ONVIF Exposure To "Devastating DDoS Attacks" Examined

By Ethan Ace and John Scanlan, Published Sep 06, 2019, 09:12am EDT

ZDNet reported "Protocol used by 630,000 devices can be abused for devastating DDoS attacks", citing exposure of ONVIF devices.


And after an IPVM discussion asking about ONVIF being 'dangerous', Verkada launched a Facebook ad declaring that:

IPVM investigated the vulnerability, speaking with the researcher, examining:

  • What the risks are and how severe it is for ONVIF devices
  • How the vulnerability works and what conditions must be met
  • ONVIF response to vulnerability
  • Input from the researcher
  • Potential for abuse
  • Mitigation steps

Executive Summary

*** **** ** ********** ***** ***** is ********* *** ** ** ******** a *********** ** ******** ******: (*) a ******, ***-********, **-********* ************** **** (2) ******* * ***-********, ******** **** to *** ****** ********.

** *** ***** ****, ******* **** meet **** ********** ** ********* * threat ** ***** *********** **** ** DDOS *******.

No ******* ** ****** ** ******

** ******** ***** ***** *** ** able ** **** ******* ** *** device, **** *****, ****** ** *****, etc., **** ** * ****** ***** both **********.

Faulty **-********* ******** *** *******

** ***** ** ** ********** ** this *******, ******* **** *** * faulty **-********* ************** ***** ****** ********* to ** **** **** *** ********.********* ** **-*********'* **************, ** **** ********* *** ************* ** ******** **** *** ********:

************, ***** ** ***** ******** ** default ** ******* *******, ********* ****, Dahua, *** *********, ** ** **** be ******** ******* ** ***** *** WS-Discovery ** *** **** *******.

Uncommon **** **** ** **** (***/****)

******, ******* **** ********-****-********** (**** ********, *** *** ***********, used ** *****) *** *** **** 3702 **** ** *** ******** (** uncommon ****).

*** **** **** **** ***** ******** traffic **** *** ******** ** **** attackers *** **** **-********* ********. **** means **** **** **** **** ** forwarded ********, ********* ****, ** ** ******** ********* ** the ******** ******* * ******** ******** ports (*.*., ******** ********* ** * modem).

**** **** ** ********,*** * ****** ****, *** ******** ** ** ******** forwarded ** ****** ***** **** ****** users. ****** ***** ** ** *** which *** ******** ******** *** ****** access ** ******* *** **** ** routers/firewalls, **** ** ************* ****** ******** to ** ****.

UPnP ********* ******** ** *******

************,***** ** *** *******, **** ************* ******* **** ** default. *******, ** ** ******** **** older ********* *** **** ******* **** and ****** **** ****.

Low **** / *********** ** **** ******* ********

***** **** ***** ******* *** ************ rare ***********, *** ** **** ***** true ** ****** ******** ** *** vast ******** ** *************.

ONVIF Response

**** ******* ***** *** **** *********** on **** *******. ***** ******** *****, in *****, **** ** ******* ************* for ********* ******:

***** ******** ********** *** ******* ********* that ******* *********** *** ********** ** physical ******** *******. **** ************ **** have ******** ********* *** ******* ********** to ***** ***** ******** ** ** used ** * ****** ****** ** various ******* ************. ** * ******* rule ***** ******** **** ******** *** use ** ******** ******** ***** ********** security ******** **** ** ***** ** help ***** (******* ****’* *** *********) or ******* ********* (******* *******) ****** to *** ********* **** ** ******* entity. ** ***** ******* ********** ********** ******* **** *********** ***** *** to ******** ****** ***** ******** *** deployment, **** ****** ******* *** ****** manufacturer.

Axis Response

**** ********* **** **** **** ********** their *** ******** *** ******:

** *********** **** ** ** ******** to **** *** ********* **** ****** using ******* **-********* *******. **** ** behavior ** *** **-********* ******. ***** did *** ****** **, ***** **** specified ** *** **-********* ** ******** deployment.

*** ****** ** ******* ******* *** the ********** ** **** ****** *** always ** **********. ** *** ****** are ******* ** ** ********** - not **** *** ****. ** *** various ******** ** ****** *** ****** of ********-****** ******* ********* ********* ***** and ****** ****** ***** ****** (**** Companion). ** ******** ********** ********* *** partners ******** ******* ** ********.

Manufacturers ********

********* ** ****** *******, *** ********** quoted ** *** ***** *******, **** percentages ** *** ******** ******* ******* he *** ***** *** **** **** and *****. *** *** ******** ******* that ****** ***,*** ***** ******* ******* to ******** *** **** *** **** 3702. *******, ** ***** *** **** such ******* ** **** ******* *******. We **** *** ********* ***** ******* are ********** ** ********** ** ****** WS-Discovery ********, *** ******* *** ****** multiple ******* ***** ** ***** ******** and *********.

*******, ** *** *******, ******* ***** models ** *** **** *** ******* by *******, *** ** **** **** with ***** *******.

Exploit ********

****** ***** ******** ** **** ******* were ********* ~*** ****, *** **** recently, ******* ** ***+ **** **** seen. *** *********, *** **** ** approaching *** ********* ** *** **** which**** **** ***** ** ******** (*** Gbps)*** ***** ** **** **** ***** took ********** ** **** (*.* ****), *** ******* **** **** ********.

** *** **** ** *******, ***** were ***,*** ****** ****** ******* **** UDP **** **** **** ********** ** "ONVIF" *******, ***** *****:

*** **********, *******, **** ** **** many ** ***** ****** ********* ********* to **-********* ******* ****. ** **** says **** ******* * ***** ******* often ****** * **** ****** ********, with ************* ** **** ********.

Potential ******

****** ******* ************* *** ******** ** be ********* ***** **** *************, ~***,*** rogue ******* **** *********** ********* *** misuse. *** *******, *** ***** ******, which ********** ******** ~***,*** ******* ** attacks, *** **** ****** **** * *******'* ********,******* ******, *** ****.

Mitigation

*** ********** *****, ***** *** *** basic ***** ***** *** ** ***** to ****** **** *** *** ********** to **** *******:

  • ******* ****:******** **** ************* ******* **** ** default, ** *** **** **** ******* by ******* ** *** ***** ********.
  • ****** **** **** ** ******:***** ****** **** **** **** **** UDP **** **** ** ****** ** their ****** ** ******** *** *** allow ******** ******* ** **** **** to *** ********.

*** ***** *** *** ******* ** not ******* ****** ** **** ***** changes, ********** *** ********* ****** ** these ******* **** ****** **** ** ISPs, ** **** *** ****** ** block ** **** ***** ***** ********.

Comments (24)

I think your "low risk" ignores the fact that they have found 627 thousand devices on the internet doing this, over 500 thousand that report themselves as ONVIF devices.

I expect the majority to be cameras directly exposed to the internet, but this should be simple to block. If the device only responds to requests to the multicast address, then that makes it much harder for the attacker to send the packets.

Agree
Disagree: 4
Informative
Unhelpful
Funny
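The multicast-only policy suggested in the comment above, together with the article's point that the attack needs UDP/3702 reachable from the internet, as an added example (not code from IPVM, the commenter or any vendor): a small Python checker that decides which WS-Discovery Probes a device should answer, and that flags, over constructed flow records, a monitored camera replying on UDP/3702 to unicast internet hosts, the symptom of being used as a reflector. The CSV flow layout, the addresses and the function names are assumptions.

```python
import ipaddress

WSD_PORT = 3702                                        # WS-Discovery (UDP)
WSD_MCAST = ipaddress.ip_address("239.255.255.250")    # WS-Discovery multicast group
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def is_lan(ip: str) -> bool:
    """RFC 1918 / link-local check (own list, so documentation addresses count as internet)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)

def should_answer_probe(src_ip: str, dst_ip: str) -> bool:
    """Multicast-only policy: answer a Probe only if it was addressed to the discovery
    group by a LAN host. A unicast Probe arriving from the internet is dropped, so the
    device cannot act as a reflector even when UDP/3702 is forwarded to it."""
    return ipaddress.ip_address(dst_ip) == WSD_MCAST and is_lan(src_ip)

def find_reflections(flow_lines: list[str], monitored: set[str]) -> list[dict]:
    """Flag monitored devices sending UDP/3702 replies to unicast internet hosts.
    Each flow line is constructed CSV: src,sport,dst,dport,bytes (assumed layout)."""
    requests: dict[tuple[str, str], int] = {}   # (probe source, device) -> probe bytes
    replies: list[tuple[str, str, int]] = []
    for line in flow_lines:
        src, sport, dst, dport, nbytes = line.strip().split(",")
        if int(sport) == WSD_PORT and src in monitored:
            replies.append((src, dst, int(nbytes)))     # a device's ProbeMatch leaving
        elif int(dport) == WSD_PORT:
            requests[(src, dst)] = int(nbytes)          # a Probe arriving somewhere
    alerts = []
    for device, dst, nbytes in replies:
        if ipaddress.ip_address(dst).is_multicast or is_lan(dst):
            continue                                    # ordinary LAN discovery
        req = requests.get((dst, device))               # the (possibly spoofed) request
        alerts.append({"device": device, "victim": dst, "reply_bytes": nbytes,
                       "amplification": round(nbytes / req, 1) if req else None})
    return alerts

# Constructed flow records (not real traffic): one camera at 192.168.1.50 with UDP/3702
# forwarded; a LAN probe/reply pair, then replies to two internet addresses.
FLOWS = [
    "192.168.1.20,49152,239.255.255.250,3702,140",   # normal multicast Probe on the LAN
    "192.168.1.50,3702,192.168.1.20,49152,1700",     # camera's ProbeMatch to LAN host: fine
    "203.0.113.9,3702,192.168.1.50,3702,140",        # unicast Probe whose source is an internet host
    "192.168.1.50,3702,203.0.113.9,3702,2940",       # reply to that host: 21x amplification
    "192.168.1.50,3702,198.51.100.4,443,3100",       # reply with no Probe seen at all
]
```

Calling find_reflections(FLOWS, {"192.168.1.50"}) returns two alerts: the reply to 203.0.113.9 at 21.0x amplification and the reply to 198.51.100.4 with no matching Probe seen.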

I think your "low risk" ignores the fact

Low risk to people who have ONVIF devices. The likelihood that one's ONVIF device is part of that pool is extremely low because of these highly atypical requirements.

It's obviously a higher risk to targets that might be hit using these devices.

Agree: 2
Disagree
Informative
Unhelpful
Funny: 1

I think it's still not fair to say it is low risk because of certain networking requirements for access to the target system; the vulnerability is there and exploitable. With everything having ONVIF these days, and with the average networking knowledge of users, the likelihood of a public facing ONVIF discoverable device being used in a botnet is extremely high.

Assessing the risk of a vulnerability based on an individual likelihood of experiencing it is short-sighted. It would be akin to not worrying about a Windows vulnerability update because you only have a 1 in 10000 chance of the specific exploit being used to infect your computer. You still need to take it seriously and update.

This is just another version of the NTP amplification attack. For years everyone thought it was a secure protocol, until people discovered that you could spoof the NTP server to attack a target.

Agree
Disagree
Informative
Unhelpful
Funny

"the likelihood of a public facing ONVIF discoverable device"

Yes but the likelihood of a publicly facing ONVIF device at the specific port number, that no manufacturer recommends to use, is very low.

Agree: 4
Disagree
Informative
Unhelpful
Funny

Assessing the risk of a vulnerability based on an individual likelihood of experiencing it is short-sighted.

No, it's what every human being does every day. There is a vast array of risks every time you walk out the door, but most are low and you can safely ignore them.

In this case, it is worth seeing what you are exposing to the Internet and, in the extraordinarily rare case 3702 is open, closing it.

Agree: 3
Disagree
Informative
Unhelpful
Funny

Regardless of your individual risk to this, it is still a serious concern, and anybody with a security product on their network needs to make sure the port is closed. The attack surface is large enough with enough amplification to warrant a higher risk assessment.

Agree
Disagree: 3
Informative
Unhelpful
Funny

Although I was not the first to point this out, after it was mentioned in a previous thread, I repeated this question in that "Is ONVIF Dangerous?" string:

Why does Vietnam (of all places) have ~80% of the exposed devices?

And why doesn't anyone but me (and the original poster) think this is strange enough to try and find out why this is?

Agree
Disagree
Informative
Unhelpful
Funny

How are you reaching that 80% figure? According to Shodan, the total results for ONVIF (filtered for port 3702) is 181,542. The total for Vietnam is 30,935. That's 17%.

Are you using numbers from somewhere else?

Even if it is 17%, though, I do still find it odd that Vietnam has the largest percentage.

Agree
Disagree
Informative
Unhelpful
Funny

I used the numbers from the graphic posted towards the end of the OP:

And I used a calculator to get the figure of 83.54795227715957 ([524,367 x 100] / 627,624), and represented that as ~80%.

Agree
Disagree
Informative
Unhelpful
Funny

The numbers were gathered from BinaryEdge.

Agree
Disagree
Informative
Unhelpful
Funny

The column to the left of the country is not the amount of devices in that country, it is the column to the right:

Agree: 1
Disagree
Informative
Unhelpful
Funny

oic.

What does the Entries column next to Products represent if the Entries column after Countries represents exposed devices in that country?

Agree
Disagree
Informative
Unhelpful
Funny

Exposed products with 3704 open from all countries.

So 524,367 of the devices with port 3704 open were ONVIF devices, based on the header returned.

Agree
Disagree
Informative
Unhelpful
Funny

Then how can all of the other three categories have higher 'countries'-based numbers than overall 'products'-based numbers?

Agree
Disagree
Informative
Unhelpful
Funny

Then how can all of the other three categories have higher 'countries'-based numbers than overall 'products'-based numbers?

Because not all the countries are shown, but most, if not all, products are; they are in descending order.

John, can you post the rest of the graphic, starting with the line for India?

Agree
Disagree
Informative
Unhelpful
Funny

They are all ONVIF devices. I am not sure what the difference in query/response is for BinaryEdge to separate them into different products, but they are all ONVIF devices with port 3702 open.

Here is an example of an ONVIF device when I go to the web interface:

"Unknown WSDD Device" when I browse to the interface:

The same is true of the other product categories. I am guessing they locate an ONVIF identifier differently between the product categories, but I have emailed them for more detailed clarity.

Agree
Disagree
Informative
Unhelpful
Funny

Given that these factors are individually rare occurrences, all of them being true is highly unlikely in the vast majority of installations.

but they are all true in at least 600,000 cases, right?

Agree
Disagree
Informative
Unhelpful
Funny

Has security researcher Preston figured out why the largest percentage of these at-risk devices are in Vietnam?

Normally, Vietnam has less than a hundredth of the results of the U.S. for ports besides 3702, yet here it has more than the U.S.?

IMO, it's too unlikely to be chance. Figuring this out will aid in determining how big an ongoing threat this is.

Agree: 1
Disagree
Informative: 1
Unhelpful
Funny

Maybe there's one extremely popular integrator who doesn't know what they're doing? Maybe they had a shortage of routers and ended up connecting a lot of devices directly to the Internet?

I wonder if you can partially dampen the effects of a DDoS by blocking Vietnam.

Agree
Disagree
Informative
Unhelpful
Funny: 1

Certain Asian countries LOVE cameras, IOT Devices, etc. Maybe their ISP has devices that are using that port. Maybe it has nothing to do with ONVIF, rather it uses that port and reports that. Maybe there are Smart City devices all over the place that are not present in large numbers in the US, etc... Who knows....

Agree
Disagree
Informative
Unhelpful
Funny

"Who knows...."

yes, but this is a pretty cavalier conclusion, no?

how can the aggregate data mean anything at all if the data itself is questionable based on statistical reasoning?

Agree
Disagree
Informative
Unhelpful
Funny

That's very far-fetched, to call ONVIF dangerous because of the possibility of using one faulty feature for DDoS.

DNS, BGP and even IP (ping to death server!) are dangerous as well. DNS was used and can still be used for DDoS. So here we go, let's stop using DNS and use a proprietary LAN connection.

Agree: 3
Disagree
Informative
Unhelpful
Funny

Is Verkada saying that their cameras, and cloud servers, are not vulnerable to any kind of DDoS attack?

If so, ask them if they mind if I verify that.

Agree: 3
Disagree
Informative: 1
Unhelpful
Funny: 7

Update: Axis issued a security advisory on this, partial screencap below:

While Axis says the impact is limited, they acknowledged that they are susceptible:

All Axis devices that support ONVIF are susceptible to the described attack. WS Discovery is enabled by default regardless of whether the ONVIF API is used or not.

And that they are evaluating future firmware updates for this:

Axis is investigating modifying WS Discovery behavior to reduce risk if port 3702 is exposed. If adjustments will be made, they will be announced in a future scheduled firmware release.

We will update here if they do.

Agree: 1
Disagree
Informative
Unhelpful
Funny