing the Raysharp credentials would most likely have resulted in us NOT having this discussion right now, as well as hundreds like it around the world.

Which, though not perfect, is better than the alternative of continued apathy.

Oleksiy Zayonchkovskyy
Feb 19, 2016
IPVMU Certified

First of all, if this problem has been reported years ago, then the market should have had a proper reaction, which is a dramatic sales decrease. That would lead the vendor to think of the future and change the way it is moving. But as I understand it is just not happening... and it is strange...

Just the exact same situation with a service account was with Fortinet Firewalls a year or a bit more ago... Credentials were not published but spreading talks about possible firewall compromise forced Fortinet to patch the hole.

I personally never heard of this brand before and hopefully will not deal with it in future and discovered the problem from this post... The problem is that different people get information in different way and many of them are not well informed. For example here where I am now in Kazakhstan the majority of physical security staff are former policemen who are veeery far from networks and English... ))) (that is a main reason why I extend my career to physical security from IT and InfoSec) And the problem is that even after years they don't know... And in fact this situation is not just in CIS countries (Ukraine, Russia, Belarus, Kazakhstan and others) but surely would touch developing countries in Africa, South America and Asia.

Few words about hackers... the majority of so called hackers (about 90%) are young guys who just want to have some fun... they are not PROs and don't know about such tools like Kali, Metasploit, Nessus and so on... they will find out the root password in article and just will want to try it anywhere. PRO hackers surely know all of that but they will not target random SMB company cause it is not profitable for them.

Undisclosed #1
Feb 19, 2016
IPVMU Certified

...they are not PROs... and they will find out the root password in article and just will want to try it anywhere. PRO hackers surely know all of that but they will not target random SMB company cause it is not profitable for them.

Disagree. This IS exactly the type of thing that script kiddies would know and care about. It is already well known as a default root password, along with 'root', 'pass' and 'admin', '12345'.

That is not the new knowledge, the new knowledge is the fact that you CAN'T CHANGE IT. But it's already in the scripts as a default password to try, so...

Oleksiy Zayonchkovskyy
Feb 19, 2016
IPVMU Certified

Less knowledge to complete the attack, more people to try it... more "direct password marketing", more incidents... this is like "just do it" for the laziest...

and OK I will not argue about knowledge on default passwords, but still even if I know the default password I will hesitate cause "they probably have changed it" and understanding that it is impossible to change it will encourage me.

Undisclosed #1
Feb 19, 2016
IPVMU Certified

...but still even if I know the default password I will hesitate cause "they probably have changed it"

If there is a single hacker in the world who will not try default passwords because "they probably changed it", surely he would die from loneliness... ;)

(1)
Undisclosed #2
Feb 19, 2016

I'm posting this with the very real knowledge that it may cause Ari's head to explode:

Why are DVRs sending video stills to Frank Law via a Chinese email account?

(2)
Konstantin Avramenko
Feb 19, 2016

Undisclosed #1
Feb 19, 2016
IPVMU Certified

I'm posting this with the very real knowledge that it may cause Ari's head to explode.

I wouldn't worry, he can still write in ALLCAPSBOLDNOSPACES if necessary. ;)

Ari Erenthal
Feb 19, 2016
Chesapeake & Midlantic

Well, that's it. My head has exploded. Now I have no way to wear a hat. Thanks, pal.

Oleksiy Zayonchkovskyy
Feb 19, 2016
IPVMU Certified

probably :-)... they are mostly not hackers, just curious users...

Undisclosed #1
Feb 19, 2016
IPVMU Certified

Sounds like a job for Robin Hack...

Undisclosed Integrator #3
Feb 21, 2016

That's what dear customers get if they choose wannabe security installers with their underpriced Chinese crap instead of professionals...

Karoly Turoczi
Feb 21, 2016

Imagine the Internet of Things with all the Chinese low cost equipment from Aliexpress :)))

Oleksiy Zayonchkovskyy
Feb 21, 2016
IPVMU Certified

In general, security systems now are not ready to mitigate threats for IoT...

Andrew Thomas
Feb 21, 2016

We in the sales/support side of the business can't fix stupid. This is simply another example of how costs are engineered out of a product.

However, if the WEB VIEW / REMOTE APP VIEW runs on a separate account, and the smart end user or integrator knows how to properly pin-hole a firewall, if using a dyndns type access, then the hard coded root makes for easy support.

As my friend in the used car biz says, "There's an Ass for every Seat."
