Why Surveillance Pros Rationally Won't Care About The Massive Dahua Mirai Attack

By: Brian Karas, Published on Oct 05, 2016

The physical security industry has been fairly indifferent to cyber security (e.g., see the Cyber Security For Video Surveillance Study).

Here, we explain why most video surveillance integrators will not care about the massive Dahua attack, even if they understand it, and its effects.

We look at what led to the existence of Mirai, and why they would rationally be indifferent.

*** ******** ******** ******** has **** ****** *********** ** cyber ******** (*.*., *** the ***** ******** *** ***** Surveillance *****).

****, ** ******* *** **** video ************ *********** **** not **** ***** *** massive ***** ******, **** if **** ********** **, and *** *******.

** **** ** **** led ** *** ********* of *****, *** *** **** would ********** ** ***********.

[***************]

Mirai ****** *** ** ************ ********* *** **** *************

***** ******** *** ******* oversights ** ****** ** ideal ****** ********. *** first ** ** *** part ** *** ************, Dahua, ******** * ************* via ******* ** ****** access ** ***** ******* with ** *** *** the **** ** ******* it. *** ****** ** on *** **** ** installers ******* ******* ********* unchanged, ****** ** ********** easy *** ********* ** gain ****** **** **** connect ** ******.

A **** ******** **** *** **** *** ****

***** ** * ********, using *** ********* ** its **** *** *** own ********, *** ** does *** "****" *** host *** ****** ** inoperable. *******, ** ****** the ****** ********** ********** to *** *** ****, still ******** ** ** operate. **** ** *** part ** *** ****** many ** *** ******** industry **** *** **** more ********* ***** *****, it **** *** ****** break ********.

Mirai Is *** ***** ***

**** ******* **** ***** personal ****, ****** ****:

  • ****** *********
  • ****** **** ****
  • **** ******* ****
  • ****** ******** *******/********** ** info
  • *** ****

***** ** *** ****** to *** *** ** this ***********, ** **** infected ******* ** ****** attacks ******* ***** ******** sites.

***** ******** ** ***** do *** ****** *** direct ******* ** ******, this ** *** ***** reason *** ********* *** outrage *** *******, ***** can ****** ***** ******** and **** ** ******* lasting ******* ** ** infection.

Fixes **** *****

******** ********* *** ********** new ******** *** ***** that *** (**** *** users ***********) ******* **** fine ** ** ******* that *** *********** ***** want ** ***, *** even ***** ********* *** likely ** **** ** pay ***. ****, *** Mirai ****** ** ****** to ******** ** ***** for ******, ** **** years, ****** ***** ** some ***** ****** **** causes ****** ** ******** become ********* ** *** it.

Why *** ****** ****

******** ******* ****** **** secure *** ******** ***** they *** *********, *** not ************** *** ******* location (** ******) ** risk. ** ** ******** for **** ** ****** traffic ******, *** *** off ****** ** ********* sites. **** *** **** ******** in *** **** **** smaller ******'* **** ******* problems ** *** ********, and *** *****-******* ****** created ** ***** ** setting *** ******* *** DDoS ******* **********. ********* finding ********** ******** ** their *** ******* ***** security ****** ** ******** may ***** ***** *********** for ********** * "******" system.

Vote - ** *** ****?

Comments (18)

As more contracts start containing indemnification of the client against the fallout of these type of intrusions everyone will start to care more. The theft of credit card data, SSN#s, personal information, and other items have been ramping up the past few years.

You are spot on that this will fly under the radar for nearly everyone. Since there's no visible problem, few (or no one) will invest the effort in hunting for one.

A follow on question to the survey should be:

1. Will you take steps to address in future installs?

2. Will you remedy existing sites which may be affected?

Who should be responsible for paying for these fixes? The customer, the integrator, or the manufacture? The manufacturer may release new firmware but that doesn't actually fix the issue until it's been installed. For the integrator it costs a lot of money to roll a truck to all sites and upgrade the firmware.

These are all great reasons why it would be nice for manufacturers to start figuring out ways for these cameras to securely get automatic updates or have some kind of integrator cloud management upgrade feature.

Actually, remotely pushed updates can also create a whole new set of security risks. Imagine being able to hijack that mechanism. If attacks were bad before, they'd get truly horrendous then.

That might be true, but if done correctly it allows for fixing security wholes which can be much better long term. Think about your mobile phones, and so many of the newer IoT devices that all update through secure connections back to the manufactures servers.

Of course this has to be implemented securely and effectively to reduce the hijacking or impersonating risks that come along with it.

If the manufacturers don't have the knowledge to do this, then they should work with third party security experts to create a solution.

the idea of manually updating firmware to continue keeping up with security issues just doesn't make sense long term.

Funny that you mention the cell phone industry, because they've had multiple instances where firmware updates broke scores of end-user devices and unlike security cameras, they can't just take it with them easily to trade it in.

While ideally it can be secure and seamless; logistically, this could easily devolve into a nightmare situation at any one point.

Suffice to say, we can theorize here all day, but in the real world, there is no easy solution that can fix everything and break nothing else along the way. I like the idea of open-source, community driven development for camera firmware, but I would not like to see automatic updates pushed from my camera manufacturer.

A firmware push system also allows for a certain government sponsored company (*cough* Hikvision *cough*) to use that as a backdoor to introduce new backdoors on a situational basis. If any company turns firmware update pushes into the norm, Hikvision will certainly use that to their advantage and follow the trend, pretending that it is an innocuous new feature.

My vote remains a no.

I can see both sides of push updates. It really comes down to how confident you are in the manufacturer being able to properly push updates.

The Hikvision trojan horse infection of their mobile app is one example of why firmware pushes might not be a good idea. Up until that point I would have said it was a great idea. Brian Karas points out later in this thread that digital signing would help prevent that. My concern is whether that would have helped when it is the manufacturer pushing the update?

Another example is when Mcafee pushed updates that bricked a lot of PCs when pushing an update that falsely identified system files on startup.

Digital signing ensures (if done properly) that the firmware originated from the manufacturer, and has not been tampered with or altered. It does not prevent an issue where the firmware is corrupted directly by the manufacturer (either purposefully or accidentally). In essence, you need to have implicit trust in the manufacturer first.

One way to mitigate this is with signed/encrypted firmware, which is an approach that has been around for quite a while (though not very common in security devices).

There are many ways we can make it work safely if we put our minds to it, but the opposite holds true. No matter how hard we try to secure this, there are minds out there that can take advantage of this as yet another attack vector given enough determination.

And of course, I'll reiterate, Chinese Government + Hikvision.

The issue of trust is central to the core of security, both for real-world and cyber arenas. Using an open source OS with complete code inspection and automatic updates (for the OS) will mitigate part of the problem, but will not mitigate or even begin to mange the issue of a rogue codebase specific to the manufacturers hardware.

For example, everybody has probably heard of the Raspberry Pi computer. You can put whatever Linux distribution you feel like on it if you are comfortable with that sort of thing, BUT, and this is the very important bit, you cannot make the OS work without a specific binary file provided by one of the chip manufacturers. So while the OS might be made secure, you can never know what is in that binary file - what features does it actually possess? Does it have a backdoor? Can we even tell? What about a 'sleeper' command that activates hidden features?

So there are really two parts to this from a hardware point of view - the underlying OS and its features, and then the actual firmware code that makes the particular device work. Unless you can trust the manufacturer you are already boned and there is no way around that.

To be as sure as possible about keeping the devices both up-to-date and maintaining network security simultaneously requires a defence-in-depth approach. This is not something that the electronic security industry has typically engaged in for IT networks and is a separate and specialised skillset. There is no 'black-box' or silver bullet to manage this unfortunately.

The only other way I can think of to secure an IP based camera system is to have it separated entirely from the internet and anything else. You cant attack it if it is isolated in that way.

So in the end the problem is bigger than just firmware alone. Its a whole trust assessment process, design process and risk management. Like all things in security - how far do you go to reasonably mitigate risk?

...you can never know about that binary file...

Not without a lot of effort.

Related: SOC Microcode Vulnerability

Exactly! In some cases you might be breaking the licensing and IP rights by doing the reverse engineering necessary.

"Who should be responsible for paying for these fixes? The customer, the integrator, or the manufacturer?"

That is the real question. Right now, the answer seems to be "nobody". It's easy to see why, there are points that could be argued from each side.

As an integrator: I feel the manufacturer should invest effort in testing the security of their products. Failing that, they should invest in their reputation and pay to have us fix it.

As an manufacturer: We can't close every possible hole. The integrator should design their network to prevent possible oversights from creating an attack vector. We all need to do our part.

As an end user: Why didn't the integrator recommend I purchase a different product with more security features? Why did I buy brand X when recommended by the integrator in lieu of another integrator selling brand Y?

I'm curious as to why there are folks who voted no and what the argument is? Just curious.

Because honestly, closing up these oversights with firmware updates is all fine and dandy and it should definitely happen, but in the end this hack shows that outside of manufacturers needing tougher firmware and forcing installers into cyber security measures, the INSTALLERS need to shut down avenues for attack as well.

Smarter installers are really the key to securing the products that are out there on the field. Manufacturers can only release what they release, but implementation is the key. Everything about this attack hinged on exploiting easily avoidable oversights. Dahua took the easy way out with their equipment to provide ease of setup, administration, and use. This meant their products were not stupid proof in terms of cyber security. Now the climate has changed to where awareness is necessary at all levels.

For example, John Dillabaugh knows wtf he's doing and he actively seeks out firmware updates to correct his installation difficulties, but he's not crazy enough to rely on manufacturers for his cyber security measures. He doesn't care about me or anyone else holding his hand. He locks down the network that the cameras are on by himself. The only time he really needed us was when the firmware updates he wanted were being rejected by the camera.

Otherwise, for him, it's business as usual and don't let the bad guys in. Plain and simple.

FYI, I voted yes, but I still understand no.

IMHO, and what I've seen from a brief past in Software Development I had in the Past, usually people don't care much about Security in IT and Software Development until they are hit by a big disaster.

And in this case they care less than usual, since the devices being hacked are not necessarily impacted, so no disaster for the owners of the device. The cameras just go back to work on Monday morning like everybody else, until they are needed in the next DDOS attack.

Why don't we have a cloud management system yet to manage installed camera's and other security devices? I'm thinking a system such as it exists in WiFi for example with Aerohove, Mojo Networks, etc etc

You can choose to auto update firmwares or to do it manually if and when you believe it's the right time to do it.

Such a system is also much more interesting to deploy new installs and do mass configuration

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Open vs End-to-End Systems: Integrator Statistics 2019 on Nov 11, 2019
Preference for open systems is on the decline, according to new IPVM statistics. We asked integrators: For video surveillance systems, do you...
Biggest Low Light Problems 2019 on Nov 08, 2019
Over 150 integrators responded to our survey question: "What are the biggest problems you face getting good low-light images?" Inside, we share...
Axis Cracks Down On Illicit Channel Sales on Nov 01, 2019
Axis has stepped up efforts to crack down on illicit channel sales according to various industry sources, though, Axis denies this. Online sales...
Remote Access (DDNS vs P2P vs VPN) Usage Statistics on Oct 25, 2019
Remote access can make systems more usable but also more vulnerable. How are integrators delivring remote access in 2019? How many are using...
Integrated IR Camera Usage Statistics 2019 on Oct 21, 2019
Virtually every IP camera now comes with integrated IR but how many actually make use of IR or choose 'super' low light cameras without IR? In...
Altronix Claims Tango 'Eliminates Electricians' on Oct 15, 2019
Power supply provider Altronix claims its new Tango power supply 'eliminates the need for an electrician, dedicated conduit and wire runs'. In...
Last Chance - Register Now - October 2019 IP Networking Course on Oct 10, 2019
Last Chance - Register Now - Fall 2019 IP Networking Course. The course starts next week. This is the only networking course designed...
Top Ways Security Integrators Improve Their Careers on Sep 03, 2019
With DIY products expanding and the future of integration debated, how do integrators stay sharp so they are not left behind? 180+ integrators...
Critical Vulnerability Across 18+ Network Switch Vendors: Cisco, Netgear, More on Aug 26, 2019
Cisco, Netgear and more than a dozen other brands, including small Asian ones, have been found to share the same critical vulnerability, discovered...
Security Integrators Outlook On Remaining Integrators In 2025 on Aug 22, 2019
The industry has changed substantially in the last decade, with the rise of IP cameras and the race to the bottom. Indeed, more changes may be...

Most Recent Industry Reports

Hikvision Markets Uyghur Ethnicity Analytics, Now Covers Up on Nov 11, 2019
Hikvision has marketed an AI camera that automatically identifies Uyghurs, on its China website, only covering it up days ago after IPVM questioned...
Open vs End-to-End Systems: Integrator Statistics 2019 on Nov 11, 2019
Preference for open systems is on the decline, according to new IPVM statistics. We asked integrators: For video surveillance systems, do you...
Biggest Low Light Problems 2019 on Nov 08, 2019
Over 150 integrators responded to our survey question: "What are the biggest problems you face getting good low-light images?" Inside, we share...
US Issues Criminal Charges For Fraudulently Selling Hikvision And Other China Products on Nov 07, 2019
The US government has made an unprecedented move on the video surveillance supply chain, charging a US company, Aventura for "having conspired with...
The Access Control Codes Guide: IBC, NFPA 72, 80 & 101 on Nov 07, 2019
For access, there is one basic maxim: Life safety above all else. But how do you know if all applicable codes are being followed? While the...
Rhombus Cameras, VMS and Analytics Tested on Nov 06, 2019
Rhombus boasts they have created "the new standard in Enterprise, cloud-managed video security" and told IPVM in January 2019 they offer twice the...
"Stress in the Residential Market" - Major Lender Exits on Nov 06, 2019
The residential security / 'alarm' market is getting worse, at least for traditional players. Now, one of the biggest lenders in the industry has...
Aiphone Video Intercom Tested (IX Series 2) on Nov 05, 2019
Aiphone was one of integrator's favorite intercom manufacturers but how well do their products work? The company's newest offering, the IX Series 2...
90+ Companies Profile Directory on Nov 05, 2019
While IPVM covers the largest companies in the industry regularly (like Axis, Dahua, Hikvision, etc.), IPVM strives to do a profile post on each...
Hikvision USA Fights LTS on Nov 04, 2019
Hikvision's USA subsidiary is fighting with LTS, having recently quietly dropped LTS as an authorized distributor amidst ongoing face-offs between...