Geovision Unprecedented Security Vulnerabilities And Backdoor

By John Scanlan, Published Feb 06, 2018, 12:43pm EST

Cybersecurity vulnerabilities have plagued the video surveillance market.

Now Bashis, discoverer of the Dahua backdoor, has found 15 security vulnerabilities, including a backdoor, that widely impact GeoVision's cameras.

Inside, we test Bashis' proof of concept and report on:

  • Ease or difficulty of exploit
  • Demonstrations of backdoors
  • Link to hack our camera
  • Vulnerability resolution
  • Potential collateral damage
  • Reach of impact compared to others

[Members-only report body; the text is masked in this copy. The surviving section headings are Key ..., Remote Root Access, Clear Text Credentials, Exploit ..., Limited ..., Test ..., Positive ..., and Severity ...; the Remote Root Access section notes that a root login is granted on the first attempt, and the Test section lists two camera firmware builds dated 2017-06-19 and 2017-06-26.]

Comments (25)

Any Geovision partners out there get a heads up about these exploits? Just curious how well they took advantage of those 14 days.

I'm a bit interested in where you get 14 days from; Geovision got 90 days to fix the vulnerabilities and inform their customers. The DRAFT Full Disclosure was initially provided at the same time as the first contact was made (with one update some days after), because I asked around and got a reliable contact suggestion. 14 days before FD I sent both the revised FD and the Python PoC for any objections or comments.

From what I know, when Googling a bit I found at least the following links, which show Geovision was not so passive.

GeoVision prompts you to check for firmware updates

Periodic Updates Required For Cybersecurity


The 14 days between January 17th and February 1st. I am curious if GeoVision reached out to its higher level partners about these exploits when they had a correction before the full disclosure.

Seems they did;

GeoVision have recently sent a mass email prompting all customers to check that their GeoVision devices are using the latest available firmware:

no?

I personally didn't catch the email, but I don't use/have very many GeoVision cameras (less than 50). Wondering if other integrators who are more deeply involved with GeoVision got a heads up before the full disclosure.

Interesting.

I could see that as actually very good practice, to give customers/integrators a heads up before full disclosure, as the manufacturer knows very well it will happen and when it will happen. (kicks a bit on Axis's narrow leg here too)

Yup. Hence why I am asking others if their experience differed from mine. 

I've joined you in the same question.

I received an email from GeoVision on January 24th, which prompted the Post at our Forum linked to above.

I've appended an image of the actual email FYI at that Post now.

(NB - only 48 views to date since Jan 24th)

GeoVision have sent out an email to Partners this morning with an update, and links to firmware updates.

I have added the pdf of the notice provided to our Forum Thread.

NB Their notice cites IPVM:

"In the wake of the security vulnerabilities that have been reported of late, GeoVision has actively responded, as noted by a section within the IPVM disclosure report illustrated below, by releasing a series of firmware upgrades to resolve the issue."

Phil, thanks for sharing. I am quite unhappy about Geovision referencing us. We absolutely did not give them permission and their excerpt clearly misrepresents our overall position, specifically about how bad their security / coding was.

As a response, I am going to include a section in our next newsletter to 50,000 recipients criticizing Geovision both for their cybersecurity problems and misuse of IPVM.

"John recognized the difficulty in getting unbiased, high quality information on what really worked and, especially, what did not."


That doesn't seem very "unbiased" there John... Fair-Use dictates they did not need your permission.

Brandon, Geovision misrepresented our analysis of their vulnerabilities. We were clearly critical of the serious problems. However they framed it as if we were endorsing or supporting them.

Secondly, where is that quote from and how is that related to this topic?


The quote is from your own profile page (John Honovich) and it's related because you said you were going to put them on blast because they didn't get your permission to cite your article (which they didn't need).

Brandon, The issue is not about permission. We don’t give permission for companies to use us in promotions. Secondly, it is a violation of our terms of service.

I see that you are new to IPVM so I’m happy to explain our policies. Any other questions, let us know.

Got it, but your terms do state "Finally, within the bounds of fair use, you may publicly copy excerpts of our research for criticism, news reporting, teaching, etc."

One could make the argument that a newsletter email containing a PDF "article" complies with your terms.

Not trying to stir the pot here on my first day and I see your point of them citing you in a fashion that makes them look better however they didn't alter your words. You did actually praise them for that 1 aspect even though there were many criticisms they omitted.

Just my 2 cents.


Liking the site so far!

Brandon, thanks!

Our terms definitely allow for fair use. That's fundamental American law. However, so too is the right of publicity.

What Geovision did there was not news reporting, teaching nor criticism. It was a message to their customers. By contrast, if Krebs on Security wrote about it and cited us, that certainly would be fair use.

Ultimately, though, that issue is secondary. My main concern is that, for our reputation, I cannot allow manufacturers to misuse your brand to promote themselves, even worse when they are distorting our analysis.

I aim to accomplish 2 things by emailing this in the newsletter: (1) inform people that Geovision misrepresented our analysis and (2) signal to other manufacturers that doing so comes with the penalty of further criticism.

Brandon, let’s say I ran a lemonade stand. You wrote a review saying John’s lemonade is very inexpensive but it’s terrible. Then I sent out a promotion saying that Brandon praised our lemonade for being inexpensive but I left out the part about you saying the lemonade was terrible. That is analogous to what happened here.

Got it, you posted this in the middle of my response but in short, I do agree that they picked what made them look better :)

Also, this article is not public, so even more so Geo should not include a screenshot of a private forum that they are then disseminating to their dealer network. If they want to include anything, it should be THEIR communications with Bashis, as listed on Github, not IPVM's wording of it.

I think that GeoVision was very sincere in their correspondence.

In this article, all GeoVision IP camera products are reported as if they have all the vulnerabilities.
But I got some different test results before the firmware update.
For example, I did not succeed with the "Remote Root Access" and "Clear Text Credentials" attacks on the GV-EBL2100 F/W:1.06.
On the other hand, the attack succeeded against the GV-VD320D F/W:3.12.

At least, I think that not all products / versions are affected.

To be honest, I began to doubt the accuracy of IPVM articles.

U3, thank you for the comment. We added a note to the report to provide clarity. You are correct that not all Geovision cameras are affected by this vulnerability. Geovision OEMs several models from Uniview which are not affected by these vulnerabilities. The GV-EBL2100 appears to be one of the OEM models (firmware 1.x).

To be clear, these vulnerabilities do affect almost all Geovision cameras.

Can your Uniview clone be vulnerable to this?

Would be interesting to know...


Interesting also to note that Geovision issued the same notification in the FW release notes as most of the others affected:

Version History GV-EBL2100

Certain network security vulnerabilities

Changed: PSIA protocol no longer supported

Source
