LifeSafety Power NetLink Vulnerabilities And Problematic Response

Published May 20, 2019 14:08 PM

'Power supplies' are not devices that many think about when considering vulnerabilities, but as more and more devices go 'online', the risks to them need to be considered as well.

Indeed, security researcher Bashis has discovered various vulnerabilities in LifeSafety Power NetLink devices.

[Image: LifeSafety Power NetLink Vulnerability]

IPVM spoke with both Bashis and executives at LifeSafety Power. Inside, we provide details on this vulnerability including:

  • Overview of the vulnerabilities
  • Devices affected
  • Impact of vulnerability
  • Why Life Safety Power failed to respond to multiple reports until IPVM intervened
  • What Life Safety Power says they are doing now to improve their cybersecurity process

Related, see IPVM's Cybersecurity Vulnerability Directory

LifeSafety ***** ******* ************* ********

******* ******* *** **** **** ****** controls ******* ** ****** ******* *** control ****** ***** *** ******* ****** regarding ****** ** ******** *********.

Impact ** *************

********' ***** ** ******* ****** *****, *** ******** ** ****, **** several *************** ********* ************ ****** ** clear **** ***********, ** *** ******* from *** *** *****:

***** ******** ** ** *******, ***** are ****** *** **** ** ***** devices, ***** ******* *** ********* **** in ****** ******** ********** ***** ************ of **** *************** ***** ** **** significant.

Patch *** *************

***** **** ******** ******* *********** ******* ******** **** ***** ******* page. *** ***** ******* ******** ******* ******* on ***** *******, *** ********** *** ** ********** ****, *** ** **** ** ****** and ***** ******* ********.

Devices ********

*** ******* ******** ******* *** *** *** NL4 ******* ******** ******** *.**, *.***-** and *.***-***.

Poor ******** ** ******** *************

****** ****** **** ******* ******** ** contact *** ****** **** ******* *********. The ******** ***** ***** **** **** from ******** **** - ***** ****.

******** **, ****: ****** ******** ******** research **** **** **** *** ********, and **** ******* ** ******* *** with *** ******** ******** ***** ** no *****.

******** **, ****: **** ******* *** work ** *** ***** *** *** failed ** *******. **** *** **** few **** ****** ******** ** ******* LSP *******, ***** **** *******, ******* that **** ******* ** *** * phishing *******.

******** **, ****: ** * ***** effort ** ******* *** * ****** to ****** ***** ******** *** ******* before ********** *** ********, ****** ******* out ** ****. **** *** **** to *** ** ***** ********** ***** and ******* **** **** ******.

***** * ****: *** ******** *** released *** ******** ** ****** *** testing.

***** * ****: ****** ********* *** firmware *** *********.

*** ********* ****:

***** *********** ********** ***** *** * ******* **** came ** ******* * ************* *** found ** ******* *** ** ******** ** look **** * ******** ***** *** ** ****’* ***** **. **** *** our *******.

**** ** ****** ***** ** *** security ***** ** ******** (*** **** Honovich ****** ** *****) ** ***** addressing *** ****** **** ***.

Improvements ********** *******

*** **** *** **** **** ** more ******** ***** ******** ********:

***** ******* *** *** *** *** Executive **** **** ** ****** ** *** ************* ******* *********, ** ****** *** source.

**** ****** ********* ************ ** ***** software *********** *******:

*** ***** *** ********** ****** ******** development. ** **** ******** *** **** review **** * ***** ******** ****** and **** **** ** ********** ********** external ***** ***** *******.

Default ******** *******

*** ******** ******* **** **** ******* credentials ***** *** ********** ** ** changed **** * ***-** ******* *** are *** ******** ** ** *******. Due ** *** **** ********** **** Default ***********, **** **** ********* ** ****************** ** ******* ****.

Response ** ******* ******** *****

*** ********** ** ***** ********* ** default *********:

*** ******* ******** ** ******** ******** *** ******* setup *** ******* ** *** ****** (common ******** ** *** ********). ** ****** users ** ***** ****** ********, ** ***** a “***” ******** **** *** ******* ******** is NOT ****** *** ** ****** ** changed to * ******* ******** ******** ********** by *** ******** ** *** **********. *** warning ******* ******** ***** **** ** login ** **** ** *** ******** has *** **** ***** ********.  **** a ******** ** ******* ** ** required ** **** * -** ********* with * *** ** *******, **** sensitive *******, *** ******* **********. ** **** conduct * ****** ***** *** ******** base *** *** ** ** ****** have *** ******* ******** ***** ***** to ***** ****** ******** *** ***** time **** *****. ********* ** *** survey *******, ** *** ****** *** firmware ** ***** ***** ** ****** the ******* ******** ***** ***** ***** login.

****: ** ******** ***** ** ***** 'commonly ********' ** ****, ************ ********* have ********** *** ******* ********, ******* users ** *** * ******** ** first ***.

Device ********* *****

*********** ********* ************* *** ** ****, ************ ***** a ****** ** ******* ** * cybersecurity **********, ******* ***** ******, *** using **** ****** **** ***** ** you **** **** ******* ** ******:

Reminder ** ******* *****

**** ** * **** ******** **** as **** ******* **** *** '******** of ******', *************, ***********, *** ***** need ** ** ******** ***** ************* vulnerabilities. 

Comments (27)
Undisclosed Integrator #1
May 20, 2019

"****** ****** **** ******* ******** ** contact *** ****** **** ******* *********. The ******** ***** ***** **** **** from ******** **** - ***** ****."

******, **** *** **** ********* ** communicate ****.  ************** **** **** ******* are ****** ***-********, **** **** ***** returned ***** ** ****** **** *** question...  *** **** **** *** ****, understaffed ** **** ***** ********?

**** *** ******* ** ***** *********, but *** ** ***** ***-**************, *** only ****** **, "****"!

Undisclosed Manufacturer #2
May 20, 2019

**** ****** **** *** ******* ** cyber-hygiene. ********* ***** ********* ********* ** *** switch ** ******** * ************'* ********. MAC *******/******** **********, ******** **********, ******** turned ***, ***** *********** *** *** help *******/******** ************, **** ** *** absence ** * ***.

Undisclosed End User #3
May 20, 2019

***** ****** *** *** ****** ** LSP, **** ** * ******** **** problem **** *** *-***** ****** *** out ** ***** ** ****** *** comes **** ** **** **** ** the **********.

* ***** **** ** *** ******** of *** **** ********* ** *** who **** ****** ***** ******** ***** (pardon *** ***) *** ********** ************ of *******.  * **** **** ** turn **** *** **** **** * cyber ********** *** **** ******* *** else ****** ***** ** #* ******* when ********** ********.

* ******** *** ******** *** ***** now ** *** ******** *** ******* until ***** ** **** ***/*** ********** to ******* ***-****** **** ** ******* else ***** **** ************ ** ***** 3rd *****.   * **** *** *** LSP **** *** ******* ******* ** I *** *** *** ******* *** and *** ** *** '"************" ** a ***** ****.

John Honovich
May 20, 2019
IPVM

***** *** ** *** ******** *** NETLINK ***** ***** ** **** ***/*** Evaluation ** ******* ***-****** **** ** someone **** ***** **** ************ ** their *** *****

*** ***** ** ****? 

Undisclosed End User #3
May 22, 2019

** ******** *** "************ *****" ** allows ** ** **** ** * non-technology ***** (********** **********) *** ***** able ** ****** *** *** ******* Solutions ** ******* ********** *** *********** across *** ********** (**** ***+ ********). 

**** ***/*** *** **** ** ******** and **** **** *** ******* *** approves ** ** * "********* ******" then * *** *** **** ** the *** *** **** ********* ** all *** ********** *********.

** ** ***** (********* ************) ********** compliance ** *** **** ** *** game, ** ****** ********** ************ ******!  If ** ** "** *******" **** it ******* ******* ***********, **** **** are *** **** ** **** ***** a ******/******** *** ** **** ***** devices.

bashis mcw
May 20, 2019

**** ****** ** **** *** ******* to ************ *** ******* **** ***, its *** ***** *** **** ******** for **, *** **** ****** ** LSP *** **** ******** *** ******* FW ***** **** ************ ** ****.

John Olliver
May 20, 2019

********** ***** ***** **** ************** *** the ************* ***** ** *** ********** Bashis.  ******* *** *** *** ******** third ***** *********** ******* **** ********** had ********** **** ******* ** ** greatly ***** **** ** ***.

***** ********** **** ******, * ******** patch *** **** *** ******** ** him *** ************ ** *********. ****** tested *** ********* ******* (**** ***********) and ** ******** *** *** ******** mid *****.

*** *** ***** *** ********** ** service *** ******** ** *** ********** which *** **** * *** ****** in *** ****** ***** ***** *** beginnings.  ** ******* **** ***** ********** our ******** ** *** ***/*** ***** was ********, *********, *** ***** **** within *** *** ** ******** ************. Up ** **** *****, ***** *** been *** ***** ** *** ******** of * ******* **** *** ***/***. That ***** ****** *** ******* ** us, *** ** ******* **************, ** phone ****** *** ** *********** ******** affiliation *** *** ******* ** * manner **** *** *** ****** ********. There ** ** ****** ****** *** plant ** * ******* ********** ** VDOO *** ** **** ***** **** business ****, ** *** ******* **** that *******.

*** **** ******* ***** **** *** word “***************” (******), ****** *** ********** that ***** *** ******** ****** **** the ****** *** **** *** **** changes *** ******* ** “*************” (********). “Vulnerabilities” ** **********. *** ***** ** the *********** ******** ** *** * vulnerability *** *** ****** ** ******** request ** **** ****** ** *** NL ****** *** **-***** ***** *** configuration ******* *** **** ** **** multiple ******** ******* ***** ** *** unit ***** ** **** *** ****. This *** ** ******* ** ********* (or ****) ******* **.

**** ******** *** ******** ** * change ****** *** ** *** ********** involved ** ******** ********** **** **** this **** ** ***** ** ********** and * ****** **** **** ****** in ************* ******* ***** ********.

*** ********** ** ****** ***** *** foremost ** *** **** *** ** will ****** **** ******** ***** *** necessary ** ****** ** *** *** responsibility ** *** *********. 

**** *******

** ** ***** *** *********

********** *****


** *********** ********** #*...

*** **** **** ** ****** ******* on ******* *** ******* ** **** comment **** *** ****"***** *** * ****** ****"  ***** ****** *** ** *********.  ** we **** * *********** ******* *'* not ***** ** * ***** **** to ********** **** *** ******* **, so ****** ******* **. ****** **** (770) ***-****.

* **** ****** **** ****.

John Honovich
May 20, 2019
IPVM

*** **** ******* ***** **** *** word “***************” (******), ****** *** ********** that ***** *** ******** ****** **** the ******

***, ****'* ************* *** ***** ******** ***************(******), ** ************ *****:

** *** *** ** **** *** details ** **** ************* *** ****** of ***** *** ********* ********** *** there *** ******** ***************.

Undisclosed #4
May 20, 2019

******* *** *** *** ******** ***** party *********** ******* **** ********** *** identified **** ******* ** ** ******* value **** ** ***.

** *** *** ******* *** *** include ****** **** ******, **** ** is ******** *** ***** **** **** vulnerabilities **** ****. ******** *** ******* tends ** ****** ***** ** ******* for ***** ******** *** ****** ****** like *** ********* ** **** ************. 

** **** *** ******* ******** ****** code *******, **** *** ****** ******** ask *** * ****** (*** ******** these *************** **** **** ** ****, but * ****** **** ****** **** found ** ***** **** ** *** basics.

Undisclosed #5
May 21, 2019
IPVMU Certified

***** ********' *** *** ******* **** many ***** ***** **** *********** ***************...

*’* ***** **** *** **** **** bashis ** *** ******* ***** ******** as * *********** **** **** ** cameras *** **** ******** ********.

** ****** *******, *’* ** *****.

Undisclosed #6
May 21, 2019

*****, * (************* *********) ********** -- great **** ** ****** *** ******* this *************. * **** ** **** I *** **** * ***** *** that *** ************* ** *** ***** hygiene ** *** ******** ******** ******** the ****** **** ** **** ********.

**** **** ****, ***** **'* ************ that **** * ************* ******* ** the *** ******* ** *** ***** place, ** * ** ************* ** correctly **** *** ******** ******** ***** this ************* *** ********** *** *.* and *.**, **** ** ******* ******* example ** *** ***********/********* ********** **** cyber ******* ** *** ***** ***** would ******** **** ************* ** *** first *****. **** ******** ******* *****, it ***** **** *.** *** ******** in ******* ** ****, *** *** last *.* ******** *** ** ******** of ****. * **** **** *** of **** **** ******** ** *.** last *****.

***** ************ ** *********, *** ************ a ********* ***** ** *** ******** revisions *** *** *******-********* ******* ****** be * **** ******* *********** ***** days. **** **** ****** ** ** it **** *****, *** ****** ***** an **********-***** ******* ****** ** **** to ** ********* ******* *** *****.

***** -- ***** ** *** ******** for ******* *** *************, *** ** LSP *** (**********) ****** **.

** * ********, *** ***** *** say **** *** ** ************, *** literally **** ** ******* *** ***** number ** **** **** ****** *** luck. ****'** *** ** *** *** manufacturers *'** ***** **** **** ******** respond ******* ****** ***** **** * ever ******* ****.

John Honovich
May 21, 2019
IPVM

* ***** *** **** *** ************* to *** ***** ******* ** *** security ******** ******** *** ****** **** of **** ********.

****** ************* *** **** *********** **** the ****** ******** ********. **'* ********** vulnerabilities ******,*****,*********,*******,***, ** **** **** * ***, that *** **** *** ******** *** more ***** ** ***** *****.

** *** *** **************, *** **** that **** ****** ** ***** **** 'bahis' *** ******** ** * **** demonstration ** *** ********* ** ************* issues ** **** ******** *** ****, more *************, ***** ******* ******** '******'***** ***** *** ******** ********* ********** to *** ****.

Undisclosed #6
May 21, 2019

****, ******* ****** *** ********* ** what ******** ****** **** ** ***** out ** ****, * ***** ******** it ** *** **** ***** ********* that ****** *** ******* *** ********* intercepted ** ** ***** ******** ** that ** *** **** ** * low-level ******** ******* ****** *** *********, either ******* **** *** ** **** what ** *** ****** ** ******* they **** **** ** *** **********. Again, *** *** ****** ** *** world ** ****** ****, *** * don't ***** **'* ********** ** ****** to *** **** ******'* ******* ******* can ********* **** ****** ** *********** from ****** ** *** ******* **** ** Nigeria ** ********* *******...** ********** ********, *** I'm **** ******...

****** ***, ** ***** ** **** I ***** **** **** **** ******* doesn't ******* *** ** ** ****** negative ***** ** "************" ** *** caring ***** ***** ******. ** ********** -- *** ********* *** ********** ** others -- ** ******* *** ******** in **** *******, *** ****'* ******* evidenced ** *** ********** ***** *** that **** ******** **** **** ******** it *** *****.

John Honovich
May 21, 2019
IPVM

** **** ** *** **** ** a ***-***** ******** ******* ****** *** discarded

****'* * **** *******. **** ***** they **** *** ***** *** ***** vulnerabilities *** ** ***** **** ****** put *** **** *****. ***** ** them ** **** *** *** **** who ****** ** *** *** *** think ***** ******** ***, ***** ***** have ****** *** ******* ********* **** it ****** ** ** ******** *******.

* ***'* ****** ***, * ***'* know **** *******, ** * ** not ****** **** *** **** ** bad *********, **** **** ***** *********** for *** ********** ** *** ************* email(s) **** *** **** **** ***** to **.

Undisclosed #5
May 22, 2019
IPVMU Certified

*) ***** ****** *** ********* **** sensitive (****** *******).

*) ** ** ********** **** ****** ** ************ ** * *********** ******(*** ****** ***** *****) *** ****(** ***** ****** ************).

*) **********, *** ********** ******* *** intended ** *** ***** **** ********* of *** ******, ***** ** *** own *****.

*) **** ** **** ***’* ******* it, ***** ******* *** ***** ********* to ***** ***** ** ******.

*) ********* *** ** *** ************ ***** ****** ********* ********** ** the ****** **********, ** ** ************** feels ******** *********** ***** **** *** thought ** *** ********* *********** ****-**.

********* *** *** ** *** ********** ****** ****** ** ********** ** **** ** favor ** *** ***************, ** ***** *****.

bashis mcw
May 22, 2019

*** *** *** *** ** *** track, *** ** ******* *** * bit **** **** ********* *** 

*****://***.********.***/****-******?*******=******

Undisclosed #5
May 23, 2019
IPVMU Certified

* ***** *********, **. *.

bashis mcw
Jun 06, 2019

*** * * *****, ** **** is ******* "******" *** *** "******", however *'* *** ** ********* ***** that ;)

Undisclosed Integrator #7
May 24, 2019

*********:  ****** ** **** **** *** do *** * ****** ** ** this * *****?  *'* *** ******* how **** **** ********* ** *** I ***.  *** *** ***** ********** work *** * **** ***** ** some ****** ** **** *** ***.

bashis mcw
May 24, 2019

** ** **** ****, ****** ** gaining **********.

Scott Napier
Aug 26, 2019

** * *** *** ** ******* an *** *** * ****** **** will ** ***** ** ***** ** of *****, *** * **** ** verify **** **** **** ******** ***** the *******. ** **** *****.

bashis mcw
Aug 26, 2019

* ***** ********* *** ** **** up-to **** **** ****** **, **** you “******” ** **.

Undisclosed
Aug 26, 2019

*********** ******** ********* ** * *********** anyway. ** *** ***'* **** ** verify **'* *** ****** *******, *** you ****** **** ******* **** ******** the *******...

Scott Napier
Aug 26, 2019

**** ** * ****** *****. **** are ********* ***.

Jim Elder
Sep 11, 2019
IPVMU Certified

* ********** **** *** *** **** sold ** **** *****. ** *** think **** *** **** ** ****** the ******** **** ********?

Brian Rhodes
Sep 11, 2019
IPVMU Certified

***** ***, *** *** **** ** the ****:**** ******** ********** *****.

** ** ********* ** ** ******** whether *** *** ***** ** ***** LSP ****** *********, *** ** ** worth ******** *** **** **** **** week ****** * '***** ******** *******' ************* **** *** ** ******.

*** ****** ********* *** ************** ** cybersecurity ** * ********** ***** ** people ****** **** ** ****** ** result ** * *********** ***** ****** brands, ****** **** ********** ** ******** and ******** ****** * ***** ******* like ********** ***** *****.

Undisclosed
Sep 11, 2019

*** *** * **** *** "***** Security ****** (*******)" **** ** **** Long *****. ***** ** *** * bad *****, ******* *** ***** ***** "we **** *****" ********* ***** ;-)