I'm a bit interested in where you get 14 days from; Geovision got 90 days to fix the vulnerabilities and inform their customers. The DRAFT Full Disclosure was initially provided at the same time as the first contact was made (with one update some days after), since I asked around and got a reliable contact suggestion. 14 days before FD I sent both the revised FD and the Python PoC for any objections or comments.
From what I know, when Googling a bit I found at least the following links, which show Geovision was not so passive.
I personally didn't catch the email, but I don't use/have very many GeoVision cameras (less than 50). Wondering if other integrators who are more deeply involved with GeoVision got a heads-up before the full disclosure.
I would consider it actually very good practice to give customers/integrators a heads-up before full disclosure, as the manufacturer knows very well that it will happen and when it will happen. (Kicks a bit at Axis's narrow leg here too.)
I have added the pdf of the notice provided to our Forum Thread.
NB: Their notice cites IPVM:
"In the wake of the security vulnerabilities that have been reported of late, GeoVision has actively responded, as noted by a section within the IPVM disclosure report illustrated below, by releasing a series of firmware upgrades to resolve the issue."
Phil, thanks for sharing. I am quite unhappy about Geovision referencing us. We absolutely did not give them permission and their excerpt clearly misrepresents our overall position, specifically about how bad their security / coding was.
As a response, I am going to include a section in our next newsletter, sent to 50,000 recipients, criticizing Geovision both for their cybersecurity problems and for their misuse of IPVM.
The quote is from your own profile page (John Honovich) and it's related because you said you were going to put them on blast because they didn't get your permission to cite your article (which they didn't need).
Got it, but your terms do state "Finally, within the bounds of fair use, you may publicly copy excerpts of our research for criticism, news reporting, teaching, etc."
One could make the argument that a newsletter email containing a PDF "article" complies with your terms.
Not trying to stir the pot here on my first day, and I see your point about them citing you in a fashion that makes them look better; however, they didn't alter your words. You did actually praise them for that one aspect, even though there were many criticisms they omitted.
Our terms definitely allow for fair use. That's fundamental American law. However, so too is the right of publicity.
What Geovision did there was not news reporting, teaching nor criticism. It was a message to their customers. By contrast, if Krebs on Security wrote about it and cited us, that certainly would be fair use.
Ultimately, though, that issue is secondary. My main concern is that, for our reputation, I cannot allow manufacturers to misuse our brand to promote themselves, even worse when they are distorting our analysis.
I aim to accomplish two things by emailing this in the newsletter: (1) inform people that Geovision misrepresented our analysis and (2) signal to other manufacturers that doing so comes with the penalty of further criticism.
Brandon, let’s say I ran a lemonade stand. You wrote a review saying John’s lemonade is very inexpensive but it’s terrible. Then I sent out a promotion saying that Brandon praised our lemonade for being inexpensive but I left out the part about you saying the lemonade was terrible. That is analogous to what happened here.
Also, this article is not public, so even more so Geo should not include a screenshot of a private forum that they are then disseminating to their dealer network. If they want to include anything, it should be THEIR communications with Bashis, as listed on Github, not IPVM's wording of it.
I think that GeoVision conducted a very sincere correspondence.
In this article, all GeoVision IP camera products are reported as if they have all the vulnerabilities. But I got some different test results before the firmware update. For example, the "Remote Root Access" and "Clear Text Credentials" attacks did not succeed against the GV-EBL2100 F/W 1.06. On the other hand, the attack succeeded against the GV-VD320D F/W 3.12.
At least, I think that not all products/versions are affected.
To be honest, I began to doubt the accuracy of IPVM articles.
U3, thank you for the comment. We added a note to the report to provide clarity. You are correct that not all Geovision cameras are affected by this vulnerability. Geovision OEMs several models from Uniview which are not affected by these vulnerabilities. The GV-EBL2100 appears to be one of the OEM models (firmware 1.x).