Hanwha / Kaspersky Vulnerability Dispute Examined

By IPVM Team, Published Mar 29, 2018, 09:40am EDT (Info+)

IT media ran numerous reports in the past month featuring two prominent companies - Hanwha (previously part of mega manufacturer Samsung) Techwin who sells significant numbers of consumer security cameras and Kaspersky, most known for last year's Russia controversy (e.g., Russia Has Turned Kaspersky Software Into Tool for Spying).

This story was about Kaspersky reporting vulnerabilities in Hanwha's consumer cameras (i.e., Smart eye: Kaspersky Lab discovers severe flaws that could transform smart cameras into surveillance tool) which was reported widely including CNET's Your smart camera may have been spying on you).

However, as we examined this and talked with both parties, there was a significant number of conflicting issues raised about the severity of the vulnerabilities. In this note, we share feedback provided, examining the issues involved.

Consumer ****, *** ********, *** *******

********* ** ****** *** *** ******** by *********, ***** *************** **** ****** to ******** *******, *** ** ******* business / ************ ******* **** *** a ********* ************.

Kaspersky ******

********* ***** * ****** ** ******* *************** in *************’* ********! **** ******* *** **** than **** ‘*****’ ****:

*** *** ***** *********** ** *** where ********** ***** *** ***** ** focused ** **** ********* **** *** parties.

 

Response *********

********* ********* ** ******* *** *** admin ******** ***** ** ******** *******:

****: ** *** ********** ****, ** ********, “A ********** ** ******** ****** *** administrator ********.” *** *** ********** *** one *** ******** ****** *** ************* password? ** **, *** *** ********* on *** ** ** ****? 

*********: ************* ** ****** ******** *** ********* details ** *** ******** *************** ******* we *** ***** *** **** ** all *** ***** *** ****** **** installed ******** *******.

** ******** ** ** ****** ** it ***** ** **** ** *** future (*** ** **** ** ** days?) *** ** ******** *** ********.

***********, ********* ********* *** '*******' *** remote ******* ********* *** * *********** of ******* **** / ******:

****: **** ** *** ********** ****, ** mentions, “* ******* *** *** ****** execution ** ******** **** **** **********.” Can *** ******* **** ** **** feature ** ****?

**** ************* *** ** ********* ******** using * *********** ** ******* **** and ***** ************ ******. **** *****-***** vulnerability *** **** ** ******** *** it ****** ****** ** *** ********* camera ** *** ** **** * computer **** ***** ** ** ** with ****-***** **********. **** ****** ****** attackers ** ******* *** **** ** it: *** ** ** ****** ***** point *** *** ****** ***** ******* the ******** ******* ***** *** ****** is *******, ****** ********* ******** *** turn *** ****** **** * ****, DDoS ** ******-******** ****** ******.

** ***** ********* ** **** **** it *** ******** ** ******** **** * 'combination' ** **** *** ****** ** a '*******' *** **** ******** ********.

Hanwha ********

****** **** ********* ** ***** *** issues, ********** ********* *******, ******** ** was **** ****** / **** ********* than ********* *******:

[**: ******** ****** *** ************* *********] Most ******** ***** ******* ** *** internet *** ***** **** ****** (** suggested ** *** ************).  ** **** case, ******* ****** ***’* ****** *** camera. *******, ** *** ******* *** public ** ** *** **** **** proper **** ********** ******* ** *** route, ********* *** ******* ** *** camera ** **** **** *** ******’* password *** **** ******** ******** ** enter. **’** ***** ***** ********** ******** and ****** *** **** ** ***** specific ********.
 
[**: ****** ********* ** ******** **** root] ******* ***** **** ** ******* our ******** **** *** ************ ********** with *** **** ******* ****** *** command **** *** **** ******. **** would **** **** ** ***** *** camera’s ****** ** *********. ***** **** information, **** *** **** ***** *** XMPP ******* *** **** **** ** to *** ***** ******. ** **** case, *** ************ ******* *** ** registered ** *** ***** *******. **** the **** **** ***** ** ******** the ******, **’** ****** ** **** “already ********** ******” *******. **** ** the **** ******. ** ******* ****, we’ve ******* *** ********** *** ** our ******** **** *** ***** ** authentication ********* ******* *** ****** *** cloud ******* **** ** ****** ********* packets.

No ******* ******** *********

********* *** *** ******* ***** ** forwarded ******'* ******** ** ****.

Great ********* / ************ ********

*********, **** ** ***** ********* *** Kaspersky ** ** ********* ***** ********* and ***** **** ****** ******** **.

*** ****** ******* *** * ************** to *** *************** *** ****** ********.

*** *** ********** ******* **** ************** the ********** *** ** ***** ** accurately *** ****** ********** *************** ** well ** ********* ***** ** ***** vulnerabilities. As ***** ** *** "*****'* ***" ***** ** ****, ************* ** ******** * powerful ********* **** *** ************* *****.

Comments (3)

John Honovich

IPVM | 03/29/18 01:43pm

Btw, a note on why we are 'late' reporting (not to the security trade press, which rarely covers such things but to mainstream IT). As noted in the report, we went back forth between both parties and that took time to get answers, check on things, etc.

Agree: 1
Disagree
Informative: 1
Unhelpful
Funny

John Honovich

IPVM | 03/29/18 01:46pm

Two other things that did not make the post but worth commenting on. Kaspersky included this infographic in their press release:

And report from Sputnik News: Kaspersky Lab Researchers Discover Sinister Flaw in Popular Smart Cameras

Agree
Disagree
Informative: 1
Unhelpful
Funny

bashis mcw

03/29/18 10:41pm

But the difficulty becomes what responsibility the researcher has in terms of accurately and fairly disclosing vulnerabilities as well as providing proof of those vulnerabilities. 

I believe it is important to prove the claims, so it can be reproduced and verified by other researchers.

When reading;

Kaspersky: Unfortunately we cannot disclose any technical details of the critical vulnerabilities because we are still not sure if all the smart cam owners have installed security updates.

It becomes in my eyes clear that will never happen, because how to verify that "all the smart cam owners have installed security updates."

 

Agree: 4
Disagree
Informative: 1
Unhelpful
Funny
Login to read this IPVM report.
Why do I need to log in?
IPVM conducts reporting, tutorials and software funded by subscriber's payments enabling us to offer the most independent, accurate and in-depth information.
Loading Related Reports