"BIG Payouts": SSD Seeks Critical Vulnerabilities for Axis, Dahua Devices
The company offering up to $75,000 for Uniview exploits is now seeking vulnerabilities for Dahua, Axis, Mobotix, and truVision (i.e., Interlogix OEM of Hikvision) devices.
This is part of a broader campaign by SSD, the zero-day broker that sells early access to cybersecurity vulnerabilities.
In this note, IPVM examines the company, SSD, and the latest payouts it is offering for vulnerabilities, including feedback from SSD, Axis, and Mobotix to IPVM.
SSD **********
*** ****** ************** ******** *********** ** ******* *************** for "* **** ***** ** ******** and ********." *** ************ ** ******************** *****, *****, *** ***** (*** SSD ****) *** ***** ** ****** conference ** *********** **********,**** *** ** *** ***** ** the **** ***** ************ *************** *******.
** **** ****,**** *********** ******** ** ** $**,*** *** Uniview ***************, ** ******** ******' *** ****** *************** ** ** $*,*** *******, *****, just **** *****,**** ******* ** $*,***.
"BIG *******" & "**** ******" *** ***** ************ ***************
*** ** *** ********* "*** *******" for ***** ***************, ** **** ** a**** ** ********* *****:
*** ********* ****** ***"*****"(*.*., *** ************* ** ***** *************** for) ** **** ***** ***** ****'***** **** ******* ******:
*** **** ********* ** ****** ** tweet***** *** "******* ** ****** *************** are *** ** **** ******!"
*******, ******* ******************** ** ********* *******:
********* ****** ** ********** ******** *********, ***** ** **** in ***'*"*****"****, *** **** *** ******* *** case **** ********* ***** ***** ***.
Pre-Auth ************* ********
*** ** ******* '***-**************' ****** ****/******* Executions *** *** *** ***** *******, per *** ************* *******,*****,*******, ************.
***-**** **** ******** ******* ***** *** username/password/login ****, ****** **** ********** ******** and **** ******** **** ****-**** ***************.
*** ******** ******** *** ******* ************* severity, ****,****** ******* **** ***** "** ******** [*.*. most ******] ** ** ********** *** required".
Axis, ******* ** *** **** **** ***
**** **** **** ** *** "*** received *** ************* *******" **** *** and "**** *** **** **** *** specific ************":
**** ******* ** ***, ** *** we **** *** ******** *** ************* reports **** **** ** *** ******** available ******* ***********-********@****.******** ******* *** ****** ******* **** we ********** **** *** **** ** Bugcrowd.
**** **** *** **** **** *** specific ************ *** ******** *** ******** researchers, ******* ******* *** ************* ** submit ********** *************** ** **** ** they *** ********** ** **** ** can **** **** ****** ******* *** joint *********** ********** *******.
******* **** **** ** "**** *** have *** ************ **** **** ************ but ****** *** ********".
***** *** ********* *** *** ******* to ******* ********, ** **** **, we **** ******.
Risks ********
*** **** **** ** ***** ***** access ** *** *************** ** **** to *** *********, ******* ******* *** cybersecurity ********.
*** **** ** ****, *** *** companion ******:**** *** ****** ***** ***** ****** To ************* ***************.
****** *** ** ***** ** **** at **** ****. *** **** ******* has ** ****** **** **** *******?
****, * ***'* ***** **** *** serious *** ******* ******.
* ***** ** * **** ****** by **** **** ** * ****'* care ***** ******.
**** ***** *** *'* ******, ***** I **, *** * ***'* ****.
*** **** ******** **** **** *** Uniview ******* * ****** ** ******** them **** ** **** **? * don't ********** *** ******** ***** * guess ******* **** ***** **** ** awful *** ** *** ** **** are ***** ** *** ** *** lawful *** ******* ********.