Hanwha / Kaspersky Vulnerability Dispute Examined

By: IPVM Team, Published on Mar 29, 2018

IT media ran numerous reports in the past month featuring two prominent companies - Hanwha (previously part of mega manufacturer Samsung) Techwin who sells significant numbers of consumer security cameras and Kaspersky, most known for last year's Russia controversy (e.g., Russia Has Turned Kaspersky Software Into Tool for Spying).

This story was about Kaspersky reporting vulnerabilities in Hanwha's consumer cameras (i.e., Smart eye: Kaspersky Lab discovers severe flaws that could transform smart cameras into surveillance tool) which was reported widely including CNET's Your smart camera may have been spying on you).

However, as we examined this and talked with both parties, there was a significant number of conflicting issues raised about the severity of the vulnerabilities. In this note, we share feedback provided, examining the issues involved.

** ***** *** ******** reports ** *** **** month ********* *** ********* companies - ****** (********** part ** **** ************ Samsung) ******* *** ***** significant ******* ** ******** security ******* *** *********, most ***** *** **** year's ****** *********** (*.*.,****** *** ****** ********* Software **** **** *** Spying).

**** ***** *** ***** Kaspersky ********* *************** ** Hanwha's ******** ******* (*.*.,***** ***: ********* *** discovers ****** ***** **** could ********* ***** ******* into ************ ****) ***** *** ******** widely *************'* **** ***** ****** *** have **** ****** ** you).

*******, ** ** ******** this *** ****** **** both *******, ***** *** a *********** ****** ** conflicting ****** ****** ***** the ******** ** *** vulnerabilities. ** **** ****, we ***** ******** ********, examining *** ****** ********.

[***************]

Consumer ****, *** ********, *** *******

********* ** ****** *** not ******** ** *********, these *************** **** ****** to ******** *******, *** to ******* ******** / professional ******* **** *** a ********* ************.

Kaspersky ******

********* ***** * ****** of ******* *************** ** *************’* ********! **** ******* are **** **** **** ‘smart’ ****:

*** *** ***** *********** in *** ***** ********** risky *** ***** ** focused ** **** ********* with *** *******.

 

Response *********

********* ********* ** ******* how *** ***** ******** could ** ******** *******:

****: ** *** ********** ****, it ********, “* ********** to ******** ****** *** administrator ********.” *** *** disclosing *** *** *** remotely ****** *** ************* password? ** **, *** you ********* ** *** to ** ****? 

*********: ************* ** ****** ******** any ********* ******* ** the ******** *************** ******* we *** ***** *** sure ** *** *** smart *** ****** **** installed ******** *******.

** ******** ** ** asking ** ** ***** be **** ** *** future (*** ** **** or ** ****?) *** no ******** *** ********.

***********, ********* ********* *** 'feature' *** ****** ******* execution *** * *********** of ******* **** / issues:

****: **** ** *** ********** post, ** ********, “* feature *** *** ****** execution ** ******** **** root **********.” *** *** explain **** ** **** feature ** ****?

**** ************* *** ** exploited ******** ***** * combination ** ******* **** and ***** ************ ******. This *****-***** ************* *** hard ** ******** *** it ****** ****** ** the ********* ****** ** use ** **** * computer **** ***** ** on ** **** ****-***** privileges. **** ****** ****** attackers ** ******* *** code ** **: *** it ** ****** ***** point *** *** ****** tools ******* *** ******** network ***** *** ****** is *******, ****** ********* software *** **** *** camera **** * ****, DDoS ** ******-******** ****** botnet.

** ***** ********* ** they **** ** *** ******** to ******** **** * 'combination' ** **** *** issues ** * '*******' but **** ******** ********.

Hanwha ********

****** **** ********* ** these *** ******, ********** technical *******, ******** ** was **** ****** / more ********* **** ********* suggest:

[**: ******** ****** *** administrator *********] **** ******** users ******* ** *** internet *** ***** **** router (** ********* ** the ************).  ** **** case, ******* ****** ***’* access *** ******. *******, if *** ******* *** public ** ** *** user **** ****** **** forwarding ******* ** *** route, ********* *** ******* to *** ****** ** they **** *** ******’* password *** **** ******** commands ** *****. **’** taken ***** ********** ******** and ****** *** **** of ***** ******** ********.
 
[**: ****** ********* ** commands **** ****] ******* would **** ** ******* our ******** **** *** familiarized ********** **** *** XMPP ******* ****** *** command **** *** **** camera. **** ***** **** have ** ***** *** camera’s ****** ** *********. Using **** ***********, **** can **** ***** *** XMPP ******* *** **** send ** ** *** cloud ******. ** **** case, *** ************ ******* can ** ********** ** the ***** *******. **** the **** **** ***** to ******** *** ******, it’ll ****** ** **** “already ********** ******” *******. This ** *** **** impact. ** ******* ****, we’ve ******* *** ********** way ** *** ******** file *** ***** ** authentication ********* ******* *** camera *** ***** ******* side ** ****** ********* packets.

No ******* ******** *********

********* *** *** ******* after ** ********* ******'* response ** ****.

Great ********* / ************ ********

*********, **** ** ***** marketing *** ********* ** it ********* ***** ********* and ***** **** ****** positive **.

*** ****** ******* *** a ************** ** *** vulnerabilities *** ****** ********.

*** *** ********** ******* what ************** *** ********** has ** ***** ** accurately *** ****** ********** vulnerabilities ** **** ** providing ***** ** ***** vulnerabilities. As ***** ** *** "*****'* ***" ***** ** ****, ************* ** becoming * ******** ********* tool *** ************* *****.

Comments (3)

Btw, a note on why we are 'late' reporting (not to the security trade press, which rarely covers such things but to mainstream IT). As noted in the report, we went back forth between both parties and that took time to get answers, check on things, etc.

Two other things that did not make the post but worth commenting on. Kaspersky included this infographic in their press release:

And report from Sputnik News: Kaspersky Lab Researchers Discover Sinister Flaw in Popular Smart Cameras

But the difficulty becomes what responsibility the researcher has in terms of accurately and fairly disclosing vulnerabilities as well as providing proof of those vulnerabilities. 

I believe it is important to prove the claims, so it can be reproduced and verified by other researchers.

When reading;

Kaspersky: Unfortunately we cannot disclose any technical details of the critical vulnerabilities because we are still not sure if all the smart cam owners have installed security updates.

It becomes in my eyes clear that will never happen, because how to verify that "all the smart cam owners have installed security updates."

 

Login to read this IPVM report.

Related Reports

PRC Warns Against China Video Surveillance Hacks, Hikvision Targeted on Feb 14, 2020
Hackers are targeting China video surveillance manufacturers and systems,...
Anixter Runs Fake Coronavirus Marketing Using Shutterstock Watermarked Images on Jul 24, 2020
Coronavirus faked marketing is regrettably commonplace right now but Anixter...
China Surveillance Vulnerabilities Being Used To Attack China, Says China on Apr 07, 2020
While China video surveillance vulnerabilities have been much debated in the...
Verkada Falsely Claims "First Native Cloud-based Access Control and Video Security Solution" on Jun 18, 2020
Verkada's false claims continue, this time to be the first native cloud-based...
Sunell Panda Cam Body Temperature Measurement Camera Tested on May 14, 2020
Sunell is far less well known than its gargantuan domestic competitors Dahua...
Detecting Coronavirus Fevers With Thermal Cameras on Mar 15, 2020
MAY 2020 Update: This post was our early examination of these systems being...
Faked Coronavirus Fever Detection, Athena Used Hikvision; Responds - Selling NDAA Compliant Cameras, Pledging 50% Of Profits to Victims on Mar 24, 2020
US company, Athena Security, faked its coronavirus fever detection marketing,...
Dahua, Hikvision, ZKTeco Face Mask Detection Shootout on Jun 19, 2020
Temperature tablets with face mask detection are one of the hottest trends in...
Remote Network Access for Video Surveillance Guide on Jul 27, 2020
Remotely accessing surveillance systems is key in 2020, with more and more...
The Booming Multi-Billion Coronavirus Fever Camera Market on Apr 21, 2020
The market for elevated body temperature detection cameras, aka 'coronavirus...
The Next Hot Fever Detection Trend - $100 Wall-Mounted Units on Jul 06, 2020
The first wave of the booming fever detecting market was $10,000+ cameras,...
TVT / InVid White Light Camera Tested Vs Hikvision ColorVu on Mar 18, 2020
With mega China manufacturers Dahua and Hikvision facing both bans and human...
Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used...
Dahua Critical Cloud Vulnerabilities on May 12, 2020
Dahua has acknowledged a series of cloud vulnerabilities that researcher...
IronYun AI Analytics Tested on Feb 17, 2020
Taiwan / US startup IronYun has raised tens of millions for its "mission to...

Recent Reports

Dangerous Hikvision Fever Camera Showcased by Chilean City on Aug 07, 2020
Deploying a fever camera outdoors, in the rain, with no black body, is...
"Grand Slam" For Pelco's PE Firm, A Risk For Motorola on Aug 07, 2020
The word "Pelco" and "grand slam" have not been said together for many years....
FLIR Stock Falls, Admits 'Decelerating' Demand For Temperature Screening on Aug 07, 2020
Is the boom going to bust for temperature screening? FLIR disappointed...
VSaaS Will Hurt Integrators on Aug 06, 2020
VSaaS will hurt integrators, there is no question about that. How much...
Dogs For Coronavirus Screening Examined on Aug 06, 2020
While thermal temperature screening is the surveillance industry's most...
ADT Slides Back, Disappointing Results, Poor Commercial Performance on Aug 06, 2020
While ADT had an incredible start to the week, driven by the Google...
AHJ / Authority Having Jurisdiction Tutorial on Aug 06, 2020
One of the most powerful yet often underappreciated characters in all of the...
SIA Coaches Sellers on NDAA 889B Blacklist Workarounds on Aug 05, 2020
Last month SIA demanded that NDAA 899B "must be delayed". Now that they have...
ADI Returns To Growth, Back To 'Pre-COVID Levels' on Aug 05, 2020
While ADI was hit hard in April, with revenue declining 21%, the company's...
Exposing Fever Tablet Suppliers and 40+ Relabelers on Aug 05, 2020
IPVM has found 40+ USA and EU companies relabeling fever tablets designed,...
Directory of 201 "Fever" Camera Suppliers on Aug 04, 2020
This directory provides a list of "Fever" scanning thermal camera providers...
Face Masks Increase Face Recognition Errors Says NIST on Aug 04, 2020
COVID-19 has led to widespread facemask use, which as IPVM testing has shown...
Dahua Loses Australian Medical Device Approval on Aug 04, 2020
Dahua has cancelled its medical device registration after "discussions" with...
Google Invests in ADT, ADT Stock Soars on Aug 03, 2020
Google has announced a $450 million investment in the Florida-based security...