Why Surveillance Pros Rationally Won't Care About The Massive Dahua Mirai Attack

By: Brian Karas, Published on Oct 05, 2016

The physical security industry has been fairly indifferent to cyber security (e.g., see the Cyber Security For Video Surveillance Study).

Here, we explain why most video surveillance integrators will not care about the massive Dahua attack, even if they understand it and its effects.

We look at what led to the existence of Mirai, and why they would rationally be indifferent.


Mirai ****** *** ** ************ ********* *** **** *************

***** ******** *** ******* oversights ** ****** ** ideal ****** ********. *** first ** ** *** part ** *** ************, Dahua, ******** * ************* via ******* ** ****** access ** ***** ******* with ** *** *** the **** ** ******* it. *** ****** ** on *** **** ** installers ******* ******* ********* unchanged, ****** ** ********** easy *** ********* ** gain ****** **** **** connect ** ******.

A **** ******** **** *** **** *** ****

***** ** * ********, using *** ********* ** its **** *** *** own ********, *** ** does *** "****" *** host *** ****** ** inoperable. *******, ** ****** the ****** ********** ********** to *** *** ****, still ******** ** ** operate. **** ** *** part ** *** ****** many ** *** ******** industry **** *** **** more ********* ***** *****, it **** *** ****** break ********.

Mirai Is *** ***** ***

**** ******* **** ***** personal ****, ****** ****:

  • ****** *********
  • ****** **** ****
  • **** ******* ****
  • ****** ******** *******/********** ** info
  • *** ****

***** ** *** ****** to *** *** ** this ***********, ** **** infected ******* ** ****** attacks ******* ***** ******** sites.

***** ******** ** ***** do *** ****** *** direct ******* ** ******, this ** *** ***** reason *** ********* *** outrage *** *******, ***** can ****** ***** ******** and **** ** ******* lasting ******* ** ** infection.

Fixes **** *****

******** ********* *** ********** new ******** *** ***** that *** (**** *** users ***********) ******* **** fine ** ** ******* that *** *********** ***** want ** ***, *** even ***** ********* *** likely ** **** ** pay ***. ****, *** Mirai ****** ** ****** to ******** ** ***** for ******, ** **** years, ****** ***** ** some ***** ****** **** causes ****** ** ******** become ********* ** *** it.

Why *** ****** ****

******** ******* ****** **** secure *** ******** ***** they *** *********, *** not ************** *** ******* location (** ******) ** risk. ** ** ******** for **** ** ****** traffic ******, *** *** off ****** ** ********* sites. **** *** **** ******** in *** **** **** smaller ******'* **** ******* problems ** *** ********, and *** *****-******* ****** created ** ***** ** setting *** ******* *** DDoS ******* **********. ********* finding ********** ******** ** their *** ******* ***** security ****** ** ******** may ***** ***** *********** for ********** * "******" system.

Vote - ** *** ****?

Comments (18)

As more contracts start containing indemnification of the client against the fallout of these types of intrusions everyone will start to care more. The theft of credit card data, SSN#s, personal information, and other items have been ramping up the past few years.

You are spot on that this will fly under the radar for nearly everyone. Since there's no visible problem, few (or no one) will invest the effort in hunting for one.

A follow-on question to the survey should be:

1. Will you take steps to address in future installs?

2. Will you remedy existing sites which may be affected?

Who should be responsible for paying for these fixes? The customer, the integrator, or the manufacturer? The manufacturer may release new firmware but that doesn't actually fix the issue until it's been installed. For the integrator it costs a lot of money to roll a truck to all sites and upgrade the firmware.

These are all great reasons why it would be nice for manufacturers to start figuring out ways for these cameras to securely get automatic updates or have some kind of integrator cloud management upgrade feature.

Actually, remotely pushed updates can also create a whole new set of security risks. Imagine being able to hijack that mechanism. If attacks were bad before, they'd get truly horrendous then.

That might be true, but if done correctly it allows for fixing security holes which can be much better long term. Think about your mobile phones, and so many of the newer IoT devices that all update through secure connections back to the manufacturers' servers.

Of course this has to be implemented securely and effectively to reduce the hijacking or impersonating risks that come along with it.

If the manufacturers don't have the knowledge to do this, then they should work with third party security experts to create a solution.

The idea of manually updating firmware to continue keeping up with security issues just doesn't make sense long term.

Funny that you mention the cell phone industry, because they've had multiple instances where firmware updates broke scores of end-user devices and unlike security cameras, they can't just take it with them easily to trade it in.

While ideally it can be secure and seamless; logistically, this could easily devolve into a nightmare situation at any one point.

Suffice to say, we can theorize here all day, but in the real world, there is no easy solution that can fix everything and break nothing else along the way. I like the idea of open-source, community driven development for camera firmware, but I would not like to see automatic updates pushed from my camera manufacturer.

A firmware push system also allows for a certain government sponsored company (*cough* Hikvision *cough*) to use that as a backdoor to introduce new backdoors on a situational basis. If any company turns firmware update pushes into the norm, Hikvision will certainly use that to their advantage and follow the trend, pretending that it is an innocuous new feature.

My vote remains a no.

I can see both sides of push updates. It really comes down to how confident you are in the manufacturer being able to properly push updates.

The Hikvision trojan horse infection of their mobile app is one example of why firmware pushes might not be a good idea. Up until that point I would have said it was a great idea. Brian Karas points out later in this thread that digital signing would help prevent that. My concern is whether that would have helped when it is the manufacturer pushing the update?

Another example is when McAfee pushed updates that bricked a lot of PCs when pushing an update that falsely identified system files on startup.

Digital signing ensures (if done properly) that the firmware originated from the manufacturer, and has not been tampered with or altered. It does not prevent an issue where the firmware is corrupted directly by the manufacturer (either purposefully or accidentally). In essence, you need to have implicit trust in the manufacturer first.

One way to mitigate this is with signed/encrypted firmware, which is an approach that has been around for quite a while (though not very common in security devices).
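The distinction drawn in the comments above, shown as an added example (not code from the article, any commenter, or any camera vendor): a device that pins a vendor public key rejects tampered or hijacker-signed images, yet still accepts a defective release the vendor itself signed. The Ed25519 scheme, the helper names and the sample images are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// VerifyFirmware accepts an image only when sig is a valid Ed25519 signature,
// made by the key pinned in the device, over the image's SHA-256 digest.
func VerifyFirmware(pinned ed25519.PublicKey, image, sig []byte) error {
	if len(pinned) != ed25519.PublicKeySize {
		return errors.New("pinned key has wrong length")
	}
	digest := sha256.Sum256(image)
	if !ed25519.Verify(pinned, digest[:], sig) {
		return errors.New("signature not made by pinned vendor key")
	}
	return nil
}

// signImage stands in for the vendor's build system (hypothetical helper).
func signImage(priv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(priv, digest[:])
}

// Demo runs four constructed update attempts; true means the device accepts.
func Demo() map[string]bool {
	// Fixed seeds keep the demo deterministic; real keys come from a CSPRNG/HSM.
	vendor := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	hijacker := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))
	pinned := vendor.Public().(ed25519.PublicKey)
	good := []byte("constructed firmware v2: security fixes")
	bad := []byte("constructed firmware v3: vendor-introduced defect")
	goodSig := signImage(vendor, good)
	tampered := append([]byte{}, good...)
	tampered[0] ^= 0xff // one byte altered in transit
	accepted := func(img, sig []byte) bool { return VerifyFirmware(pinned, img, sig) == nil }
	return map[string]bool{
		"vendor-signed, intact":      accepted(good, goodSig),
		"vendor-signed, tampered":    accepted(tampered, goodSig),
		"signed by update hijacker":  accepted(good, signImage(hijacker, good)),
		"vendor-signed, bad release": accepted(bad, signImage(vendor, bad)),
	}
}

func main() {
	for name, ok := range Demo() {
		fmt.Printf("%-28s accepted=%v\n", name, ok)
	}
}
```

The last case is the one the thread keeps returning to: signature verification cannot distinguish a good vendor release from a bad one, so staged rollout and network isolation still matter.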

There are many ways we can make it work safely if we put our minds to it, but the opposite holds true. No matter how hard we try to secure this, there are minds out there that can take advantage of this as yet another attack vector given enough determination.

And of course, I'll reiterate, Chinese Government + Hikvision.

The issue of trust is central to the core of security, both for real-world and cyber arenas. Using an open source OS with complete code inspection and automatic updates (for the OS) will mitigate part of the problem, but will not mitigate or even begin to manage the issue of a rogue codebase specific to the manufacturer's hardware.

For example, everybody has probably heard of the Raspberry Pi computer. You can put whatever Linux distribution you feel like on it if you are comfortable with that sort of thing, BUT, and this is the very important bit, you cannot make the OS work without a specific binary file provided by one of the chip manufacturers. So while the OS might be made secure, you can never know what is in that binary file - what features does it actually possess? Does it have a backdoor? Can we even tell? What about a 'sleeper' command that activates hidden features?

So there are really two parts to this from a hardware point of view - the underlying OS and its features, and then the actual firmware code that makes the particular device work. Unless you can trust the manufacturer you are already boned and there is no way around that.

To be as sure as possible about keeping the devices both up-to-date and maintaining network security simultaneously requires a defence-in-depth approach. This is not something that the electronic security industry has typically engaged in for IT networks and is a separate and specialised skillset. There is no 'black-box' or silver bullet to manage this unfortunately.

The only other way I can think of to secure an IP based camera system is to have it separated entirely from the internet and anything else. You can't attack it if it is isolated in that way.

So in the end the problem is bigger than just firmware alone. It's a whole trust assessment process, design process and risk management. Like all things in security - how far do you go to reasonably mitigate risk?

...you can never know about that binary file...

Not without a lot of effort.

Related: SOC Microcode Vulnerability

Exactly! In some cases you might be breaking the licensing and IP rights by doing the reverse engineering necessary.

"Who should be responsible for paying for these fixes? The customer, the integrator, or the manufacturer?"

That is the real question. Right now, the answer seems to be "nobody". It's easy to see why, there are points that could be argued from each side.

As an integrator: I feel the manufacturer should invest effort in testing the security of their products. Failing that, they should invest in their reputation and pay to have us fix it.

As a manufacturer: We can't close every possible hole. The integrator should design their network to prevent possible oversights from creating an attack vector. We all need to do our part.

As an end user: Why didn't the integrator recommend I purchase a different product with more security features? Why did I buy brand X when recommended by the integrator in lieu of another integrator selling brand Y?

I'm curious as to why there are folks who voted no and what the argument is? Just curious.

Because honestly, closing up these oversights with firmware updates is all fine and dandy and it should definitely happen, but in the end this hack shows that outside of manufacturers needing tougher firmware and forcing installers into cyber security measures, the INSTALLERS need to shut down avenues for attack as well.

Smarter installers are really the key to securing the products that are out there on the field. Manufacturers can only release what they release, but implementation is the key. Everything about this attack hinged on exploiting easily avoidable oversights. Dahua took the easy way out with their equipment to provide ease of setup, administration, and use. This meant their products were not stupid proof in terms of cyber security. Now the climate has changed to where awareness is necessary at all levels.

For example, John Dillabaugh knows wtf he's doing and he actively seeks out firmware updates to correct his installation difficulties, but he's not crazy enough to rely on manufacturers for his cyber security measures. He doesn't care about me or anyone else holding his hand. He locks down the network that the cameras are on by himself. The only time he really needed us was when the firmware updates he wanted were being rejected by the camera.

Otherwise, for him, it's business as usual and don't let the bad guys in. Plain and simple.

FYI, I voted yes, but I still understand no.

IMHO, and what I've seen from a brief past in Software Development I had in the past, usually people don't care much about Security in IT and Software Development until they are hit by a big disaster.

And in this case they care less than usual, since the devices being hacked are not necessarily impacted, so no disaster for the owners of the device. The cameras just go back to work on Monday morning like everybody else, until they are needed in the next DDOS attack.

Why don't we have a cloud management system yet to manage installed cameras and other security devices? I'm thinking a system such as it exists in WiFi for example with Aerohive, Mojo Networks, etc.

You can choose to auto update firmwares or to do it manually if and when you believe it's the right time to do it.

Such a system is also much more interesting to deploy new installs and do mass configuration.
