ONVIF Exposure To "Devastating DDoS Attacks" Examined

By: Ethan Ace and John Scanlan, Published on Sep 06, 2019

ZDNet reported "Protocol used by 630,000 devices can be abused for devastating DDoS attacks", citing exposure of ONVIF devices.


And after an IPVM discussion asking about ONVIF being 'dangerous', Verkada launched a Facebook ad declaring that:

IPVM investigated the vulnerability, speaking with the researcher, examining:

  • What the risks are and how severe they are for ONVIF devices
  • How the vulnerability works and what conditions must be met
  • ONVIF's response to the vulnerability
  • Input from the researcher
  • Potential for abuse
  • Mitigation steps




