"Months passed with several attempts to contact LSP before they finally responded. The timeline below shows this went from December 2018 - March 2019."

Indeed, they are very difficult to communicate with.  Communications with tech support are almost non-existent, they have never returned calls no matter what the question...  Are they just too busy, understaffed or just plain arrogant?

Like the concept of their offerings, but due to their non-responsiveness, our only option is, "next"!

These issues are not uniqie to LSP, this is a industry wide probelm that the C-Suite better get out in front of before its comes back to bite them in the pocketbook. 

I would love to see feedback of the IPVM community to see who else thinks cyber concerns trump (pardon the pun) the functional requirements of devices.  I dont want to turn this LSP post into a cyber discussion but just curious who else thinks cyber is #1 concern when specifying prodcuts.

I specifiy LSP products but right now we are removing the NETLINK until there is full EIT/EIS Evaluation to include pen-tesing dont by someone else other than manufacturer or thier 3rd party.   I like the way LSP made the NETLINK modular so I can use the devices now and add in the '"connectivity" at a later date.

LIfeSafety Power takes full responsibility for the vulnerability found by the researcher Bashis.  Neither LSP nor the multiple third party penetration testing done previously had identified this problem so we greatly value that he did.

After discussion with Bashis, a firmware patch was done and provided to him for conformation of operation. Bashis tested and confirmed quickly (much appreciated) and we released the new firmware mid March.

LSP has built its reputation on service and response to the integrator which has been a key factor in our growth curve since our beginnings.  In keeping with those principals our reaction to the NL2/NL4 issue was received, evaluated, and acted upon within one day of credible notification. Up to that point, there had been one email to LSP advising of a problem with the NL2/NL4. That email sender was unknown to us, had no company identification, no phone number and no discernible industry affiliation and was written in a manner that did not appear credible. There is no record within our plant of a company identified as VDOO and we have never done business with, or had contact with that company.

The IPVM article title uses the word “vulnerabilities” (plural), giving the impression that there are multiple issues with the device but then the text changes the wording to “vulnerability” (singular). “Vulnerabilities” is misleading. The issue of the preassigned password is not a vulnerability but the result of customer request to have access to the NL device for in-house setup and configuration without the need to keep multiple password records prior to the unit going on site and live. This can be changed if customers (or laws) require it.

This incident has resulted in a change within LSP of the procedures involved in firmware generation such that this type of issue is eliminated and a policy that will result in cybersecurity queries being elevated.

Our reputation is always first and foremost in our mind and we will always take whatever steps are necessary to uphold it and our responsibility to our customers. 

John Olliver

Sr VP Sales and Marketing

LifeSafety Power

To Undisclosed Integrator #1...

Our tech team is highly focused on service and support so your comment that you have "never had a return call"  seems highly out of character.  If we have a fundamental problem I'm not aware of I would like to understand that and address it, so please contact me. Direct line (770) 335-0215.

I will return your call.

Power supplies' are not devices that many think about when considering vulnerabilities...

I’m gonna take the fact that bashis is now hacking power supplies as a encouraging sign that ip cameras may have hardened somewhat.

on second thought, I’m an idiot.

First, a (unfortunately necessary) disclaimer -- great work to bashis for finding this vulnerability. I mean it when I say that I would bet that his contributions to the cyber hygiene of the security industry outweigh the entire rest of IPVM combined.

With that said, while it's unacceptable that such a vulnerability existed in the LSP product in the first place, if I am understanding it correctly that the firmware versions where this vulnerability was discovered are 7.x and 8.0x, this is another perfect example of how integrators/customers practicing good cyber hygiene in the first place would mitigate this vulnerability in the first place. From checking release notes, it looks like 7.15 was released in January of 2016, and the last 8.0 revision was in December of 2018. I know that all of mine were upgraded to 9.14 last month.

Every organization is different, but implementing a quarterly check of all firmware revisions for all network-connected devices should be a bare minimum requirement these days. Some will choose to do it more often, but anyone using an enterprise-grade product should be able to do quarterly without any issue.

Again -- kudos to all involved for finding the vulnerability, and to LSP for (eventually) fixing it.

As a sidenote, for those who say that LSP is unresponsive, you literally must be calling the wrong number or just have really bad luck. They're one of the few manufacturers I've dealt with that actually respond quickly almost every time I ever contact them.

1) linux shells are typically case sensitive (unlike windows).

2) it is speculated that the nom de guerre bashis is a portmanteau of bash (the common Linux shell) and Axis (an early target manufacturer).

3) regardless, the researcher clearly has intended an all lower case rendering of his handle, shown by his own usage.

4) even if they don’t express it, Linux hackers are super sensitive to these types of gaffes.

5) continued use of big B Bashis could cause severe cognitive dissonance in the fabled researcher, as he simultaneously feels positive recognition mixed with the thought of the erroneous syntactical slip-up.

therefore the use of the identifier Bashis should be deprecated at once in favor of the canonical bashis, as shown below.

Unrelated:  Bashis is this what you do for a living or is this a hobby?  I'm not certain how this gets monetized is why I ask.  You are doing phenomenal work and I hope there is some reward in this for you.

As a guy who is writing an SSP for a system that will be using at least 85 of these, now I need to verify that they have actually fixed the problem. My head hurts.

I understand that LSP has been sold to Assa Abloy. Do you think this may help or hinder the problems with response?