Geovision Unprecedented Security Vulnerabilities And Backdoor

By: John Scanlan, Published on Feb 06, 2018

Cybersecurity vulnerabilities have plagued the video surveillance market.

Now, Bashis, discoverer of the Dahua backdoor, has discovered 15 security vulnerabilities, including a backdoor, that widely impact GeoVision's cameras.

Inside, we test Bashis' proof of concept and report on:

  • Ease or difficulty of exploit
  • Demonstrations of backdoors
  • Link to hack our camera
  • Vulnerability resolution
  • Potential collateral damage
  • Reach of impact compared to others

Key ********

******** ********* ******* *** have ***** *********** ***** in ***** ***/** ***** along **** ******* ***** exploits ***** *** *** easily ********. ********* ******* with ******** **** ****** ******** 2017 ****** ********* *********** (********* ******** source). ** *********** *** Geovision ******* *** ****** on ***** ******* ** applications, ****** ***** ********* as ****.

NOTE: *** ******* *** ********

**** **** ********* **** several ****** **** ******* (such ** *** ***-**** ****** **********) ***** *** *** ******** ** ***** ********. 

Remote **** ******

**** ****** ** ******* with * ****** **** ******* at *** ********** ******. The ************* ***** *********** that *** ****** ** initially *** ********** **** the *********** ** **** / ****.  *******, ***** running * **** *******, *** credentials *** ******* ** root / **** *** root ****** ** ******* upon *** **** ***** attempt.

**** **** *** ******** on *** ****** ****** camera (****://************.******.***:** [**** ** longer *********]) *** *** ******* **** to ****** ***** ** root *** *** ******** to **** **:

**** -* ****://************.******.***:**/*********.***?**************=****\&*****************=****

*** *** *** ** for ******** ** ****://************.******.***:** [link ** ****** *********].

Clear **** ***********

*** **** ************* ******** * print *** ** ****** credentials ** ***** ****:

**** **** *** ********* on * ****** ** our *** *** *** command **** ** ***** the ******'* ***********, ********* usernames *** ******** ** clear ****, **:

**** -* "****://*******/************.***?********=*********&********=%******%**%**%**%**--%*********%******=%*********%**--%**%**%*****/*****.***%**&*********=*&**********=*&*******=*&******=*&***=*****" ; curl -* "****://*******/***.***/***/*****.***"

*************** *********

**** ** *** *************** *** be ********* **** * curl ******* **** **** *** of *** ******'* *** *******, e.g., **** ****** ***:

Exploit ******

***** *** ******* ****** vulnerabilities **** ****** *** discovered, *** ***** ** a ***** **** ** what *** ** **** with ****.

  • ***** *** ****** '*****' to '****'  *** *** password
  • ****** ****** ****** ******** back ** *******
  • ************ ******* ** ********.
  • ****** ** ******** ****** for ******** ******* ********
  • ****** ** *** (****) and *** (*****), ***** allows ******, ******* *****, etc.
  • **** *** ********, ********* login *** ********* ** clear ****
  • *** * ******** **** the ******

******* **** ** ******** and *********** ****** **** ***** with ***** ******* ******* to *** ********.

Limited ****** *******

** * ****** ********* ** the **** ** *********** there**** *** ****** ****** GeoVision ******* **** ** Shodan.io, ***** ** ***** low, ********** *********'* ******* modest ****** ***** (***** of ********** *********'* ***,***+ ******* ******).

Test **********

** ****** ******' *** with * ********** ********* cameras, *** **-*******: **.** 2017-06-19 *** **-*******: **.** 2017-06-26.

Positive ******** / *********** **** *********

*** ******** ******* ** note, ******, ** ********* in *** ******* *****, reported **** ********* *** cooperative *** ********** ** dealing **** *** ****** that ****** ********:

 

Severity ****

*** ******** ** ***** vulnerabilities ** *************, ***** the ******* ** ****** ******** root ****** *** ** uncover ******** *********. ** concur **** ****** ********** that **** ** **** likely *** *** **** coding, ****** **** **** on *******. *******, ********** of ******, *** ******** and ********** ** ********** ***** vulnerabilities ****** *********** **** in ***** ********* ******** going *******.

Comments (25)

Any Geovision partners out there get a heads up about these exploits? Just curious of how well they took advantage of those 14 days.

I'm a bit interested in where you get 14 days from; Geovision got 90 days to fix the vulnerabilities and inform their customers. The DRAFT Full Disclosure was initially provided at the same time as the first contact was made (with one update some days after), because I asked around and got a reliable contact suggestion. 14 days before FD I sent both the revised FD and Python PoC for any objections or comments.

From what I know, when I Googled some I found at least the following links, which show Geovision was not so passive.

GeoVision prompts you to check for firmware updates

Periodic Updates Required For Cybersecurity

 

The 14 days between January 17th and February 1st. I am curious if GeoVision reached out to its higher level partners about these exploits when they had a correction before the full disclosure.

Seems they did;

GeoVision have recently sent a mass email prompting all customers to check that their GeoVision devices are using the latest available firmware:

no?

I personally didn't catch the email, but I don't use/have very many GeoVision cameras (less than 50). Wondering if other integrators  who are more deeply involved with GeoVision got a heads up before the full disclosure.

Interesting.

I could find that to be actually very good practice, to get customers/integrators a heads up before full disclosure, as the manufacturer knows very well it will happen and when it will happen. (kicks a bit on Axis's narrow leg here too)

Yup. Hence why I am asking others if their experience differed from mine.

I've joined you in the same question.

I received an email from GeoVision on January 24th, which prompted the Post at our Forum linked to above.

I've appended an image of the actual email FYI at that Post now.

(NB - only 48 views to date since Jan 24th)

GeoVision have sent out an email to Partners this morning with an update, and links to firmware updates.

I have added the pdf of the notice provided to our Forum Thread.

NB Their notice cites IPVM:

"In the wake of the security vulnerabilities that have been reported of late, GeoVision has actively responded, as noted by a section within the IPVM disclosure report illustrated below, by releasing a series of firmware upgrades to resolve the issue."

Phil, thanks for sharing. I am quite unhappy about Geovision referencing us. We absolutely did not give them permission and their excerpt clearly misrepresents our overall position, specifically about how bad their security / coding was.

As a response, I am going to include a section in our next newsletter to 50,000 recipients criticizing Geovision both for their cybersecurity problems and misuse of IPVM.

"John recognized the difficulty in getting unbiased, high quality information on what really worked and, especially, what did not."

 

That doesn't seem very "unbiased" there John... Fair-Use dictates they did not need your permission.

Brandon, Geovision misrepresented our analysis of their vulnerabilities. We were clearly critical of the serious problems. However they framed it as if we were endorsing or supporting them.

Secondly, where is that quote from and how is that related to this topic?

 

The quote is from your own profile page (John Honovich) and it's related because you said you were going to put them on blast because they didn't get your permission to cite your article (which they didn't need).

Brandon, The issue is not about permission. We don’t give permission for companies to use us in promotions. Secondly, it is a violation of our terms of service.

I see that you are new to IPVM so I’m happy to explain our policies. Any other questions, let us know.

Got it, but your terms do state "Finally, within the bounds of fair use, you may publicly copy excerpts of our research for criticism, news reporting, teaching, etc."

One could make the argument that a newsletter email containing a PDF "article" complies with your terms.

Not trying to stir the pot here on my first day and I see your point of them citing you in a fashion that makes them look better however they didn't alter your words. You did actually praise them for that 1 aspect even though there were many criticisms they omitted.

Just my 2 cents.

 

Liking the site so far!

Brandon, thanks!

Our terms definitely allow for fair use. That's fundamental American law. However, so too is the right of publicity.

What Geovision did there was not news reporting, teaching nor criticism. It was a message to their customers. By contrast, if Krebs on Security wrote about it and cited us, that certainly would be fair use.

Ultimately, though, that issue is secondary. My main concern is that, for our reputation, I cannot allow manufacturers to misuse your brand to promote themselves, even worse when they are distorting our analysis.

I aim to accomplish 2 things by emailing this in the newsletter: (1) inform people that Geovision misrepresented our analysis and (2) to signal to other manufacturers that doing so comes with the penalty of further criticism.

Brandon, let’s say I ran a lemonade stand. You wrote a review saying John’s lemonade is very inexpensive but it’s terrible. Then I sent out a promotion saying that Brandon praised our lemonade for being inexpensive but I left out the part about you saying the lemonade was terrible. That is analogous to what happened here.

Got it, you posted this in the middle of my response but in short, I do agree that they picked what made them look better :)

Also, this article is not public, so even more so that Geo should not include a screenshot of a private forum that they are then disseminating to their dealer network. If they want to include anything, it should be THEIR communications with Bashis, as listed on Github, not IPVM's wording of it.

I think that GeoVision did a very sincere correspondence.

In this article, all GeoVision IP camera products are reported as if they have all vulnerabilities.
But I got some different test results before the firmware update.
For example, I did not succeed in the "Remote Root Access" and "Clear Text Credentials" attacks against GV-EBL2100 F/W:1.06.
On the other hand, the attack succeeded against GV-VD320D F/W:3.12.

At least, I think that not all products / versions are affected.

To be honest, I began to doubt the accuracy of IPVM articles.

U3, thank you for the comment.  We added a note to the report to provide clarity.  You are correct that not all Geovision cameras are affected by this vulnerability. Geovision OEMs several models from Uniview which are not affected by these vulnerabilities.  The GV-EBL2100 appears to be one of the OEM models (firmware 1.x).

To be clear, these vulnerabilities do affect almost all Geovision cameras.

Can your Uniview clone be vulnerable to this?

Would be interesting to know...

 

Interesting also to note that Geovision issue same notification in the FW release note as most of the other affected:

Version History GV-EBL2100

Certain network security vulnerabilities

Changed: PSIA protocol no longer supported

 Source

 
