Hanwha / Kaspersky Vulnerability Dispute Examined

Published Mar 29, 2018, 13:40

IT media ran numerous reports in the past month featuring two prominent companies: Hanwha Techwin (formerly Samsung Techwin, part of the Samsung conglomerate), which sells significant numbers of consumer security cameras, and Kaspersky, best known for last year's Russia controversy (e.g., Russia Has Turned Kaspersky Software Into Tool for Spying).

The story concerned Kaspersky reporting vulnerabilities in Hanwha's consumer cameras (see Kaspersky's announcement, Smart eye: Kaspersky Lab discovers severe flaws that could transform smart cameras into surveillance tool), which was covered widely, including by CNET (Your smart camera may have been spying on you).

However, as we examined this and talked with both parties, a significant number of conflicting claims emerged about the severity of the vulnerabilities. In this note, we share the feedback each side provided and examine the issues involved.

Consumer ****, *** ********, *** *******

********* ** ****** *** *** ******** by *********, ***** *************** **** ****** to ******** *******, *** ** ******* business / ************ ******* **** *** a ********* ************.

Kaspersky ******

********* ***** * ****** ** ******* *************** in *************’* ********! **** ******* *** **** than **** ‘*****’ ****:

*** *** ***** *********** ** *** where ********** ***** *** ***** ** focused ** **** ********* **** *** parties.


Response *********

********* ********* ** ******* *** *** admin ******** ***** ** ******** *******:

****: ** *** ********** ****, ** ********, “A ********** ** ******** ****** *** administrator ********.” *** *** ********** *** one *** ******** ****** *** ************* password? ** **, *** *** ********* on *** ** ** ****? 

*********: ************* ** ****** ******** *** ********* details ** *** ******** *************** ******* we *** ***** *** **** ** all *** ***** *** ****** **** installed ******** *******.

** ******** ** ** ****** ** it ***** ** **** ** *** future (*** ** **** ** ** days?) *** ** ******** *** ********.

***********, ********* ********* *** '*******' *** remote ******* ********* *** * *********** of ******* **** / ******:

****: **** ** *** ********** ****, ** mentions, “* ******* *** *** ****** execution ** ******** **** **** **********.” Can *** ******* **** ** **** feature ** ****?

**** ************* *** ** ********* ******** using * *********** ** ******* **** and ***** ************ ******. **** *****-***** vulnerability *** **** ** ******** *** it ****** ****** ** *** ********* camera ** *** ** **** * computer **** ***** ** ** ** with ****-***** **********. **** ****** ****** attackers ** ******* *** **** ** it: *** ** ** ****** ***** point *** *** ****** ***** ******* the ******** ******* ***** *** ****** is *******, ****** ********* ******** *** turn *** ****** **** * ****, DDoS ** ******-******** ****** ******.

** ***** ********* ** **** **** it *** ******** ** ******** **** * 'combination' ** **** *** ****** ** a '*******' *** **** ******** ********.

Hanwha ********

****** **** ********* ** ***** *** issues, ********** ********* *******, ******** ** was **** ****** / **** ********* than ********* *******:

[**: ******** ****** *** ************* *********] Most ******** ***** ******* ** *** internet *** ***** **** ****** (** suggested ** *** ************).  ** **** case, ******* ****** ***’* ****** *** camera. *******, ** *** ******* *** public ** ** *** **** **** proper **** ********** ******* ** *** route, ********* *** ******* ** *** camera ** **** **** *** ******’* password *** **** ******** ******** ** enter. **’** ***** ***** ********** ******** and ****** *** **** ** ***** specific ********.
[**: ****** ********* ** ******** **** root] ******* ***** **** ** ******* our ******** **** *** ************ ********** with *** **** ******* ****** *** command **** *** **** ******. **** would **** **** ** ***** *** camera’s ****** ** *********. ***** **** information, **** *** **** ***** *** XMPP ******* *** **** **** ** to *** ***** ******. ** **** case, *** ************ ******* *** ** registered ** *** ***** *******. **** the **** **** ***** ** ******** the ******, **’** ****** ** **** “already ********** ******” *******. **** ** the **** ******. ** ******* ****, we’ve ******* *** ********** *** ** our ******** **** *** ***** ** authentication ********* ******* *** ****** *** cloud ******* **** ** ****** ********* packets.

No ******* ******** *********

********* *** *** ******* ***** ** forwarded ******'* ******** ** ****.

Great ********* / ************ ********

*********, **** ** ***** ********* *** Kaspersky ** ** ********* ***** ********* and ***** **** ****** ******** **.

*** ****** ******* *** * ************** to *** *************** *** ****** ********.

*** *** ********** ******* **** ************** the ********** *** ** ***** ** accurately *** ****** ********** *************** ** well ** ********* ***** ** ***** vulnerabilities. As ***** ** *** "*****'* ***" ***** ** ****, ************* ** ******** * powerful ********* **** *** ************* *****.

Comments (3)
JH
John Honovich
Mar 29, 2018
IPVM

Btw, a note on why we are 'late' reporting (not to the security trade press, which rarely covers such things, but to mainstream IT). As noted in the report, we went back and forth between both parties, and that took time to get answers, check on things, etc.

JH
John Honovich
Mar 29, 2018
IPVM

Two other things that did not make the post but are worth commenting on. Kaspersky included this infographic in their press release:

And a report from Sputnik News: Kaspersky Lab Researchers Discover Sinister Flaw in Popular Smart Cameras

bm
bashis mcw
Mar 29, 2018

But the difficulty becomes what responsibility the researcher has in terms of accurately and fairly disclosing vulnerabilities as well as providing proof of those vulnerabilities. 

I believe it is important to prove the claims, so it can be reproduced and verified by other researchers.

When reading;

Kaspersky: Unfortunately we cannot disclose any technical details of the critical vulnerabilities because we are still not sure if all the smart cam owners have installed security updates.

It becomes clear, in my eyes, that this will never happen, because how does one verify that "all the smart cam owners have installed security updates"?
