ONVIF Exposure To "Devastating DDoS Attacks" Examined

By: Ethan Ace and John Scanlan, Published on Sep 06, 2019

ZDnet reported "Protocol used by 630,000 devices can be abused for devastating DDoS attacks", citing exposure of ONVIF devices.

soap ONVIF issue_2

And after an IPVM discussion asking about ONVIF being 'dangerous', Verkada launched a Facebook ad declaring that:

IPVM investigated the vulnerability, speaking with the researcher, examining:

  • What the risks are and how severe it is for ONVIF devices
  • How the vulnerability works and what conditions must be met
  • ONVIF response to vulnerability
  • Input from the researcher
  • Potential for abuse
  • Mitigation steps

***** ******** "******** **** ** ***,*** devices *** ** ****** for *********** **** *******", ****** ******** ** ONVIF *******.

soap ONVIF issue_2

*** ***** ****** ********** ****** ***** ONVIF ***** '*********', ******* ******** * Facebook ** ********* ****:

**** ************ *** *************, speaking **** *** **********, examining:

  • **** *** ***** *** and *** ****** ** is *** ***** *******
  • *** *** ************* ***** and **** ********** **** be ***
  • ***** ******** ** *************
  • ***** **** *** **********
  • ********* *** *****
  • ********** *****

[***************]

Executive *******

*** **** ** ********** ONVIF ***** ** ********* low ** ** ******** a *********** ** ******** errors: (*) * ******, non-standard, **-********* ************** **** (2) ******* * ***-********, uncommon **** ** *** public ********.

** *** ***** ****, devices **** **** **** conditions ** ********* * threat ** ***** *********** used ** **** *******.

No ******* ** ****** ** ******

** ******** ***** ***** not ** **** ** take ******* ** *** device, **** *****, ****** to *****, ***., **** if * ****** ***** both **********.

Faulty **-********* ******** *** *******

** ***** ** ** vulnerable ** **** *******, cameras **** *** * faulty **-********* ************** ***** allows ********* ** ** sent **** *** ********.********* ** **-*********'* **************, ** **** ********* and ************* ** ******** **** the ********:

************, ***** ** ***** disabled ** ******* ** current *******, ********* ****, Dahua, *** *********, ** it **** ** ******** enabled ** ***** *** WS-Discovery ** *** **** locally.

Uncommon **** **** ** **** (***/****)

******, ******* **** ********-****-********** (**** ********, *** not ***********, **** ** ONVIF) *** *** **** 3702 **** ** *** internet (** ******** ****).

*** **** **** **** allow ******** ******* **** the ******** ** **** attackers *** **** **-********* requests. **** ***** **** port **** **** ** forwarded ********, ********* ****, ** ** ******** connected ** *** ******** without * ******** ******** ports (*.*., ******** ********* to * *****).

**** **** ** ********,*** * ****** ****, *** ******** ** be ******** ********* ** anyone ***** **** ****** users. ****** ***** ** or *** ***** *** commonly ******** *** ****** access ** ******* *** open ** *******/*********, **** is ************* ****** ******** to ** ****.

UPnP ********* ******** ** *******

************,***** ** *** *******, **** ************* ******* UPnP ** *******. *******, it ** ******** **** older ********* *** **** enabled **** *** ****** port ****.

Low **** / *********** ** **** ******* ********

***** **** ***** ******* are ************ **** ***********, all ** **** ***** true ** ****** ******** in *** **** ******** of *************.

ONVIF ********

**** ******* ***** *** more *********** ** **** exploit. ***** ******** *****, in *****, **** ** contact ************* *** ********* guides:

***** ******** ********** *** selects ********* **** ******* integration *** ********** ** physical ******** *******. **** manufacturer **** **** ******** hardening *** ******* ********** to ***** ***** ******** to ** **** ** a ****** ****** ** various ******* ************. ** a ******* **** ***** profiles **** ******** *** use ** ******** ******** where ********** ******** ******** were ** ***** ** help ***** (******* ****’* and *********) ** ******* eliminate (******* *******) ****** to *** ********* **** an ******* ******. ** users ******* ********** ********** ******* **** *********** about *** ** ******** harden ***** ******** *** deployment, **** ****** ******* the ****** ************.

Axis ********

**** ********* **** **** were ********** ***** *** analysis *** ******:

** *********** **** ** is ******** ** **** the ********* **** ****** using ******* **-********* *******. This ** ******** ** the **-********* ******. ***** did *** ****** **, ONVIF **** ********* ** use **-********* ** ******** deployment.

*** ****** ** ******* devices *** *** ********** of **** ****** *** always ** **********. ** the ****** *** ******* it ** ********** - not **** *** ****. We *** ******* ******** to ****** *** ****** of ********-****** ******* ********* hardening ***** *** ****** Remote ***** ****** (**** Companion). ** ******** ********** customers *** ******** ******** devices ** ********.

Manufacturers ********

********* ** ****** *******, the ********** ****** ** the ***** *******, **** percentages ** *** ******** exposed ******* ** *** found *** **** **** and *****. *** *** searches ******* **** ****** 100,000 ***** ******* ******* to ******** *** **** UDP **** ****. *******, we ***** *** **** such ******* ** **** devices *******. ** **** not ********* ***** ******* are ********** ** ********** to ****** **-********* ********, but ******* *** ****** multiple ******* ***** ** these ******** *** *********.

*******, ** *** *******, current ***** ****** ** not **** *** ******* by *******, *** ** they **** **** ***** enabled.

Exploit ********

****** ***** ******** ** this ******* **** ********* ~350 ****, *** **** recently, ******* ** ***+ Gbps **** ****. *** reference, *** **** ** approaching *** ********* ** the **** ********* **** ***** ** Security (*** ****)*** ***** ** **** that ***** **** ********** ** **** (*.* Tbps), *** ******* **** ever ********.

** *** **** ** writing, ***** **** ***,*** public ****** ******* **** UDP **** **** **** responding ** "*****" *******, shown *****:

*** **********, *******, **** us **** **** ** these ****** ********* ********* to **-********* ******* ****. He **** **** **** sending * ***** ******* often ****** * **** larger ********, **** ************* of **** ********.

Potential ******

****** ******* ************* *** unlikely ** ** ********* using **** *************, ~***,*** rogue ******* **** *********** potential *** ******. *** example, *** ***** ******, which ********** ******** ~***,*** devices ** *******, *** used ****** **** * *******'* internet,******* ******, *** ****.

**********

*** ********** *****, ***** are *** ***** ***** which *** ** ***** to ****** **** *** not ********** ** **** exploit:

  • ******* ****:******** **** ************* ******* UPnP ** *******, ** may **** **** ******* by ******* ** *** older ********.
  • ****** **** **** ** closed:***** ****** **** **** sure **** *** **** 3702 ** ****** ** their ****** ** ******** and *** ***** ******** traffic ** **** **** to *** ********.

*** ***** *** *** unaware ** *** ******* enough ** **** ***** changes, ********** *** ********* impact ** ***** ******* will ****** **** ** ISPs, ** **** *** choose ** ***** ** rate ***** ***** ********.

Comments (24)

Undisclosed Manufacturer #1

09/06/19 05:05pm

* ***** **** "*** risk" ******* *** **** that **** **** ***** 627 ******** ******* ** the ******** ***** ****, over *** ******** **** report ********** ** ***** device.

* ****** *** ******** to ** ******* ******** exposed ** *** ********, but **** ****** ** simple ** *****. ** the ****** **** ******** to ******** ** *** multicast *******, **** **** makes ** **** ****** for *** ******** ** send *** *******.

John Honovich

IPVM | In reply to Undisclosed Manufacturer #1 | 09/06/19 05:07pm

* ***** **** "*** risk" ******* *** ****

*** **** ** ****** who **** ***** *******. The ********** **** ***'* ONVIF ****** ** **** of **** **** ** extremely *** ******* ** this ****** ******** ************.

**'* ********* * ****** risk ** ******* **** might ** *** ***** these *******.

Undisclosed Integrator #2

In reply to John Honovich | 09/06/19 05:55pm

* ***** *** ***** not **** ** *** it ** *** **** because ** ******* ********** requirements *** ****** ** the ****** ******; *** vulnerability ** ***** *** exploitable. **** ********** ****** having ***** ***** ****, and **** *** ******* networking ********* ** *****, the ****** **** ** a ****** ****** ***** discoverable ****** ***** **** in * ****** ** extremely ****.

********* *** **** ** a ************* ***** ** an ********** ******-**** ** experiencing ** ** ***** sighted. ** ***** ** akin ** *** ******** about * ******* ************* update ******* *** **** have * * ** 10000 ****** ** *** specific ******* ***** **** to ****** **** ********. You ***** **** ** take ** ********* *** update.

**** ** **** ******* version ** *** *** amplification ******. *** ***** everyone ****** ** *** a ****** ********, ***** people ********** **** *** could ***** *** *** server ** ****** * target.

John Honovich

IPVM | In reply to Undisclosed Integrator #2 | 09/06/19 06:03pm

*** ****** **** ** a ****** ****** ***** discoverable ******”

*** *** *** ********** of * ******** ****** ONVIF ****** ** *** specific **** ******, **** no ************ ********** ** use, ** **** ***.

John Honovich

IPVM | In reply to Undisclosed Integrator #2 | 09/06/19 06:08pm

********* *** **** ** a ************* ***** ** an ********** ******-**** ** experiencing ** ** ***** sighted.

**, **’* **** ***** human ***** **** ***** day. ***** *** * vast ***** ** ***** every **** *** **** out *** **** *** most *** *** *** you *** ****** ******.

** **** ****, ** is ***** ** *** what *** *** ******** to *** ******** *** in *** *************** **** case **** ** ****, close **.

Undisclosed Integrator #2

In reply to John Honovich | 09/06/19 06:27pm

********** ** **** ********** risk ** ****, ** is ***** * ****** concern, *** ******* **** a ******** ******* ** their ******* ***** ** make **** *** **** is *****. *** ****** surface ** ***** ****** with ****** ************* ** warrant * ****** **** assessment.

Undisclosed #3

09/06/19 07:11pm

******** * *** *** the ***** ** ***** this ***, ***** ** was ********* ** * previous ******, * ******** this ******** ** ****** ***** *********?******:

Why **** ******* (** *** ******) **** ~**% ** *** ******* *******?

*** *** *****'* ****** but ** (*** *** original ******) ***** **** is ******* ****** ** try *** **** *** why **** **?

Undisclosed Integrator #5

In reply to Undisclosed #3 | 09/06/19 07:51pm

*** *** *** ******** that **% ******? ********* to ******, *** ***** results *** ***** (******** for **** ****) ** 181,542. *** ***** *** Vietnam ** **,***. ****'* 17%.

*** *** ***** ******* from ********* ****?

**** ** ** ** 17%, ******, * ** still **** ** *** that ******* *** *** largest **********.

Undisclosed #3

In reply to Undisclosed Integrator #5 | 09/06/19 08:00pm

* **** *** ******* from *** ******* ****** towards *** *** ** the **:

*** * **** * calculator ** *** *** figure ** **.************** ([***,*** x ***] /***,***) - and *********** **** ** ~80%.

Avatar

John Scanlan

IPVM | IPVMU Certified | In reply to Undisclosed Integrator #5 | 09/06/19 08:08pm

*** ******* **** ******** from**********.

Avatar

John Scanlan

IPVM | IPVMU Certified | In reply to Undisclosed #3 | 09/06/19 08:05pm

*** ****** ** *** left ** *** ******* is *** *** ****** of ******* ** **** country, ** ** *** column ** *** *****:

Undisclosed #3

In reply to John Scanlan | 09/06/19 08:27pm

***.

**** **** *** ******* column **** ** ******** represent ** *** ******* column ***** ********* ********** exposed ******* ** **** country?

Undisclosed #4

In reply to Undisclosed #3 | 09/06/19 09:06pm

******* ******** **** **** open **** *** *********.

** ***,*** ** *** devices **** **** **** open **** ***** *******, based ** *** ****** returned.

Undisclosed #3

In reply to Undisclosed #4 | 09/06/19 09:15pm

**** *** *** *** of *** ***** ***** categories **** ****** '*********'-***** numbers **** ******* '********'-***** numbers?

Undisclosed #4

In reply to Undisclosed #3 | 09/07/19 12:34am

**** *** *** *** of *** ***** ***** categories **** ****** '*********'-***** numbers **** ******* '********'-***** numbers?

******* *** *** ********* are *** *****, *** most, ** *** ***, products ***, **** *** in ********** *****.

****, *** *** **** the **** ** *** graphic, ******** **** *** line *** *****?

Avatar

John Scanlan

IPVM | IPVMU Certified | In reply to Undisclosed #4 | 09/06/19 10:11pm

**** *** *** ***** devices. * ** *** sure **** ********** ** query/response ** *** *********** to ******** **** **** different ******** *** **** are *** ***** ******* with **** **** ****.

**** ** ** ******* of ** ***** ****** when * ** ** the *** *********:

"******* **** ******" **** I ****** ** *** interface:

*** **** ** **** of *** ***** ******* categories. * ** ******** they ****** ** ***** identifier *********** ******* *** product ********** *** **** emailed **** *** **** detailed *******.

Undisclosed #4

09/06/19 07:16pm

***** **** ***** ******* are ************ **** ***********, all ** **** ***** true ** ****** ******** in *** **** ******** of *************.

*** **** *** *** true ** ** ***** 600,000 *****, *****?

Undisclosed #4

09/06/19 07:29pm

*** ******** ******** ******* figured *** *** *** largest ********** ** ***** at **** ******* *** in *******?

********, ******* *** **** than * ********* ** the ******* ** *** U.S. *** ***** ******* 3702, *** **** ** has******** *** *.*.?

***, **’* *** ******** to ** ******. ******** this *** **** *** in ********* *** *** an ******* ****** **** is.

Undisclosed Integrator #5

In reply to Undisclosed #4 | 09/06/19 07:58pm

***** *****'* *** ********* popular ********** *** *****'* know **** ****'** *****? Maybe **** *** * shortage ** ******* *** ended ** ********** * lot ** ******* ******** to *** ********?

* ****** ** *** can ********* ****** *** effects ** * **** by ******** *******.

Undisclosed Manufacturer #6

09/06/19 09:50pm

******* ***** ********* **** cameras, *** *******, ***. Maybe ***** *** *** devices **** *** ***** that ****. ***** ** has ******* ** ** with *****, ****** ** uses **** **** *** reports ****. ***** ***** are ***** **** ******* all **** *** ***** that *** *** ******* in ***** ******* ** the **, ***... *** knows....

Undisclosed #3

In reply to Undisclosed Manufacturer #6 | 09/06/19 10:02pm

"*** *****...."

***, *** **** ** a ****** ******** **********, no?

*** *** *** ********* data **** ******** ** all ** *** **** itself ** ************ ***** on *********** *********?

Slava H

09/06/19 10:17pm

****'* **** *** ******* to **** ***** ***** dangerous ******* ** *********** to *** *** ****** feature *** ****.

***, *** *** **** IP(ping ** ***** ******!) is ********* ** ****. DNS *** **** *** can ***** *** ** used *** ****. ** here ** **, ***'* stop ***** *** *** use *********** *** **********.

Undisclosed #7

09/06/19 10:19pm

** ******* ****** **** their *******, *** ***** servers, *** *** ********** to *** **** ** DDoS ******?

** **, *** **** if **** **** ** I ****** ****.

John Honovich

IPVM | 09/21/19 05:30pm

******:**** ****** * ******** advisory ** ****, ******* ********* *****:

***** **** **** *** impact ** *******, **** acknowledged **** **** *** susceptible:

*** **** ******* **** supports ***** *** *********** to *** ********* ******. WS ********* ** ******* by ******* ********** ** ONVIF *** ** **** or ***.

*** **** **** *** evaluating ****** ******** ******* for ****:

**** ** ************* ********* WS ********* ******** ** reduce **** ** **** 3702 ** *******. ** adjustments **** ** ****, they **** ** ********* in * ****** ********* firmware *******.

** **** ****** ** they ** ****.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

China DVR/NVR Backdoor Discovered, Huawei Refutes on Feb 07, 2020
A backdoor was found in Chinese-produced DVRs and NVRs that secretly allowed access to the recorders. While it was first attributed to Huawei...
Dahua New Critical Vulnerability 2019 on Sep 23, 2019
Dahua has quietly admitted 5 new vulnerabilities including 1 critical vulnerability with a 9.8 / 10.0 CVSS score and 2 high vulnerabilities (scored...
Uniview OEM Directory on Sep 11, 2019
This directory lists 20+ companies that OEM products from Uniview, with a graphic and links to company websites below. It does not cover all...
Warning: Windows 7 Update Crashing NVRs on Aug 26, 2019
Windows 7 updates are causing VMS servers to fail to boot. After running the update, impacted systems do not boot as normal, instead display this...
Critical Vulnerability Across 18+ Network Switch Vendors: Cisco, Netgear, More on Aug 26, 2019
Cisco, Netgear and more than a dozen other brands, including small Asian ones, have been found to share the same critical vulnerability, discovered...
Dahua Wiretapping Vulnerability on Aug 02, 2019
IPVM has validated, with testing, and from Dahua, that many Dahua cameras have a wiretapping vulnerability. Even if the camera's audio has been...
LifeSafety Power NetLink Vulnerabilities And Problematic Response on May 20, 2019
'Power supplies' are not devices that many think about when considering vulnerabilities but as more and more devices go 'online', the risks for...
Security Fail: ASISNYC Auto Emails Passwords In Plain Text on May 14, 2019
ASIS NYC automatically emails a user with the password the user just entered, in plain text, when one registers for the site / event, as the...
Subnetting for Video Surveillance on Apr 30, 2019
This guide explains when subnetting is used on security networks, and how it works. We explain how to add or remove IP addresses to your range,...
Verint Victimized By Ransomware on Apr 18, 2019
Verint, which is best known in the physical security industry for video surveillance but has built a sizeable cybersecurity business as well, was...

Most Recent Industry Reports

USA's Feevr Thermal Temperature System Examined on Mar 31, 2020
This US company has burst on to the scene, brashly naming itself 'feevr' and branding itself as a "COVID 19 - AI BASED NON CONTACT THERMAL...
JCI Coronavirus Cuts on Mar 31, 2020
JCI has made coronavirus cuts, the company told employees in an email that IPVM has reviewed. Inside this note, we examine the cuts made, the...
Add Door Operators To Fight Coronavirus on Mar 31, 2020
IPVM recommends that integrators advocate and end-users consider adding door operators to fight the spread of coronavirus. This delivers...
Video Surveillance Business 101 on Mar 30, 2020
This report explains the fundamental elements of the video surveillance business for those new to the industry. This is part of our Video...
FDA Gives Guidance on 'Coronavirus' Thermal Fever Detection Systems on Mar 30, 2020
The US FDA has given IPVM guidance on the use of thermal fever detection systems being marketed for coronavirus, as an explosion of such devices...
Worsen: Integrators Hit Even Harder By Coronavirus on Mar 30, 2020
Integrator's problems have worsened over the past 2 weeks, according to new IPVM survey results. Inside this report, we share statistics and...
Pivot3 Mass Layoffs on Mar 27, 2020
Pivot3 has conducted mass layoffs, the culmination of grand hopes, a quarter of a billion dollars in VC funding, and multiple failures to gain...
Athena CEO Criticizes 'Deplorable' 'Nitpicking', IPVM Refutes on Mar 27, 2020
UPDATE: NBC News Report Cites IPVM On Coronavirus 'Fever Detection' Cameras Athena Security's CEO Lisa Falzone has strongly objected to IPVM's...
Hikvision Admits Sanctions Harming Its Financial Performance on Mar 27, 2020
While Hikvision initially downplayed being sanctioned for human rights abuses, the company is now admitting a significant impact in a new PRC...