Hanwha Recorder Vulnerability Analyzed

By: Brian Karas, Published on May 18, 2017

ICS-CERT has released a vulnerability notice for Hanwha SRN-4000 recorders.

Hanwha provided additional information to IPVM about this issue, including other models impacted by the same vulnerability that are not listed on the ICS-CERT release. In this report we provide details on the vulnerability, affected products, and firmware builds for these products to resolve this vulnerability.

Vulnerability ********

*** **** ************ ******:

* ********* ******* **** request *** ******** ***** allow ** ******** ** gain ****** ** *** device ********** **** **** admin ********** ******* ****** authentication.

****** **** **** **** ************* is ***** ** ***** cached ** * ********/******* from * ***** ***** admin ***** *******. **** claim **** ** ***** be *********** ********** *** an ******** *** *** not ********** ****** ********** access ** *** ******** through * ****** ***** to ******** **** ************* on * ****** ********.

** ** *******, * random ******** ******* * list ** ****** ********* on****** ***** *** ******* **** vulnerability ** **** "**** door" ****** ** ***** systems.

** ****** **** ** noted **** ** **** never ****** ****** *********, and ****** ***** ** dispute ****.

Units ********

******'* ***-**** ******** [**** ** longer *********] ** ****** ** the **** **** ********, though ****** *** ********* that *** ********* ****** all ****** **** *** the *** ********* *** were ********* ********:

  • ***-**** ******** ***** ** v2.16_170401
  • ***-***** ******** ***** ** v1.08_160811
  • ***-**** ******** ***** ** **.*********
  • ***-**** ******** ***** ** **.*********

******'* ************* ******, ***** **** *** sending ** *********, *** additional *******.

******** *** *** ******** units *** ** ********** from Hanwha's ******* ******** ****** [link ** ****** *********].

Hanwha ***** ******** *** ****

********* ** ******, **** were ***** ******** ***** this ***** ** *** 2016. ******** ****** *** vulnerability *** *** ***-****/***/**** models *** ******** ** August ****, *** ***-**** firmware *** *** ******* at *** **** ****, due ** ******** ******** constraints, *** *** **** released ** ***** ****. To ***** ******, ****** was *********** **** ******* surrounding *** ********* *** release *********, *** *** acknowledge **** ***-**** ******** patches ****** **** **** addressed ** *** **** time ** *** ***** units.

Pledge ****** ******* ** *** ******

****** **** **** *** adding * *************-******** ******* to ***** *******, *** are ********* ** ****** reaction *** ************ ***** for *** ****** *********.

Vulnerability ******/**********

****** **** ************* ** ***** a*********** ***** ** *.* by ***-****, *** ********* ** the **** ** ***** it *** ** ********, the *********** **** * user **** ********** ************ logged **** *** ******** limits **** **** ***** exploited ** ****** *********. Additionally, ******'* ********* *** less ******* **** ***** cameras, *** ** ******** the ***** ****** ** affected ***** ** ** in *** **'* ** thousands (** **********, ****** manufacturers **** ****** **** millions ** *******). ***** customers ****** *** **** this ** * ****** to ***** ********* ******** updates, *** ******** **** to ***** ** ***** recorders, *** *** ******** at ***** ** ***** than *************** **** ***** any ****** ******** ** access * ******.

Call *** ***********

** *** **** ******* have ********** *********** ** the *************, ********** ************* Hanwha's ***********, ****** ******* or ***** ** (****@****.***) and ** **** *********** that.

 

Comments (16)

Notice how much less of a reaction this is getting from everyone, both from proponents and opponents. Hanwha is much less polarizing than Hik or Dahua and is much less in the spotlight these days, but these reporters are still doing their job and reporting on them. While in a few days or weeks, when the next Hikvision or Dahua scandal comes out, shills will complain that somehow the coverage from IPVM is unfair and they don't report on anyone else's problems.

This, again, clearly shows that Chinese manufacturers have a persecution complex going on.

Hanwha helped themselves by talking to us and providing input. Of course, that they had an actual explanation helped.

As I have mentioned previously, Hikvision has refused to formally speak to us for over a year, on anything. Ironically, just yesterday a company we had covered mentioned that IPVM was responsive listening and incorporating feedback from them in response to Hikvision criticizing us. I made a comment there that Hikvision is the one who refuses and we are open to talking to them. Hikvision deleted my comment.

I can't believe this article. This is such a super big giant Roving Turret of Disparagement and Denigration.

John, could this be a potential vulnerability with HiSilicon based firmware? It seems like a very scary pattern IMO.

From what Hanwha described of this vulnerability it does not sound like the HiSilicon vulnerabilities, which were buffer overflow and directory traversal exploits.

As for the pattern we are seeing, I think that more end-users, integrators, researchers and others are becoming aware of the number of internet-connected security devices, and the potential for exploit. This is leading to more vulnerabilities being discovered and reported for many vendors.

 

I'm curious as this is categorized as a 'vulnerability' but the last HIKVISION incident was described as a 'back door'. What is the IPVM position on the difference between the two? Just curious, please no government or partial owner affiliation with the Government.

The Hikvision incident was also described as a vulnerability, and the vulnerability type was a "backdoor".

The Hikvision and Dahua vulnerabilities that were described as backdoors were ones in which any person armed with knowledge of the vulnerabilities could use it to gain admin-level access to any device they could connect to.

This Hanwha vulnerability is one where session data is not properly deleted from the PC (or from the recorder itself), allowing a person who already logged in as an admin to access the device again without going through standard authentication.

The Hikvision/Dahua backdoor was a weakness open to anyone, the Hanwha exploit listed here requires someone to have already had admin access.

HiSilicon firmware SDK gives a Linux kernel the base libraries for all hardware IO, but does not have its own web browser functions. Or any samples / sources to develop on, you got to do this yourself!

It seems this is where the network security products fall over, as the developers have -100 skills on security, and rush everything to market so their boss can order the latest Mercedes or BMW.

Backdoors with secret passwords based on dates etc are common and normal.

Buffer overflows, lack of SSL, poor certificate handling, almost zero checks, cookies which stay longer than cookie monster can eat.

Or any samples / sources to develop on, you got to do this yourself!

This statement makes me wonder how much of our industry is based on copy/pasting sample code and then modifying from there?

A good portion of this industry's software is probably based off of C&P Code. One of the key things I was taught while getting my computer science degree is you don't reinvent the wheel. 

"Reuse, Recycle, and Return to Gethub" - Direct quote from Professor. 

Hanwha also doesn't have any unofficial spokesmen on here throwing accusations of persecution going on either.  I posit that makes the backlash against Hikvision much more pronounced.

I've mentioned a few times how Dahua and Hik content like this is made a Public article, this one is not. I'm sure there is a way to spin the choice, but it could be spun two ways.

I think it has to do with how widespread the issue is. The H & D issues affected millions of devices. The Hanwha issue affects thousands or tens of thousands of units. A different scale of magnitude. Furthermore, this affects a limited number of models from a specific time period, vs. dozens of models spanning years of production.

Dahua and Hik content like this is made a Public article, this one is not

Incorrect.

For example, here are two recent Hikvision vulnerability posts that are members only: Hikvision Privilege-Escalating Security Vulnerability and Hikvision Cloud Security Vulnerability Uncovered. And the Dahua backdoor one was half members only, including the test report.

I am sure you would like to 'spun' it pro-Hikvision because you are a Hikvision distributor.

Listen, if you or anyone can get proof that this Hanwha vulnerability is NOT "based on files cached in a computer/browser from a prior valid admin login session", we will happily run it as 'front page' public news. Right now, with what we know that makes it quite limited.

Hanwha supporters, such as myself, are not as tacky as Hik and Dahua supporters. That's not to say that we aren't tacky in our own right, we're just not that tacky.

Look what I saw on the home page there that popped up this weekend

 

On the home page............

 

 
