Hanwha / Kaspersky Vulnerability Dispute Examined

By: IPVM Team, Published on Mar 29, 2018

IT media ran numerous reports in the past month featuring two prominent companies - Hanwha (previously part of mega manufacturer Samsung) Techwin who sells significant numbers of consumer security cameras and Kaspersky, most known for last year's Russia controversy (e.g., Russia Has Turned Kaspersky Software Into Tool for Spying).

This story was about Kaspersky reporting vulnerabilities in Hanwha's consumer cameras (i.e., Smart eye: Kaspersky Lab discovers severe flaws that could transform smart cameras into surveillance tool) which was reported widely including CNET's Your smart camera may have been spying on you).

However, as we examined this and talked with both parties, there was a significant number of conflicting issues raised about the severity of the vulnerabilities. In this note, we share feedback provided, examining the issues involved.

** ***** *** ******** reports ** *** **** month ********* *** ********* companies - ****** (********** part ** **** ************ Samsung) ******* *** ***** significant ******* ** ******** security ******* *** *********, most ***** *** **** year's ****** *********** (*.*.,****** *** ****** ********* Software **** **** *** Spying).

**** ***** *** ***** Kaspersky ********* *************** ** Hanwha's ******** ******* (*.*.,***** ***: ********* *** discovers ****** ***** **** could ********* ***** ******* into ************ ****) ***** *** ******** widely *************'* **** ***** ****** *** have **** ****** ** you).

*******, ** ** ******** this *** ****** **** both *******, ***** *** a *********** ****** ** conflicting ****** ****** ***** the ******** ** *** vulnerabilities. ** **** ****, we ***** ******** ********, examining *** ****** ********.

[***************]

Consumer ****, *** ********, *** *******

********* ** ****** *** not ******** ** *********, these *************** **** ****** to ******** *******, *** to ******* ******** / professional ******* **** *** a ********* ************.

Kaspersky ******

********* ***** * ****** of ******* *************** ** *************’* ********! **** ******* are **** **** **** ‘smart’ ****:

*** *** ***** *********** in *** ***** ********** risky *** ***** ** focused ** **** ********* with *** *******.

 

Response *********

********* ********* ** ******* how *** ***** ******** could ** ******** *******:

****: ** *** ********** ****, it ********, “* ********** to ******** ****** *** administrator ********.” *** *** disclosing *** *** *** remotely ****** *** ************* password? ** **, *** you ********* ** *** to ** ****? 

*********: ************* ** ****** ******** any ********* ******* ** the ******** *************** ******* we *** ***** *** sure ** *** *** smart *** ****** **** installed ******** *******.

** ******** ** ** asking ** ** ***** be **** ** *** future (*** ** **** or ** ****?) *** no ******** *** ********.

***********, ********* ********* *** 'feature' *** ****** ******* execution *** * *********** of ******* **** / issues:

****: **** ** *** ********** post, ** ********, “* feature *** *** ****** execution ** ******** **** root **********.” *** *** explain **** ** **** feature ** ****?

**** ************* *** ** exploited ******** ***** * combination ** ******* **** and ***** ************ ******. This *****-***** ************* *** hard ** ******** *** it ****** ****** ** the ********* ****** ** use ** **** * computer **** ***** ** on ** **** ****-***** privileges. **** ****** ****** attackers ** ******* *** code ** **: *** it ** ****** ***** point *** *** ****** tools ******* *** ******** network ***** *** ****** is *******, ****** ********* software *** **** *** camera **** * ****, DDoS ** ******-******** ****** botnet.

** ***** ********* ** they **** ** *** ******** to ******** **** * 'combination' ** **** *** issues ** * '*******' but **** ******** ********.

Hanwha ********

****** **** ********* ** these *** ******, ********** technical *******, ******** ** was **** ****** / more ********* **** ********* suggest:

[**: ******** ****** *** administrator *********] **** ******** users ******* ** *** internet *** ***** **** router (** ********* ** the ************).  ** **** case, ******* ****** ***’* access *** ******. *******, if *** ******* *** public ** ** *** user **** ****** **** forwarding ******* ** *** route, ********* *** ******* to *** ****** ** they **** *** ******’* password *** **** ******** commands ** *****. **’** taken ***** ********** ******** and ****** *** **** of ***** ******** ********.
 
[**: ****** ********* ** commands **** ****] ******* would **** ** ******* our ******** **** *** familiarized ********** **** *** XMPP ******* ****** *** command **** *** **** camera. **** ***** **** have ** ***** *** camera’s ****** ** *********. Using **** ***********, **** can **** ***** *** XMPP ******* *** **** send ** ** *** cloud ******. ** **** case, *** ************ ******* can ** ********** ** the ***** *******. **** the **** **** ***** to ******** *** ******, it’ll ****** ** **** “already ********** ******” *******. This ** *** **** impact. ** ******* ****, we’ve ******* *** ********** way ** *** ******** file *** ***** ** authentication ********* ******* *** camera *** ***** ******* side ** ****** ********* packets.

No ******* ******** *********

********* *** *** ******* after ** ********* ******'* response ** ****.

Great ********* / ************ ********

*********, **** ** ***** marketing *** ********* ** it ********* ***** ********* and ***** **** ****** positive **.

*** ****** ******* *** a ************** ** *** vulnerabilities *** ****** ********.

*** *** ********** ******* what ************** *** ********** has ** ***** ** accurately *** ****** ********** vulnerabilities ** **** ** providing ***** ** ***** vulnerabilities. As ***** ** *** "*****'* ***" ***** ** ****, ************* ** becoming * ******** ********* tool *** ************* *****.

Comments (3)

John Honovich

IPVM | 03/29/18 01:43pm

Btw, a note on why we are 'late' reporting (not to the security trade press, which rarely covers such things but to mainstream IT). As noted in the report, we went back forth between both parties and that took time to get answers, check on things, etc.

John Honovich

IPVM | 03/29/18 01:46pm

Two other things that did not make the post but worth commenting on. Kaspersky included this infographic in their press release:

And report from Sputnik News: Kaspersky Lab Researchers Discover Sinister Flaw in Popular Smart Cameras

bashis mcw

03/29/18 10:41pm

But the difficulty becomes what responsibility the researcher has in terms of accurately and fairly disclosing vulnerabilities as well as providing proof of those vulnerabilities. 

I believe it is important to prove the claims, so it can be reproduced and verified by other researchers.

When reading;

Kaspersky: Unfortunately we cannot disclose any technical details of the critical vulnerabilities because we are still not sure if all the smart cam owners have installed security updates.

It becomes in my eyes clear that will never happen, because how to verify that "all the smart cam owners have installed security updates."

 

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

China DVR/NVR Backdoor Discovered, Huawei Refutes on Feb 07, 2020
A backdoor was found in Chinese-produced DVRs and NVRs that secretly allowed access to the recorders. While it was first attributed to Huawei...
Dahua New Critical Vulnerability 2019 on Sep 23, 2019
Dahua has quietly admitted 5 new vulnerabilities including 1 critical vulnerability with a 9.8 / 10.0 CVSS score and 2 high vulnerabilities (scored...
Uniview OEM Directory on Sep 11, 2019
This directory lists 20+ companies that OEM products from Uniview, with a graphic and links to company websites below. It does not cover all...
ONVIF Exposure To "Devastating DDoS Attacks" Examined on Sep 06, 2019
ZDnet reported "Protocol used by 630,000 devices can be abused for devastating DDoS attacks", citing exposure of ONVIF devices. And after an...
Critical Vulnerability Across 18+ Network Switch Vendors: Cisco, Netgear, More on Aug 26, 2019
Cisco, Netgear and more than a dozen other brands, including small Asian ones, have been found to share the same critical vulnerability, discovered...
Axis Suffers Outage, Provides Postmortem on Aug 15, 2019
This week, Axis suffered an outage impacting their website and cloud services. Inside this note, we examined what happened, what was impacted...
Dahua Wiretapping Vulnerability on Aug 02, 2019
IPVM has validated, with testing, and from Dahua, that many Dahua cameras have a wiretapping vulnerability. Even if the camera's audio has been...
LifeSafety Power NetLink Vulnerabilities And Problematic Response on May 20, 2019
'Power supplies' are not devices that many think about when considering vulnerabilities but as more and more devices go 'online', the risks for...
Security Fail: ASISNYC Auto Emails Passwords In Plain Text on May 14, 2019
ASIS NYC automatically emails a user with the password the user just entered, in plain text, when one registers for the site / event, as the...
Verint Victimized By Ransomware on Apr 18, 2019
Verint, which is best known in the physical security industry for video surveillance but has built a sizeable cybersecurity business as well, was...

Most Recent Industry Reports

Embedded Logix Thermal Temperature Detection System Examined on Apr 08, 2020
Embedded Logix has been producing thermal temperature measurement systems for industry and fire detection for over 10 years. Now, they are entering...
Micron 1 TB SD Cards Aim To Eliminate NVRs on Apr 08, 2020
Micron has boldly proclaimed their latest 1TB microSD "eliminates the need for network video recorders", targeting the growing market of...
US DoD Declares "Can No Longer Do Business" With Contractors Using Dahua, Hikvision, Huawei on Apr 08, 2020
The US Department of Defense has confirmed to IPVM that they fully support and intend to proceed with the NDAA 'blacklist clause' covering Dahua,...
IPVM's 12th Anniversary - Thank You! on Apr 07, 2020
IPVM is proud to celebrate it's 12 anniversary expanding our commitment to providing the industry independent and objective information on video...
Mobotix Thermal Body Temperature Detection Examined on Apr 07, 2020
Mobotix has jumped into the Coronavirus temperature detection market, but how do they compare to thermal incumbents like FLIR or ICI who have been...
Verkada Coronavirus Response: Free Temp Systems For Government and Health Care on Apr 07, 2020
Verkada has built a reputation on giving away things for free - free Yeti Tumblers, free trial cameras and now free temporary systems for...
Hikvision USA Refuses, Dahua USA Drives Forward With "Coronavirus Cameras" on Apr 07, 2020
Both have been federally banned, both sanctioned for human rights abuses but only one - Dahua - is taking aim at the booming "coronavirus cameras"...
China Surveillance Vulnerabilities Being Used To Attack China, Says China on Apr 07, 2020
While China video surveillance vulnerabilities have been much debated in the West in the past few years, China is now saying those vulnerabilities...
USA ICI Elevated Skin Temperature Detectors Examined on Apr 06, 2020
Infrared Cameras, Inc. (ICI) is aiming to help slow the spread of COVID-19 with "pinpoint accurate skin temperature measurement" using their...
Trade Groups Request NDAA Blacklist Delay Citing Coronavirus on Apr 06, 2020
Two trade groups representing government contractors have asked Congress to delay implementation of the NDAA's 'blacklist' clause from this August...