Sony Gen 5 IP Cameras Critical Vulnerabilities

Published Jul 26, 2018 16:06 PM

Cybersecurity vulnerabilities remain prevalent in video surveillance devices.

Now Talos researchers have discovered multiple vulnerabilities in Sony Gen 5 cameras. Inside this note we examine:

  • Ease or difficulty of exploit
  • Vulnerabilities explained
  • Impact compared to others
  • Manufacturer response


Comments (38)
Sean Nelson
Jul 26, 2018
Nelly's Security

I heard the latest government ban will now include Axis, Bosch and Sony. Since virtually every manufacturer has had vulnerabilities, the government now suggests that you should arm your properties via Home Alone style booby traps. Much less prone to hacking and obviously more effective at deterring bad guys.

Undisclosed #1
Jul 26, 2018

Since virtually every manufacturer has had vulnerabilities

Though none with the frequency and severity of Hikvision and Dahua.

Anton Miller
Jul 27, 2018
Shaked Projects

AFAIK, Mobotix is the only brand that has never been hacked

Clint Hays
Jul 27, 2018

Mobotix devices can't even be reset with a trip to the factory. It's a double-edged sword, security vs convenience, and I'd take security.

Jeffrey Hinckley
Jul 26, 2018

UD 1, that is a false statement. These types of ongoing statements are similar to the Russian campaign that put us in the presidential mess we are currently in. Why is it I expect to see the word Hikvision in every comment section (no mention in article)?

These guys/gals actually believe these things as fact, the more the random UDs post this type of comment, without the stones to identify themselves.

In addition, I get it that “critical vulnerabilities” sells papers, but understand that this only occurs when one exposes these devices to a public network. Who does this? This sensationalist journalism, without divulging all the facts regarding risks, has many of my clients asking about risks constantly (there are none, closed private networks).

So those of you with Sony Gen 5 cameras, assess your system design before becoming alarmed about system exploits.  

 

John Honovich
Jul 26, 2018
IPVM

I get it that “critical vulnerabilities” sells papers

And if we did not report on this, then you and other Hikvision dealers would attack us for only reporting on Dahua and Hikvision's vulnerabilities.

Secondly, we linked to the full disclosure report in the free / publication, so we are hardly going to sell anything with this.

only occurs when one exposes these devices to a public network. Who does this?

Jeffrey, lots of people - either by design or by mistake. Mirai botnets and Dahua massive hack attacks would not happen if no one did this.

And even if you are on a 'closed private network', better to upgrade devices lest at some future point, network changes (by design or mistake) make them accessible.

 

Undisclosed #1
Jul 27, 2018

UD 1, that is a false statement. 

Please elaborate. Which manufacturer has had more vulnerabilities and exploits than Hikvision (or Dahua)? Which manufacturer, or vulnerability, has had vulnerabilities with more severity than Hikvision's magic string, or Dahua's built-for-botnets flaws?

Anton Miller
Jul 27, 2018
Shaked Projects

TVT, I suppose.

Undisclosed #1
Jul 27, 2018

Maybe, but that doesn't support the (to me) implied position that "all" manufacturers have had vulnerabilities on par with Hikua.

Nominating TVT makes it seem more like all Chinese manufacturers have produced insecure devices that create an undue amount of risk for the end-user (also, we might as well lump XM in here too, for their part in Mirai at least).

I am not seeing evidence that Hikua's biggest competitors (Axis, Avigilon, Bosch, Hanwha, etc.) in the commercial segment have in any way suffered from the same kind and frequency of vulnerabilities as the Chinese products.

Anton Miller
Jul 27, 2018
Shaked Projects

I'd say nobody is even close to the Big Three.

https://www.shodan.io/search?query=dahua

I think it is because while Western products were initially designed to be used in regulated environments and with the cyber security in mind, at least to some extent, the Chinese products are designed to barely do their job at the lowest possible cost.


Undisclosed #2
Jul 27, 2018

Mr Hinkley, what mess do you speak of? Our GDP is at a record high, as are my investment returns. Our business is at five months backlog......I am enjoying this mess.

 

 

Jeffrey Hinckley
Jul 28, 2018

I am a decendant of Governor Thomas Hinckley, Plymouth Colony, so I would hope you can get my name correct.

Sorry it took me so long to respond, I only visit IPVM 1-2 times a week.

I guess my point is that none of the manufacturers is immune to security vulnerabilities if you put their products with all ports open on a public IP. Design on a simple basis is key for all products. Do you need a valid Gateway? Do you need to have a DNS address? In my case (City/Commercial Enterprise Networks) the answer is no. Flat enterprise VLANs are the way to go. On smaller systems (single site) dual NICs with one for the cameras (no Gateway) and one to the customer's data network eliminate any form of vulnerability.

I guess my other gripe is with the pessimism that exists with posts, including comments about the security flaws with Hikvision (and Dahua). I see few articles and posts from IPVM where these names do not come up in some fashion. I am not going to name any manufacturers (to show bias) but you have to realize that the others have a similar amount if not more vulnerabilities. Look it up, research it, and you will find that all IoT devices are equally exposed if you give them a public address or route them to networks with "bad guys/gals/kids". You would think SonicWall or Barracuda would release some cameras with their software providing protection (but not complete protection). This would of course increase CPU/memory needs of the devices.

In the Trump era (by the way, I am an independent, neither supporting the USA left or right) we finally have a following that are truly the bad guys. Polls show that only 20% of Republicans were against Trump's speech at Helsinki. How is this possible? Because these followers were groomed by Fox News and Breitbart.

I have been an IPVM member since the beginning (when it was on LinkedIn groups) so have been around for a while. It stinks that IPVM has scared away all of the manufacturers from making comments (I get it, I would tell my employees today "you're fired if you post") as well as other top level integrators like myself (20 years experience, Electrical Engineer). Now it seems all of the followers, even though many, are the "yeah, what he said" variety with limited technical insight to discussions.

In this discussion, an article was written about a product (which by the way, had a vulnerability which the manufacturer corrected via firmware update) with the 2nd comment including (which by the way, was deleted by IPVM) a remark about Hikvision/Dahua vulnerabilities (by an undisclosed contributor). How's that for manipulating commentary and news feeds. I no longer start threads in the discussion section because IPVM commonly changes my title and words.

Members are missing out on true support and commentary by those in the trenches in this sector by manipulating our wording and subject matter.  I expect that this post will be soon edited, so those that read it, chime in to bring back the original and true mission of IP Video Marketplace.  

 

John Honovich
Jul 28, 2018
IPVM

In this discussion, an article was written about a product (which by the way, had a vulnerability which the manufacturer corrected via firmware update) with the 2nd comment including (which by the way, was deleted by IPVM) a remark about Hikvision/Dahua vulnerabilities (by an undisclosed contributor).

No comment was deleted here. I get emails for every comment posted on every thread and I just cross-checked that to what is posted here and all comments remain, none were deleted.

Indeed, the 2nd comment about Hikvision/Dahua vulnerabilities is still right there, I'll screencap it for you to make it clear:

I'd appreciate if you acknowledge you made a mistake.

It stinks that IPVM has scared away all of the manufacturers from making comments

What are you talking about?

As for:

I expect that this post will be soon edited

No, I am happy to leave it as is, errors and all.

Undisclosed #1
Jul 28, 2018

I guess my point is that none of the manufacturers is immune to security vulnerabilities if you put their products with all ports open on a public IP. 

Where has someone claimed another manufacturer is immune? I saw a comment about Mobotix having no reported vulnerabilities so far (I have not spent any time determining if that is correct or not, just to be clear). However, I do not recall seeing claims of vulnerability immunity.

On smaller systems (single site) dual NICs with one for the cameras (no Gateway) and one to the customer's data network eliminate any form of vulnerability.

This is patently false. It may eliminate vulnerabilities from outside attack, but it will not eliminate "any form of vulnerability". Inside threats are real. And, if you have a Hikvision camera that comes set up by default to connect to a given Wi-Fi SSID, then you have a potential gateway into that "secure" network, then into the recorder, then into the rest of the LAN that you thought was protected. Not saying it is common, or easy, but don't fool yourself into thinking you've built a scenario where you have eliminated "any form of vulnerability".

I am not going to name any manufacturers (to show bias) but you have to realize that the others have a similar amount if not more vulnerabilities.

If you're going to make claims like this, you are going to be called out to back them up. Nobody will take it as "bias" if you manage to show how some other manufacturer has been shown to be even less secure than Hikua. Making statements like that and then pretending to ride some high horse to prevent you from backing up your claim seriously diminishes your credibility.

with the 2nd comment including (which by the way, was deleted by IPVM) a remark about Hikvision/Dahua vulnerabilities

Well, that was because the FIRST comment was some utter rubbish commonly spewed by Hik apologists who have either not bothered to look past the surface, or simply don't understand cyber security vulnerabilities with any depth (you know, the kinds of folks who think you can "eliminate any form of vulnerability" with a segmented network).

(by an undisclosed contributor)

The validity of my comments is unaffected by disclosure of my name. Try disputing my claims and comments with specific facts and data instead of offhand comments about what name is, or is not, attributed to the comment. I am probably making it easier for you to sway opinion against my posts by NOT signing them.

Undisclosed #1
Jul 28, 2018

I am a decendant of Governor Thomas Hinckley, Plymouth Colony, so I would hope you can get my name correct.

Separately, I'm not sure if you are really a funny guy, or if you and Jeff Zwirm would likely be best pals.

Undisclosed #3
Jul 28, 2018
IPVMU Certified

I am a decendant of Governor Thomas Hinckley, Plymouth Colony, so I would hope you can get my name correct.

Internet Rule #3A:  Any post calling someone out for spelling must NOT under any circumstances, itself contain a speling eror.

Anton Miller
Jul 28, 2018
Shaked Projects

As a matter of fact, so far Mobotix had only two vulnerabilities discovered, in 2006 and 2016, both cross-site, basically, stealing login credentials, which makes them pretty much "immune" to any untargeted attack.



bashis mcw
Jul 30, 2018

Mobotix doesn't use Linux as its OS, to my best knowledge, and therefore it is also not so easy to 'unpack' the firmware.

However, with your statement:

which makes them pretty much "immune" to any untargeted attack.

I get extremely tempted to privately purchase one or two units, only for the sake of seeing whether your statement is true or not... as far as I know, none are 'immune', and I'm sure there is something juicy with Mobotix too.

 

Undisclosed #6
Jul 30, 2018

Some information here, a bit more than the datasheet.

Mobotix Software Development Kits

bashis mcw
Jul 30, 2018

Thx, useful stuff.

Undisclosed #3
Jul 30, 2018
IPVMU Certified

Thx, useful stuff.

Oh, sh*t.

Undisclosed #6
Jul 30, 2018

Had an old Mobotix AG S15D, booted it up on DHCP, here is what I got. Linux Kernel ID as 2.6 :D ...probably hit it up with Wireshark and see what phones home.

Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-30 16:32 Pacific Daylight Time
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 16:32
Completed NSE at 16:32, 0.00s elapsed
Initiating NSE at 16:32
Completed NSE at 16:32, 0.00s elapsed
Initiating ARP Ping Scan at 16:32
Scanning 192.168.1.176 [1 port]
Completed ARP Ping Scan at 16:32, 0.66s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:32
Completed Parallel DNS resolution of 1 host. at 16:32, 0.00s elapsed
Initiating SYN Stealth Scan at 16:32
Scanning 192.168.1.176 [65535 ports]
Discovered open port 111/tcp on 192.168.1.176
Discovered open port 80/tcp on 192.168.1.176
Discovered open port 443/tcp on 192.168.1.176
Completed SYN Stealth Scan at 16:32, 4.09s elapsed (65535 total ports)
Initiating Service scan at 16:32
Scanning 3 services on 192.168.1.176
Completed Service scan at 16:32, 12.26s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.176
NSE: Script scanning 192.168.1.176.
Initiating NSE at 16:32
Completed NSE at 16:32, 6.44s elapsed
Initiating NSE at 16:32
Completed NSE at 16:32, 0.01s elapsed
Nmap scan report for 192.168.1.176
Host is up (0.000070s latency).
Not shown: 65532 closed ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Mobotix Camera http config
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MOBOTIX Camera User
|_http-favicon: Unknown favicon MD5: D9526978908979FA5018DB0BCC762AA0
| http-methods:
|_  Supported Methods: GET POST
| http-title:  Error 401: Unauthorized access
|_Requested resource was /control/userimage.html
111/tcp open  rpcbind  2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|_  100000  2            111/udp  rpcbind
443/tcp open  ssl/http Mobotix Camera http config
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MOBOTIX Camera User
|_http-favicon: Unknown favicon MD5: D9526978908979FA5018DB0BCC762AA0
| http-methods:
|_  Supported Methods: GET POST
| http-title:  Error 401: Unauthorized access
|_Requested resource was /control/userimage.html
| ssl-cert: Subject: commonName=mx10-12-220-241/organizationName=MOBOTIX AG/stateOrProvinceName=Rheinland-Pfalz/countryName=DE
| Subject Alternative Name: DNS:mx10-12-220-241.local, DNS:mx10-12-220-241, DNS:10.12.220.241, IP Address:10.12.220.241
| Issuer: commonName=MX-ProduktionSubCA-1/organizationName=MOBOTIX AG/stateOrProvinceName=Rheinland-Pfalz/countryName=DE
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2013-05-24T18:54:53
| Not valid after:  2033-05-19T18:54:53
| MD5:   ffff 7417 2425 8e89 099e 8e3e 4ae8 764c
|_SHA-1: ca56 a650 668e ea0c 09d8 0d53 d748 1319 7ab9 5dc7
|_ssl-date: 2018-07-30T22:16:58+00:00; -1h15m56s from scanner time.
MAC Address: 00:03:C5:0C:DC:F1 (Mobotix AG)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.36 - 2.6.37
Uptime guess: 497.101 days (since Mon Mar 20 14:07:10 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=201 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Device: webcam
 
Host script results:
|_clock-skew: mean: -1h15m56s, deviation: 0s, median: -1h15m56s
 
TRACEROUTE
HOP RTT     ADDRESS
1   0.07 ms 192.168.1.176
 
NSE: Script Post-scanning.
Initiating NSE at 16:32
Completed NSE at 16:32, 0.00s elapsed
Initiating NSE at 16:32
Completed NSE at 16:32, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.13 seconds
           Raw packets sent: 65555 (2.885MB) | Rcvd: 65556 (2.623MB)
 
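As an added example (not from the thread, nor Mobotix's or nmap's own code), here is a small Python script that reads nmap normal output like the scan above and turns it into the hygiene findings a defender would record for a camera on their own network: Basic auth offered over plain HTTP, a SHA-1-signed certificate valid for 20 years, an exposed rpcbind, large clock skew, and a kernel series no longer maintained. The embedded scan is a constructed, abridged copy of the output posted above, and the thresholds (5 minutes of skew, 5 years of certificate life) are assumptions.

```python
import re
from datetime import datetime

# Constructed, abridged excerpt modelled on the nmap output posted in the thread:
# same ports, services and certificate fields, most NSE lines omitted.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.1.176
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Mobotix Camera http config
|_  Basic realm=MOBOTIX Camera User
111/tcp open  rpcbind  2 (RPC #100000)
443/tcp open  ssl/http Mobotix Camera http config
|_  Basic realm=MOBOTIX Camera User
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2013-05-24T18:54:53
| Not valid after:  2033-05-19T18:54:53
|_ssl-date: 2018-07-30T22:16:58+00:00; -1h15m56s from scanner time.
Running: Linux 2.6.X
"""

PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)")
SKEW_RE = re.compile(r";\s*(-?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)? from scanner time")
DATE_FMT = "%Y-%m-%dT%H:%M:%S"

def parse_scan(text):
    """Pull the fields the checks need out of nmap normal (-oN) output."""
    info = {"ports": {}, "basic_auth": set(), "sig_alg": None,
            "not_before": None, "not_after": None, "skew_s": None, "os": None}
    port = None  # NSE '|' lines belong to the most recent port line
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
            info["ports"][port] = m.group(2)
        elif "Basic realm=" in line and port is not None:
            info["basic_auth"].add(port)
        elif line.startswith("| Signature Algorithm:"):
            info["sig_alg"] = line.split(":", 1)[1].strip()
        elif line.startswith("| Not valid before:"):
            info["not_before"] = datetime.strptime(line.split(":", 1)[1].strip(), DATE_FMT)
        elif line.startswith("| Not valid after:"):
            info["not_after"] = datetime.strptime(line.split(":", 1)[1].strip(), DATE_FMT)
        elif (s := SKEW_RE.search(line)):
            secs = int(s.group(2) or 0) * 3600 + int(s.group(3) or 0) * 60 + int(s.group(4) or 0)
            info["skew_s"] = -secs if s.group(1) else secs
        elif line.startswith("Running:"):
            info["os"] = line.split(":", 1)[1].strip()
    return info

def audit(info, max_skew_s=300, max_cert_years=5):
    """Return {check_id: detail} for each hygiene problem visible in the scan."""
    f = {}
    for port in sorted(info["basic_auth"]):
        if not info["ports"][port].startswith("ssl/"):  # Basic auth without TLS
            f["basic-auth-cleartext"] = (f"Basic auth on plain-text port {port}: "
                                        "credentials travel base64-encoded, not encrypted")
    if info["sig_alg"] and info["sig_alg"].lower().startswith("sha1"):
        f["weak-cert-signature"] = f"certificate signed with {info['sig_alg']}"
    if info["not_before"] and info["not_after"]:
        years = (info["not_after"] - info["not_before"]).days / 365.25
        if years > max_cert_years:
            f["long-lived-cert"] = f"certificate valid for {years:.1f} years"
    if "rpcbind" in info["ports"].values():
        f["unneeded-service"] = "rpcbind exposed; a camera has no business serving RPC"
    if info["skew_s"] is not None and abs(info["skew_s"]) > max_skew_s:
        f["clock-skew"] = f"device clock off by {info['skew_s']} s; hurts log correlation and cert checks"
    if info["os"] and info["os"].startswith("Linux 2.6"):
        f["eol-kernel"] = f"fingerprinted as {info['os']}: the 2.6 series is no longer maintained"
    return f

if __name__ == "__main__":
    for check, detail in audit(parse_scan(SAMPLE_SCAN)).items():
        print(f"[{check}] {detail}")
```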
Undisclosed Integrator #7
Jul 31, 2018

In my head this just read as:

 

Challenge Accepted!

Undisclosed #3
Jul 30, 2018
IPVMU Certified

I am ... Governor Thomas Hinckley, Plymouth Colony, so I would hope you can get my name correct.

Said the Governor to his wife Mrs. Hinkley.

Undisclosed Manufacturer #4
Jul 30, 2018

Vulnerabilities detected on a product that has not been in production for ~5 years (which does not make the vulnerabilities less important). Patched firmware was released a few weeks ago and properly communicated to all customers. Everything is transparent and fixed. In the IP world, vulnerabilities can happen to any product connected to the network. Besides the fact that no damage has been done, so far, the most important topic is how an issue is identified, handled and sorted out by the manufacturer. This is one of the things that makes manufacturers different.

John Honovich
Jul 30, 2018
IPVM

Besides the fact that no damage has been done

Dear Sony employee, this is an incredibly naive and irresponsible response. Do you think hackers announce publicly when they use vulnerabilities? Of course not.

That these vulnerabilities existed for many years is a big problem, just like the Sony backdoor found 2 years ago.

With these vulnerabilities, who knows how many more are out there, being used by hackers, and not reported by white hats?

Undisclosed Manufacturer #4
Jul 30, 2018

Dear John,

I am NOT a Sony employee.

The first vulnerability detected in Sony cameras was treated in the same way. Identified, communicated and sorted out in the shortest possible time. Openly, announced in public, with company logo, even before it was announced on IPVM.

Of course, hackers do not announce their R&D job in public, and that was NOT the topic of my comment. I just mentioned that it can happen to any IP based product, including security cameras.

Regarding possible damage, my comment was on my own behalf, and I confirm that no damage with Sony cameras is known to me. Maybe you can say "do not push your luck", or maybe my knowledge is not as big as yours, or you can say "this is an incredibly naive and irresponsible response", but this is my personal conclusion based on facts known to me.

 

John Honovich
Jul 30, 2018
IPVM

I am NOT a Sony employee.

Yes, all Sony employees now work for Bosch but your LinkedIn profile shows you sell Sony for Bosch. Disclose your affiliation or we will do it for you.

Undisclosed Manufacturer #4
Jul 30, 2018

It is good to admit a mistake. You made another one with "all Sony employees now work for Bosch" but I believe it was just a generic conclusion you found from the newspaper. Anyway, this conversation went off topic, no need to continue, it is unhelpful, as you mentioned.  

John Honovich
Jul 30, 2018
IPVM

Are you saying your LinkedIn profile is wrong and that you no longer work for Bosch nor Sony? If that is true, update your LinkedIn profile and I will issue a full apology.

Undisclosed Manufacturer #4
Jul 30, 2018

Dear John,

You addressed me as "Dear Sony employee.....".

My reply was "I am NOT a Sony employee". And this is 100% correct. At least I know who I am working for, don't you think?

 

John Honovich
Jul 30, 2018
IPVM

You're not helping your cause. You are a Bosch employee selling Sony (poorly) attempting to minimize the significance of a vulnerability impacting your products.

Undisclosed Manufacturer #4
Jul 30, 2018

You are a journalist attempting to minimize (poorly) the significance of your mistakes. I really do not need to compete with you in counting the number of comments on IPVM. For any constructive approach, I am open for discussion.

All the best!

John Honovich
Jul 30, 2018
IPVM

You're employing the logical fallacy of "distinction without a difference". I hope it makes you feel better because I can guarantee you are embarrassing both Sony and Bosch.

Undisclosed #3
Jul 30, 2018
IPVMU Certified

My reply was "I am NOT a Sony employee". And this is 100% correct. At least I know who I am working for...

Ok then, what’s the worst thing you can say about Sony surveillance products?

C’mon, really give them a good thrashing!

 

 

 

Undisclosed Manufacturer #5
Jul 30, 2018

I would like to coin a term as evidenced here and in other discussions. The Internet has "Godwin's Law". I think here on IPVM we have "Honovich's Law". As a discussion grows, it will always come back to or be compared to Hikvision and Dahua.

As an example, this discussion is about Sony and it immediately devolved into the typical haters vs fanboys of Hik/Dahua.  Drawing the conclusion that if it can happen to Sony, then Hik/Dahua aren't so bad etc.  Firewalls and segmented networks are also usually brought up as examples and evidence, as well as links to other discussions and misspellings and undisclosed postings fanning the flames.

Undisclosed #6
Jul 30, 2018

Does this exploit work in both HTTP/S? Thanks!

bashis mcw
Jul 30, 2018

HTTPS is preferred as it gives some privacy ;)

Yes, working with both HTTP/HTTPS.
