Why Surveillance Pros Rationally Won't Care About The Massive Dahua Mirai Attack

Author: Brian Karas, Published on Oct 05, 2016

The physical security industry has been fairly indifferent to cyber security (e.g., see the Cyber Security For Video Surveillance Study).

Here, we explain why most video surveillance integrators will not care about the massive Dahua attack, even if they understand it, and its effects.

We look at what led to the existence of Mirai, and why they would rationally be indifferent.

*** ******** ******** ******** *** **** ****** *********** ** ***** security (*.*., *** ******** ******** *** ***** ************ *****).

****, ** ******* *** **** ***** ************ *********** **** *** care ***** *** ******* ***** ******, **** ** **** ********** it, *** *** *******.

** **** ** **** *** ** *** ********* ** *****, and *** **** ***** ********** ** ***********.

[***************]

Mirai ****** *** ** ************ ********* *** **** *************

***** ******** *** ******* ********** ** ****** ** ***** ****** scenario. *** ***** ** ** *** **** ** *** ************, Dahua, ******** * ************* *** ******* ** ****** ****** ** their ******* **** ** *** *** *** **** ** ******* it. *** ****** ** ** *** **** ** ********** ******* default ********* *********, ****** ** ********** **** *** ********* ** gain ****** **** **** ******* ** ******.

A **** ******** **** *** **** *** ****

***** ** * ********, ***** *** ********* ** *** **** for *** *** ********, *** ** **** *** "****" *** host *** ****** ** **********. *******, ** ****** *** ****** relatively ********** ** *** *** ****, ***** ******** ** ** operate. **** ** *** **** ** *** ****** **** ** the ******** ******** **** *** **** **** ********* ***** *****, it **** *** ****** ***** ********.

Mirai ** *** ***** ***

**** ******* **** ***** ******** ****, ****** ****:

  • ****** *********
  • ****** **** ****
  • **** ******* ****
  • ****** ******** *******/********** ** ****
  • *** ****

***** ** *** ****** ** *** *** ** **** ***********, it **** ******** ******* ** ****** ******* ******* ***** ******** sites.

***** ******** ** ***** ** *** ****** *** ****** ******* or ******, **** ** *** ***** ****** *** ********* *** outrage *** *******, ***** *** ****** ***** ******** *** **** on ******* ******* ******* ** ** *********.

Fixes **** *****

******** ********* *** ********** *** ******** *** ***** **** *** (from *** ***** ***********) ******* **** **** ** ** ******* that *** *********** ***** **** ** ***, *** **** ***** customers *** ****** ** **** ** *** ***. ****, *** Mirai ****** ** ****** ** ******** ** ***** *** ******, or **** *****, ****** ***** ** **** ***** ****** **** causes ****** ** ******** ****** ********* ** *** **.

Why *** ****** ****

******** ******* ****** **** ****** *** ******** ***** **** *** installed, *** *** ************** *** ******* ******** (** ******) ** risk. ** ** ******** *** **** ** ****** ******* ******, and *** *** ****** ** ********* *****. **** *** **** proposed ** *** **** **** ******* ******'* **** ******* ******** on *** ********, *** *** *****-******* ****** ******* ** ***** is ******* *** ******* *** **** ******* **********. ********* ******* themselves ******** ** ***** *** ******* ***** ******** ****** ** infected *** ***** ***** *********** *** ********** * "******" ******.

Vote - ** *** ****?

Comments (18)

As more contracts start containing indemnification of the client against the fallout of these type of intrusions everyone will start to care more. The theft of credit card data, SSN#s, personal information, and other items have been ramping up the past few years.

You are spot on that this will fly under the radar for nearly everyone. Since there's no visible problem, few (or no one) will invest the effort in hunting for one.

A follow on question to the survey should be:

1. Will you take steps to address in future installs?

2. Will you remedy existing sites which may be affected?

Who should be responsible for paying for these fixes? The customer, the integrator, or the manufacture? The manufacturer may release new firmware but that doesn't actually fix the issue until it's been installed. For the integrator it costs a lot of money to roll a truck to all sites and upgrade the firmware.

These are all great reasons why it would be nice for manufacturers to start figuring out ways for these cameras to securely get automatic updates or have some kind of integrator cloud management upgrade feature.

Actually, remotely pushed updates can also create a whole new set of security risks. Imagine being able to hijack that mechanism. If attacks were bad before, they'd get truly horrendous then.

That might be true, but if done correctly it allows for fixing security wholes which can be much better long term. Think about your mobile phones, and so many of the newer IoT devices that all update through secure connections back to the manufactures servers.

Of course this has to be implemented securely and effectively to reduce the hijacking or impersonating risks that come along with it.

If the manufacturers don't have the knowledge to do this, then they should work with third party security experts to create a solution.

the idea of manually updating firmware to continue keeping up with security issues just doesn't make sense long term.

Funny that you mention the cell phone industry, because they've had multiple instances where firmware updates broke scores of end-user devices and unlike security cameras, they can't just take it with them easily to trade it in.

While ideally it can be secure and seamless; logistically, this could easily devolve into a nightmare situation at any one point.

Suffice to say, we can theorize here all day, but in the real world, there is no easy solution that can fix everything and break nothing else along the way. I like the idea of open-source, community driven development for camera firmware, but I would not like to see automatic updates pushed from my camera manufacturer.

A firmware push system also allows for a certain government sponsored company (*cough* Hikvision *cough*) to use that as a backdoor to introduce new backdoors on a situational basis. If any company turns firmware update pushes into the norm, Hikvision will certainly use that to their advantage and follow the trend, pretending that it is an innocuous new feature.

My vote remains a no.

I can see both sides of push updates. It really comes down to how confident you are in the manufacturer being able to properly push updates.

The Hikvision trojan horse infection of their mobile app is one example of why firmware pushes might not be a good idea. Up until that point I would have said it was a great idea. Brian Karas points out later in this thread that digital signing would help prevent that. My concern is whether that would have helped when it is the manufacturer pushing the update?

Another example is when Mcafee pushed updates that bricked a lot of PCs when pushing an update that falsely identified system files on startup.

Digital signing ensures (if done properly) that the firmware originated from the manufacturer, and has not been tampered with or altered. It does not prevent an issue where the firmware is corrupted directly by the manufacturer (either purposefully or accidentally). In essence, you need to have implicit trust in the manufacturer first.

One way to mitigate this is with signed/encrypted firmware, which is an approach that has been around for quite a while (though not very common in security devices).

There are many ways we can make it work safely if we put our minds to it, but the opposite holds true. No matter how hard we try to secure this, there are minds out there that can take advantage of this as yet another attack vector given enough determination.

And of course, I'll reiterate, Chinese Government + Hikvision.

The issue of trust is central to the core of security, both for real-world and cyber arenas. Using an open source OS with complete code inspection and automatic updates (for the OS) will mitigate part of the problem, but will not mitigate or even begin to mange the issue of a rogue codebase specific to the manufacturers hardware.

For example, everybody has probably heard of the Raspberry Pi computer. You can put whatever Linux distribution you feel like on it if you are comfortable with that sort of thing, BUT, and this is the very important bit, you cannot make the OS work without a specific binary file provided by one of the chip manufacturers. So while the OS might be made secure, you can never know what is in that binary file - what features does it actually possess? Does it have a backdoor? Can we even tell? What about a 'sleeper' command that activates hidden features?

So there are really two parts to this from a hardware point of view - the underlying OS and its features, and then the actual firmware code that makes the particular device work. Unless you can trust the manufacturer you are already boned and there is no way around that.

To be as sure as possible about keeping the devices both up-to-date and maintaining network security simultaneously requires a defence-in-depth approach. This is not something that the electronic security industry has typically engaged in for IT networks and is a separate and specialised skillset. There is no 'black-box' or silver bullet to manage this unfortunately.

The only other way I can think of to secure an IP based camera system is to have it separated entirely from the internet and anything else. You cant attack it if it is isolated in that way.

So in the end the problem is bigger than just firmware alone. Its a whole trust assessment process, design process and risk management. Like all things in security - how far do you go to reasonably mitigate risk?

...you can never know about that binary file...

Not without a lot of effort.

Related: SOC Microcode Vulnerability

Exactly! In some cases you might be breaking the licensing and IP rights by doing the reverse engineering necessary.

"Who should be responsible for paying for these fixes? The customer, the integrator, or the manufacturer?"

That is the real question. Right now, the answer seems to be "nobody". It's easy to see why, there are points that could be argued from each side.

As an integrator: I feel the manufacturer should invest effort in testing the security of their products. Failing that, they should invest in their reputation and pay to have us fix it.

As an manufacturer: We can't close every possible hole. The integrator should design their network to prevent possible oversights from creating an attack vector. We all need to do our part.

As an end user: Why didn't the integrator recommend I purchase a different product with more security features? Why did I buy brand X when recommended by the integrator in lieu of another integrator selling brand Y?

I'm curious as to why there are folks who voted no and what the argument is? Just curious.

Because honestly, closing up these oversights with firmware updates is all fine and dandy and it should definitely happen, but in the end this hack shows that outside of manufacturers needing tougher firmware and forcing installers into cyber security measures, the INSTALLERS need to shut down avenues for attack as well.

Smarter installers are really the key to securing the products that are out there on the field. Manufacturers can only release what they release, but implementation is the key. Everything about this attack hinged on exploiting easily avoidable oversights. Dahua took the easy way out with their equipment to provide ease of setup, administration, and use. This meant their products were not stupid proof in terms of cyber security. Now the climate has changed to where awareness is necessary at all levels.

For example, John Dillabaugh knows wtf he's doing and he actively seeks out firmware updates to correct his installation difficulties, but he's not crazy enough to rely on manufacturers for his cyber security measures. He doesn't care about me or anyone else holding his hand. He locks down the network that the cameras are on by himself. The only time he really needed us was when the firmware updates he wanted were being rejected by the camera.

Otherwise, for him, it's business as usual and don't let the bad guys in. Plain and simple.

FYI, I voted yes, but I still understand no.

IMHO, and what I've seen from a brief past in Software Development I had in the Past, usually people don't care much about Security in IT and Software Development until they are hit by a big disaster.

And in this case they care less than usual, since the devices being hacked are not necessarily impacted, so no disaster for the owners of the device. The cameras just go back to work on Monday morning like everybody else, until they are needed in the next DDOS attack.

Why don't we have a cloud management system yet to manage installed camera's and other security devices? I'm thinking a system such as it exists in WiFi for example with Aerohove, Mojo Networks, etc etc

You can choose to auto update firmwares or to do it manually if and when you believe it's the right time to do it.

Such a system is also much more interesting to deploy new installs and do mass configuration

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Integrator Laptop Guide on Oct 16, 2018
This 18-page guide provides guidance and statistics about integrator laptop use. 150 integrators explained to IPVM in detail about their laptops,...
"New Zealand Govt Uses Chinese Cameras Banned In US", Considers Security Audit on Oct 12, 2018
Newsroom NZ has issued a report: "NZ Govt uses Chinese cameras banned in US": This comes after the US federal government banned purchases of...
Security System Health Monitoring Usage Statistics 2018 on Oct 09, 2018
How well and quickly do integrators know if devices are offline or broken? New IPVM statistics show that typically no health monitoring is...
China Hacks Video Servers Causing Uproar on Oct 05, 2018
An incident causing an international uproar is hitting home in the video surveillance industry as a Bloomberg report, "The Big Hack: How China...
Network Cable Testing Guide on Oct 02, 2018
Proper cable installation is key to trouble-free surveillance systems. However, testing is often an afterthought, with problems only discovered...
Genetec Takes Aim At 'Untrustworthy' 'Foreign Government-Owned Vendors' on Sep 24, 2018
Genetec is taking aim at 'untrustworthy' 'foreign government-owned vendors'. This is not a new theme for Genetec as nearly 2 years ago, Genetec...
Favorite Request-to-Exit (RTE) Manufacturers 2018 on Sep 19, 2018
Request To Exit devices like motion sensors and lock releasing push-buttons are a part of almost every access install, but who makes the equipment...
Favorite Intercom Manufacturers 2018 on Sep 14, 2018
Intercoms are certainly increasing in popularity, driven by the integration of video and IP networking. But who is the favorite? On the one side,...
Stanley Security Acquires 3xLogic, Kushner Becomes Product President on Sep 10, 2018
Stanley Security acquired 3xLogic a few months ago. However, the company has still not officially publicly announced it, leading many to wonder...
Dell Launches IoT for Surveillance on Sep 05, 2018
Historically, Dell has been a PC and server provider (e.g., "Dude, you're getting a Dell") and widely used for surveillance storage. However, in...

Most Recent Industry Reports

Startup SafePass Profile on Oct 19, 2018
A major problem with visitor management is that the systems mostly require adhesive printed paper labels and paper logs, creating waste and an...
China Is Not A Security Megatrend, Says SIA on Oct 19, 2018
The US Security Industry Association has released its 10 "Security Megatrends" for 2019. SIA declares that these megatrends, such as "Advanced...
Hanwha Dual Imager Dome Camera Tested (PNM-7000VD) on Oct 18, 2018
Hanwha has introduced their first dual-imager model, the PNM-7000VD, a twin 1080p model featuring independently positionable sensors and a snap-in...
Camera Height / Blind Spot Added to IPVM Camera Calculator on Oct 18, 2018
IPVM has added camera height and blind spot estimation to the Camera Calculator. This is especially helpful for those who need to mount cameras up...
Axis Strong US Growth, Flat EMEA - Q3 2018 Financials on Oct 18, 2018
This spring, Axis had its best financials in many years (see Axis Strong Q2 2018 Results). However, over the summer, Axis had many products sold...
Best Alternatives to Banned Dahua and Hikvision on Oct 17, 2018
With the US government ban and a growing number of users banning Dahua and Hikvision, one key question is what to use for low cost? While Dahua and...
Video Quality / Compression Tutorial on Oct 17, 2018
While CODECs, like H.264, H.265, and MJPEG, get a lot of attention, a camera's 'quality' or compression setting has a big impact on overall...
Knightscope Winning Investors, Struggling With Growth on Oct 16, 2018
While Knightscope's new financials show the company only winning 11 new customers in the past 12 months, the company continues to win new...
Integrator Laptop Guide on Oct 16, 2018
This 18-page guide provides guidance and statistics about integrator laptop use. 150 integrators explained to IPVM in detail about their laptops,...
Huawei Admits AI "Bubble" on Oct 16, 2018
A fascinating article from the Chinese government's Global Times: Huawei’s AI ambition to reshape industries. While the Global Times talks about...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact