Why Surveillance Pros Rationally Won't Care About The Massive Dahua Mirai Attack

By: Brian Karas, Published on Oct 05, 2016

The physical security industry has been fairly indifferent to cyber security (e.g., see the Cyber Security For Video Surveillance Study).

Here, we explain why most video surveillance integrators will not care about the massive Dahua attack, even if they understand it, and its effects.

We look at what led to the existence of Mirai, and why they would rationally be indifferent.

*** ******** ******** ******** has **** ****** *********** ** cyber ******** (*.*., *** the ***** ******** *** ***** Surveillance *****).

****, ** ******* *** **** video ************ *********** **** not **** ***** *** massive ***** ******, **** if **** ********** **, and *** *******.

** **** ** **** led ** *** ********* of *****, *** *** **** would ********** ** ***********.

[***************]

Mirai ****** *** ** ************ ********* *** **** *************

***** ******** *** ******* oversights ** ****** ** ideal ****** ********. *** first ** ** *** part ** *** ************, Dahua, ******** * ************* via ******* ** ****** access ** ***** ******* with ** *** *** the **** ** ******* it. *** ****** ** on *** **** ** installers ******* ******* ********* unchanged, ****** ** ********** easy *** ********* ** gain ****** **** **** connect ** ******.

A **** ******** **** *** **** *** ****

***** ** * ********, using *** ********* ** its **** *** *** own ********, *** ** does *** "****" *** host *** ****** ** inoperable. *******, ** ****** the ****** ********** ********** to *** *** ****, still ******** ** ** operate. **** ** *** part ** *** ****** many ** *** ******** industry **** *** **** more ********* ***** *****, it **** *** ****** break ********.

Mirai Is *** ***** ***

**** ******* **** ***** personal ****, ****** ****:

****** *********
****** **** ****
**** ******* ****
****** ******** *******/********** ** info
*** ****

***** ** *** ****** to *** *** ** this ***********, ** **** infected ******* ** ****** attacks ******* ***** ******** sites.

***** ******** ** ***** do *** ****** *** direct ******* ** ******, this ** *** ***** reason *** ********* *** outrage *** *******, ***** can ****** ***** ******** and **** ** ******* lasting ******* ** ** infection.

Fixes **** *****

******** ********* *** ********** new ******** *** ***** that *** (**** *** users ***********) ******* **** fine ** ** ******* that *** *********** ***** want ** ***, *** even ***** ********* *** likely ** **** ** pay ***. ****, *** Mirai ****** ** ****** to ******** ** ***** for ******, ** **** years, ****** ***** ** some ***** ****** **** causes ****** ** ******** become ********* ** *** it.

Why *** ****** ****

******** ******* ****** **** secure *** ******** ***** they *** *********, *** not ************** *** ******* location (** ******) ** risk. ** ** ******** for **** ** ****** traffic ******, *** *** off ****** ** ********* sites. **** *** **** ******** in *** **** **** smaller ******'* **** ******* problems ** *** ********, and *** *****-******* ****** created ** ***** ** setting *** ******* *** DDoS ******* **********. ********* finding ********** ******** ** their *** ******* ***** security ****** ** ******** may ***** ***** *********** for ********** * "******" system.

Vote - ** *** ****?

Comments (18)

Undisclosed #1

10/05/16 02:22pm

As more contracts start containing indemnification of the client against the fallout of these type of intrusions everyone will start to care more. The theft of credit card data, SSN#s, personal information, and other items have been ramping up the past few years.

You are spot on that this will fly under the radar for nearly everyone. Since there's no visible problem, few (or no one) will invest the effort in hunting for one.

A follow on question to the survey should be:

1. Will you take steps to address in future installs?

2. Will you remedy existing sites which may be affected?

Undisclosed Integrator #2

10/05/16 02:36pm

Who should be responsible for paying for these fixes? The customer, the integrator, or the manufacture? The manufacturer may release new firmware but that doesn't actually fix the issue until it's been installed. For the integrator it costs a lot of money to roll a truck to all sites and upgrade the firmware.

These are all great reasons why it would be nice for manufacturers to start figuring out ways for these cameras to securely get automatic updates or have some kind of integrator cloud management upgrade feature.

Robert Shih

Independent
In reply to Undisclosed Integrator #2 | 10/05/16 03:09pm

Actually, remotely pushed updates can also create a whole new set of security risks. Imagine being able to hijack that mechanism. If attacks were bad before, they'd get truly horrendous then.

Undisclosed Integrator #2

In reply to Robert Shih | 10/05/16 04:13pm

That might be true, but if done correctly it allows for fixing security wholes which can be much better long term. Think about your mobile phones, and so many of the newer IoT devices that all update through secure connections back to the manufactures servers.

Of course this has to be implemented securely and effectively to reduce the hijacking or impersonating risks that come along with it.

If the manufacturers don't have the knowledge to do this, then they should work with third party security experts to create a solution.

the idea of manually updating firmware to continue keeping up with security issues just doesn't make sense long term.

Robert Shih

Independent
In reply to Undisclosed Integrator #2 | 10/05/16 04:39pm

Funny that you mention the cell phone industry, because they've had multiple instances where firmware updates broke scores of end-user devices and unlike security cameras, they can't just take it with them easily to trade it in.

While ideally it can be secure and seamless; logistically, this could easily devolve into a nightmare situation at any one point.

Suffice to say, we can theorize here all day, but in the real world, there is no easy solution that can fix everything and break nothing else along the way. I like the idea of open-source, community driven development for camera firmware, but I would not like to see automatic updates pushed from my camera manufacturer.

A firmware push system also allows for a certain government sponsored company (*cough* Hikvision *cough*) to use that as a backdoor to introduce new backdoors on a situational basis. If any company turns firmware update pushes into the norm, Hikvision will certainly use that to their advantage and follow the trend, pretending that it is an innocuous new feature.

My vote remains a no.

Undisclosed #1

In reply to Robert Shih | 10/05/16 10:25pm

I can see both sides of push updates. It really comes down to how confident you are in the manufacturer being able to properly push updates.

The Hikvision trojan horse infection of their mobile app is one example of why firmware pushes might not be a good idea. Up until that point I would have said it was a great idea. Brian Karas points out later in this thread that digital signing would help prevent that. My concern is whether that would have helped when it is the manufacturer pushing the update?

Another example is when Mcafee pushed updates that bricked a lot of PCs when pushing an update that falsely identified system files on startup.

Brian Karas

IPVM | In reply to Undisclosed #1 | 10/05/16 11:05pm

Digital signing ensures (if done properly) that the firmware originated from the manufacturer, and has not been tampered with or altered. It does not prevent an issue where the firmware is corrupted directly by the manufacturer (either purposefully or accidentally). In essence, you need to have implicit trust in the manufacturer first.

Brian Karas

IPVM | In reply to Robert Shih | 10/05/16 05:03pm

One way to mitigate this is with signed/encrypted firmware, which is an approach that has been around for quite a while (though not very common in security devices).

Robert Shih

Independent
In reply to Brian Karas | 10/05/16 06:15pm

There are many ways we can make it work safely if we put our minds to it, but the opposite holds true. No matter how hard we try to secure this, there are minds out there that can take advantage of this as yet another attack vector given enough determination.

And of course, I'll reiterate, Chinese Government + Hikvision.

Andrew Hogendijk

In reply to Robert Shih | 10/18/16 12:56am

The issue of trust is central to the core of security, both for real-world and cyber arenas. Using an open source OS with complete code inspection and automatic updates (for the OS) will mitigate part of the problem, but will not mitigate or even begin to mange the issue of a rogue codebase specific to the manufacturers hardware.

For example, everybody has probably heard of the Raspberry Pi computer. You can put whatever Linux distribution you feel like on it if you are comfortable with that sort of thing, BUT, and this is the very important bit, you cannot make the OS work without a specific binary file provided by one of the chip manufacturers. So while the OS might be made secure, you can never know what is in that binary file - what features does it actually possess? Does it have a backdoor? Can we even tell? What about a 'sleeper' command that activates hidden features?

So there are really two parts to this from a hardware point of view - the underlying OS and its features, and then the actual firmware code that makes the particular device work. Unless you can trust the manufacturer you are already boned and there is no way around that.

To be as sure as possible about keeping the devices both up-to-date and maintaining network security simultaneously requires a defence-in-depth approach. This is not something that the electronic security industry has typically engaged in for IT networks and is a separate and specialised skillset. There is no 'black-box' or silver bullet to manage this unfortunately.

The only other way I can think of to secure an IP based camera system is to have it separated entirely from the internet and anything else. You cant attack it if it is isolated in that way.

So in the end the problem is bigger than just firmware alone. Its a whole trust assessment process, design process and risk management. Like all things in security - how far do you go to reasonably mitigate risk?

Undisclosed #3

IPVMU Certified | In reply to Andrew Hogendijk | 10/18/16 01:03am

...you can never know about that binary file...

Not without a lot of effort.

Related: SOC Microcode Vulnerability

Andrew Hogendijk

In reply to Undisclosed #3 | 10/18/16 01:44am

Exactly! In some cases you might be breaking the licensing and IP rights by doing the reverse engineering necessary.

Undisclosed #1

In reply to Undisclosed Integrator #2 | 10/05/16 10:16pm

"Who should be responsible for paying for these fixes? The customer, the integrator, or the manufacturer?"

That is the real question. Right now, the answer seems to be "nobody". It's easy to see why, there are points that could be argued from each side.

As an integrator: I feel the manufacturer should invest effort in testing the security of their products. Failing that, they should invest in their reputation and pay to have us fix it.

As an manufacturer: We can't close every possible hole. The integrator should design their network to prevent possible oversights from creating an attack vector. We all need to do our part.

As an end user: Why didn't the integrator recommend I purchase a different product with more security features? Why did I buy brand X when recommended by the integrator in lieu of another integrator selling brand Y?

Marco Sanchez

10/05/16 04:32pm

I'm curious as to why there are folks who voted no and what the argument is? Just curious.

Robert Shih

Independent
In reply to Marco Sanchez | 10/05/16 06:29pm

Because honestly, closing up these oversights with firmware updates is all fine and dandy and it should definitely happen, but in the end this hack shows that outside of manufacturers needing tougher firmware and forcing installers into cyber security measures, the INSTALLERS need to shut down avenues for attack as well.

Smarter installers are really the key to securing the products that are out there on the field. Manufacturers can only release what they release, but implementation is the key. Everything about this attack hinged on exploiting easily avoidable oversights. Dahua took the easy way out with their equipment to provide ease of setup, administration, and use. This meant their products were not stupid proof in terms of cyber security. Now the climate has changed to where awareness is necessary at all levels.

For example, John Dillabaugh knows wtf he's doing and he actively seeks out firmware updates to correct his installation difficulties, but he's not crazy enough to rely on manufacturers for his cyber security measures. He doesn't care about me or anyone else holding his hand. He locks down the network that the cameras are on by himself. The only time he really needed us was when the firmware updates he wanted were being rejected by the camera.

Otherwise, for him, it's business as usual and don't let the bad guys in. Plain and simple.

FYI, I voted yes, but I still understand no.

Ricardo Souza

IndigoVision Ltd
IPVMU Certified | 10/13/16 07:27pm

IMHO, and what I've seen from a brief past in Software Development I had in the Past, usually people don't care much about Security in IT and Software Development until they are hit by a big disaster.

Undisclosed #3

IPVMU Certified | In reply to Ricardo Souza | 10/14/16 03:33am

And in this case they care less than usual, since the devices being hacked are not necessarily impacted, so no disaster for the owners of the device. The cameras just go back to work on Monday morning like everybody else, until they are needed in the next DDOS attack.

Gert Molkens

IPVMU Certified | 10/14/16 05:11am

Why don't we have a cloud management system yet to manage installed camera's and other security devices? I'm thinking a system such as it exists in WiFi for example with Aerohove, Mojo Networks, etc etc

You can choose to auto update firmwares or to do it manually if and when you believe it's the right time to do it.

Such a system is also much more interesting to deploy new installs and do mass configuration