Secure Boot Could Eliminate Botnets - But Manufacturers Ignore It

Author: Brian Karas, Published on Dec 29, 2016

Increased cyber attacks have motivated video surveillance manufacturers to begin to release hardening guides, instructing users on how to better secure devices from attack. These guidelines put the onus on the installer or user to secure devices connected to the internet, but manufacturers could take another approach that would secure devices from software exploits, even if an attacker had the admin password.

"Secure Boot" support would all but eliminate exploits like Mirai, and by extension would make it less profitable for attackers to target security devices. Secure Boot is even available in some chipsets already in cameras, so why do manufacturers not enable it? In this report we provide an overview of Secure Boot pros and cons.

********* ***** ******* **** ********* ***** ************ ************* ** ***** to ******* ********* ******, *********** ***** ** *** ** ****** secure ******* **** ******. ***** ********** *** *** **** ** the ********* ** **** ** ****** ******* ********* ** *** internet, *** ************* ***** **** ******* ******** **** ***** ****** ******* from ******** ********, **** ** ** ******** *** *** ***** ********.

"****** ****" ******* ***** *** *** ********* ******** **** *****, and ** ********* ***** **** ** **** ********** *** ********* to ****** ******** *******. ****** **** ** **** ********* ** some ******** ******* ** *******, ** *** ** ************* *** enable **? ** **** ****** ** ******* ** ******** ** Secure **** **** *** ****.

[***************]

Bootloader ********

**** * ****** **** ** ********* ****** (**** * ****** or ***/***) ****** **, ** ***** ******** ********** ****, ***** ** responsible *** ******* ****** **** ******* ******* *** ******* **********, setting ** * ************** **** **** ***** **********, *** **** kicking *** *** ****** ********* ****** **** *******. ********** **** is **********, **** **** ****** ********, *** ** **** ***** a ****** **** ****** ********** **** ******* *** ******* ************ or *************.

Secure ****

** * ****** **** ******, *** ************ ***** * ****** ********** key **** *** *********, *** *** ********* **** **** ******* a ********** **** * ******** ***. **** ******** ******* **** replacing *** ********** **** **** ********* **** **** ***** ** used ** ********** *** ******.

** *** ** **** ******/******** **********, *** ********* ****** ***** be ********** ** **** *** ** ** ********** *** **********, and ***** **** ******* *** ********** ************ ** ** ********* signed. ** *********** **** *** *** ******** ****** ***** *** be ********** ** *** ********* ******.

* **** ****** **** ************** ******* **** *** **********, ********* system, *** *** ********** ******** (**** ** *** ********** **** enable ***** ********* ** * *** *********) *** *** ******** by *** ************ ** ***** *********. **** ***-**-*** ************ ** code ** ***** ******** ** ** * "****** ********* ***********" (SOE).

***** *** ********* **** ***** *********** ***** ** ****** **** and ** *** ** ****** ***** ** * *** ** help ****** ******* ********* ***** ********.

Supported ** **** *************

********** **** *********, *****/******** *** ******** *** ********* **** **** **** ***** ********* ** *** ******** market **** ******* ****** ****, ****** **** **** ** ************* using *** ******* ** ******** ** *** **.

Secure **** / *** *****

****** **** ******** * *********/*** **** ****** *******, ***** **** manufacturers ** ***** ********** **** ** ***** ******, ****** ********* for * ****** ********** **** ******** ** *****-*** *****.

*** **** ***** ** ************** **** **** ********** *********** **** ****** ** implement ****** ****/***. **** *** ******* ******* ********* ****-****** ****, **** *** things **** ******** ***** *******, ** ******* *** ****** *********** - **** ****** **** ****** ********** ***** ******* ** *******-********* packages. ************ ** *** *** **** **** ** **** ********* to ******* ***** ***** **********, ** **** **** **** ****.

Malware *** ***

************ * ****** ********* *********** ***** **** ** ********* ********* for ** ******** ** **** *** ******* ******* ** *** device. ** ** ** **** ***** **** ** **** *** encryption *** *** ************ **** ** **** ***** ********, *** impossible, *** ****** ******** *** **** ******.

Not * ***-***

*** *** ******** *** ****** ** ************ ****** ****/***, **** passwords ***** ***** ***** ********* ** **** ****** ** * system, *** **** ***** ** ******* ** **** ********** ********* that *** ************ *******. **** ***** ***** ***** * ****** attacker ** *** *****, *********** ****** ************* ********, ** **** reset * ****** ** ******* ********. *** **** ******, ****** passwords *** ****** ******* ******** *** ***** ****** **** ******* devices ******.

* ****** ***** **** ***** **** *********** **** ** ***** secure ***** **** ******* ********* ** ***** ***** **** *** device, *** ******* **** ***** ** ****** ** ****/******* ********* code *** ****** ***** ** **** **** ********* **. ** unsecure ***********.

Comments (47)

Marcelo Martinez

SATIS - Seguridad de Misión Crítica | 12/29/16 01:45pm

***% *****!

Itamar Kerbel

12/29/16 01:53pm

** *** ***** ****** **** ** **** *** *** ** protect * ******.

*'* *** **** *** * ***'* ***** *** ****** ****** could ** ********* **** ***. *** ******* *** **** ***** gained ****** ** *** ******* ***** ******* ******** *** *********.

* ***** *** ************* ***** **** ***** **** **** ** solve *** ****** **** **** ******* *** **** ** * camera *** **** **** ****** *** **** ************* *******.

** ***/**** ** *** ******* *** ***** ** *** ****** OS ** * ****** **** ********* ** ****** *** ******** a ****** **** *** ***** ***** *** ******* ******** ** how ** ** ** *** ***** * ***** *** ***** the ******.

**** ** ****** **** *** ***** *** ** ***** ****:*** ****** **** ***** ** ******* * *** **, *** What ** ***** *** *****

Brian Karas

IPVM | In reply to Itamar Kerbel | 12/29/16 02:11pm

*'* *** **** *** * ***'* ***** *** ****** ****** could ** ********* **** ***. *** ******* *** **** ***** gained ****** ** *** ******* ***** ******* ******** *** *********.

****** -

***** (*** ********* *** ***** ******) **** *** ****** ** take **** * ******:

**** **** ** *****-***** ****** ** * ****** (**** ***** be ***** * *****, **** ***** ***, ** ******* *** UI ************)
********/******* *** ****** ******* **** *** ** **** ** ****** remote ****** *******, *** ** *** ************ **** *** ****** might *** **** ** ******* (**** *** ******* ** ******/******* raw *******)

*** *** **** * ****** **** **** ****** ****** ** changing ******* ***********, *** ***** ***** ****** ** ***** ******* access, *** ***** *** ***** *****.

****** ****/*** ******* *** ****** **** ** *** *****, ** prevents ************ ******** **** *********. ** **** ** ******* ****** access ** **** ******, **** ***** *** **** *** *** botnet ********.

***** ***** *** **** ** ****** ** *** ***** *** security ****** **** *********.

***** #* ** ****** ** *** ***** ** *** ****/********* to *******, ************* *** **** ** ** **** ** *** sense ** ********* ****** *********, *** ***** **** ***** **** trade **** ** ********* ******* *****, ***.

***** #* ****** ** ***** *** ******* ** *** ************, they *** ********* * ****** ********* *********** **** ***** ******* devices **** *** ****** **********. ** **** ***** ** ******* against ***** ******** **** *** ** *****, ******* ***** **** a *** ** **** ***** ******, *** ** *** ****** do **** **** **** **** *****, ** ***** *** ****** less ******** *** *** **** **** ***** ** ***** ********* (though **** ***** ***** **** * **** ** *** *** discovered *******).

Undisclosed Distributor #1

12/29/16 03:51pm

**** ***** ** * ********* ******** ** *********** ********. ***** are * *** ***** ** ***** ** ** *** ******* world ******. #* - **** ** *** **'* *** ************ are **** ***** ******* *** ****** ** ** **** ************* that **** **** ***'* **** *** ** ****** ***** ****. This ** *** * **** ** ** ********/********* **** **** to *** **** ** **** ********* *******, **** **** *** using ****** **** *** **** ******* ** ******* ***** **** the ************* ****'* **** *** ** ****** ****** ** **** didn't **** **. #* - "****** ********* *** * ****** additional **** ******** ** *****-*** *****" **** ****** ** **** immediately. ***** ********* *** ***** ********** **** *** ** **** every *****, **** ****** ** ** ******** **** **** ******** the **** ** ***.

** (*** ************* **** *** **** ** * ***** ******** reference ****) ***** **** ***** *******, *** ************* *** ************* care **** ***** **** ******* ***** ****** ***** *** ** it *** ** **** **** ******* ***** *** ******** ******** then ** ** **. **** **** ****** ** ************ **** these ******* ***** **** ** ************* **** ** *** ** bad ***** *** **** **'* **** ** ******.

Brian Karas

IPVM | In reply to Undisclosed Distributor #1 | 12/29/16 04:18pm

#* - **** ** *** **'* *** ************ *** **** being ******* *** ****** ** ** **** ************* **** **** just ***'* **** *** ** ****** ***** ****.
#* - "****** ********* *** * ****** ********** **** ******** to *****-*** *****" **** ****** ** **** ***********. ***** ********* are ***** ********** **** *** ** **** ***** *****, **** refuse ** ** ******** **** **** ******** *** **** ** all.

*** ******** *******, * ***** *** ****** ************* **** *** solely ******* ** **** ** ** **** **** ****** ****. No ****** *** *** ****** ** ******** **, ******** ** expensive (******** ** ***** ******* ** **** ********). *** * think ***** *** ***** *************, *** ********* *** ****** ******, who ** ***** *** ******** *** ** ************* *** **** the ********* ** ********* ****, *** ****/****** ** ** * way **** ********* *** *******.

** ******** ****** * **** **** ******** **** ****** ***** cyber ******** ****** *** ***** ** ******** ** ** * big ******* ** ****. * ************ **** *********** ****** ****, and *** * ****** *** ****** ******* (******** ****** ** discover *** ****** **********) ***** **** * *********** **** ** promoting ********** ** *** "**** ******" ********, ********** * ****** price *** *************** ********** **** ******.

Undisclosed Distributor #1

12/29/16 04:27pm

* ***% ***** **** *** ** ****. ************* **** ** the "********" ******** ***** **** **** ***** *** ******** *** easiest ******** ** **** **** * ****/***** ******** ** **** can *** ***** ***** *** ********* ***** **** **** *** customer ***** ***** **** **** ** *** ******* $** ******. The **** ************************* *** ** ***** ********* *** ******* **** **** *** best ******** ********, *** **** ***** **** *** ** *** current **********, ******* ***** ** **** **, *** **** ******** just ***** ***** *** ***** ***** ***** ***** **** ***** manufacturers **** *****. ***** *** *** ********, ****'* **** *** best **** ** *** ******** ** *'* **** **** ** you *** **** ********* ****.

Itamar Kerbel

12/29/16 06:05pm

** **** * ****** **** ** * ***** ** ***************** company.

**** *** ********* *** **** ****** ** *** ********.

** ******* **** ****** *******. **** *** **** ** ** saying **** *** ******** ***** **** *** *** ******* ******* cameras.

** ******* **** ******** ** *** *** ******** ******* (**) offer ********* **** ************* ******* *** ****** *** *** ***.

**** *** **** ** ** ***** * *** **** ****** that ** ** *** ***** **** ** (******) ** ****** they **** ** ********....

***** *****....

Undisclosed End User #2

12/29/16 07:20pm

*********** *****, *** * ***** ****'* **** **** "**** **** of *** ******** (***/**** **** *******) ******* ** **** **** of *** ***** ** ******** (****** ****** */* ***************)".

John Honovich

IPVM | In reply to Undisclosed End User #2 | 12/29/16 07:26pm

#*, ***** ****** **** **** ******* ******* ******** *************?

Undisclosed End User #2

In reply to John Honovich | 12/29/16 07:30pm

***'* ***** **, ***** **** *** ********** *** ******* "******** application ** *** ***********".

Brian Karas

IPVM | In reply to Undisclosed End User #2 | 12/29/16 07:42pm

******, ****** **** ***** *** ******* *** **** **** **** offered ***-********* ******** **** ******* ****-**** ****** ** *******. ** would ******** ***** **** ******* *** ****** ****** ***** ** with **** ******, ******* *** *** ********* ** ******** *** camera ** * **** *** ***** ********* ********.

** ** **** ***** ********** **** ** ***** **** *** Axis *******, * **** ***** *** ** ***% **** **** an ******** *** *** ****** *** **********, ** ** ***** things **** ***** ***** **** ** *** **** **** * camera/device ***** ** ******* ******** *** **** *********. ****** **** would ******* **** ****** ********** (* ******** ** **** *** full ********** **** ** ***** ** ********) **** ******* ******** would ***** *** ******** ******* *** ****** ** ***** ********* were ***** ** * ******** ********* ******.

Undisclosed End User #2

12/29/16 08:24pm

****'* ****, **'* ******** ** ****** *** **** ****** **** to ***** **** **** ***** ****** **** ********* ** *** flash *** **** **** ****, ******* *** ** **** *********. (That's *** ***, ***** **** **** *** **** ** *******)

**** ** ***** ** *** **** "****** ****", ** ********** is **** ** ******* ***** "********" ******* ** *** *** device, *** ****'* ******* ***** **** ** **** ****. *'* thinking ** *** *** *********** ***/**** "******* ***** ************". ***** be *********** ** **** *** **** ***** ****.

*******, **** ********* *** **, *** **** ****** **** **** be ******** ** **** *****, ** * ***'* *** **** as *** *****.

Joshua Hendricks

Milestone Systems | 12/30/16 04:46am

* ***** ** ***** *** * *** ***** *** ********** this ********** *** **** ********* ** ********** *******-***** *********.

******** *** ** *** **** ***** *** *** **** ***** presence ** **** ****, ***** ***** ** **** *** **** to **-****** *** ****** ** **** ******* ******* *** ******* or ******* ******** *** **** (***** ******** ***'* **** ****** to *****/***** *** ****).

*** **** ******** ** ****** ******* ** *** ******* **** level ** *********, *** * ******* **'* **** **** ** accomplish * ******* ***** ********* ** ** *** ****** ******* physical ******. ****** ** ****** *** **** ******** ******* *** updates **** *** **.

** *'* *** ***** (*'* **** ******* **% ****), **** there ***** ** ****** ** ** ***** ** ************ ****** boot **** ****** ** *** ******** ***** ** ******* *** there ********* *****.

*******, ** * **** ******** ********* *** * ********** ** other **** ******** *******, * ***** ****** ** *** ***-******* devices ** ** ***** *********** ******* ******* ***'* ** ******** persistent *******. * ******* ****** *** ***'* *** ********* ******** and *********** *** *** ** * ********* ************** **** *** "script ******" ***** ******* ****.

** *'* ***** *** *** ********* **** ** *** ** somehow ***** ** *** ** *****(*), **** **** *** ******* to *** ***** ** *** ********** ***** ********** *** ********* check, **** **** ***** ** * ********* *** ** **** down *** *******. * ***** **** ***** ** ****** ***-******* though.

** *** ** *****, *'* **** ***** *** *** **** ability ** **** ******* "********" **** *********** ******* ******* **** this ** ******* ******** ****** ******* **** ***** *********. ***** probably *** **** ******* *****. ** ***** **** *********** *** linux ** ******* **** **** ****** ** * ********* ** keys ***** ** *** **** ***.

** ************* **** ** ** ****, **** *** **** **** to ********** ****** **** ********* ***** ** ** ****** ***** the ******* *** **** *** ************ ** *** *** **** your ********** ****, ** ** ******** * **** ** *** manufacturers *********** ******** ******** *** ****** **** ********* ******** ******* the ************* ********/*********.

Joshua Hendricks

Milestone Systems | In reply to Joshua Hendricks | 12/30/16 05:10am

*** ***** ****** **** ***** ***** *********** ** ******* ******* by ********* **** ************ **** **** *** ***** ***** **********, even ** ****** ** * *****/******* ****, ***** **** ** be ******* *** ***** **** ** ******** **** *** ************ cert *** ******. **** ***** ***** ******* ******* ***** *** private *** ** ***********, *** *********** **** ** ** ***** warning ****** *** *** ************ (** *** ***** *********** ** audited *** ***** ***** ** **** **** ******, *** *** want ** ****** **** ***********).

Undisclosed #3

In reply to Joshua Hendricks | 12/30/16 06:35am

******** *** ** *** **** ***** *** *** **** ***** presence ** **** ****, ***** ***** ** **** *** **** to **-****** *** ****** ** **** ******* ******* *** ******* or ******* ******** *** **** (***** ******** ***'* **** ****** to *****/***** *** ****).

**** ** *** ***, ** *** **** **********?

*** **** ******** ** ****** ******* ** *** ******* **** level ** *********, *** * ******* **'* **** **** ** accomplish * ******* ***** ********* ** ** *** ****** ******* physical ******. ****** ** ****** *** **** ******** ******* *** updates **** *** **.

********** * ******* ** ****** **** *** *** ** ** root, **** ***** ****** ** ****** ******.

Joshua Hendricks

Milestone Systems | In reply to Undisclosed #3 | 12/30/16 11:17am

*********** * ***** **'* *** **** *** *** **** **** is ******** *** ** ****. ** ******** ******* ******* ***** exclusively **** *** ******* * **********, ** *******. **'* **** bootloader's ***, **** **** **** **** ***** *** ****/**** ***** (GRUB, *****, ***).

** *** **** "**********" ******** ********* ******* *** **/*** ***** and *** *** *****?

*** ********, * *** ******** **** ***** ****** **** ********, and * *** *** ***** *** **** ** **** ** accomplish ******** ** ******** ****. ** *** ******* ***** ** to **** ***** ****** ******* *** ****, *** ******* ***** be ** ******** ******* ** **********/******** *******.

* ***** ****** ** ***, ** **** ******* ********** ****** to **** *** ****** *** ******* ******* ********** ** *** kernel ** *** ** *****?

Undisclosed Integrator #4

In reply to Joshua Hendricks | 12/30/16 03:31pm

*** ***** ******, ** *****, *** ** *** ******** **** UEFI, ***** ***** ******* **** ** ** ****** ** ***** secure ****. ****** ******* ***** **** **** **** ** ** signed, ** **** ******* ******.***********. **** ***** ****** *********.

Undisclosed #3

In reply to Joshua Hendricks | 12/30/16 05:48pm

** *** **** "**********" ******** ********* ******* *** **/*** ***** and *** *** *****?

*** ******, *** ** **** ** * *** **** **** a **********, ****'* *** * *** ****** ** ******* **** you ******** ** "** *** **** *****".

Undisclosed Integrator #4

12/30/16 03:23pm

"*** ** ************* *** ****** **?" ******** *********** *** ****** that ***** ** ******** *** ****. ****** ***********, *******, *** even ****** *******? ****, ****'* ******* ****-*********. *** *********? ** Linux, ** *****, ****'* ***** * ***** *** **** **** just ********* ** ** "*******".

***:*****://****.******.***/****/**********************************

**** **'* ********* ***** **** "*** **** ***** ** ************** come **** ********** *********** **** ****** ** ********* ****** ****/***. This *** ******* ******* ********* ****-****** ****", *** ***** *'* just ***** ********, *** *** ******* **** ***** ********.

********** *****, ** ***** ***** ***** *** **** **** **** run **** ****** **** ** ***** *****? ********* *******.

Undisclosed Integrator #4

In reply to Undisclosed Integrator #4 | 12/30/16 03:40pm

** ****, **** ****** **** ***'* * ***-*** (** ******* ever *** **):

*****://***.*******.***/*****?*=***********

****://***.******.****/*****/********-***********.***

****://***.******.***/****/**/**/******-****-******-********/

***** ************ ** *** **** *****, ****, *** *** ********* stands. * ** ***** **** ******** ****** ************* **** ** keep ** **** *** ***/***** ****, *** *'* *** ******* that ****'** **** **** **--********** ** *** ****** ** * race ** *** ******.

Brian Karas

IPVM | In reply to Undisclosed Integrator #4 | 12/30/16 06:21pm

***** *'* **** ***** ********, *** *** ******* **** ***** flippant.

*****, * ********** *** ********. *** ******* *** ** ***** to ****** **** * ***** ** * ****** ******** **** people ***** **** **** ******** ***** ****** ********* *********** *******, "if **'* ********, *** ****'* ************* ***** **?" *** ******, of ****** ** ******* ** ** *** **** ** ****** as ******* ********* **, *** **** **** *** **** ** should *** ** ********** ** ****** ** ********* ***** ******** issues.

*** ******* ** **** **** *** ** **** **** ********* to ********* **** ** ****** *******, *** **** *** **** does *** **** ** **** ****** ** *** **** ** integrator.

***, ***** ** ****** ******** ** ****** ******* **** ******, and ***** ************* *** ******* ******* ****** **** **** ****** security. ****** **** *** ****** ************ ******* *****, ** ******* degrees, ** *** ** *****.*******, ** *** *******, ***** ******* *** ******* ******** **** what ** **** *** *** *** ********* ** **** *******.

*** ********* ******* ** ******** ****** ** ******* ** ******** devices, ***** *** ********* ** *** **** ** **** **** actual ***** ********** ********** ******** ************. **** *** ********** ****** for ****, ** ***** ******* **** ******* *** ***** ****, but ***** *** * **** **** ***** **** ** *** broader ************ ****.

********** *****, ** ***** ***** ***** *** **** **** **** run **** ****** **** ** ***** *****?

*** ********** ******, *** **** ** ***** ** **** ****** to **** *********** ******* ****** **** *****'* ****-******* ************ (*** example), *** ******** *******. ** ** ******** *** * **** to **** *** ******-**** ************ ** ******* ****, ******* ***** are **** *** **** **** *** ***-***** *** *****. *** an ******** ****** ***** ** *** ** **** *** ************-****** code, ** *** **** ***** (****** ****, ****** ******, ***.) was *** ***********.

Undisclosed Integrator #4

In reply to Brian Karas | 12/30/16 07:01pm

** *** **** ** *******, **** ***** *************. *** ******* **** *********, ******, ** **** *** "*****" are ***** *** **** ****** ****** ****** *** **** ***** (default ***********, ********). ** **** *****, **** ** *** ****** access/control ***'* **** ** ** **** ********** ******* ** ****** boot ** **., *** ****** ** ***** *****.

** **** **** *****, ****'* ***** *** **** *********** ****** in ************ **** ************ ***** **, ** **** ** ** concern **** *** ********. ************* *** "********" ****** **** *** userspace **** ******* ************ ** *** **** *** **** *'* "ignoring" *** ****** ** ****** * *****.

Undisclosed End User #2

In reply to Brian Karas | 12/31/16 08:59pm

**'* ****** **** ** ***** ** *** *****, **** ***** outside ** *** ***.

> *** ** ******** ****** ***** ** *** ** **** run ************-****** ****,
> ** *** **** ***** (****** ****, ****** ******, ***.) was *** ***********.

*** ***** ** ********* **** ****/******/*****/***.. *******?

Joshua Hendricks

Milestone Systems | In reply to Undisclosed End User #2 | 01/01/17 04:12am

******* *** ******** *** ******, *** **** ******* ***** ** executed ***** * ******* **** ******* **** ******/*****/*** (***** ** another **** ** ******).

** ******** **** *** ****** ** **** ******** ** ****, the *** ** *********** ******* ***** ** *********.

** ***** ********** ** * *********, *** * ****** *** to *********. * ****** ** *** **** ** *** ****** could ** ****** ** *** ****** ******** **** ********* ** security? **** *** ** ********** *** ******* ******* *** ********* (for ******* *******), ******* **** ***** ******* ** ** ********?

Undisclosed #3

In reply to Joshua Hendricks | 01/01/17 04:37am

* ****** ** *** **** ** *** ****** ***** ** slowed ** *** ****** ******** **** ********* ** ********?

**** ** *** *** ** *** *** *******/**** *********, ******** will ** ** ******** * ****** ** ** **** ** demanded.

Joshua Hendricks

Milestone Systems | In reply to Undisclosed #3 | 01/01/17 05:07am

**** *****. ****'* *** *** ******* ***** *** **** **** effective *******. ***** ******* **** ***** ***** ** ******* ******* and ********* *** ******** **** ** ** **** ******.

Undisclosed #3

In reply to Undisclosed Integrator #4 | 12/30/16 06:41pm

...** ***** ***** ***** *** **** **** **** *** **** signed **** ** ***** *****?

***

Undisclosed Integrator #4

In reply to Undisclosed #3 | 12/30/16 06:52pm

**! ** **** ******* **** * ********** ******. *** **** is * **** ******* **** **** **** ******** ** * core *******, ******** *** ***** *****.

Paul Curran

01/03/17 06:41pm

****'* **** ** *** ******** ****** ***** ******** **** ** people ******* *********** *** ******** ** **** **** ***** ******** and *********. ** **** ****** **** ****** **** ***** ****? Would *** **** *** ***** ******* (***** ** ******** *** at ***** **** ** * ****** **********) ** *** ********** key *** ****** ****?

Brian Karas

IPVM | In reply to Paul Curran | 01/04/17 02:33am

**** -

**** ****** **** *** ******** ***** ********* ** *********. *******, any ********** *** (*************) ** ******, *** **** ***** ** would ** **** *** **** **** ****** **** ******** ***** be ****** ********.

*****, ** **** *** ******, ** ******** ***** ***** ******* account ***********, *** **** ***** ******** ** *** ********, *** would ** **** ******* ** **** **** ***** ** **** that ****, ** **** ***** *** ****/*** ********** ********, **** could **** ******** **** *** ************ *** ******* ***** **** the ********.

*** ********** **** *** *** ** *** ************, *** *** not ********* ********** ** ************ ** *** *** ****, ** it ** *** **** ** ***** ********* ** ****** **** that.

**** ** *** ********** **** * ****** **** ************** ** that *** ************* *** ******** ****** ** **** ****** **** secure. **** ***** ****** (*********) *** ** ******* *** *** effort ** ************ ****** ****, *** **** ***** ****** **** (or ***** ** ****** ******** ****** ********), *** **** ** technically ********.

* ** *** **** ** ***** **** ****** **** ** a ***% *** *** ****** **** *****, *** ** ***** go * **** *** ** ****** ******* **** ***********, *** making *** ***** ******** **** ********, ** **** ** ******* more *****/********** ** ***** (*** *** ***** **** ****, **** still ** *** **** * **** ***** ******** ;) ).

Undisclosed #3

In reply to Brian Karas | 01/04/17 02:50am

*** ********** **** *** *** ** *** ************, *** *** not ********* ********** ** ************ ** *** *** ****...

***** **** *** ****** *** *** *** ** ******* *** firmware ** *** *** *** ************'* ****** ***?

Brian Karas

IPVM | In reply to Undisclosed #3 | 01/04/17 02:59am

** ** * *** ******* ** *** ************, *** ** is *** "******". ******* ** *** *** **********/********** ***** (**, worked, ***** *** *** **** **** ****** ******* ***** ***).

Undisclosed #3

In reply to Brian Karas | 01/04/17 04:19am

**, *** ***** *** *** ** ******* *** ******** ** in *** ******** ******?

** * ***?

Undisclosed #5

In reply to Brian Karas | 01/04/17 04:46am

*****,

*** **** ***

************ **** ******* **** ******* ****** ***

*** ******* **** ******* **** ******* ******* ***

*****?

Undisclosed #3

In reply to Undisclosed #5 | 01/04/17 08:42am

************ **** ******* **** ******* ****** *** *** ******* **** decrypt **** ******* ******* ***

***, *** **** ****** ***** *** *** ************'* ****** *** to ******* ***** *** ***** ********, ***** ***** ** ******** by *** ******, ***** ** **** ** *** ****** ** avoid **** ******-****.

Undisclosed Integrator #4

In reply to Undisclosed #3 | 01/04/17 01:39pm

*****'* **** ********* ***** ** ****. ****** **** *** **** use*******, *** **********, ** ****** **** *** ******, *******, ***. have *** **** ********. **-**** ********** ** **** **** ** an ******** ********* ****** **********. (*****, *** ** ** ********* on "***" ******* *** *** ******** ****.) *** ***'** ******* into ******-********* *******, ******** ************, *** ***** *** *****. *'* be ******* ** **** **** ******* ******** **** **** ****** how **** ***** ****** *****.

Brian Karas

IPVM | In reply to Undisclosed Integrator #4 | 01/04/17 02:02pm

*** *** *******, *** ******* ******** ********** *** ******** *** authenticity *** ****** **** ** * "******" ****** **** **************. However, ** ***** **** ** ****** *** *** ******** **** itself ** ** ********* ** **** ** ****** ** ****** extracted *** *******-**********.

*** ***** ** ************ *** *** **** ** ******** *******, where *** ******** ** ********* *********** ** * ******** ***** (OS, ******** *******, ***.), *** *** *** *** ******** ** environment ***** ***** *** ***** ** ** ******* ****** ********/************ on ***** ***.

Undisclosed #3

In reply to Undisclosed Integrator #4 | 01/04/17 03:52pm

****** **** *** **** *** *******, *** **********...

*** ******* **** **********.

** *** **** **'* *** **** *******, ****** * *** is ********* ** *** ****** ** * ***** ***** **** be ***********.

Undisclosed Integrator #4

01/04/17 04:06pm

*** ******* **** **********.

****, ******** ********, *** ****** ******* ********* **** *** **** encrypt **, ***** ** *** ***** * *** ******. *** yes, *** ** **** * **** ** *****, *** ***** are *** ****** **** ******* **** **** ******* ** *** a **** **** ****:

****://***.****.***/*****/*******/*****/*********/****%*****%*******%*************%***%***%****%**(***).***

****://***.****.***/*****/*******/*****/*********/****%*******%*******%*******%**-%*******%****%*******%********************.***

*****://***.****.***/*******-****/***********/*******/************-********-*****-*****-*******-********-******-***-*****

(****: **** ****'* **** ** *** *******-** ******* *** **** reason, ******'* ****)

Undisclosed #3

In reply to Undisclosed Integrator #4 | 01/04/17 04:31pm

...*** ****** ******* ********* **** *** **** ******* **, ***** is *** ***** * *** ******.

** ***** *** **** **** ** ************ *** ******** *** **** *** **** ********** ** ************ that ******* ***. **** ** * ********, *** *'* *** sure ***** ** * ****** ***** ******* **** *** ***** yet.

Undisclosed Integrator #4

In reply to Undisclosed #3 | 01/04/17 05:39pm

...*** **** ********** ** ************ **** ******* ***...

**** *** ****** ******** ********** **** ********* * ********* ******** only **** *** ****** *** ** ******* ** *** ******. Attackers *** **** ******* *** ******** *** **** ****--**** ****'* going ** ** **** ** *** **** ** *** ****** without ****** *** ******* ***, ** ******** ****** ** *** device (** **** ****).

Undisclosed #3

In reply to Undisclosed Integrator #4 | 01/04/17 06:00pm

********* *** **** ******* *** ******** *** **** ****, **** aren't ***** ** ** **** ** *** ****...

**** **** ** ******* **, **** ** **** ***'* *** it. **'* *** **** **** *** *************** ** *** "******" version.

Undisclosed End User #2

In reply to Undisclosed #3 | 01/04/17 06:31pm

*****, *** ** *** ****** *** *** *** ****** ***/** encrypted, *********** *** **** **** *** *** *** ** *** it - *** *** *******.

***** ** *** ******* ***** "**** **** ** *** ******** (can/have **** *******) ******* ** **** **** ** *** ***** of ******** (****** ****** */* ***************)".

************ ****** **** (***** **** ******* ****) ***** *** *********** that ****** ** ***** ***** *** ******, *** ****** **** researcher *** ****** *********** *** **** **** *** ******** *****.

**** *** ****** **** ** ************* ********, *** *** * totally ***** **** **** ******** ****** ***** ** *** *** down ** ******* **** *** *** ************ ******* ****.

*** *** ******* ** **** ** **** **** **** **** some ******** ***** ***** ********* **** ** ********* *** **** to ******* ****.

Undisclosed Integrator #4

In reply to Undisclosed #3 | 01/04/17 06:33pm

** **** ** ** **'** ********** ****? *** ******* *** about ****** ****. ** ******** *** ***** ****** ****, **** one ******* ********** **** ******* **** *** ****** ******** ** do **** ********** ** *** ********. ** ** ******** **** to ******* *********** ******** *** **** ********-*********** ***************, **'** **** to *** ***** * *** **** ***** *** ********** ** extending *** ***** ** ***** ** ********* ********.

***** **** **'** ***** ** *******.

Undisclosed End User #2

In reply to Undisclosed Integrator #4 | 01/17/17 11:02pm

********* **

Undisclosed End User #2

01/04/17 06:36pm

***, * ******** **** *** ****

Brian Karas

IPVM | 01/16/17 01:43pm

**** ** *** ** ***** ******** ** ******** *******, *********'* ****** ******** ********* **** ******* **** *** ****** ******* ******** *** ************** on *** *******. ** ** ** *********** **** *** ****** interested ** ***** ******.

Login to read this IPVM report.

Why do I need to log in?

IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Most Recent Industry Reports

FLIR Restructures Security Division on Aug 22, 2017

FLIR's goal was once to have a single end-to-end security solution. However, FLIR's Security business unit has been struggling, with several areas...

Honeywell Total Connect 2.0 Tested on Aug 22, 2017

Honeywell is one of the biggest brands in security, with Total Connect 2.0 being the company's remote security and smarthome platform. We bought...

IP Camera Cabling Testing Statistics on Aug 22, 2017

Test and certify, or crimp and pray? Some integrators certify every cable they run, while others only inspect cables that have video issues. 130...

Dahua 4K IR PTZ Tested on Aug 21, 2017

4K has made its way to IR PTZs. In this report, we examine the Dahua 6AE830VNI, a 4K PTZ with 30x optical zoom, 200m (~650') integrated IR, and...

Top Used License Plate Capture Cameras on Aug 21, 2017

Capturing license plates is a common video surveillance application. But what cameras do integrators mostly commonly used? Special purpose LPC...

VLAN For Video Surveillance Usage Statistics on Aug 21, 2017

VLANs (see our tutorial) are an option for networks using video surveillance, but how often are they actually used? 125+ integrators told us how...

Avigilon CEO Attacks Asian Companies Cyber Insecurity on Aug 18, 2017

Avigilon CEO is taking aim at their Asian competitors. And he is going directly after these company's cyber security issues. In this note, we...

Sony Next Gen HD Dome Camera Tested (SNC-EM642R) on Aug 18, 2017

Sony has released their latest generation, claiming improved WDR and low light, increased IR range, and more. We tested the SNC-EM642R outdoor IR...

IP Networking Course September 2017 on Aug 17, 2017

This is the only networking course designed specifically for video surveillance professionals plus it includes live training, personal help and...

Knightscope Raises $10 Million With $3,320 Average Per Investor on Aug 17, 2017

Congrats to Knightscope. And condolences to their legion of little investors. Knightscope has disclosed they have raised $10+ million from their...

Secure Boot Could Eliminate Botnets - But Manufacturers Ignore It

Comments (47)

Marcelo Martinez

Itamar Kerbel

Brian Karas

Undisclosed Distributor #1

Brian Karas

Undisclosed Distributor #1

Itamar Kerbel

Undisclosed End User #2

John Honovich

Undisclosed End User #2

Brian Karas

Undisclosed End User #2

Joshua Hendricks

Joshua Hendricks

Undisclosed #3

Joshua Hendricks

Undisclosed Integrator #4

Undisclosed #3

Undisclosed Integrator #4

Undisclosed Integrator #4

Brian Karas

Undisclosed Integrator #4

Undisclosed End User #2

Joshua Hendricks

Undisclosed #3

Joshua Hendricks

Undisclosed #3

Undisclosed Integrator #4

Paul Curran

Brian Karas

Undisclosed #3

Brian Karas

Undisclosed #3

Undisclosed #5

Undisclosed #3

Undisclosed Integrator #4

Brian Karas

Undisclosed #3

Undisclosed Integrator #4

Undisclosed #3

Undisclosed Integrator #4

Undisclosed #3

Undisclosed End User #2

Undisclosed Integrator #4

Undisclosed End User #2

Undisclosed End User #2

Brian Karas

Login to read this IPVM report.

Most Recent Industry Reports

Member Login