Geovision Unprecedented Security Vulnerabilities And Backdoor

By: John Scanlan, Published on Feb 06, 2018

Cybersecurity vulnerabilities have plagued the video surveillance market.

Now Bashis, discoverer of the Dahua backdoor, has discovered 15 security vulnerabilities, including a backdoor, that widely impact GeoVision's cameras.

Inside, we test Bashis' proof of concept and report on:

  • Ease or difficulty of exploit
  • Demonstrations of backdoors
  • Link to hack our camera
  • Vulnerability resolution
  • Potential collateral damage
  • Reach of impact compared to others

[***************]

Key ********

******** ********* ******* *** have ***** *********** ***** in ***** ***/** ***** along **** ******* ***** exploits ***** *** *** easily ********. ********* ******* with ******** **** ****** ******** 2017 ****** ********* *********** (********* ******** source). ** *********** *** Geovision ******* *** ****** on ***** ******* ** applications, ****** ***** ********* as ****.

NOTE: *** ******* *** ********

**** **** ********* **** several ****** **** ******* (such ** *** ***-**** ****** **********) ***** *** *** ******** ** ***** ********. 

Remote **** ******

**** ****** ** ******* with * ****** **** ******* at *** ********** ******. The ************* ***** *********** that *** ****** ** initially *** ********** **** the *********** ** **** / ****.  *******, ***** running * **** *******, *** credentials *** ******* ** root / **** *** root ****** ** ******* upon *** **** ***** attempt.

**** **** *** ******** on *** ****** ****** camera (****://************.******.***:** [**** ** longer *********]) *** *** ******* **** to ****** ***** ** root *** *** ******** to **** **:

**** -* ****://************.******.***:**/*********.***?**************=****\&*****************=****

*** *** *** ** for ******** ** ****://************.******.***:** [link ** ****** *********].

Clear **** ***********

*** **** ************* ******** * print *** ** ****** credentials ** ***** ****:

**** **** *** ********* on * ****** ** our *** *** *** command **** ** ***** the ******'* ***********, ********* usernames *** ******** ** clear ****, **:

**** -* "****://*******/************.***?********=*********&********=%******%**%**%**%**--%*********%******=%*********%**--%**%**%*****/*****.***%**&*********=*&**********=*&*******=*&******=*&***=*****" ; curl -* "****://*******/***.***/***/*****.***"

*************** *********

**** ** *** *************** *** be ********* **** * curl ******* **** **** *** of *** ******'* *** *******, e.g., **** ****** ***:

Exploit ******

***** *** ******* ****** vulnerabilities **** ****** *** discovered, *** ***** ** a ***** **** ** what *** ** **** with ****.

  • ***** *** ****** '*****' to '****'  *** *** password
  • ****** ****** ****** ******** back ** *******
  • ************ ******* ** ********.
  • ****** ** ******** ****** for ******** ******* ********
  • ****** ** *** (****) and *** (*****), ***** allows ******, ******* *****, etc.
  • **** *** ********, ********* login *** ********* ** clear ****
  • *** * ******** **** the ******

******* **** ** ******** and *********** ****** **** ***** with ***** ******* ******* to *** ********.

Limited ****** *******

** * ****** ********* ** the **** ** *********** there**** *** ****** ****** GeoVision ******* **** ** Shodan.io, ***** ** ***** low, ********** *********'* ******* modest ****** ***** (***** of ********** *********'* ***,***+ ******* ******).

Test **********

** ****** ******' *** with * ********** ********* cameras, *** **-*******: **.** 2017-06-19 *** **-*******: **.** 2017-06-26.

Positive ******** / *********** **** *********

*** ******** ******* ** note, ******, ** ********* in *** ******* *****, reported **** ********* *** cooperative *** ********** ** dealing **** *** ****** that ****** ********:

 

Severity ****

*** ******** ** ***** vulnerabilities ** *************, ***** the ******* ** ****** ******** root ****** *** ** uncover ******** *********. ** concur **** ****** ********** that **** ** **** likely *** *** **** coding, ****** **** **** on *******. *******, ********** of ******, *** ******** and ********** ** ********** ***** vulnerabilities ****** *********** **** in ***** ********* ******** going *******.

Comments (25)

Any Geovision partners out there get a heads up about these exploits? Just curious of how well they took advantage of those 14 days.

I'm a bit interested in where you get 14 days from; Geovision got 90 days to fix the vulnerabilities and inform their customers. The DRAFT Full Disclosure was initially provided at the same time as the first contact was made (with one update some days after), because I asked around and got a reliable contact suggestion. 14 days before FD I sent both the revised FD and the Python PoC for any objections or comments.

From what I know, when I Googled a bit I found at least the following links, which show Geovision was not so passive.

GeoVision prompts you to check for firmware updates

Periodic Updates Required For Cybersecurity

 

The 14 days between January 17th and February 1st. I am curious if GeoVision reached out to its higher level partners about these exploits when they had a correction before the full disclosure.

Seems they did;

GeoVision have recently sent a mass email prompting all customers to check that their GeoVision devices are using the latest available firmware:

no?

I personally didn't catch the email, but I don't use/have very many GeoVision cameras (less than 50). Wondering if other integrators who are more deeply involved with GeoVision got a heads up before the full disclosure.

Interesting.

I would find it actually very good practice to give customers/integrators a heads up before full disclosure, as the manufacturer knows very well it will happen and when it will happen. (kicks a bit on Axis's narrow leg here too)

Yup. Hence why I am asking others if their experience differed from mine.

I've joined you in the same question.

I received an email from GeoVision on January 24th, which prompted the Post at our Forum linked to above.

I've appended an image of the actual email FYI at that Post now.

(NB - only 48 views to date since Jan 24th)

GeoVision have sent out an email to Partners this morning with an update, and links to firmware updates.

I have added the pdf of the notice provided to our Forum Thread.

NB Their notice cites IPVM:

"In the wake of the security vulnerabilities that have been reported of late, GeoVision has actively responded, as noted by a section within the IPVM disclosure report illustrated below, by releasing a series of firmware upgrades to resolve the issue."

Phil, thanks for sharing. I am quite unhappy about Geovision referencing us. We absolutely did not give them permission and their excerpt clearly misrepresents our overall position, specifically about how bad their security / coding was.

As a response, I am going to include a section in our next newsletter to 50,000 recipients criticizing Geovision both for their cybersecurity problems and misuse of IPVM.

"John recognized the difficulty in getting unbiased, high quality information on what really worked and, especially, what did not."

 

That doesn't seem very "unbiased" there John... Fair-Use dictates they did not need your permission.

Brandon, Geovision misrepresented our analysis of their vulnerabilities. We were clearly critical of the serious problems. However they framed it as if we were endorsing or supporting them.

Secondly, where is that quote from and how is that related to this topic?

 

The quote is from your own profile page (John Honovich) and it's related because you said you were going to put them on blast because they didn't get your permission to cite your article (which they didn't need).

Brandon, The issue is not about permission. We don’t give permission for companies to use us in promotions. Secondly, it is a violation of our terms of service.

I see that you are new to IPVM so I’m happy to explain our policies. Any other questions, let us know.

Got it, but your terms do state "Finally, within the bounds of fair use, you may publicly copy excerpts of our research for criticism, news reporting, teaching, etc."

One could make the argument that a newsletter email containing a PDF "article" complies with your terms.

Not trying to stir the pot here on my first day and I see your point of them citing you in a fashion that makes them look better however they didn't alter your words. You did actually praise them for that 1 aspect even though there were many criticisms they omitted.

Just my 2 cents.

 

Liking the site so far!

Brandon, thanks!

Our terms definitely allow for fair use. That's fundamental American law. However, so too is the right of publicity.

What Geovision did there was not news reporting, teaching nor criticism. It was a message to their customers. By contrast, if Krebs on Security wrote about it and cited us, that certainly would be fair use.

Ultimately, though, that issue is secondary. My main concern is that, for our reputation, I cannot allow manufacturers to misuse your brand to promote themselves, even worse when they are distorting our analysis.

I aim to accomplish 2 things by emailing this in the newsletter: (1) inform people that Geovision misrepresented our analysis and (2) to signal to other manufacturers that doing so comes with the penalty of further criticism.

Brandon, let’s say I ran a lemonade stand. You wrote a review saying John’s lemonade is very inexpensive but it’s terrible. Then I sent out a promotion saying that Brandon praised our lemonade for being inexpensive but I left out the part about you saying the lemonade was terrible. That is analogous to what happened here.

Got it, you posted this in the middle of my response but in short, I do agree that they picked what made them look better :)

Also, this article is not public, so even more so that Geo should not include a screenshot of a private forum that they are then disseminating to their dealer network. If they want to include anything, it should be THEIR communications with Bashis, as listed on Github, not IPVM's wording of it.

I think that GeoVision did a very sincere correspondence.

In this article, all GeoVision IP camera products are reported as if they have all vulnerabilities.
But I got some different test results before the firmware update.
For example, I did not succeed in attacking "Remote Root Access" and "Clear Text Credentials" on GV-EBL2100 F/W:1.06.
On the other hand, the attack succeeded against GV-VD320D F/W:3.12.

At least, I think that not all products / versions are affected.

To be honest, I began to doubt the accuracy of IPVM articles.

U3, thank you for the comment.  We added a note to the report to provide clarity.  You are correct that not all Geovision cameras are affected by this vulnerability. Geovision OEMs several models from Uniview which are not affected by these vulnerabilities.  The GV-EBL2100 appears to be one of the OEM models (firmware 1.x).

To be clear, these vulnerabilities do affect almost all Geovision cameras.

Can your Uniview clone be vulnerable to this?

Would be interesting to know...

 

Interesting also to note that Geovision issued the same notification in the FW release note as most of the others affected:

Version History GV-EBL2100

Certain network security vulnerabilities

Changed: PSIA protocol no longer supported

 Source

 
