Hanwha Recorder Vulnerability Analyzed

By: Brian Karas, Published on May 18, 2017

ICS-CERT has released a vulnerability notice for Hanwha SRN-4000 recorders.

Hanwha provided additional information to IPVM about this issue, including other models impacted by the same vulnerability that are not listed on the ICS-CERT release. In this report we provide details on the vulnerability, affected products, and firmware builds for these products to resolve this vulnerability.

Vulnerability ********

*** **** ************ ******:

* ********* ******* **** request *** ******** ***** allow ** ******** ** gain ****** ** *** device ********** **** **** admin ********** ******* ****** authentication.

****** **** **** **** vulnerability ** ***** ** files ****** ** * computer/browser **** * ***** valid ***** ***** *******. They ***** **** ** would ** *********** ********** for ** ******** *** had *** ********** ****** authorized ****** ** *** recorder ******* * ****** login ** ******** **** vulnerability ** * ****** recorder.

** ** *******, * random ******** ******* * list ** ****** ********* on*********** *** ******* **** vulnerability ** **** "**** door" ****** ** ***** systems.

** ****** **** ** noted **** ** **** never ****** ****** *********, and ****** ***** ** dispute ****.

Units ********

******'****-**** ********** ****** ** *** only **** ********, ****** Hanwha *** ********* **** the ********* ****** *** shared **** *** *** web ********* *** **** initially ********:

  • ***-**** ******** ***** ** v2.16_170401
  • ***-***** ******** ***** ** v1.08_160811
  • ***-************ ***** ** **.*********
  • ***-************ ***** ** **.*********

******'* ************* ******, ***** **** *** sending ** *********, *** additional *******.

******** *** *** ******** units *** ** ********** from******'* ******* ******** ******.

Hanwha ***** ******** *** ****

********* ** ******, **** were ***** ******** ***** this ***** ** *** 2016. ******** ****** *** vulnerability *** *** ***-****/***/**** models *** ******** ** August ****, *** ***-**** firmware *** *** ******* at *** **** ****, due ** ******** ******** constraints, *** *** **** released ** ***** ****. To ***** ******, ****** was *********** **** ******* surrounding *** ********* *** release *********, *** *** acknowledge **** ***-**** ******** patches ****** **** **** addressed ** *** **** time ** *** ***** units.

Pledge ****** ******* ** *** ******

****** **** **** *** adding * *************-******** ******* to ***** *******, *** are ********* ** ****** reaction *** ************ ***** for *** ****** *********.

Vulnerability ******/**********

****** **** ************* ** given ************ ***** ** *.* by ***-****, *** ********* ** the **** ** ***** it *** ** ********, the *********** **** * user **** ********** ************ logged **** *** ******** limits **** **** ***** exploited ** ****** *********. Additionally, ******'* ********* *** less ******* **** ***** cameras, *** ** ******** the ***** ****** ** affected ***** ** ** in *** **'* ** thousands (** **********, ****** manufacturers **** ****** **** millions ** *******). ***** customers ****** *** **** this ** * ****** to ***** ********* ******** updates, *** ******** **** to ***** ** ***** recorders, *** *** ******** at ***** ** ***** than *************** **** ***** any ****** ******** ** access * ******.

Call *** ***********

** *** **** ******* have ********** *********** ** the *************, ********** ************* Hanwha's ***********, ****** ******* or ***** ** (****@****.***) and ** **** *********** that.

Comments (16)

Notice how much less of a reaction this is getting from everyone, both from proponents and opponents. Hanwha is much less polarizing than Hik or Dahua and is much less in the spotlight these days, but these reporters are still doing their job and reporting on them. While in a few days or weeks, when the next Hikvision or Dahua scandal comes out, shills will complain that somehow the coverage from IPVM is unfair and they don't report on anyone else's problems.

This, again, clearly shows that Chinese manufacturers have a persecution complex going on.

Hanwha helped themselves by talking to us and providing input. Of course, that they had an actual explanation helped.

As I have mentioned previously, Hikvision has refused to formally speak to us for over a year, on anything. Ironically, just yesterday a company we had covered mentioned that IPVM was responsive listening and incorporating feedback from them in response to Hikvision criticizing us. I made a comment there that Hikvision is the one who refuses and we are open to talking to them. Hikvision deleted my comment.

I can't believe this article. This is such a super big giant Roving Turret of Disparagement and Denigration.

John, could this be a potential vulnerability with HiSilicon based firmware? It seems like a very scary pattern IMO.

From what Hanwha described of this vulnerability it does not sound like the HiSilicon vulnerabilities, which were buffer overflow and directory traversal exploits.

As for the pattern we are seeing, I think that more end-users, integrators, researchers and others are becoming aware of the number of internet-connected security devices, and the potential for exploit. This is leading to more vulnerabilities being discovered and reported for many vendors.

I'm curious as this is categorized as a 'vulnerability' but the last HIKVISION incident was described as a 'back door'. What is the IPVM position on the difference between the two? Just curious, please no government or partial owner affiliation with the Government.

The Hikvision incident was also described as a vulnerability, and the vulnerability type was a "backdoor".

The Hikvision and Dahua vulnerabilities that were described as backdoors were ones in which any person armed with knowledge of the vulnerabilities could use it to gain admin-level access to any device they could connect to.

This Hanwha vulnerability is one where session data is not properly deleted from the PC (or from the recorder itself), allowing a person who already logged in as an admin to access the device again without going through standard authentication.

The Hikvision/Dahua backdoor was a weakness open to anyone; the Hanwha exploit listed here requires someone to have already had admin access.
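
The stale-session weakness described in the comment above, as an added example that is not part of the original article or Hanwha's firmware: a server-side session table where logout and an idle timeout revoke the token on the device, so a copy left in browser files cannot be reused. The class, function names and the 15-minute timeout are assumptions for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; constructed value, not taken from the advisory


class SessionStore:
    """Server-side session table: the device, not the browser, decides validity."""

    def __init__(self, clock=time.monotonic):
        self._sessions = {}  # token -> (user, last_seen)
        self._clock = clock

    def login(self, user):
        # Unpredictable token; credentials are assumed to be checked by the caller.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._clock())
        return token

    def validate(self, token):
        """Return the user for a live token, or None. Idle entries are purged."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        now = self._clock()
        if now - last_seen > IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        self._sessions[token] = (user, now)  # sliding idle window
        return user

    def logout(self, token):
        """Revoke on the server; clearing the browser's copy alone is not enough."""
        self._sessions.pop(token, None)


def token_valid_after_logout(store):
    """A token still cached on the PC must be rejected once the admin logs out."""
    token = store.login("admin")
    store.logout(token)
    return store.validate(token)


def token_valid_after_idle(store, clock_state):
    """A token left behind without logout must die after the idle timeout."""
    token = store.login("admin")
    clock_state[0] += IDLE_TIMEOUT + 1  # simulate time passing on a fake clock
    return store.validate(token)
```
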

HiSilicon firmware SDK gives a Linux kernel the base libraries for all hardware IO, but does not have its own web browser functions. Or any samples / sources to develop on, you got to do this yourself!

It seems this is where the network security products fall over, as the developers have -100 skills on security, and rush everything to market so their boss can order the latest Mercedes or BMW.

Backdoors with secret passwords based on dates etc are common and normal.

Buffer overflows, lack of SSL, poor certificate handling, almost zero checks, cookies which stay longer than Cookie Monster can eat.

Or any samples / sources to develop on, you got to do this yourself!

This statement makes me wonder how much of our industry is based on copy/pasting sample code and then modifying from there?

A good portion of this industry's software is probably based off of C&P Code. One of the key things I was taught while getting my computer science degree is you don't reinvent the wheel.

"Reuse, Recycle, and Return to Gethub" - Direct quote from Professor.

Hanwha also doesn't have any unofficial spokesmen on here throwing accusations of persecution going on either. I posit that makes the backlash against Hikvision much more pronounced.

I've mentioned a few times how Dahua and Hik content like this is made a Public article, this one is not. I'm sure there is a way to spin the choice, but it could be spun two ways.

I think it has to do with how widespread the issue is. The H & D issues affected millions of devices. The Hanwha issue affects thousands or tens of thousands of units. A different scale of magnitude. Furthermore, this affects a limited number of models from a specific time period, vs. dozens of models spanning years of production.

Dahua and Hik content like this is made a Public article, this one is not

Incorrect.

For example, here are two recent Hikvision vulnerability posts that are members only: Hikvision Privilege-Escalating Security Vulnerability and Hikvision Cloud Security Vulnerability Uncovered. And the Dahua backdoor one was half members only including the test report.

I am sure you would like to 'spun' it pro-Hikvision because you are a Hikvision distributor.

Listen, if you or anyone can get proof that this Hanwha vulnerability is NOT "based on files cached in a computer/browser from a prior valid admin login session", we will happily run it as 'front page' public news. Right now, with what we know that makes it quite limited.

Hanwha supporters, such as myself, are not as tacky as Hik and Dahua supporters. That's not to say that we aren't tacky in our own right, we're just not that tacky.

Look what I saw on the home page there that popped up this weekend

On the home page............
