Cybersecurity Startup VDOO Disclosing 10 Manufacturer Vulnerabilities Starting With Axis And Foscam

By: IPVM Team, Published on Jun 20, 2018

Cybersecurity startup VDOO has uncovered significant vulnerabilities in Axis cameras, along with vulnerabilities in other manufacturers' products that have not yet been disclosed.

In this report, we examine the company and its funding, their vulnerability research, and the value/impact of the vulnerabilities.


Company ********

**** *** *********** ** Israel ** **** ** Uri ***** [**** ** longer *********], **** ****** [link ** ****** *********], and **** ***** [**** no ****** *********], *** all **** ****** *********** in ******* ********. ***** and ***** **-******* ******, an ******** ******** ****, which *********** ** **** **** Networks ** ****. ******* ***** ********* came **** ****** *** EMC, ** ****.

* ******* **** ** VDOO's ******* ** ****** clearly ** ***** *******:

**** **** ** ****** the ******** ********* (**) for ********* *******.

***********, **** ** ******** IP ****** *** ***** IoT ****** ************* (*** others) * ************ ******* (~$**,*** to ******* * ************'* products) ***** ********* ************* checks ** *** ******* and ********.

**** **** **** ** provide (****) * *********** that ******** *** ******* has **** ******* ** their ****** ** * non-vulnerable ******. **** **** to ********* * ******** process *** "****-********** **********", presumably ** ******* *************** they ******** ***** ********** a ******* ** ***-**********.

*******

**** ******** *********$** ******* ** ****************,**** ************ *******, *** ***** ********* investors.

**** ***** **** **** plan ** *** **** funding:

** ******* *** ************* VDOO’s *****-**-***-**** ******** ** Things (***) ******** ********, which ******** ** *********, end-to-end ******* **** ******** devices, ******** *** ***** security ************ *** ************** guidance ***** ** **** analysis, *** ******** ******** certification *** * **** range ** ********* *******.

Axis ************* *******

**** ********* ***** *************** to *** ****' ******** team (******: ** ** 6/27/2018, ******* **** **** added ** *** **********):

***-****-*****,***-****-*****,***-****-*****,***-****-*****,***-****-*****,***-****-*****,***-****-*****

***** *** ** * high **** ***** **** can ****** ** **** administrative ****** ** *** camera. *** ******* ******** to perform ** ****** ** complex, ********* ******** ***** and ******** *********, ****** simpler ****** *************** **** as*****'* ********* ************* ************ ************* *** ****** **** only ****** *******.

*******, **** **** *********** now ******, ** ** only * ****** ** time *** ********** *** bad ****** **** **** advanced ****** ** ****** scripts ***** ******** ***** attacks, ****** ***** *************** **** priority *** ***** ** patch.

Impact ** *************

*** *************** ******* * specific *********** ** ***** to **** *** **** advantage ** ****** ** view ** ****** *** camera ******, ***** *** camera's ******** (****** *********, lens ***********, ***** *******) or *** *** ****** as * ******** ** other ******* ** ****** the *******.

**** ****** ************* ******, which ****** **** ** gain ************ ****** ** the ******* ******** ***.

**** ***** ***** ************ by ******** ** **** logo ***** ******* ** a ********** ******:

***** ******* ***** ********, the ******* (** ******* - * ***** **** logo) ******* ** *** top **** ****** ** the ***** ******:

Foscam *************

** ******** ** *** Axis ***************, ******* ** June, **** **** ********** "***** ***************" ** Foscam *********** **** ********* ** Foscam's ******** ****. ********* these ***** ***************, ********* may ***** *** ******* the ******'* *** ******, inject ********, *** **** over *** ******.

Botnet ****

**** ****** ** ***** reports **** **** *** Axis *** ****** *************** may *********** ** **** to *** ******* ** a ****** *** **** for ****** **** *******, bitcoin ******, ** ***** purposes. ** ******** ** the ***** ******, ***** ******* may ***** ****** ********** to *** **** ******** targets ********* ************* *******.

VDOO *************** ** *************

** **** ***********, **** is ************ ******** *********** considerations:

  • ****** ******* ********** **** parts: ** *** *** all ********* ** "****"
  • ****** ***** ************: ****** external ******** *** ******** input *******
  • ****** ******** *****: **** of ****** *********** ****** hackers ** ******* ******** for **** ** *******

Axis ********

**** ********** ******** ** Axis ********** **** ** ******** products *** ******* ********** ****** *** *************** in *****, ***** ******** 390 ********* **** ****** models.

More *********** ****** / ******** ******

**** *** **** *** months, **** **** ** disclosing **** *************** **** more *************, **** *** responsible ********** ******* ***.

**** ***** **** * positive ****** ** *** cybersecurity ** *** ***** surveillance ********, ***** *** been * ****** ********* focus *** **** *************. Cybersecurity ******** **** *** yet ****** *********** ******** financial ****** ** **** of *** ************* **** have ******** **** ******** vulnerabilities. ****, ***** *** pricing **** **** *** asking *** ************, *** type ** ******* **** are ******** *** *** they *** *********** *** market, **** *** **** a ********* **** ******* partners.

Addendum: VDOO Response to Questions

Based on feedback and discussion responses to the initial report, we emailed VDOO a list of questions and they responded. There are a few remaining points of concern that we are still in discussion with VDOO for clarification, and we will post those responses as soon as we receive them.

****: ** ***** **** about *** ********** **** manufacturers *** **** **** not *** *********, ** have ***** **** *** details *****.

  • Q: What is the process / method that your platform follows for a manufacturer to certify a product? Does a manufacturer ship their cameras to you?
  • A: "VDOO performs device-specific analysis by focusing on the device's firmware only, thus it does not require any access to the physical device or to its source code. It then provides an automated guidance to allow the manufacturer to properly implement security-essential building blocks and apply security by design"
  • Q: Are you certifying the whole system of hardware and firmware/software or just firmware?
  • A: The analysis service creates device-specific security requirements, tailored to the specific needs of the device, given its hardware and software components and its relative risk factors.
  • Q: Are you finding vulnerabilities in IP camera hardware that have been mostly eliminated in other industries, or are they common across many IoT verticals?
  • A: In general, during our research we’ve seen many practices that one wouldn’t expect to see in 2018. We’ve seen them in connected cameras as well as in more “sensitive” IoT products & systems in the fields of Safety and Security.
  • Q: Is your current intent for these disclosures simply to grab attention?
  • A: Our approach is to go out of our way not to commercialize these findings in a massive “traditional” marketing effort. We put a great deal of emphasis on (1) vendor guidance (free of charge) - to fix the issues properly, as well as (2) user guidance - to make sure they mitigate the potential attack, even if an update is not achievable; and (3) general instruction to the specific vendor as well as “lessons learned” to other vendors to better implement security and fix security architecture and design flaws.
  • Q: Are there other specific industries you are targeting actively/finding vulnerabilities right now?
  • A: We have recently commenced Project Vizavis, a project which unravels the vulnerabilities of connected devices from the Safety and Security fields and specifically from the surveillance cameras vertical. VDOO chose these sets of products since they have direct impact on business continuity hence, should be considered “critical” to the business and receive the right level of security.
  • Q: How does the typical camera manufacturer security team respond when you contact them? Have any been hostile/skeptical?
  • A: We were delighted to discover that all the leading manufacturers we have been working with have reached the realization that they can no longer ignore cyber-security and do not have the privilege to be “hostile” or “skeptical”. They indicated that they are being asked more and more by their customers regarding their products’ security.
  • Q: If video surveillance camera companies do sign up for this service will VDOO out them like they did with Axis and Foscam? I'm all for tighter cybersecurity for cameras, but this seems a little like extortion, unless Axis and Foscam are their clients
  • A: There is a clear distinction between the vulnerability disclosure process, where we will continue to work with every manufacturer based on the industry best practice guidelines vs. a significantly larger in scale business engagement where vulnerability discovery is just a fraction of what VDOO is providing via its set of product & services, all with a goal of strengthening the entire security posture of the manufacturers products. Moreover, when a manufacturer independently uses our automated analysis SaaS platform, as a web service managed solely by the manufacturer without our assistance, the information automatically generated by the analysis engine via the process will not be shared with us, hence we will not be able to access it and publish it. If the manufacturer chooses to certify its product, we will receive this information and once certified, the certification details will be shared publicly. In the two cases that were published, we provided more than ample time (vs. industry best practices) for the manufacturers to fix their vulnerabilities, as well as guidance, verification that their mitigation indeed removed the vulnerabilities and ensuring they reduced their customer's risks.


Comments (33)

If Hikvision was truly proactive about cyber security they would issue these guys a public invite to their source code review lab. What better way to show your confidence and commitment than to invite such an open analysis. 

Sounds like a great idea. I assume they are trying to be the UL of the cybersecurity world. Is it $50,000 per product or $50,000 for all products? If $50,000 for each product, that is fairly steep. A $50,000 membership to have all products tested isn't bad.

That is an estimate from VDOO, *for all products from an average manufacturer in this space*, depending on how many different revisions of code/firmware are required. I would imagine manufacturers with larger and diverse product lines (video, access control, intercoms, etc) could have to pay more.

*EDIT: Correcting my statement, the price estimation was a starting point for pricing to manufacturers.

IMO, that is a fair price for a manufacturer. I hope they gain traction as I think this is a great idea. We need an industry leader like this that manufacturers can turn to to get their products certified from an industry trusted source.

But UL is the UL of Cybersecurity, right? Right...?

I love this concept. 

It’s time for cyber security to be top priority for security vendors. I hope all manufacturers use this as a resource. Love it.

Anonymous remote access (Write only) so easily to dbus is quite unusual and remarkable I must say, good job VDOO!

Great with the services they offer for manufacturers, let's now hope manufacturers get that too.

Anonymous remote access (Write only) so easily...

So, Are The Hackers Winning?

Will these new exploits be added to the IPVM Vulnerability Scanner?


UI2: Yes, we should have two new vulnerabilities added by next week.

You can only protect against that which is known, you cannot protect against that which is not known.

You can only protect against that which is known, you cannot protect against that which is not known.

Therefore we’re mostly unprotected?

post mortem grey/white hats are always welcome to submit their version of the crystal ball.

however, the mask is behind time evolving equations fueled by inspirational needs to subvert the axis of logic.

the upper hand will always play into the hands of the original seeker.

cyberists standing-by ready to take the arrow and bullet are honoured yet useless to repel the inevitable angst of exploration.

deciding the precise time to flip the burger for the maximum flavor is not in the consumer's best interest, it lies with the creator/chef.

Therefore protection is moot. Always and hunted emotionally, MOOT.

It is comforting to see the wide open security field take on real proof of concepts relative to the vulnerabilities born from cheap engineering. 

hopefully technology can simplify stupidity, allowing subversion and exploitation to take a back seat to smart check-sum analytics.

Thy Comet Is Near. 

Thy post is unintelligible garbage.

As has always been the case.

Just curious, if video surveillance camera companies do sign up for this service will VDOO out them like they did with Axis and Foscam? I'm all for tighter cybersecurity for cameras, but this seems a little like extortion, unless Axis and Foscam are their clients.

Most likely there will be an NDA, as who wants to pay >$50,000 to have Full Disclosure included, when that is usually free?

My Guess is that they are using this for marketing. 

Thanks for the feedback, I reached out to VDOO for a response.

In general, I cannot imagine they would certify a product as non-vulnerable, and then publicly disclose, without the consent of the manufacturer, something they missed?

would certify a product as non-vulnerable, and then publicly disclose, without the consent of the manufacturer, something they missed?

The concern is the opposite. Let's say I run CrappyCam. I call up VDOO and say "hey, sign me up." I pay my money. A month later VDOO comes back and says we found 27 critical vulnerabilities. The question then is: As a client of VDOO, will VDOO disclose those vulnerabilities?

I see, you are both looking at the pre-certified stage. I suppose there could be conflict if the manufacturer was trying to ship a new product on a deadline prior to closing any vulnerability gaps.

Also, you should consider rebranding before worrying about cybersecurity issues.

This is where I was coming from, if Axis does not have a partnership with VDOO and HIKVision does. For example purposes only, if they both have the same vulnerability, will VDOO out both companies or just the one that ISN'T their client. If it's the latter, seems to be a little extortion going on. Show us $50,000 or we will write an article about your vulnerability.

If they out the companies that pay them $50k, then that's pretty crappy and I can't imagine many companies doing business with them. They should leave the outing up to the manufacturers.

I would assume they are outing companies publically right now to garner attention for marketing purposes which is smart.

I could understand if they outed the company if the manufacturer did not respond to the vulnerability in a reasonable amount of time, for public safety purposes. But even then I think they would have to refund the manufacturer in that case, because you are still in effect screwing someone that paid you over 50K.

That makes sense, thanks for clarifying your point.

I think extortion is a strong way to put it, unless they stop responsibly disclosing vulnerabilities for non-partners at some point.

If a manufacturer truly cares about cyber security, the $50k is money well spent.  It shows a dedication to cyber security. Then, when/if a vulnerability is found, I would assume VDOO would give them a heads up and time to patch before full disclosure.  So then they can announce the issue and resolution, and the manufacturer shows their dedication to cyber.

Manufacturers often spend $ on penetration testing...

I would think they would test only products submitted by manufacturers with an agreement to disclose after a predetermined period of time on products that are already released and not disclose any found during the pre-release period, provided they pass before release.

Manufacturers without an agreement should be given a short time to self disclose.

None of your CVE references have details (which you should have called out so you don't look like their shill).

Thanks Rodney, I will update the post to note that, and will be reaching out to see when those details will be included in the CVE(s).

Just updating this discussion to let people know that the CVE reference details have been added, in case anyone wants to review them.

I think IPVM would/could make a great "agency" for blessing devices....

An addendum section has been added to the report.

Based on feedback and discussion responses to the initial report, we emailed VDOO a list of questions and they responded. There are a few remaining points of concern that we are still in discussion with VDOO for clarification, and we will post those responses as soon as we receive them.

  • Q: What is the process / method that your platform follows for a manufacturer to certify a product? Does a manufacturer ship their cameras to you?
  • A: "VDOO performs device-specific analysis by focusing on the device's firmware only, thus it does not require any access to the physical device or to its source code. It then provides an automated guidance to allow the manufacturer to properly implement security-essential building blocks and apply security by design"
  • Q: Are you certifying the whole system of hardware and firmware/software or just firmware?
  • A: The analysis service creates device-specific security requirements, tailored to the specific needs of the device, given its hardware and software components and its relative risk factors.
  • Q: Are you finding vulnerabilities in IP camera hardware that have been mostly eliminated in other industries, or are they common across many IoT verticals?
  • A: In general, during our research we’ve seen many practices that one wouldn’t expect to see in 2018. We’ve seen them in connected cameras as well as in more “sensitive” IoT products & systems in the fields of Safety and Security.
  • Q: Is your current intent for these disclosures simply to grab attention?
  • A: Our approach is to go out of our way not to commercialize these findings in a massive “traditional” marketing effort. We put a great deal of emphasis on (1) vendor guidance (free of charge) - to fix the issues properly, as well as (2) user guidance - to make sure they mitigate the potential attack, even if an update is not achievable; and (3) general instruction to the specific vendor as well as “lessons learned” to other vendors to better implement security and fix security architecture and design flaws.
  • Q: Are there other specific industries you are targeting actively/finding vulnerabilities right now?
  • A: We have recently commenced Project Vizavis, a project which unravels the vulnerabilities of connected devices from the Safety and Security fields and specifically from the surveillance cameras vertical. VDOO chose these sets of products since they have direct impact on business continuity hence, should be considered “critical” to the business and receive the right level of security.
  • Q: How does the typical camera manufacturer security team respond when you contact them? Have any been hostile/skeptical?
  • A: We were delighted to discover that all the leading manufacturers we have been working with have reached the realization that they can no longer ignore cyber-security and do not have the privilege to be “hostile” or “skeptical”. They indicated that they are being asked more and more by their customers regarding their products’ security.
  • Q: If video surveillance camera companies do sign up for this service will VDOO out them like they did with Axis and Foscam? I'm all for tighter cybersecurity for cameras, but this seems a little like extortion, unless Axis and Foscam are their clients
  • A: There is a clear distinction between the vulnerability disclosure process, where we will continue to work with every manufacturer based on the industry best practice guidelines vs. a significantly larger in scale business engagement where vulnerability discovery is just a fraction of what VDOO is providing via its set of product & services, all with a goal of strengthening the entire security posture of the manufacturers products. Moreover, when a manufacturer independently uses our automated analysis SaaS platform, as a web service managed solely by the manufacturer without our assistance, the information automatically generated by the analysis engine via the process will not be shared with us, hence we will not be able to access it and publish it. If the manufacturer chooses to certify its product, we will receive this information and once certified, the certification details will be shared publicly. In the two cases that were published, we provided more than ample time (vs. industry best practices) for the manufacturers to fix their vulnerabilities, as well as guidance, verification that their mitigation indeed removed the vulnerabilities and ensuring they reduced their customer's risks.