Company ********
**** *** *********** ** ****** ** 2017 ** *** ***** [**** ** longer *********], **** ****** [**** ** longer *********], *** **** ***** [**** no ****** *********], *** *** **** strong *********** ** ******* ********. ***** and ***** **-******* ******, ** ******** security ****, ***** *********** ** **** **** ******** ** 2014. ******* ***** ********* **** **** Cyvera *** ***, ** ****.
* ******* **** ** ****'* ******* is ****** ******* ** ***** *******:
**** **** ** ****** *** ******** Authority (**) *** ********* *******.
***********, **** ** ******** ** ****** and ***** *** ****** ************* (*** others) * ************ ******* (~$**,*** ** ******* a ************'* ********) ***** ********* ************* checks ** *** ******* *** ********.
**** **** **** ** ******* (****) a *********** **** ******** *** ******* has **** ******* ** ***** ****** as * ***-********** ******. **** **** to ********* * ******** ******* *** "post-deployment **********", ********** ** ******* *************** they ******** ***** ********** * ******* as ***-**********.
*******
**** ******** *********$** ******* ** ****************,**** ************ *******, *** ***** ********* *********.
**** ***** **** **** **** ** use **** *******:
** ******* *** ************* ****’* *****-**-***-**** Internet ** ****** (***) ******** ********, which ******** ** *********, ***-**-*** ******* that ******** *******, ******** *** ***** security ************ *** ************** ******** ***** on **** ********, *** ******** ******** certification *** * **** ***** ** connected *******.
Axis ************* *******
**** ********* ***** *************** ** *** Axis' ******** **** (******: ** ** 6/27/2018, ******* **** **** ***** ** CVE **********):
***-****-*****,***-****-*****,***-****-*****,***-****-*****,***-****-*****,***-****-*****,***-****-*****
***** *** ** * **** **** since **** *** ****** ** **** administrative ****** ** *** ******. *** process ******** ** ******* ** ****** ** complex, ********* ******** ***** *** ******** knowledge, ****** ******* ****** *************** **** as*****'* ********* ************* ************ ************* *** ****** **** **** ****** strings.
*******, **** **** *********** *** ******, it ** **** * ****** ** time *** ********** *** *** ****** with **** ******** ****** ** ****** scripts ***** ******** ***** *******, ****** these *************** **** ******** *** ***** ** patch.
Impact ** *************
*** *************** ******* * ******** *********** of ***** ** **** *** **** advantage ** ****** ** **** ** adjust *** ****** ******, ***** *** camera's ******** (****** *********, **** ***********, video *******) ** *** *** ****** as * ******** ** ***** ******* on ****** *** *******.
**** ****** ************* ******, ***** ****** them ** **** ************ ****** ** the ******* ******** ***.
**** ***** ***** ************ ** ******** an **** **** ***** ******* ** a ********** ******:

***** ******* ***** ********, *** ******* (by ******* - * ***** **** logo) ******* ** *** *** **** corner ** *** ***** ******:

Foscam *************
** ******** ** *** **** ***************, earlier ** ****, **** **** ********** "***** ***************" ** ****** *********** **** ********* ** ******'* ******** team. ********* ***** ***** ***************, ********* may ***** *** ******* *** ******'* web ******, ****** ********, *** **** over *** ******.
Botnet ****
**** ****** ** ***** ******* **** both *** **** *** ****** *************** may *********** ** **** ** *** devices ** * ****** *** **** for ****** **** *******, ******* ******, or ***** ********. ** ******** ** the ***** ******, ***** ******* *** ***** severe ********** ** *** **** ******** targets ********* ************* *******.
VDOO *************** ** *************
** **** ***********, **** ** ************ critical *********** **************:
- ****** ******* ********** **** *****: ** not *** *** ********* ** "****"
- ****** ***** ************: ****** ******** ******** for ******** ***** *******
- ****** ******** *****: **** ** ****** encryptions ****** ******* ** ******* ******** for **** ** *******
Axis ********
**** ********** ******** ** **** ********** **** ** ******** ******** *** patched ********** ****** *** *************** ** *****, which ******** *** ********* **** ****** models.
More *********** ****** / ******** ******
**** *** **** *** ******, **** will ** ********** **** *************** **** more *************, **** *** *********** ********** periods ***.
**** ***** **** * ******** ****** on *** ************* ** *** ***** surveillance ********, ***** *** **** * common ********* ***** *** **** *************. Cybersecurity ******** **** *** *** ****** significant ******** ********* ****** ** **** of *** ************* **** **** ******** from ******** ***************. ****, ***** *** pricing **** **** *** ****** *** manufacturer, *** **** ** ******* **** are ******** *** *** **** *** approaching *** ******, **** *** **** a ********* **** ******* ********.
Addendum: **** ******** ** *********
***** ** ******** *** ********** ********* to *** ******* ******, ** ******* VDOO * **** ** ********* *** they *********. ***** *** * *** remaining ****** ** ******* **** ** are ***** ** ********** **** **** for *************, *** ** **** **** those ********* ** **** ** ** receive ****.
****: ** ***** **** ***** *** agreements **** ************* *** **** **** not *** *********, ** **** ***** them *** ******* *****.
- *: **** ** *** ******* / method **** **** ******** ******* *** a ************ ** ******* * *******? Does * ************ **** ***** ******* to ***?
- *: "**** **************-**************** ** ******** ** *** ******'* firmware ****, **** ** **** *** require *** ****** ** *** ******** device ** ** *** ****** ****. It **** ******** ** ********* ******** to ***** *** ************ ** ******** implement ********-********* ******** ****** *** ***** security ** ******"
- *: *** *** ********** *** ***** system ** ******** *** ********/******** ** just ********?
- *:*** ******** ******* ******* ******-******** ******** requirements, ******** ** *** ******** ***** of *** ******, ***** *** ******** and ******** ********** *** *** ******** risk *******.
- *:*** *** ******* *************** ** ** camera ******** **** **** **** ****** eliminated ** ***** **********, ** *** they ****** ****** **** *** *********?
- *:** *******, ****** *** ******** **’** seen **** ********* **** *** ******’* expect ** *** ** ****. **’** seen **** ** ********* ******* ** well ** ** **** “*********” *** products & ******* ** *** ****** of Safety *** ********.
- *: ** **** ******* ****** *** these *********** ****** ** **** *********?
- *: *** ******** ** ** ** out ** *** *** *** ** commercialize ***** ******** ** * ******* “***********” marketing ******. ** *** * ***** deal ** ******** ** (*) ****** guidance (**** ** ******) - ** fix *** ****** ********, ** **** as (*) **** ******** - ** make **** **** ******** *** ********* attack, **** ** ** ****** ** not **********; *** (*) ******* *********** to *** ******** ****** ** **** as “lessons *******” ** ***** ******* ** better ********* ******** *** *** ******** architecture *** ****** *****.
- *: *** ***** ***** ******** ********** you *** ********* ********/******* *************** ***** now?
- *:** **** ******** ********* ******* *******, a ******* ***** ******** *** *************** of ********* ******* **** *** ****** and ******** ****** *** ************ **** the ************ ******* ********. **** ***** these **** ** ******** ***** **** have ****** ****** ** ******** ********** hence, ****** ** ********** “********” ** the ******** *** ******* *** ***** level ** ********.
- *: *** **** *** ******* ****** manufacturer ******** **** ******* **** *** contact ****? **** *** **** *******/*********?
- *:** **** ********* ** ******** **** all *** ******* ************* ** **** been ******* **** **** ******* *** realization **** **** *** ** ****** ignore *****-******** *** ** *** **** the ********* ** ** “*******” ** “skeptical”. **** ********* **** **** *** being ***** **** *** **** ** their ********* ********* ***** ********’ ********.
- *:** ***** ************ ****** ********* ** sign ** *** **** ******* **** VDOO *** **** **** **** *** with **** *** ******? *'* *** for ******* ************* *** *******, *** this ***** * ****** **** *********, unless **** *** ****** *** ***** clients
- *:***** ** * ***** *********** ******* the ************* ********** *******, ***** ** will ******** ** **** **** ***** manufacturer ***** ** *** ******** **** practice ********** **. * ************* ****** in ***** ******** ********** ***** ************* discovery ** **** * ******** ** what **** ** ********* *** *** set ** ******* & ********, *** with * **** ** ************* *** entire ******** ******* ** *** ************* products. ********, **** * ************ ************* uses *** ********* ******** **** ********, as * *** ******* ******* ****** by *** ************ ******* *** **********, the *********** ************* ********* ** *** analysis ****** *** *** ******* **** not ** ****** **** **, ***** we **** *** ** **** ** access ** *** ******* **. ** the ************ ******* ** ******* *** product, ** **** ******* **** *********** and **** *********, *** ************* ******* will ** ****** ********. ** *** two ***** **** **** *********, ** provided **** **** ***** **** (**. industry **** *********) *** *** ************* to *** ***** ***************, ** **** as ********, ************ **** ***** ********** indeed ******* *** *************** *** ******** they ******* ***** ********'* *****.
Comments (33)
Undisclosed #1
If Hikvision was truly proactive about cyber security they would issue these guys a public invite to their source code review lab. What better way to show your confidence and commitment than to invite such an open analysis.
Sean Nelson
06/20/18 02:10pm
Sounds like a great idea. I assume they are trying to be the UL of the cybersecurity world. Is it $50,000 per product or $50,000 for all products? If $50,000 for each product, that is fairly steep. $50,000 membership to have all products tested isn't bad.
John Bazyk
IPVMU Certified | 06/20/18 02:53pm
I love this concept.
Michael Miller
It’s time for cyber security to be top priority for security vendors. I hope all manufacturers use this as a resource. Love it.
bashis mcw
Anonymous remote access (write only) to dbus this easily is quite unusual and remarkable, I must say. Good job VDOO!
Great with the services they offer for manufacturers, let's now hope manufacturers get that too.
Undisclosed Integrator #2
Will these new exploits be added to the IPVM Vulnerability Scanner?
Undisclosed #4
You can only protect against that which is known, you cannot protect against that which is not known.
Terrence Harless
Just curious, if video surveillance camera companies do sign up for this service will VDOO out them like they did with Axis and Foscam? I'm all for tighter cybersecurity for cameras, but this seems a little like extortion, unless Axis and Foscam are their clients.
Undisclosed Manufacturer #6
I would think they would test only products submitted by manufacturers with an agreement to disclose after a predetermined period of time on products that are already released and not disclose any found during the pre-release period, provided they pass before release.
Manufacturers without an agreement should be given a short time to self-disclose.
Undisclosed
None of your CVE references have details (which you should have called out so you don't look like their shill).
Undisclosed End User #7
I think IPVM would/could make a great "agency" for blessing devices....
Sean Patton
An addendum section has been added to the report.
Based on feedback and discussion responses to the initial report, we emailed VDOO a list of questions and they responded. There are a few remaining points of concern that we are still in discussion with VDOO for clarification, and we will post those responses as soon as we receive them.
John Honovich
Update: exploit code for 3 of these vulnerabilities has been added to Metasploit here.