Cybersecurity Startup VDOO Disclosing 10 Manufacturer Vulnerabilities Starting With Axis And Foscam
Cybersecurity startup VDOO has uncovered significant vulnerabilities in Axis cameras along with many others not yet disclosed.
In this report, we examine the company and its funding, their vulnerability research, and the value/impact of the vulnerabilities.
Company ********
**** *** *********** ** ****** ** 2017 ** *** ***** [**** ** longer *********], **** ****** [**** ** longer *********], *** **** ***** [**** no ****** *********], *** *** **** strong *********** ** ******* ********. ***** and ***** **-******* ******, ** ******** security ****, ***** *********** ** **** **** ******** ** 2014. ******* ***** ********* **** **** Cyvera *** ***, ** ****.
* ******* **** ** ****'* ******* is ****** ******* ** ***** *******:
**** **** ** ****** *** ******** Authority (**) *** ********* *******.
***********, **** ** ******** ** ****** and ***** *** ****** ************* (*** others) * ************ ******* (~$**,*** ** ******* a ************'* ********) ***** ********* ************* checks ** *** ******* *** ********.
**** **** **** ** ******* (****) a *********** **** ******** *** ******* has **** ******* ** ***** ****** as * ***-********** ******. **** **** to ********* * ******** ******* *** "post-deployment **********", ********** ** ******* *************** they ******** ***** ********** * ******* as ***-**********.
*******
**** ******** *********$** ******* ** ****************,**** ************ *******, *** ***** ********* *********.
**** ***** **** **** **** ** use **** *******:
** ******* *** ************* ****’* *****-**-***-**** Internet ** ****** (***) ******** ********, which ******** ** *********, ***-**-*** ******* that ******** *******, ******** *** ***** security ************ *** ************** ******** ***** on **** ********, *** ******** ******** certification *** * **** ***** ** connected *******.
Axis ************* *******
**** ********* ***** *************** ** *** Axis' ******** **** (******: ** ** 6/27/2018, ******* **** **** ***** ** CVE **********):
***-****-*****,***-****-*****,***-****-*****,***-****-*****,***-****-*****,***-****-*****,***-****-*****
***** *** ** * **** **** since **** *** ****** ** **** administrative ****** ** *** ******. *** process ******** ** ******* ** ****** ** complex, ********* ******** ***** *** ******** knowledge, ****** ******* ****** *************** **** as*****'* ********* ************* ************ ************* *** ****** **** **** ****** strings.
*******, **** **** *********** *** ******, it ** **** * ****** ** time *** ********** *** *** ****** with **** ******** ****** ** ****** scripts ***** ******** ***** *******, ****** these *************** **** ******** *** ***** ** patch.
Impact ** *************
*** *************** ******* * ******** *********** of ***** ** **** *** **** advantage ** ****** ** **** ** adjust *** ****** ******, ***** *** camera's ******** (****** *********, **** ***********, video *******) ** *** *** ****** as * ******** ** ***** ******* on ****** *** *******.
**** ****** ************* ******, ***** ****** them ** **** ************ ****** ** the ******* ******** ***.
**** ***** ***** ************ ** ******** an **** **** ***** ******* ** a ********** ******:
***** ******* ***** ********, *** ******* (by ******* - * ***** **** logo) ******* ** *** *** **** corner ** *** ***** ******:
Foscam *************
** ******** ** *** **** ***************, earlier ** ****, **** **** ********** "***** ***************" ** ****** *********** **** ********* ** ******'* ******** team. ********* ***** ***** ***************, ********* may ***** *** ******* *** ******'* web ******, ****** ********, *** **** over *** ******.
Botnet ****
**** ****** ** ***** ******* **** both *** **** *** ****** *************** may *********** ** **** ** *** devices ** * ****** *** **** for ****** **** *******, ******* ******, or ***** ********. ** ******** ** the ***** ******, ***** ******* *** ***** severe ********** ** *** **** ******** targets ********* ************* *******.
VDOO *************** ** *************
** **** ***********, **** ** ************ critical *********** **************:
- ****** ******* ********** **** *****: ** not *** *** ********* ** "****"
- ****** ***** ************: ****** ******** ******** for ******** ***** *******
- ****** ******** *****: **** ** ****** encryptions ****** ******* ** ******* ******** for **** ** *******
Axis ********
**** ********** ******** ** **** ********** **** ** ******** ******** *** patched ********** ****** *** *************** ** *****, which ******** *** ********* **** ****** models.
More *********** ****** / ******** ******
**** *** **** *** ******, **** will ** ********** **** *************** **** more *************, **** *** *********** ********** periods ***.
**** ***** **** * ******** ****** on *** ************* ** *** ***** surveillance ********, ***** *** **** * common ********* ***** *** **** *************. Cybersecurity ******** **** *** *** ****** significant ******** ********* ****** ** **** of *** ************* **** **** ******** from ******** ***************. ****, ***** *** pricing **** **** *** ****** *** manufacturer, *** **** ** ******* **** are ******** *** *** **** *** approaching *** ******, **** *** **** a ********* **** ******* ********.
Addendum: **** ******** ** *********
***** ** ******** *** ********** ********* to *** ******* ******, ** ******* VDOO * **** ** ********* *** they *********. ***** *** * *** remaining ****** ** ******* **** ** are ***** ** ********** **** **** for *************, *** ** **** **** those ********* ** **** ** ** receive ****.
****: ** ***** **** ***** *** agreements **** ************* *** **** **** not *** *********, ** **** ***** them *** ******* *****.
- *: **** ** *** ******* / method **** **** ******** ******* *** a ************ ** ******* * *******? Does * ************ **** ***** ******* to ***?
- *: "**** **************-**************** ** ******** ** *** ******'* firmware ****, **** ** **** *** require *** ****** ** *** ******** device ** ** *** ****** ****. It **** ******** ** ********* ******** to ***** *** ************ ** ******** implement ********-********* ******** ****** *** ***** security ** ******"
- *: *** *** ********** *** ***** system ** ******** *** ********/******** ** just ********?
- *:*** ******** ******* ******* ******-******** ******** requirements, ******** ** *** ******** ***** of *** ******, ***** *** ******** and ******** ********** *** *** ******** risk *******.
- *:*** *** ******* *************** ** ** camera ******** **** **** **** ****** eliminated ** ***** **********, ** *** they ****** ****** **** *** *********?
- *:** *******, ****** *** ******** **’** seen **** ********* **** *** ******’* expect ** *** ** ****. **’** seen **** ** ********* ******* ** well ** ** **** “*********” *** products & ******* ** *** ****** of Safety *** ********.
- *: ** **** ******* ****** *** these *********** ****** ** **** *********?
- *: *** ******** ** ** ** out ** *** *** *** ** commercialize ***** ******** ** * ******* “***********” marketing ******. ** *** * ***** deal ** ******** ** (*) ****** guidance (**** ** ******) - ** fix *** ****** ********, ** **** as (*) **** ******** - ** make **** **** ******** *** ********* attack, **** ** ** ****** ** not **********; *** (*) ******* *********** to *** ******** ****** ** **** as “lessons *******” ** ***** ******* ** better ********* ******** *** *** ******** architecture *** ****** *****.
- *: *** ***** ***** ******** ********** you *** ********* ********/******* *************** ***** now?
- *:** **** ******** ********* ******* *******, a ******* ***** ******** *** *************** of ********* ******* **** *** ****** and ******** ****** *** ************ **** the ************ ******* ********. **** ***** these **** ** ******** ***** **** have ****** ****** ** ******** ********** hence, ****** ** ********** “********” ** the ******** *** ******* *** ***** level ** ********.
- *: *** **** *** ******* ****** manufacturer ******** **** ******* **** *** contact ****? **** *** **** *******/*********?
- *:** **** ********* ** ******** **** all *** ******* ************* ** **** been ******* **** **** ******* *** realization **** **** *** ** ****** ignore *****-******** *** ** *** **** the ********* ** ** “*******” ** “skeptical”. **** ********* **** **** *** being ***** **** *** **** ** their ********* ********* ***** ********’ ********.
- *:** ***** ************ ****** ********* ** sign ** *** **** ******* **** VDOO *** **** **** **** *** with **** *** ******? *'* *** for ******* ************* *** *******, *** this ***** * ****** **** *********, unless **** *** ****** *** ***** clients
- *:***** ** * ***** *********** ******* the ************* ********** *******, ***** ** will ******** ** **** **** ***** manufacturer ***** ** *** ******** **** practice ********** **. * ************* ****** in ***** ******** ********** ***** ************* discovery ** **** * ******** ** what **** ** ********* *** *** set ** ******* & ********, *** with * **** ** ************* *** entire ******** ******* ** *** ************* products. ********, **** * ************ ************* uses *** ********* ******** **** ********, as * *** ******* ******* ****** by *** ************ ******* *** **********, the *********** ************* ********* ** *** analysis ****** *** *** ******* **** not ** ****** **** **, ***** we **** *** ** **** ** access ** *** ******* **. ** the ************ ******* ** ******* *** product, ** **** ******* **** *********** and **** *********, *** ************* ******* will ** ****** ********. ** *** two ***** **** **** *********, ** provided **** **** ***** **** (**. industry **** *********) *** *** ************* to *** ***** ***************, ** **** as ********, ************ **** ***** ********** indeed ******* *** *************** *** ******** they ******* ***** ********'* *****.
****** **** * ***** ****. * assume **** *** ****** ** ** the ** ** *** ************* *****. Is ** $**,*** *** ******* ** $50,000 *** *** ********? ** $**,*** for **** *******, **** ** ****** steep. $**,*** ********** ** **** *** products ****** **** ***.
**** ** ** ******** **** ****, *for *** ******** **** ********************* ** **** ******, ********* ** how **** ********* ********* ** ****/******** are ********. * ***** ******* ************* with ****** *** ******* ******* ***** (video, ****** *******, *********, ***) ***** have ** *** ****.
*****: ********** ** *********, *** ***** estimation *** *starting ***** for pricing to manufacturers.
***, **** ** * **** ***** for * ************. * **** **** gain ******** ** * ***** **** ** a ***** ****. ** **** ** industry ****** **** **** **** ************* can **** ** ** *** ***** products ********* **** ** ******** ******* source.
* **** **** *******.
**’* **** *** ***** ******** ** be *** ******** *** ******** *******. I **** *** ************ *** **** as * ********. **** **.
********* ****** ****** (***** ****) ** ****** to **** *** ***** ******* *** remarkable * **** ***, **** *** VDOO!
***** **** *** ******** **** ***** for ************, ***'* *** **** ************ get **** ***.
**** ***** *** ******** ** ***** to *** **** ************* *******?
***: ***, ** ****** **** *** new *************** ***** ** **** ****.
*** *** **** ******* ******* **** which ** *****, *** ****** ******* against **** ***** ** *** *****.
********* **’** ****** ***********?
**** ****** ****/***** **** *** ****** welcome ** ****** ***** ******* ** the ******* ****.
*******, *** **** ** ****** **** evolving ********* ****** ** ************* ***** to ******* *** **** ** *****.
*** ***** **** **** ****** **** into *** ***** ** *** ******** seeker.
********* ********-** ***** ** **** *** arrow *** ****** *** ******** *** useless ** ***** *** ********** ***** of ***********.
******** *** ******* **** ** **** the ****** *** *** ******* ****** is *** ** *** ********'* **** interest, ** **** **** *** *******/****.
********* ********** ** ****. ****** *** hunted ***********, ****.
** ** ********** ** *** *** wide **** ******** ***** **** ** real ***** ** ******** ******** ** the *************** **** **** ***** ***********.
********* ********** *** ******** *********, ******** subversion *** ************ ** **** * back **** ** ***** *****-*** *********.
*** ***** ** ****.
**** *******, ** ***** ************ ****** companies ** **** ** *** **** ******* will **** *** **** **** **** did **** **** *** ******? *'* all *** ******* ************* *** *******, but **** ***** * ****** **** extortion, ****** **** *** ****** *** their *******.
**** ****** ***** **** ** ***, as *** **** ** *** >$**,*** to **** **** ********** ********, **** that *** ******* *** ****?
****** *** *** ********, * ******* out ** **** *** * ********.
** *******, * ****** ******* **** would ******* * ******* ** ***-**********, and **** ********** ********, ******* *** consent ** *** ************, ********* **** missed?
***** ******* * ******* ** ***-**********, and **** ********** ********, ******* *** consent ** *** ************, ********* **** missed?
*** ******* ** *** ********. ***'* *** I *** *********. * **** ** VDOO *** *** "*** **** ** me." I *** ** *****. * ***** later VDOO ***** **** *** **** ** found ** ******** ***************. *** ******** then **: ** * ****** ** VDOO, **** **** ******** ***** ***************?
* ***, *** *** **** ******* at *** ***-********* *****. * ******* there ***** ** ******** ** *** manufacturer *** ****** ** **** * new ******* ** * ******** ***** to ******* *** ************* ****.
****, *** ****** ******** ********** ****** worrying ***** ************* ******.
**** ** ***** * *** ****** from, ** **** **** *** **** a *********** **** **** *** ********* ****. For ******* ******** ****, ** **** both **** *** **** *************, **** VDOO *** **** ********* ** **** the *** **** ***'* ***** ******. If **'* *** ******, ***** ** be * ****** ********* ***** **. Show ** $**,*** ** ** **** write ** ******* ***** **** *************.
** **** *** *** ********* **** pay **** $***, **** ***** ****** crappy *** * **** ******* **** companies ***** ******** **** ****. **** should ***** *** ****** ** ** the *************.
* ***** ****** **** *** ****** companies ********** ***** *** ** ****** attention *** ********* ******** ***** ** smart.
* ***** ********** ** **** ***** the ******* ** *** ************ *** not ******* ** *** ************* ** a ********** ****** ** ****, *** public ****** ********. *** **** **** * think **** ***** **** ** ****** the ************ ** **** **** ******* you *** ***** ** ****** ******** someone **** **** *** *** ****.
**** ***** *****, ****** *** ********** your *****.
* ***** ********* ** * ****** way ** *** **, ****** **** stop *********** ********** *************** *** ***-******** at **** *****.
** * ************ ***** ***** ***** cyber ********, *** $*** ** ***** well *****. ** ***** * ********** to ***** ********. ****, ****/** * vulnerability ** *****, * ***** ****** VDOO ***** **** **** * ***** up *** **** ** ***** ****** full **********. ** **** **** *** announce *** ***** *** **********, *** the ************ ***** ***** ********** ** cyber.
************* ***** ***** $ ** *********** testing...
* ***** ***** **** ***** **** only ******** ********* ** ************* **** an ********* ** ******** ***** * predetermined ****** ** **** ** ******** that *** ******* ******** *** *** disclose *** ***** ****** *** ***-******* period, ******** **** **** ****** *******.
************* ******* ** ********* ****** ** given * ***** **** ** **** disclose.
**** ** **** *** ********** **** details (***** *** ****** **** ****** out ** *** ***'* **** **** their *****.)
****** ******, * **** ** ****** the **** ** **** ****, *** will ** ******** *** ** *** when ***** ******* **** ******** ** the ***(*).
**** ******** **** ********** ** *** people **** **** *** *** ********* details **** **** *****, ** **** anyone ***** ** ****** ****.
* ***** **** *****/***** **** * great "******" *** ******** *******....
** ******** ******* *** **** ***** to *** ******.
** ********* *** ***** ********* ***** cyber ******** **** ***** ***** ***** guys * ****** ****** ** ***** source **** ****** ***. **** ****** way ** **** **** ********** *** commitment **** ** ****** **** ** open ********.