I heard the latest government ban will now include Axis, Bosch and Sony. Since virtually every manufacturer has had vulnerabilities, the government now suggests that you should arm your properties via Home Alone style booby traps. Much less prone to hacking and obviously more effective at deterring bad guys.
Sony Gen 5 IP Cameras Critical Vulnerabilities
Cybersecurity vulnerabilities remain prevalent in video surveillance devices.
Now Talos researchers have discovered multiple vulnerabilities in Sony Gen 5 cameras. Inside this note we examine:
- Ease or difficulty of exploit
- Vulnerabilities explained
- Impact compared to others
- Manufacturer response
Key ********
***** *** *** *************** (***-****-**** *** ***-****-****) ** **** *** * ******* (~2012 - **** *****), **** ****** a ******** *.* / **.*.
****** ******** *******:
*** *************** ****** **** ***** **** firmware *.**.** **** ** ** ***** 1.79.00 *** ******** ***** ******* ** well. *** *************** ** *** ****** current *** * *******.
**** *********** ******* ************* ******** *** ***************.
Exploit *********
*** ********* ****** ** **** *** the ******* ** ******* ** ********. Because the *************** ***** ****** ***** ******** to ** ******** ******* ******* *** admin ********, ** ****** *** ******* to ** ***** ****, **** ** part ** ***, *******, ***. *******, because *** *** ** **** **** commands ** *******, ** ** *** as ****** ** **** ***** (*.*., the**** ********** ************ ********).
*********, ******, *** **** ** **** and ********** ******* ****** ** ********.
*******
** ************ ****** **** ***** ** concept ** * **** ***-***** **** firmware ******* *.**.** ** **** ** a **** ***-***** ******** ******* *.**.**, as ************ ** *** *** *****:
Response **** ****
**** ********* ** ****:
**** ******** ************** *** *********** ********* ******* security ** * ***** *****.
******** *********** ******* *** ******* *** accordingly, ***** *** ******** ** ****** through *** ******** *** ********.
**** ********* ** ********** ************ ******* ******* security *******, ******* ** *******, *** strive ** ****** **** *** ********/********* are ****** ********
*******, ** **** **** ** ***** done ** * ***** *****, ** does *** *** ******** ** *** these * ******** *************** **** *** found ** **********.
2016 **** ********
**** ** *** *** ***** ******** vulnerability ***** ** ****'* ** *******. In ****, *****-***** ******** *** *********.
Bosch **** ****** ******?
****, ** ****,***** *********** **** **** **** ***** surveillance. *** ** *** ****** ***** promoted ** ***** ******** ** ********** and ************* *** **** **** ***** apply ***** ********* ** ****. ** the *** ****, ***** *** ***** Sony *******, ** *** *****, ** remains ** ** **** **** ******** and ********** ***** **** ***** ** Sony's ** *******.
Since virtually every manufacturer has had vulnerabilities
Though none with the frequency and severity of Hikvision and Dahua.
Mobotix devices can't even be reset with a trip to the factory. It's a double-edged sword, security vs convenience, and I'd take security.
UD 1, that is a false statement. These types of ongoing statements are similar to the Russian campaign that put us in the presidential mess we are currently in. Why is it I expect to see the word Hikvision in every comment section (no mention in the article)?
These guys/gals actually believe these things as fact, the more the random UDs post this type of comment without the stones to identify themselves.
In addition, I get it that "critical vulnerabilities" sells papers, but understand that this only occurs when one exposes these devices to a public network. Who does this? This sensationalist journalism, without divulging all the facts regarding risks, has many of my clients asking about risks constantly (there are none on closed private networks).
So those of you with Sony Gen 5 cameras, assess your system design before becoming alarmed about system exploits.
I get it that “critical vulnerabilities” sells papers
And if we did not report on this, then you and other Hikvision dealers would attack us for only reporting on Dahua and Hikvision's vulnerabilities.
Secondly, we linked to the full disclosure report in the free / publication, so we are hardly going to sell anything with this.
only occurs when one exposes these devices to a public network. Who does this?
Jeffrey, lots of people - either by design or by mistake. Mirai botnets and Dahua massive hack attacks would not happen if no one did this.
And even if you are on a 'closed private network', better to upgrade devices lest at some future point, network changes (by design or mistake) make them accessible.
UD 1, that is a false statement.
Please elaborate. Which manufacturer has had more vulnerabilities and exploits than Hikvision (or Dahua)? Which manufacturer, or vulnerability, has had vulnerabilities with more severity than Hikvision's magic string, or Dahua's built-for-botnets flaws?
Maybe, but that doesn't support the (to me) implied position that "all" manufacturers have had vulnerabilities on par with Hikua.
Nominating TVT makes it seem more like all Chinese manufacturers have produced insecure devices that create an undue amount of risk for the end-user (also, we might as well lump XM in here too, for their part in Mirai at least).
I am not seeing evidence that Hikua's biggest competitors (Axis, Avigilon, Bosch, Hanwha, etc.) in the commercial segment have in any way suffered from the same kind and frequency of vulnerabilities as the Chinese products.
I'd say nobody is even close to the Big Three.
https://www.shodan.io/search?query=dahua
I think it is because while Western products were initially designed to be used in regulated environments and with the cyber security in mind, at least to some extent, the Chinese products are designed to barely do their job at the lowest possible cost.
Mr Hinkley, what mess do you speak of? Our GDP is at a record high, as are my investment returns. Our business is at a five-month backlog... I am enjoying this mess.
I am a decendant of Governor Thomas Hinckley, Plymouth Colony, so I would hope you can get my name correct.
Sorry it took me so long to respond, I only visit IPVM 1-2 times a week.
I guess my point is that none of the manufacturers is immune to security vulnerabilities if you put their products with all ports open on a public IP. Design on a simple basis is key for all products. Do you need a valid gateway? Do you need to have a DNS address? In my case (City/Commercial Enterprise Networks) the answer is no. Flat enterprise VLANs are the way to go. On smaller systems (single site), dual NICs with one for the cameras (no gateway) and one to the customer's data network eliminate any form of vulnerability.
I guess my other gripe is with the pessimism that exists in posts, including comments about the security flaws with Hikvision (and Dahua). I see few articles and posts from IPVM where these names do not come up in some fashion. I am not going to name any manufacturers (to show bias) but you have to realize that the others have a similar amount if not more vulnerabilities. Look it up, research it, and you will find that all IoT devices are equally exposed if you give them a public address or route them to networks with "bad guys/gals/kids". You would think SonicWall or Barracuda would release some cameras with their software providing protection (but not complete protection). This would of course increase CPU/memory needs of the devices.
In the Trump era (by the way, I am an independent, neither supporting the USA left or right) we finally have a following that are truly the bad guys. Polls show that only 20% of Republicans were against Trump's speech at Helsinki. How is this possible? Because these followers were groomed by Fox News and Breitbart.
I have been an IPVM member since the beginning (when it was on LinkedIn groups), so I have been around for a while. It stinks that IPVM has scared away all of the manufacturers from making comments (I get it, I would tell my employees today "you're fired if you post") as well as other top-level integrators like myself (20 years experience, Electrical Engineer). Now it seems all of the followers, even though many, are the "yeah, what he said" variety with limited technical insight to discussions.
In this discussion, an article was written about a product (which by the way, had a vulnerability which the manufacturer corrected via firmware update) with the 2nd comment including (which by the way, was deleted by IPVM) a remark about Hikvision/Dahua vulnerabilities (by an undisclosed contributor). How's that for manipulating commentary and news feeds. I no longer start threads in the discussion section because IPVM commonly changes my title and words.
Members are missing out on true support and commentary by those in the trenches in this sector because of the manipulation of our wording and subject matter. I expect that this post will be soon edited, so those that read it, chime in to bring back the original and true mission of IP Video Marketplace.
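The dual-NIC design described in the post above (cameras on one interface with no gateway, the customer data network on the other) is only as good as the recorder's actual routing and forwarding state. The following is an added example, not code from the original thread or from any manufacturer: it parses Linux `ip -4 route` output and the `net.ipv4.ip_forward` sysctl to confirm that the camera-side interface carries no gateway and that the recorder does not forward packets between the two networks. The interface names, subnets and route text are constructed for illustration.

```python
"""Audit a dual-NIC recorder's segmentation (added example, constructed data).

Checks two things a practitioner would verify on the recorder itself:
  1. no route on the camera-side interface points at a gateway ("via"), so
     camera traffic cannot leave the camera subnet through the recorder;
  2. IPv4 forwarding is off, so the recorder does not act as a router
     between the camera NIC and the customer data NIC.
"""
import re

# Constructed sample of `ip -4 route` on a recorder where eth0 faces the
# customer data network and eth1 faces the camera network with no gateway.
GOOD_ROUTES = """\
default via 10.10.0.1 dev eth0 proto static
10.10.0.0/24 dev eth0 proto kernel scope link src 10.10.0.50
192.168.50.0/24 dev eth1 proto kernel scope link src 192.168.50.1
"""
GOOD_SYSCTL = "net.ipv4.ip_forward = 0\n"

# Constructed sample of a misconfigured recorder: the default route was set
# on the camera interface and forwarding was left on.
BAD_ROUTES = """\
default via 192.168.50.254 dev eth1 proto static
10.10.0.0/24 dev eth0 proto kernel scope link src 10.10.0.50
192.168.50.0/24 dev eth1 proto kernel scope link src 192.168.50.1
"""
BAD_SYSCTL = "net.ipv4.ip_forward = 1\n"


def parse_routes(text):
    """Turn `ip -4 route` lines into dicts with dst, dev and via fields."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        route = {"dst": parts[0], "dev": None, "via": None}
        if "dev" in parts:
            route["dev"] = parts[parts.index("dev") + 1]
        if "via" in parts:
            route["via"] = parts[parts.index("via") + 1]
        routes.append(route)
    return routes


def audit_segmentation(routes_text, sysctl_text, camera_if):
    """Return a list of findings; an empty list means the design holds."""
    findings = []
    for route in parse_routes(routes_text):
        if route["dev"] == camera_if and route["via"] is not None:
            findings.append(
                f"route '{route['dst']}' on camera interface {camera_if} "
                f"uses gateway {route['via']}"
            )
    match = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_text)
    if match is None or match.group(1) != "0":
        findings.append("net.ipv4.ip_forward is not 0: recorder can route "
                        "between the camera NIC and the data NIC")
    return findings


if __name__ == "__main__":
    for label, routes, sysctl in (("good", GOOD_ROUTES, GOOD_SYSCTL),
                                  ("bad", BAD_ROUTES, BAD_SYSCTL)):
        result = audit_segmentation(routes, sysctl, "eth1")
        print(label, "->", result or "no findings")
```

On a real recorder the two inputs come from `ip -4 route` and `sysctl net.ipv4.ip_forward`; the check says nothing about insider access or devices that bring their own uplink, which is the point raised further down the thread.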
In this discussion, an article was written about a product (which by the way, had a vulnerability which the manufacturer corrected via firmware update) with the 2nd comment including (which by the way, was deleted by IPVM) a remark about Hikvision/Dahua vulnerabilities (by an undisclosed contributor).
No comment was deleted here. I get emails for every comment posted on every thread and I just cross-checked that to what is posted here and all comments remain, none were deleted.
Indeed, the 2nd comment about Hikvision/Dahua vulnerabilities is still right there, I'll screencap it for you to make it clear:
I'd appreciate if you acknowledge you made a mistake.
It stinks that IPVM has scared away all of the manufacturers from making comments
What are you talking about?
- Dahua just gave us a statement today about the head of the overseas business unit being removed.
- Axis commented to us earlier this week responding to integrator IPVM members about their product shortage.
- Various Hanwha employees have responded this week to a discussion posted by a federal agency.
As for:
I expect that this post will be soon edited
No, I am happy to leave it as is, errors and all.
I guess my point is that none of the manufacturers is immune to security vulnerabilities if you put their products with all ports open on a public IP.
Where has someone claimed another manufacturer is immune? I saw a comment about Mobotix having no reported vulnerabilities so far (I have not spent any time determining if that is correct or not, just to be clear). However, I do not recall seeing claims of vulnerability immunity.
On smaller systems (single site) dual NICS with one for the cameras (no Gateway) and one to customers data network eliminate any form of vulnerability.
This is patently false. It may eliminate vulnerabilities from outside attack, but it will not eliminate "any form of vulnerability". Inside threats are real. And, if you have a Hikvision camera that comes set up by default to connect to a given Wi-Fi SSID, then you have a potential gateway into that "secure" network, then into the recorder, then into the rest of the LAN that you thought was protected. Not saying it is common, or easy, but don't fool yourself into thinking you've built a scenario where you have eliminated "any form of vulnerability".
I am not going to name any manufacturers (to show bias) but you have to realize that the others have similar amount if not more vulnerabilties.
If you're going to make claims like this, you are going to be called out to back them up. Nobody will take it as "bias" if you manage to show how some other manufacturer has been shown to be even less secure than Hikua. Making statements like that and then pretending to ride some high horse to prevent you from backing up your claim seriously diminishes your credibility.
with the 2nd comment including (which by the way, was deleted by IPVM) a remark about Hikvision/Dahua vulnerabilities
Well, that was because the FIRST comment was some utter rubbish commonly spewed by Hik apologists who have either not bothered to look past the surface, or simply don't understand cyber security vulnerabilities with any depth (you know, the kinds of folks who think you can "eliminate any form of vulnerability" with a segmented network).
(by an undisclosed contributor)
Validity of my comments is unaffected by disclosure of my name. Try disputing my claims and comments with specific facts and data instead of offhand comments about what name is, or is not, attributed to the comment. I am probably making it easier for you to sway opinion against my posts by NOT signing them.
I am a decendant of Governor Thomas Hinckley, Plymouth Colony, so I would hope you can get my name correct.
Separately, I'm not sure if you are really a funny guy, or if you and Jeff Zwirm would likely be best pals.
I am a decendant of Governor Thomas Hinckley, Plymouth Colony, so I would hope you can get my name correct.
Internet Rule #3A: Any post calling someone out for spelling must NOT under any circumstances, itself contain a speling eror.
Mobotix doesn't use Linux as its OS, to my best knowledge, and therefore the firmware is also not so easy to 'unpack'.
However, with your statement:
which makes them pretty much "immune" to any untargeted attack.
I get extremely tempted to privately purchase one or two units, only for the sake of seeing whether your statement is true or not... as far as I know, none are 'immune', and I'm sure there is something juicy with Mobotix too.
Some information here, a bit more than the datasheet.
Had an old Mobotix AG S15D, booted it up on DHCP and here is what I got. Linux kernel ID'd as 2.6 :D ... probably hit it up with Wireshark and see what phones home.
I am ... Governor Thomas Hinckley, Plymouth Colony, so I would hope you can get my name correct.
Said the Governor to his wife Mrs. Hinkley.
Vulnerabilities detected on a product that has not been in production for ~5 years (which does not make the vulnerabilities less important). Patched firmware was released a few weeks ago and properly communicated to all customers. Everything is transparent and fixed. In the IP world, vulnerabilities can happen to any product connected to the network. Besides the fact that no damage has been done, so far, the most important topic is how an issue is identified, handled and sorted out by the manufacturer. This is one of the things that makes manufacturers different.
Besides the fact that no damage has been done
Dear Sony employee, this is an incredibly naive and irresponsible response. Do you think hackers announce publicly when they use vulnerabilities? Of course not.
That these vulnerabilities existed for many years is a big problem, just like Sony backdoor found 2 years ago.
With these vulnerabilities, who knows how many more are out there, being used by hackers, and not reported by white hats?
Dear John,
I am NOT a Sony employee.
The first vulnerability detected with Sony cameras was treated in the same way. Identified, communicated and sorted out in the shortest possible time. Openly, announced in public, with company logo, even before it was announced on IPVM.
Of course, hackers do not announce their R&D job in public, and that was NOT the topic of my comment. I just mentioned that it can happen to any IP based product, including security cameras.
Regarding possible damage, my comment was on my own behalf, and I confirm that no damage with Sony cameras is known to me. Maybe you can say "do not push your luck", or maybe my knowledge is not so big as yours, or you can say "this is an incredibly naive and irresponsible response", but this is my personal conclusion based on facts known to me.
I am NOT a Sony employee.
Yes, all Sony employees now work for Bosch but your LinkedIn profile shows you sell Sony for Bosch. Disclose your affiliation or we will do it for you.
It is good to admit a mistake. You made another one with "all Sony employees now work for Bosch", but I believe it was just a generic conclusion you drew from the newspaper. Anyway, this conversation went off topic, no need to continue, it is unhelpful, as you mentioned.
Are you saying your LinkedIn profile is wrong and that you no longer work for Bosch nor Sony? If that is true, update your LinkedIn profile and I will issue a full apology.
Dear John ,
You addressed me as "Dear Sony employee....." .
My reply was "I am NOT a Sony employee". And this is 100% correct. At least I know who I am working for, don't you think?
You're not helping your cause. You are a Bosch employee selling Sony (poorly) attempting to minimize the significance of a vulnerability impacting your products.
You are a journalist attempting to minimize (poorly) the significance of your mistakes. I really do not need to compete with you in counting the number of comments on IPVM. For any constructive approach, I am open for discussion.
All the best!
You're employing the logical fallacy of "distinction without a difference". I hope it makes you feel better because I can guarantee you are embarrassing both Sony and Bosch.
My reply was "I am NOT a Sony employee". And this is 100% correct. At least I know for who I am working for...
Ok then, what’s the worst thing you can say about Sony surveillance products?
C’mon, really give them a good thrashing!
I would like to coin a term as evidenced here and in other discussions. The Internet has "Godwin's Law". I think here on IPVM we have "Honovich's Law": as a discussion grows, it will always come back to or be compared to Hikvision and Dahua.
As an example, this discussion is about Sony and it immediately devolved into the typical haters vs fanboys of Hik/Dahua. Drawing the conclusion that if it can happen to Sony, then Hik/Dahua aren't so bad etc. Firewalls and segmented networks are also usually brought up as examples and evidence, as well as links to other discussions and misspellings and undisclosed postings fanning the flames.
Does this exploit work in both HTTP/S? Thanks!
HTTPS are preferred as it gives some privacy ;)
Yes, working with both HTTP/HTTPS.