ONVIF Exposure To "Devastating DDoS Attacks" Examined

By: Ethan Ace and John Scanlan, Published on Sep 06, 2019

ZDNet reported "Protocol used by 630,000 devices can be abused for devastating DDoS attacks", citing exposure of ONVIF devices.


And after an IPVM discussion asking about ONVIF being 'dangerous', Verkada launched a Facebook ad declaring that:

IPVM investigated the vulnerability, speaking with the researcher, examining:

  • What the risks are and how severe they are for ONVIF devices
  • How the vulnerability works and what conditions must be met
  • ONVIF's response to the vulnerability
  • Input from the researcher
  • Potential for abuse
  • Mitigation steps

Executive *******

*** **** ** ********** ONVIF ***** ** ********* low ** ** ******** a *********** ** ******** errors: (*) * ******, non-standard, **-********* ************** **** (2) ******* * ***-********, uncommon **** ** *** public ********.

** *** ***** ****, devices **** **** **** conditions ** ********* * threat ** ***** *********** used ** **** *******.

No ******* ** ****** ** ******

** ******** ***** ***** not ** **** ** take ******* ** *** device, **** *****, ****** to *****, ***., **** if * ****** ***** both **********.

Faulty **-********* ******** *** *******

** ***** ** ** vulnerable ** **** *******, cameras **** *** * faulty **-********* ************** ***** allows ********* ** ** sent **** *** ********.********* ** **-*********'* **************, ** **** ********* and ************* ** ******** **** the ********:

************, ***** ** ***** disabled ** ******* ** current *******, ********* ****, Dahua, *** *********, ** it **** ** ******** enabled ** ***** *** WS-Discovery ** *** **** locally.

Uncommon **** **** ** **** (***/****)

******, ******* **** ********-****-********** (**** ********, *** not ***********, **** ** ONVIF) *** *** **** 3702 **** ** *** internet (** ******** ****).

*** **** **** **** allow ******** ******* **** the ******** ** **** attackers *** **** **-********* requests. **** ***** **** port **** **** ** forwarded ********, ********* ****, ** ** ******** connected ** *** ******** without * ******** ******** ports (*.*., ******** ********* to * *****).

**** **** ** ********,*** * ****** ****, *** ******** ** be ******** ********* ** anyone ***** **** ****** users. ****** ***** ** or *** ***** *** commonly ******** *** ****** access ** ******* *** open ** *******/*********, **** is ************* ****** ******** to ** ****.

UPnP ********* ******** ** *******

************,***** ** *** *******, **** ************* ******* UPnP ** *******. *******, it ** ******** **** older ********* *** **** enabled **** *** ****** port ****.

Low **** / *********** ** **** ******* ********

***** **** ***** ******* are ************ **** ***********, all ** **** ***** true ** ****** ******** in *** **** ******** of *************.

ONVIF ********

**** ******* ***** *** more *********** ** **** exploit. ***** ******** *****, in *****, **** ** contact ************* *** ********* guides:

***** ******** ********** *** selects ********* **** ******* integration *** ********** ** physical ******** *******. **** manufacturer **** **** ******** hardening *** ******* ********** to ***** ***** ******** to ** **** ** a ****** ****** ** various ******* ************. ** a ******* **** ***** profiles **** ******** *** use ** ******** ******** where ********** ******** ******** were ** ***** ** help ***** (******* ****’* and *********) ** ******* eliminate (******* *******) ****** to *** ********* **** an ******* ******. ** users ******* ********** ********** ******* **** *********** about *** ** ******** harden ***** ******** *** deployment, **** ****** ******* the ****** ************.

Axis ********

**** ********* **** **** were ********** ***** *** analysis *** ******:

** *********** **** ** is ******** ** **** the ********* **** ****** using ******* **-********* *******. This ** ******** ** the **-********* ******. ***** did *** ****** **, ONVIF **** ********* ** use **-********* ** ******** deployment.

*** ****** ** ******* devices *** *** ********** of **** ****** *** always ** **********. ** the ****** *** ******* it ** ********** - not **** *** ****. We *** ******* ******** to ****** *** ****** of ********-****** ******* ********* hardening ***** *** ****** Remote ***** ****** (**** Companion). ** ******** ********** customers *** ******** ******** devices ** ********.

Manufacturers ********

********* ** ****** *******, the ********** ****** ** the ***** *******, **** percentages ** *** ******** exposed ******* ** *** found *** **** **** and *****. *** *** searches ******* **** ****** 100,000 ***** ******* ******* to ******** *** **** UDP **** ****. *******, we ***** *** **** such ******* ** **** devices *******. ** **** not ********* ***** ******* are ********** ** ********** to ****** **-********* ********, but ******* *** ****** multiple ******* ***** ** these ******** *** *********.

*******, ** *** *******, current ***** ****** ** not **** *** ******* by *******, *** ** they **** **** ***** enabled.

Exploit ********

****** ***** ******** ** this ******* **** ********* ~350 ****, *** **** recently, ******* ** ***+ Gbps **** ****. *** reference, *** **** ** approaching *** ********* ** the **** ********* **** ***** ** Security (*** ****)*** ***** ** **** that ***** **** ********** ** **** (*.* Tbps), *** ******* **** ever ********.

** *** **** ** writing, ***** **** ***,*** public ****** ******* **** UDP **** **** **** responding ** "*****" *******, shown *****:

*** **********, *******, **** us **** **** ** these ****** ********* ********* to **-********* ******* ****. He **** **** **** sending * ***** ******* often ****** * **** larger ********, **** ************* of **** ********.

Potential ******

****** ******* ************* *** unlikely ** ** ********* using **** *************, ~***,*** rogue ******* **** *********** potential *** ******. *** example, *** ***** ******, which ********** ******** ~***,*** devices ** *******, *** used ****** **** * *******'* internet,******* ******, *** ****.

**********

*** ********** *****, ***** are *** ***** ***** which *** ** ***** to ****** **** *** not ********** ** **** exploit:

  • ******* ****:******** **** ************* ******* UPnP ** *******, ** may **** **** ******* by ******* ** *** older ********.
  • ****** **** **** ** closed:***** ****** **** **** sure **** *** **** 3702 ** ****** ** their ****** ** ******** and *** ***** ******** traffic ** **** **** to *** ********.

*** ***** *** *** unaware ** *** ******* enough ** **** ***** changes, ********** *** ********* impact ** ***** ******* will ****** **** ** ISPs, ** **** *** choose ** ***** ** rate ***** ***** ********.
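As an added example (not part of the IPVM report or any vendor's code), a small Python check in the defender's position described above: it runs over constructed edge flow records, finds devices that answered WS-Discovery probes on UDP port 3702 arriving from the internet, and estimates the response/request byte ratio each one delivered. The flow format, the sample addresses and the 2x-amplification idea are assumptions for illustration.

```python
# Added detection example (not from the IPVM report): find cameras that answered
# internet WS-Discovery probes on UDP/3702 and estimate the amplification.
import ipaddress
from collections import defaultdict

# Address ranges treated as "inside"; anything else counts as the internet.
_INSIDE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
            "127.0.0.0/8", "169.254.0.0/16")]

def is_internet(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in _INSIDE)

# Constructed flow records: src,sport,dst,dport,proto,bytes. 203.0.113.x and
# 198.51.100.x (documentation ranges) stand in for arbitrary internet hosts;
# 192.168.1.x are cameras behind the edge device that exported the flows.
SAMPLE_FLOWS = """\
203.0.113.7,40001,192.168.1.10,3702,udp,180
192.168.1.10,3702,203.0.113.7,40001,udp,2880
203.0.113.7,40002,192.168.1.11,3702,udp,180
192.168.1.11,3702,203.0.113.7,40002,udp,540
10.0.0.5,50000,192.168.1.12,3702,udp,180
192.168.1.12,3702,10.0.0.5,50000,udp,2400
198.51.100.4,40003,192.168.1.13,3702,udp,180
"""

def parse_flows(text):
    rows = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, proto, nbytes = line.split(",")
        rows.append((src, int(sport), dst, int(dport), proto, int(nbytes)))
    return rows

def exposed_wsd_responders(flows, port=3702):
    """Map each inside device that replied from UDP/port to an internet host to
    the largest response/request byte ratio seen. Devices probed but silent are
    omitted (they reflect nothing); replies to inside hosts (normal LAN discovery)
    are ignored."""
    req = defaultdict(int)   # (device, remote) -> bytes received on port
    resp = defaultdict(int)  # (device, remote) -> bytes sent back from port
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == port and is_internet(src):
            req[(dst, src)] += nbytes
        elif sport == port and is_internet(dst):
            resp[(src, dst)] += nbytes
    ratios = {}
    for (dev, remote), sent in resp.items():
        got = req.get((dev, remote), 0)
        ratio = sent / got if got else float("inf")  # reply with no visible probe
        ratios[dev] = max(ratios.get(dev, 0.0), ratio)
    return ratios
```

On the constructed records, `exposed_wsd_responders(parse_flows(SAMPLE_FLOWS))` reports 192.168.1.10 (16x) and 192.168.1.11 (3x); the device that only answered a LAN host and the one that never answered are not listed, which is the state every camera should be in once port 3702 is no longer reachable from outside.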

Comments (24)

* ***** **** "*** risk" ******* *** **** that **** **** ***** 627 ******** ******* ** the ******** ***** ****, over *** ******** **** report ********** ** ***** device.

* ****** *** ******** to ** ******* ******** exposed ** *** ********, but **** ****** ** simple ** *****. ** the ****** **** ******** to ******** ** *** multicast *******, **** **** makes ** **** ****** for *** ******** ** send *** *******.

* ***** **** "*** risk" ******* *** ****

*** **** ** ****** who **** ***** *******. The ********** **** ***'* ONVIF ****** ** **** of **** **** ** extremely *** ******* ** this ****** ******** ************.

**'* ********* * ****** risk ** ******* **** might ** *** ***** these *******.

* ***** *** ***** not **** ** *** it ** *** **** because ** ******* ********** requirements *** ****** ** the ****** ******; *** vulnerability ** ***** *** exploitable. **** ********** ****** having ***** ***** ****, and **** *** ******* networking ********* ** *****, the ****** **** ** a ****** ****** ***** discoverable ****** ***** **** in * ****** ** extremely ****.

********* *** **** ** a ************* ***** ** an ********** ******-**** ** experiencing ** ** ***** sighted. ** ***** ** akin ** *** ******** about * ******* ************* update ******* *** **** have * * ** 10000 ****** ** *** specific ******* ***** **** to ****** **** ********. You ***** **** ** take ** ********* *** update.

**** ** **** ******* version ** *** *** amplification ******. *** ***** everyone ****** ** *** a ****** ********, ***** people ********** **** *** could ***** *** *** server ** ****** * target.

*** ****** **** ** a ****** ****** ***** discoverable ******”

*** *** *** ********** of * ******** ****** ONVIF ****** ** *** specific **** ******, **** no ************ ********** ** use, ** **** ***.

********* *** **** ** a ************* ***** ** an ********** ******-**** ** experiencing ** ** ***** sighted.

**, **’* **** ***** human ***** **** ***** day. ***** *** * vast ***** ** ***** every **** *** **** out *** **** *** most *** *** *** you *** ****** ******.

** **** ****, ** is ***** ** *** what *** *** ******** to *** ******** *** in *** *************** **** case **** ** ****, close **.

********** ** **** ********** risk ** ****, ** is ***** * ****** concern, *** ******* **** a ******** ******* ** their ******* ***** ** make **** *** **** is *****. *** ****** surface ** ***** ****** with ****** ************* ** warrant * ****** **** assessment.

******** * *** *** the ***** ** ***** this ***, ***** ** was ********* ** * previous ******, * ******** this ******** ** ****** ***** *********?******:

Why **** ******* (** *** ******) **** ~**% ** *** ******* *******?

*** *** *****'* ****** but ** (*** *** original ******) ***** **** is ******* ****** ** try *** **** *** why **** **?

*** *** *** ******** that **% ******? ********* to ******, *** ***** results *** ***** (******** for **** ****) ** 181,542. *** ***** *** Vietnam ** **,***. ****'* 17%.

*** *** ***** ******* from ********* ****?

**** ** ** ** 17%, ******, * ** still **** ** *** that ******* *** *** largest **********.

* **** *** ******* from *** ******* ****** towards *** *** ** the **:

*** * **** * calculator ** *** *** figure ** **.************** ([***,*** x ***] /***,***) - and *********** **** ** ~80%.

*** ******* **** ******** from**********.

*** ****** ** *** left ** *** ******* is *** *** ****** of ******* ** **** country, ** ** *** column ** *** *****:

***.

**** **** *** ******* column **** ** ******** represent ** *** ******* column ***** ********* ********** exposed ******* ** **** country?

******* ******** **** **** open **** *** *********.

** ***,*** ** *** devices **** **** **** open **** ***** *******, based ** *** ****** returned.

**** *** *** *** of *** ***** ***** categories **** ****** '*********'-***** numbers **** ******* '********'-***** numbers?

**** *** *** *** of *** ***** ***** categories **** ****** '*********'-***** numbers **** ******* '********'-***** numbers?

******* *** *** ********* are *** *****, *** most, ** *** ***, products ***, **** *** in ********** *****.

****, *** *** **** the **** ** *** graphic, ******** **** *** line *** *****?

**** *** *** ***** devices. * ** *** sure **** ********** ** query/response ** *** *********** to ******** **** **** different ******** *** **** are *** ***** ******* with **** **** ****.

**** ** ** ******* of ** ***** ****** when * ** ** the *** *********:

"******* **** ******" **** I ****** ** *** interface:

*** **** ** **** of *** ***** ******* categories. * ** ******** they ****** ** ***** identifier *********** ******* *** product ********** *** **** emailed **** *** **** detailed *******.

***** **** ***** ******* are ************ **** ***********, all ** **** ***** true ** ****** ******** in *** **** ******** of *************.

*** **** *** *** true ** ** ***** 600,000 *****, *****?

*** ******** ******** ******* figured *** *** *** largest ********** ** ***** at **** ******* *** in *******?

********, ******* *** **** than * ********* ** the ******* ** *** U.S. *** ***** ******* 3702, *** **** ** has******** *** *.*.?

***, **’* *** ******** to ** ******. ******** this *** **** *** in ********* *** *** an ******* ****** **** is.

***** *****'* *** ********* popular ********** *** *****'* know **** ****'** *****? Maybe **** *** * shortage ** ******* *** ended ** ********** * lot ** ******* ******** to *** ********?

* ****** ** *** can ********* ****** *** effects ** * **** by ******** *******.

******* ***** ********* **** cameras, *** *******, ***. Maybe ***** *** *** devices **** *** ***** that ****. ***** ** has ******* ** ** with *****, ****** ** uses **** **** *** reports ****. ***** ***** are ***** **** ******* all **** *** ***** that *** *** ******* in ***** ******* ** the **, ***... *** knows....

"*** *****...."

***, *** **** ** a ****** ******** **********, no?

*** *** *** ********* data **** ******** ** all ** *** **** itself ** ************ ***** on *********** *********?

****'* **** *** ******* to **** ***** ***** dangerous ******* ** *********** to *** *** ****** feature *** ****.

***, *** *** **** IP(ping ** ***** ******!) is ********* ** ****. DNS *** **** *** can ***** *** ** used *** ****. ** here ** **, ***'* stop ***** *** *** use *********** *** **********.

** ******* ****** **** their *******, *** ***** servers, *** *** ********** to *** **** ** DDoS ******?

** **, *** **** if **** **** ** I ****** ****.

******:**** ****** * ******** advisory ** ****, ******* ********* *****:

***** **** **** *** impact ** *******, **** acknowledged **** **** *** susceptible:

*** **** ******* **** supports ***** *** *********** to *** ********* ******. WS ********* ** ******* by ******* ********** ** ONVIF *** ** **** or ***.

*** **** **** *** evaluating ****** ******** ******* for ****:

**** ** ************* ********* WS ********* ******** ** reduce **** ** **** 3702 ** *******. ** adjustments **** ** ****, they **** ** ********* in * ****** ********* firmware *******.

** **** ****** ** they ** ****.
