Hanwha / Kaspersky Vulnerability Dispute Examined

By: IPVM Team, Published on Mar 29, 2018

IT media ran numerous reports in the past month featuring two prominent companies: Hanwha Techwin (previously part of mega manufacturer Samsung), which sells significant numbers of consumer security cameras, and Kaspersky, best known for last year's Russia controversy (e.g., "Russia Has Turned Kaspersky Software Into Tool for Spying").

The story was about Kaspersky reporting vulnerabilities in Hanwha's consumer cameras (i.e., "Smart eye: Kaspersky Lab discovers severe flaws that could transform smart cameras into surveillance tool"), which was reported widely, including in CNET's "Your smart camera may have been spying on you".

However, as we examined this and talked with both parties, there were a significant number of conflicting issues raised about the severity of the vulnerabilities. In this note, we share the feedback provided, examining the issues involved.


Consumer ****, *** ********, *** *******

********* ** ****** *** not ******** ** *********, these *************** **** ****** to ******** *******, *** to ******* ******** / professional ******* **** *** a ********* ************.

Kaspersky ******

********* ***** * ****** of ******* *************** ** *************’* ********! **** ******* are **** **** **** ‘smart’ ****:

*** *** ***** *********** in *** ***** ********** risky *** ***** ** focused ** **** ********* with *** *******.

 

Response *********

********* ********* ** ******* how *** ***** ******** could ** ******** *******:

****: ** *** ********** ****, it ********, “* ********** to ******** ****** *** administrator ********.” *** *** disclosing *** *** *** remotely ****** *** ************* password? ** **, *** you ********* ** *** to ** ****? 

*********: ************* ** ****** ******** any ********* ******* ** the ******** *************** ******* we *** ***** *** sure ** *** *** smart *** ****** **** installed ******** *******.

** ******** ** ** asking ** ** ***** be **** ** *** future (*** ** **** or ** ****?) *** no ******** *** ********.

***********, ********* ********* *** 'feature' *** ****** ******* execution *** * *********** of ******* **** / issues:

****: **** ** *** ********** post, ** ********, “* feature *** *** ****** execution ** ******** **** root **********.” *** *** explain **** ** **** feature ** ****?

**** ************* *** ** exploited ******** ***** * combination ** ******* **** and ***** ************ ******. This *****-***** ************* *** hard ** ******** *** it ****** ****** ** the ********* ****** ** use ** **** * computer **** ***** ** on ** **** ****-***** privileges. **** ****** ****** attackers ** ******* *** code ** **: *** it ** ****** ***** point *** *** ****** tools ******* *** ******** network ***** *** ****** is *******, ****** ********* software *** **** *** camera **** * ****, DDoS ** ******-******** ****** botnet.

** ***** ********* ** they **** ** *** ******** to ******** **** * 'combination' ** **** *** issues ** * '*******' but **** ******** ********.

Hanwha ********

****** **** ********* ** these *** ******, ********** technical *******, ******** ** was **** ****** / more ********* **** ********* suggest:

[**: ******** ****** *** administrator *********] **** ******** users ******* ** *** internet *** ***** **** router (** ********* ** the ************).  ** **** case, ******* ****** ***’* access *** ******. *******, if *** ******* *** public ** ** *** user **** ****** **** forwarding ******* ** *** route, ********* *** ******* to *** ****** ** they **** *** ******’* password *** **** ******** commands ** *****. **’** taken ***** ********** ******** and ****** *** **** of ***** ******** ********.
 
[**: ****** ********* ** commands **** ****] ******* would **** ** ******* our ******** **** *** familiarized ********** **** *** XMPP ******* ****** *** command **** *** **** camera. **** ***** **** have ** ***** *** camera’s ****** ** *********. Using **** ***********, **** can **** ***** *** XMPP ******* *** **** send ** ** *** cloud ******. ** **** case, *** ************ ******* can ** ********** ** the ***** *******. **** the **** **** ***** to ******** *** ******, it’ll ****** ** **** “already ********** ******” *******. This ** *** **** impact. ** ******* ****, we’ve ******* *** ********** way ** *** ******** file *** ***** ** authentication ********* ******* *** camera *** ***** ******* side ** ****** ********* packets.

No ******* ******** *********

********* *** *** ******* after ** ********* ******'* response ** ****.

Great ********* / ************ ********

*********, **** ** ***** marketing *** ********* ** it ********* ***** ********* and ***** **** ****** positive **.

*** ****** ******* *** a ************** ** *** vulnerabilities *** ****** ********.

*** *** ********** ******* what ************** *** ********** has ** ***** ** accurately *** ****** ********** vulnerabilities ** **** ** providing ***** ** ***** vulnerabilities. As ***** ** *** "*****'* ***" ***** ** ****, ************* ** becoming * ******** ********* tool *** ************* *****.

Comments (3)

***, * **** ** why ** *** '****' reporting (*** ** *** security ***** *****, ***** rarely ****** **** ****** but ** ********** **). As ***** ** *** report, ** **** **** forth ******* **** ******* and **** **** **** to *** *******, ***** on ******, ***.

*** ***** ****** **** did *** **** *** post *** ***** ********** on. ********* ******** **** infographic ** ***** ***** release:

*** ****** *********** ****: ********* *** *********** ******** Sinister **** ** ******* Smart *******

*** *** ********** ******* what ************** *** ********** has ** ***** ** accurately *** ****** ********** vulnerabilities ** **** ** providing ***** ** ***** vulnerabilities. 

* ******* ** ** important ** ***** *** claims, ** ** *** be ********** *** ******** by ***** ***********.

**** *******;

*********: ************* ** ****** disclose *** ********* ******* of *** ******** *************** because ** *** ***** not **** ** *** the ***** *** ****** have ********* ******** *******.

** ******* ** ** eyes ***** **** **** never ******, ******* *** to ****** **** "*** the ***** *** ****** have ********* ******** *******."

 
