Hanwha / Kaspersky Vulnerability Dispute Examined

By IPVM Team, Published on Mar 29, 2018

IT media ran numerous reports in the past month featuring two prominent companies - Hanwha (previously part of mega manufacturer Samsung) Techwin who sells significant numbers of consumer security cameras and Kaspersky, most known for last year's Russia controversy (e.g., Russia Has Turned Kaspersky Software Into Tool for Spying).

This story was about Kaspersky reporting vulnerabilities in Hanwha's consumer cameras (i.e., Smart eye: Kaspersky Lab discovers severe flaws that could transform smart cameras into surveillance tool) which was reported widely including CNET's Your smart camera may have been spying on you).

However, as we examined this and talked with both parties, there was a significant number of conflicting issues raised about the severity of the vulnerabilities. In this note, we share feedback provided, examining the issues involved.

Consumer ****, *** ********, *** *******

********* ** ****** *** not ******** ** *********, these *************** **** ****** to ******** *******, *** to ******* ******** / professional ******* **** *** a ********* ************.

Kaspersky ******

********* ***** * ****** of ******* *************** ** *************’* ********! **** ******* are **** **** **** ‘smart’ ****:

*** *** ***** *********** in *** ***** ********** risky *** ***** ** focused ** **** ********* with *** *******.

 

Response *********

********* ********* ** ******* how *** ***** ******** could ** ******** *******:

****: ** *** ********** ****, it ********, “* ********** to ******** ****** *** administrator ********.” *** *** disclosing *** *** *** remotely ****** *** ************* password? ** **, *** you ********* ** *** to ** ****? 

*********: ************* ** ****** ******** any ********* ******* ** the ******** *************** ******* we *** ***** *** sure ** *** *** smart *** ****** **** installed ******** *******.

** ******** ** ** asking ** ** ***** be **** ** *** future (*** ** **** or ** ****?) *** no ******** *** ********.

***********, ********* ********* *** 'feature' *** ****** ******* execution *** * *********** of ******* **** / issues:

****: **** ** *** ********** post, ** ********, “* feature *** *** ****** execution ** ******** **** root **********.” *** *** explain **** ** **** feature ** ****?

**** ************* *** ** exploited ******** ***** * combination ** ******* **** and ***** ************ ******. This *****-***** ************* *** hard ** ******** *** it ****** ****** ** the ********* ****** ** use ** **** * computer **** ***** ** on ** **** ****-***** privileges. **** ****** ****** attackers ** ******* *** code ** **: *** it ** ****** ***** point *** *** ****** tools ******* *** ******** network ***** *** ****** is *******, ****** ********* software *** **** *** camera **** * ****, DDoS ** ******-******** ****** botnet.

** ***** ********* ** they **** ** *** ******** to ******** **** * 'combination' ** **** *** issues ** * '*******' but **** ******** ********.

Hanwha ********

****** **** ********* ** these *** ******, ********** technical *******, ******** ** was **** ****** / more ********* **** ********* suggest:

[**: ******** ****** *** administrator *********] **** ******** users ******* ** *** internet *** ***** **** router (** ********* ** the ************).  ** **** case, ******* ****** ***’* access *** ******. *******, if *** ******* *** public ** ** *** user **** ****** **** forwarding ******* ** *** route, ********* *** ******* to *** ****** ** they **** *** ******’* password *** **** ******** commands ** *****. **’** taken ***** ********** ******** and ****** *** **** of ***** ******** ********.
 
[**: ****** ********* ** commands **** ****] ******* would **** ** ******* our ******** **** *** familiarized ********** **** *** XMPP ******* ****** *** command **** *** **** camera. **** ***** **** have ** ***** *** camera’s ****** ** *********. Using **** ***********, **** can **** ***** *** XMPP ******* *** **** send ** ** *** cloud ******. ** **** case, *** ************ ******* can ** ********** ** the ***** *******. **** the **** **** ***** to ******** *** ******, it’ll ****** ** **** “already ********** ******” *******. This ** *** **** impact. ** ******* ****, we’ve ******* *** ********** way ** *** ******** file *** ***** ** authentication ********* ******* *** camera *** ***** ******* side ** ****** ********* packets.

No ******* ******** *********

********* *** *** ******* after ** ********* ******'* response ** ****.

Great ********* / ************ ********

*********, **** ** ***** marketing *** ********* ** it ********* ***** ********* and ***** **** ****** positive **.

*** ****** ******* *** a ************** ** *** vulnerabilities *** ****** ********.

*** *** ********** ******* what ************** *** ********** has ** ***** ** accurately *** ****** ********** vulnerabilities ** **** ** providing ***** ** ***** vulnerabilities. As ***** ** *** "*****'* ***" ***** ** ****, ************* ** becoming * ******** ********* tool *** ************* *****.

Comments (3)

John Honovich

IPVM | 03/29/18 01:43pm

Btw, a note on why we are 'late' reporting (not to the security trade press, which rarely covers such things but to mainstream IT). As noted in the report, we went back forth between both parties and that took time to get answers, check on things, etc.

John Honovich

IPVM | 03/29/18 01:46pm

Two other things that did not make the post but worth commenting on. Kaspersky included this infographic in their press release:

And report from Sputnik News: Kaspersky Lab Researchers Discover Sinister Flaw in Popular Smart Cameras

bashis mcw

03/29/18 10:41pm

But the difficulty becomes what responsibility the researcher has in terms of accurately and fairly disclosing vulnerabilities as well as providing proof of those vulnerabilities. 

I believe it is important to prove the claims, so it can be reproduced and verified by other researchers.

When reading;

Kaspersky: Unfortunately we cannot disclose any technical details of the critical vulnerabilities because we are still not sure if all the smart cam owners have installed security updates.

It becomes in my eyes clear that will never happen, because how to verify that "all the smart cam owners have installed security updates."

 

Read this IPVM report for free.

This article is part of IPVM's 6,597 reports, 889 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now

Related Reports

Anixter Runs Fake Coronavirus Marketing Using Shutterstock Watermarked Images on Jul 24, 2020
Coronavirus faked marketing is regrettably commonplace right now but Anixter...
Face Detection Shootout - Dahua, Hanwha, Hikvision, Uniview, Vivotek on Jul 30, 2020
Face detection analytics are available from a number of manufactures...
Hanwha AI Analytics Camera Tested on Aug 11, 2020
Hanwha has released their Wisenet P AI camera, adding person and vehicle...
False: Verkada: "If You Want To Remote View Your Cameras You Need To Punch Holes In Your Firewall" on Jul 31, 2020
Verkada falsely declared to “3,000+ customers”, “300 school districts”, and...
Verkada Speaks On Disrupting Security Sales Channel on Aug 28, 2020
Verkada's fast growth has taken the industry by storm and their enterprise...
Sony 61MP Surveillance Sensor Examined on Sep 04, 2020
For a decade, the highest resolution single-imager surveillance cameras have...
Bias In Facial Recognition Varies By Country, NIST Report Shows on Jul 15, 2020
While many argue that face recognition is inherently racist, results from one...
Axis Compares Fever Camera Sellers to 9/11 on Sep 18, 2020
Axis Communications, the West's largest surveillance camera manufacturer, has...
The Next Hot Fever Detection Trend - $100 Wall-Mounted Units on Jul 06, 2020
The first wave of the booming fever detecting market was $10,000+ cameras,...
Hanwha AI Object Detection Tested on Sep 28, 2020
Hanwha has added detection and classification of people, cars, clothing...
YOLOv5 Released Amidst Controversy on Jul 27, 2020
YOLO has gained significant attention within video surveillance for its...
Risks Of Managing End User Passwords (Statistics) 2020 on Sep 11, 2020
Alarmingly, most integrators used spreadsheets to manage passwords, IPVM...
Augmented Reality (AR) Cameras From Hikvision and Dahua Examined on Oct 19, 2020
Hikvision, Dahua, and other China companies are marketing augmented reality...
Remote Network Access for Video Surveillance Guide on Jul 27, 2020
Remotely accessing surveillance systems is key in 2020, with more and more...
Uniview Deep Learning Camera Tested on Jul 14, 2020
Uniview's intrusion analytics have performed poorly in our shootouts. Now,...

Recent Reports

Consultants Online Show LIVE Today! on Oct 27, 2020
IPVM's 7th online show will feature 20+ consultants and recruiters presenting...
Eagle Eye Networks Raises $40 Million on Oct 27, 2020
Eagle Eye has raised $40 million aiming to "reinvent video...
Hikvision Q3 2020 Global Revenue Rises, US Revenue Falls on Oct 27, 2020
While Hikvision's global revenue rises driven by domestic recovery, its US...
VICE Investigates Verkada's Harassing "RawVerkadawgz" on Oct 26, 2020
This month, IPVM investigated Verkada's sexism, discrimination, and cultural...
Six Flags' FDA Violating Outdoor Dahua Fever Cameras on Oct 26, 2020
As Six Flags scrambled to reopen parks amid plummeting revenues caused by the...
ISC Brasil Digital Experience 2020 Report on Oct 23, 2020
ISC Brasil 2020 rebranded itself to ISC Digital Experience and, like its...
Top Video Surveillance Service Call Problems 2020 on Oct 23, 2020
3 primary and 4 secondary issues stood out as causing the most problems when...
GDPR Impact On Temperature / Fever Screening Explained on Oct 22, 2020
What impact does GDPR have on temperature screening? Do you risk a GDPR fine...
Security And Safety Things (S&ST) Tested on Oct 22, 2020
S&ST, a Bosch spinout, is spending tens of millions of dollars aiming to...
Nokia Fever Screening Claims To "Advance Fight Against COVID-19" on Oct 22, 2020
First IBM, then briefly Clorox, and now Nokia becomes the latest Fortune 500...
Deceptive Meridian Temperature Tablets Endanger Public Safety on Oct 21, 2020
IPVM's testing of and investigation into Meridian Kiosk's temperature...
Honeywell 30 Series and Vivotek NVRs Tested on Oct 21, 2020
The NDAA ban has driven many users to look for low-cost NVRs not made by...
Ubiquiti Access Control Tested on Oct 21, 2020
Ubiquiti has become one of the most widely used wireless and switch providers...
Avigilon Aggressive Trade-In Program Takes Aim At Competitors on Oct 20, 2020
Avigilon has launched one of the most aggressive trade-in programs the video...
Mexico Video Surveillance Market Overview 2020 on Oct 20, 2020
Despite being neighbors, there are key differences between the U.S. and...