Why Surveillance Pros Rationally Won't Care About The Massive Dahua Mirai Attack

By: Brian Karas, Published on Oct 05, 2016

The physical security industry has been fairly indifferent to cyber security (e.g., see the Cyber Security For Video Surveillance Study).

Here, we explain why most video surveillance integrators will not care about the massive Dahua attack, even if they understand it, and its effects.

We look at what led to the existence of Mirai, and why they would rationally be indifferent.

*** ******** ******** ******** has **** ****** *********** ** cyber ******** (*.*., *** the ***** ******** *** ***** Surveillance *****).

****, ** ******* *** **** video ************ *********** **** not **** ***** *** massive ***** ******, **** if **** ********** **, and *** *******.

** **** ** **** led ** *** ********* of *****, *** *** **** would ********** ** ***********.

[***************]

Mirai ****** *** ** ************ ********* *** **** *************

***** ******** *** ******* oversights ** ****** ** ideal ****** ********. *** first ** ** *** part ** *** ************, Dahua, ******** * ************* via ******* ** ****** access ** ***** ******* with ** *** *** the **** ** ******* it. *** ****** ** on *** **** ** installers ******* ******* ********* unchanged, ****** ** ********** easy *** ********* ** gain ****** **** **** connect ** ******.

A **** ******** **** *** **** *** ****

***** ** * ********, using *** ********* ** its **** *** *** own ********, *** ** does *** "****" *** host *** ****** ** inoperable. *******, ** ****** the ****** ********** ********** to *** *** ****, still ******** ** ** operate. **** ** *** part ** *** ****** many ** *** ******** industry **** *** **** more ********* ***** *****, it **** *** ****** break ********.

Mirai Is *** ***** ***

**** ******* **** ***** personal ****, ****** ****:

  • ****** *********
  • ****** **** ****
  • **** ******* ****
  • ****** ******** *******/********** ** info
  • *** ****

***** ** *** ****** to *** *** ** this ***********, ** **** infected ******* ** ****** attacks ******* ***** ******** sites.

***** ******** ** ***** do *** ****** *** direct ******* ** ******, this ** *** ***** reason *** ********* *** outrage *** *******, ***** can ****** ***** ******** and **** ** ******* lasting ******* ** ** infection.

Fixes **** *****

******** ********* *** ********** new ******** *** ***** that *** (**** *** users ***********) ******* **** fine ** ** ******* that *** *********** ***** want ** ***, *** even ***** ********* *** likely ** **** ** pay ***. ****, *** Mirai ****** ** ****** to ******** ** ***** for ******, ** **** years, ****** ***** ** some ***** ****** **** causes ****** ** ******** become ********* ** *** it.

Why *** ****** ****

******** ******* ****** **** secure *** ******** ***** they *** *********, *** not ************** *** ******* location (** ******) ** risk. ** ** ******** for **** ** ****** traffic ******, *** *** off ****** ** ********* sites. **** *** **** ******** in *** **** **** smaller ******'* **** ******* problems ** *** ********, and *** *****-******* ****** created ** ***** ** setting *** ******* *** DDoS ******* **********. ********* finding ********** ******** ** their *** ******* ***** security ****** ** ******** may ***** ***** *********** for ********** * "******" system.

Vote - ** *** ****?

Comments (18)

As more contracts start containing indemnification of the client against the fallout of these type of intrusions everyone will start to care more. The theft of credit card data, SSN#s, personal information, and other items have been ramping up the past few years.

You are spot on that this will fly under the radar for nearly everyone. Since there's no visible problem, few (or no one) will invest the effort in hunting for one.

A follow on question to the survey should be:

1. Will you take steps to address in future installs?

2. Will you remedy existing sites which may be affected?

Who should be responsible for paying for these fixes? The customer, the integrator, or the manufacture? The manufacturer may release new firmware but that doesn't actually fix the issue until it's been installed. For the integrator it costs a lot of money to roll a truck to all sites and upgrade the firmware.

These are all great reasons why it would be nice for manufacturers to start figuring out ways for these cameras to securely get automatic updates or have some kind of integrator cloud management upgrade feature.

Actually, remotely pushed updates can also create a whole new set of security risks. Imagine being able to hijack that mechanism. If attacks were bad before, they'd get truly horrendous then.

That might be true, but if done correctly it allows for fixing security wholes which can be much better long term. Think about your mobile phones, and so many of the newer IoT devices that all update through secure connections back to the manufactures servers.

Of course this has to be implemented securely and effectively to reduce the hijacking or impersonating risks that come along with it.

If the manufacturers don't have the knowledge to do this, then they should work with third party security experts to create a solution.

the idea of manually updating firmware to continue keeping up with security issues just doesn't make sense long term.

Funny that you mention the cell phone industry, because they've had multiple instances where firmware updates broke scores of end-user devices and unlike security cameras, they can't just take it with them easily to trade it in.

While ideally it can be secure and seamless; logistically, this could easily devolve into a nightmare situation at any one point.

Suffice to say, we can theorize here all day, but in the real world, there is no easy solution that can fix everything and break nothing else along the way. I like the idea of open-source, community driven development for camera firmware, but I would not like to see automatic updates pushed from my camera manufacturer.

A firmware push system also allows for a certain government sponsored company (*cough* Hikvision *cough*) to use that as a backdoor to introduce new backdoors on a situational basis. If any company turns firmware update pushes into the norm, Hikvision will certainly use that to their advantage and follow the trend, pretending that it is an innocuous new feature.

My vote remains a no.

I can see both sides of push updates. It really comes down to how confident you are in the manufacturer being able to properly push updates.

The Hikvision trojan horse infection of their mobile app is one example of why firmware pushes might not be a good idea. Up until that point I would have said it was a great idea. Brian Karas points out later in this thread that digital signing would help prevent that. My concern is whether that would have helped when it is the manufacturer pushing the update?

Another example is when Mcafee pushed updates that bricked a lot of PCs when pushing an update that falsely identified system files on startup.

Digital signing ensures (if done properly) that the firmware originated from the manufacturer, and has not been tampered with or altered. It does not prevent an issue where the firmware is corrupted directly by the manufacturer (either purposefully or accidentally). In essence, you need to have implicit trust in the manufacturer first.

One way to mitigate this is with signed/encrypted firmware, which is an approach that has been around for quite a while (though not very common in security devices).

There are many ways we can make it work safely if we put our minds to it, but the opposite holds true. No matter how hard we try to secure this, there are minds out there that can take advantage of this as yet another attack vector given enough determination.

And of course, I'll reiterate, Chinese Government + Hikvision.

The issue of trust is central to the core of security, both for real-world and cyber arenas. Using an open source OS with complete code inspection and automatic updates (for the OS) will mitigate part of the problem, but will not mitigate or even begin to mange the issue of a rogue codebase specific to the manufacturers hardware.

For example, everybody has probably heard of the Raspberry Pi computer. You can put whatever Linux distribution you feel like on it if you are comfortable with that sort of thing, BUT, and this is the very important bit, you cannot make the OS work without a specific binary file provided by one of the chip manufacturers. So while the OS might be made secure, you can never know what is in that binary file - what features does it actually possess? Does it have a backdoor? Can we even tell? What about a 'sleeper' command that activates hidden features?

So there are really two parts to this from a hardware point of view - the underlying OS and its features, and then the actual firmware code that makes the particular device work. Unless you can trust the manufacturer you are already boned and there is no way around that.

To be as sure as possible about keeping the devices both up-to-date and maintaining network security simultaneously requires a defence-in-depth approach. This is not something that the electronic security industry has typically engaged in for IT networks and is a separate and specialised skillset. There is no 'black-box' or silver bullet to manage this unfortunately.

The only other way I can think of to secure an IP based camera system is to have it separated entirely from the internet and anything else. You cant attack it if it is isolated in that way.

So in the end the problem is bigger than just firmware alone. Its a whole trust assessment process, design process and risk management. Like all things in security - how far do you go to reasonably mitigate risk?

...you can never know about that binary file...

Not without a lot of effort.

Related: SOC Microcode Vulnerability

Exactly! In some cases you might be breaking the licensing and IP rights by doing the reverse engineering necessary.

"Who should be responsible for paying for these fixes? The customer, the integrator, or the manufacturer?"

That is the real question. Right now, the answer seems to be "nobody". It's easy to see why, there are points that could be argued from each side.

As an integrator: I feel the manufacturer should invest effort in testing the security of their products. Failing that, they should invest in their reputation and pay to have us fix it.

As an manufacturer: We can't close every possible hole. The integrator should design their network to prevent possible oversights from creating an attack vector. We all need to do our part.

As an end user: Why didn't the integrator recommend I purchase a different product with more security features? Why did I buy brand X when recommended by the integrator in lieu of another integrator selling brand Y?

I'm curious as to why there are folks who voted no and what the argument is? Just curious.

Because honestly, closing up these oversights with firmware updates is all fine and dandy and it should definitely happen, but in the end this hack shows that outside of manufacturers needing tougher firmware and forcing installers into cyber security measures, the INSTALLERS need to shut down avenues for attack as well.

Smarter installers are really the key to securing the products that are out there on the field. Manufacturers can only release what they release, but implementation is the key. Everything about this attack hinged on exploiting easily avoidable oversights. Dahua took the easy way out with their equipment to provide ease of setup, administration, and use. This meant their products were not stupid proof in terms of cyber security. Now the climate has changed to where awareness is necessary at all levels.

For example, John Dillabaugh knows wtf he's doing and he actively seeks out firmware updates to correct his installation difficulties, but he's not crazy enough to rely on manufacturers for his cyber security measures. He doesn't care about me or anyone else holding his hand. He locks down the network that the cameras are on by himself. The only time he really needed us was when the firmware updates he wanted were being rejected by the camera.

Otherwise, for him, it's business as usual and don't let the bad guys in. Plain and simple.

FYI, I voted yes, but I still understand no.

IMHO, and what I've seen from a brief past in Software Development I had in the Past, usually people don't care much about Security in IT and Software Development until they are hit by a big disaster.

And in this case they care less than usual, since the devices being hacked are not necessarily impacted, so no disaster for the owners of the device. The cameras just go back to work on Monday morning like everybody else, until they are needed in the next DDOS attack.

Why don't we have a cloud management system yet to manage installed camera's and other security devices? I'm thinking a system such as it exists in WiFi for example with Aerohove, Mojo Networks, etc etc

You can choose to auto update firmwares or to do it manually if and when you believe it's the right time to do it.

Such a system is also much more interesting to deploy new installs and do mass configuration

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Remote Access (DDNS vs P2P vs VPN) Usage Statistics 2019 on Oct 25, 2019
Remote access can make systems more usable but also more vulnerable. How are integrators delivring remote access in 2019? How many are using...
ONVIF Exposure To "Devastating DDoS Attacks" Examined on Sep 06, 2019
ZDnet reported "Protocol used by 630,000 devices can be abused for devastating DDoS attacks", citing exposure of ONVIF devices. And after an...
Warning: Windows 7 Update Crashing NVRs on Aug 26, 2019
Windows 7 updates are causing VMS servers to fail to boot. After running the update, impacted systems do not boot as normal, instead display this...
Critical Vulnerability Across 18+ Network Switch Vendors: Cisco, Netgear, More on Aug 26, 2019
Cisco, Netgear and more than a dozen other brands, including small Asian ones, have been found to share the same critical vulnerability, discovered...
Axis Suffers Outage, Provides Postmortem on Aug 15, 2019
This week, Axis suffered an outage impacting their website and cloud services. Inside this note, we examined what happened, what was impacted...
Dahua Wiretapping Vulnerability on Aug 02, 2019
IPVM has validated, with testing, and from Dahua, that many Dahua cameras have a wiretapping vulnerability. Even if the camera's audio has been...
LifeSafety Power NetLink Vulnerabilities And Problematic Response on May 20, 2019
'Power supplies' are not devices that many think about when considering vulnerabilities but as more and more devices go 'online', the risks for...
Security Fail: ASISNYC Auto Emails Passwords In Plain Text on May 14, 2019
ASIS NYC automatically emails a user with the password the user just entered, in plain text, when one registers for the site / event, as the...
Verint Victimized By Ransomware on Apr 18, 2019
Verint, which is best known in the physical security industry for video surveillance but has built a sizeable cybersecurity business as well, was...
HTTPS / SSL Video Surveillance Usage Statistics on Apr 01, 2019
HTTPS / SSL / TLS usage has become commonplace for websites to improve security and, in particular, to help mitigate attackers reading or modifying...

Most Recent Industry Reports

Proxy Presents Mobile Credentials For BLE Devices and Access on May 29, 2020
Proxy presented Mobile Credentials For BLE Devices and Access at the May 2020 IPVM Startups show. Inside this report: A 30-minute video...
ISC West 2020 Moves To The Basement on May 29, 2020
The twice cancelled/postponed show will now not only be held in a different month (October) but on a different floor, moving down to the...
Integrators Avoiding Coronavirus Air Travel on May 29, 2020
IPVM asked integrators if air travel is part of their 2020 plans to see how significantly Coronavirus will impact future...
Viakoo Presents Cyber Hygiene for Cameras on May 28, 2020
Viakoo presented its 'Cyber Hygiene' and 'Service Assurance' products at the April 2020 IPVM New Products show. Inside this report: A...
Seek Scan Thermal Temperature Screening System ReTested on May 28, 2020
Now that IPVM has tested Dahua, Hikvision, and Sunell, we are returning to Seek, the first blackbody system we tested and retested it with our...
Directory of 110 "Fever" Camera Suppliers on May 28, 2020
This directory provides a list of "Fever" scanning thermal camera providers to help you see and research what options are available. There are...
Fever Cameras Are Medical Devices, Per The FDA, Dahua, Feevr, Hikvision, InVid Contrary Claims Are False on May 28, 2020
Fever cameras are medical devices, despite what euphemisms various sellers use. The US FDA clearly categorizes them as medical devices and...
Wyze Raises $10 Million And Seeks Services Expansion on May 27, 2020
Wyze has raised $10 million, the company's first disclosed raise since the $20 million announced at the beginning of 2019. Inside this note,...
"Fever Camera" Show June 2020 Next Tuesday on May 27, 2020
IPVM is excited for the world's first "Fever Camera" show, to be held next Tuesday June 2nd and Wednesday the 3rd from 11am to 3pm EDT, giving you...
Startup Videoloft Presents Cloud Storage on May 27, 2020
Videoloft presented offsite cloud storage at the May 2020 IPVM Startups show. A 30-minute video from Videoloft including IPVM...