LifeSafety Power NetLink Vulnerabilities And Problematic Response

By John Scanlan, Published May 20, 2019, 10:08am EDT

'Power supplies' are not devices that many think about when considering vulnerabilities, but as more and more devices go 'online', the risks for them need to be considered as well.

Indeed, security researcher Bashis has discovered various vulnerabilities in LifeSafety Power NetLink devices.

IPVM spoke with both Bashis and executives at LifeSafety Power. Inside, we provide details on this vulnerability including:

  • Vulnerabilities overviewed
  • Devices affected
  • Impact of vulnerability
  • Why Life Safety Power failed to respond to multiple reports until IPVM intervened
  • What Life Safety Power says they are doing now to improve their cybersecurity process

Related, see IPVM's Cybersecurity Vulnerability Directory

LifeSafety ***** ******* ************* ********

******* ******* *** **** with ****** ******** ******* to ****** ******* *** control ****** ***** *** receive ****** ********* ****** or ******** *********.

Impact ** *************

********' ***** ** ******* report *****, *** ******** ** high, **** ******* *************** including ************ ****** ** clear **** ***********, ** the ******* **** *** PoC *****:

***** ******** ** ** cameras, ***** *** ****** far **** ** ***** devices, ***** ******* *** generally **** ** ****** security ********** ***** ************ of **** *************** ***** be **** ***********.

Patch *** *************

***** **** ******** ******* can******** ******* ******** **** their ******* ****. *** ***** ******* ******** NetLink ******* ** ***** network, *** ********** *** ** downloaded ****, *** ** **** to ****** *** ***** upgrade ********.

Devices ********

*** ******* ******** ******* the NL2 *** *** ******* firmware ******** *.**, *.***-** and *.***-***.

Poor ******** ** ******** *************

Months passed with several attempts to contact LSP before they finally responded. The timeline below shows this went from December 2018 - March 2019.

******** **, ****: ****** contacts ******** ******** **** VDOO **** *** ********, and **** ******* ** contact *** **** *** findings ******** ***** ** no *****.

******** **, ****: **** returns *** **** ** him ***** *** *** failed ** *******. **** the **** *** **** Bashis ******** ** ******* LSP *******, ***** **** ignored, ******* **** **** thought ** *** * phishing *******.

******** **, ****: ** a ***** ****** ** provide *** * ****** to ****** ***** ******** and ******* ****** ********** his ********, ****** ******* out ** ****. **** was **** ** *** in ***** ********** ***** and ******* **** **** Bashis.

***** * ****: *** firmware *** ******** *** provided ** ****** *** testing.

***** * ****: ****** confirmed *** ******** *** corrected.

*** ********* ****:

***** *********** ********** ***** was * ******* **** **** ** stating * ************* *** found ** ******* *** ** appeared ** **** **** a phishing email and so wasn’t ***** **. **** *** our *******.

**** ** ****** ***** of *** ******** ***** in ******** (*** **** Honovich ****** ** *****) we ***** ********** *** matter **** ***.

Improvements ********** *******

*** **** *** **** will ** **** ******** about ******** ********:

***** ******* *** *** and *** ********* **** will ** ****** ** *** ************* ******* *********, ** matter *** ******.

**** ****** ********* ************ in ***** ******** *********** process:

*** ***** *** ********** during ******** ***********. ** have ******** *** **** review **** * ***** security ****** *** **** plan ** ********** ********** external ***** ***** *******.

Default ******** *******

*** ******** ******* **** with ******* *********** ***** are ********** ** ** changed **** * ***-** message *** *** *** required ** ** *******. Due ** *** **** associated **** ******* ***********, they **** ********* ** ****************** ** ******* ****.

Response ** ******* ******** *****

*** ********** ** ***** allowance ** ******* *********:

*** ******* ******** ** ******** provided for ******* ***** *** testing ** *** ****** (common ******** ** *** industry). To ****** ***** ** setup ****** ********, ** ***** a “***” ******** **** *** default ******** ** *** ****** and ** ****** ** changed to * ******* ******** password ********** ** *** customer ** *** **********. *** warning ******* ******** ***** time ** ***** ** long ** *** ******** has *** **** ***** properly.  **** * ******** is ******* ** ** required ** **** * -14 ********* **** * mix ** *******, **** sensitive *******, *** ******* characters. We **** ******* * survey ***** *** ******** base *** *** ** we ****** **** *** Netlink ******** ***** ***** to ***** ****** ******** the ***** **** **** login. ********* ** *** survey *******, ** *** change *** ******** ** force ***** ** ****** the ******* ******** ***** their ***** *****.

****: ** ******** ***** it ***** '******** ********' in ****, ************ ********* have ********** *** ******* password, ******* ***** ** set * ******** ** first ***.

Device ********* *****

*********** ********* ************* *** ** ****, recommending ***** * ****** IP ******* ** * cybersecurity **********, ******* ***** alerts, *** ***** **** rather **** ***** ** you **** **** ******* is ******:

Reminder ** ******* *****

**** ** * **** reminder **** ** **** devices **** *** '******** of ******', *************, ***********, and ***** **** ** be ******** ***** ************* vulnerabilities. 

Comments (27)

"Months passed with several attempts to contact LSP before they finally responded. The timeline below shows this went from December 2018 - March 2019."

Indeed, they are very difficult to communicate with. Communications with tech support are almost non-existent; they have never returned calls no matter what the question... Are they just too busy, understaffed or just plain arrogant?

Like the concept of their offerings, but due to their non-responsiveness, our only option is, "next"!

Agree: 1
Disagree
Informative: 4
Unhelpful
Funny

This drives home the message of cyber-hygiene: following basic hardening practices at the switch to mitigate a manufacturer's mistakes. MAC binding/spoofing prevention, password complexity, services turned off, and VLANs implemented can all help prevent/mitigate exploitation, even in the absence of a fix.

Agree: 5
Disagree
Informative
Unhelpful
Funny

These issues are not unique to LSP; this is an industry-wide problem that the C-Suite had better get out in front of before it comes back to bite them in the pocketbook.

I would love to see feedback from the IPVM community to see who else thinks cyber concerns trump (pardon the pun) the functional requirements of devices. I don't want to turn this LSP post into a cyber discussion, but I'm just curious who else thinks cyber is the #1 concern when specifying products.

I specify LSP products, but right now we are removing the NETLINK until there is a full EIT/EIS evaluation, including pen-testing done by someone other than the manufacturer or their 3rd party. I like the way LSP made the NETLINK modular so I can use the devices now and add in the "connectivity" at a later date.

Agree
Disagree
Informative
Unhelpful
Funny

right now we are removing the NETLINK until there is a full EIT/EIS evaluation, including pen-testing done by someone other than the manufacturer or their 3rd party

Who would do that? 

Agree
Disagree
Informative
Unhelpful
Funny

By removing the "Connectivity Piece" it allows us to call it a non-technology asset (regulatory compliance) and still able to deploy the LSP ProWire Solutions to provide uniformity and consistency across the enterprise (over 10K+ openings). 

Once EIT/EIS has time to evaluate and PENN Test the NETLINK and approves it as a "Connected Device" then I can add them to the mix and take advantage of all the monitoring functions.

In my world (financial institutions) regulatory compliance is the name of the game, it trumps functional requirements period!  If it is "IP Capable" then it becomes heavily scrutinized, long gone are the days of just using a closed/isolated LAN to host those devices.

Agree
Disagree
Informative
Unhelpful
Funny

Many thanks to IPVM for helping to establish the contact with LSP; it was truly the last resort for me. Thanks also to LSP for the fast response and updated FW after this intervention by IPVM.

Agree
Disagree
Informative: 7
Unhelpful
Funny

LifeSafety Power takes full responsibility for the vulnerability found by the researcher Bashis. Neither LSP nor the multiple third-party penetration tests done previously had identified this problem, so we greatly value that he did.

After discussion with Bashis, a firmware patch was done and provided to him for confirmation of operation. Bashis tested and confirmed quickly (much appreciated) and we released the new firmware mid-March.

LSP has built its reputation on service and response to the integrator, which has been a key factor in our growth curve since our beginnings. In keeping with those principles, our reaction to the NL2/NL4 issue was received, evaluated, and acted upon within one day of credible notification. Up to that point, there had been one email to LSP advising of a problem with the NL2/NL4. That email sender was unknown to us, had no company identification, no phone number and no discernible industry affiliation, and was written in a manner that did not appear credible. There is no record within our plant of a company identified as VDOO and we have never done business with, or had contact with, that company.

The IPVM article title uses the word “vulnerabilities” (plural), giving the impression that there are multiple issues with the device but then the text changes the wording to “vulnerability” (singular). “Vulnerabilities” is misleading. The issue of the preassigned password is not a vulnerability but the result of customer request to have access to the NL device for in-house setup and configuration without the need to keep multiple password records prior to the unit going on site and live. This can be changed if customers (or laws) require it.

This incident has resulted in a change within LSP of the procedures involved in firmware generation such that this type of issue is eliminated and a policy that will result in cybersecurity queries being elevated.

Our reputation is always first and foremost in our mind and we will always take whatever steps are necessary to uphold it and our responsibility to our customers. 

John Olliver

Sr VP Sales and Marketing

LifeSafety Power

To Undisclosed Integrator #1...

Our tech team is highly focused on service and support so your comment that you have "never had a return call"  seems highly out of character.  If we have a fundamental problem I'm not aware of I would like to understand that and address it, so please contact me. Direct line (770) 335-0215.

I will return your call.

Agree
Disagree
Informative: 2
Unhelpful
Funny

The IPVM article title uses the word “vulnerabilities” (plural), giving the impression that there are multiple issues with the device

Yes, that's because Bashis' PoC lists multiple vulnerabilities (plural), as screencapped below:

We did not go into the details of each vulnerability for issues of space and technical complexity but there are multiple vulnerabilities.

Agree
Disagree
Informative
Unhelpful
Funny

Neither LSP nor the multiple third party penetration testing done previously had identified this problem so we greatly value that he did.

If the PEN testing did not include source code review, then it is unlikely you would ever find vulnerabilities like this. External PEN testing tends to mostly focus on testing for known exploits and common things like SQL injection or form manipulation. 

If your PEN testing included source code reviews, then you should probably ask for a refund (not implying these vulnerabilities were easy to find, but a decent firm should have found at least some of the basics).

Agree: 1
Disagree
Informative
Unhelpful
Funny

Power supplies' are not devices that many think about when considering vulnerabilities...

I’m gonna take the fact that bashis is now hacking power supplies as an encouraging sign that IP cameras may have hardened somewhat.

on second thought, I’m an idiot.

Agree
Disagree
Informative
Unhelpful
Funny: 4

First, a (unfortunately necessary) disclaimer -- great work to bashis for finding this vulnerability. I mean it when I say that I would bet that his contributions to the cyber hygiene of the security industry outweigh the entire rest of IPVM combined.

With that said, while it's unacceptable that such a vulnerability existed in the LSP product in the first place, if I am understanding it correctly that the firmware versions where this vulnerability was discovered are 7.x and 8.0x, this is another perfect example of how integrators/customers practicing good cyber hygiene in the first place would mitigate this vulnerability in the first place. From checking release notes, it looks like 7.15 was released in January of 2016, and the last 8.0 revision was in December of 2018. I know that all of mine were upgraded to 9.14 last month.

Every organization is different, but implementing a quarterly check of all firmware revisions for all network-connected devices should be a bare minimum requirement these days. Some will choose to do it more often, but anyone using an enterprise-grade product should be able to do quarterly without any issue.

Again -- kudos to all involved for finding the vulnerability, and to LSP for (eventually) fixing it.

As a sidenote, for those who say that LSP is unresponsive, you literally must be calling the wrong number or just have really bad luck. They're one of the few manufacturers I've dealt with that actually respond quickly almost every time I ever contact them.

Agree
Disagree
Informative: 2
Unhelpful
Funny
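One way to make the quarterly firmware check described above repeatable, as an added example that is not code from the article or from LifeSafety Power: a small inventory audit that parses the version string each device reports and flags anything below a minimum fixed version or that cannot be read. The inventory and device names are constructed, and the 9.14 minimum is only the version the commenter reports upgrading to, used here as a placeholder rather than a vendor-confirmed fix.

```python
import re
from dataclasses import dataclass

# Placeholder: 9.14 is the version a commenter reports upgrading to, not a
# vendor-confirmed fix. Set this to the version the vendor confirms as fixed.
MIN_FIXED_VERSION = "9.14"

# Leading numeric part of a version string; suffixes such as "-01" are ignored.
_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)")

def parse_version(text: str):
    """Turn '7.15', '8.03' or '9.14-01' into a tuple of ints, or None if unreadable.
    Tuples compare numerically: (9, 2) < (9, 14), whereas the raw strings would
    wrongly rank '9.2' above '9.14'."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

@dataclass
class Finding:
    device: str
    reported: str
    status: str  # "ok", "upgrade" or "unknown"

def audit(inventory: dict, minimum: str = MIN_FIXED_VERSION) -> list:
    """inventory maps device name -> firmware string as reported by the device."""
    floor = parse_version(minimum)
    if floor is None:
        raise ValueError(f"unreadable minimum version: {minimum!r}")
    findings = []
    for name, raw in sorted(inventory.items()):
        ver = parse_version(raw)
        if ver is None:
            status = "unknown"   # cannot be verified, so it still needs action
        elif ver < floor:
            status = "upgrade"
        else:
            status = "ok"
        findings.append(Finding(name, raw, status))
    return findings

def needs_action(findings) -> list:
    """Devices below the fixed version or whose version could not be read."""
    return [f for f in findings if f.status != "ok"]

# Constructed sample inventory; device names and versions are made up.
SAMPLE_INVENTORY = {
    "nl2-lobby": "7.15",
    "nl4-dock": "8.03",
    "nl4-garage": "9.14",
    "nl2-annex": "9.2",
    "nl2-spare": "n/a",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.device:12} {f.reported:8} {f.status}")
```

Feed it whatever your inventory system exports (name and reported firmware string) and treat "unknown" entries as findings, not as noise.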

I would bet that his contributions to the cyber hygiene of the security industry outweigh the entire rest of IPVM combined.

Bashis' contributions are more significant than the entire industry combined. He's discovered vulnerabilities in Axis, Dahua, Geovision, Vivotek, TVT, to name just a few, that have made the industry far more aware of these risks.

As for LSP responsiveness, the fact that they thought an email from 'bashis' was phishing is a poor demonstration of the awareness of cybersecurity issues in this industry and even, more fundamentally, their ability to google 'bashis', where there are numerous prominent references to his work.

Agree
Disagree
Informative
Unhelpful
Funny

John, without having any knowledge of what channels Bashis used to reach out to them, I would consider it at the very least plausible that either the message was literally intercepted by an email provider OR that it was read by a low-level customer service person and discarded, either because they had no idea what he was saying or because they felt like it was suspicious. Again, all the credit in the world to Bashis here, but I don't think it's inaccurate or unfair to say that Bashis's written English can sometimes come across as originating from the son of the deposed King of Nigeria or something similar...no disrespect intended, but I'm just saying...

Either way, my point is that I would hope that this article doesn't portray LSP in an overly negative light as "unresponsive" or not caring about these things. My experience -- and obviously the experience of others -- is exactly the opposite in both regards, and that's further evidenced by the relatively quick fix that they released once they realized it was legit.

Agree
Disagree
Informative
Unhelpful
Funny

OR that it was read by a low-level customer service person and discarded

That's a poor defense. They admit they knew the email was about vulnerabilities and we agree that Bashis put his name there. Shame on them if they did not know who Bashis is and did not think about googling him, which would have easily and quickly confirmed that it needed to be examined further.

I don't follow LSP, I don't know John Olliver, so I am not saying they are good or bad generally, just that their explanation for not responding to the vulnerability email(s) does not make good sense to me.

Agree
Disagree
Informative
Unhelpful
Funny

1) linux shells are typically case sensitive (unlike windows).

2) it is speculated that the nom de guerre bashis is a portmanteau of bash (the common Linux shell) and Axis (an early target manufacturer).

3) regardless, the researcher clearly has intended an all lower case rendering of his handle, shown by his own usage.

4) even if they don’t express it, Linux hackers are super sensitive to these types of gaffes.

5) continued use of big B Bashis could cause severe cognitive dissonance in the fabled researcher, as he simultaneously feels positive recognition mixed with the thought of the erroneous syntactical slip-up.

therefore the use of the identifier Bashis should be deprecated at once in favor of the canonical bashis, as shown below.

Agree
Disagree
Informative
Unhelpful
Funny

You are a bit off track; let me confuse you a bit more with the following URL

https://www.ancestry.com/name-origin?surname=bashis

Agree
Disagree
Informative
Unhelpful
Funny

I stand corrected, Mr. w.

Agree
Disagree
Informative
Unhelpful
Funny

but u r right, my nick is spelled "bashis" and not "Bashis", however I'm not so sensitive about that  ;)

Agree
Disagree
Informative
Unhelpful
Funny

Unrelated: Bashis, is this what you do for a living or is this a hobby? I'm not certain how this gets monetized, which is why I ask. You are doing phenomenal work and I hope there is some reward in this for you.

Agree
Disagree
Informative
Unhelpful
Funny

In my free time; the reward is gaining experience.

Agree
Disagree
Informative
Unhelpful
Funny

As a guy who is writing an SSP for a system that will be using at least 85 of these, now I need to verify that they have actually fixed the problem. My head hurts.

Agree
Disagree
Informative
Unhelpful
Funny

I would recommend you keep up to date with the latest FW; then you “should” be ok.

Agree
Disagree
Informative
Unhelpful
Funny

Maintaining accurate inventory is a requirement anyway. So yes, you'd have to verify it's the proper version, but you should have already been checking the version...

Agree
Disagree
Informative
Unhelpful
Funny

This is a future thing. None are installed yet.

Agree
Disagree
Informative
Unhelpful
Funny

I understand that LSP has been sold to Assa Abloy. Do you think this may help or hinder the problems with response?

Agree
Disagree
Informative
Unhelpful
Funny

Hello Jim, see our post on the deal: Assa Acquires LifeSafety Power.

It is difficult to be definite whether the buy helps or hurts LSP future responses, but it is worth pointing out that Assa this week posted a 'Cyber Security Officer' headquartered with HID in Austin.

The formal structure and responsibility of cybersecurity to a particular group of people within Assa is likely to result in a coordinated focus across brands, rather than invariably be informal and sporadic within a small company like LifeSafety Power alone.

Agree: 1
Disagree
Informative
Unhelpful
Funny

The way I read the "Cyber Security Office (HID5442)" post it says Long Beach. Which is not a bad thing, Mercury has upped their "we know cyber" marketing noise ;-)

Agree
Disagree
Informative
Unhelpful
Funny