Cybersecurity Startup VDOO Disclosing 10 Manufacturer Vulnerabilities Starting With Axis And Foscam

Published Jun 20, 2018 13:03 PM

Cybersecurity startup VDOO has uncovered significant vulnerabilities in Axis cameras along with many others not yet disclosed.

In this report, we examine the company and its funding, their vulnerability research, and the value/impact of the vulnerabilities.

Company ********

**** *** *********** ** ****** ** 2017 ** *** ***** [**** ** longer *********], **** ****** [**** ** longer *********], *** **** ***** [**** no ****** *********], *** *** **** strong *********** ** ******* ********. ***** and ***** **-******* ******, ** ******** security ****, ***** *********** ** **** **** ******** ** 2014. ******* ***** ********* **** **** Cyvera *** ***, ** ****.

* ******* **** ** ****'* ******* is ****** ******* ** ***** *******:

**** **** ** ****** *** ******** Authority (**) *** ********* *******.

***********, **** ** ******** ** ****** and ***** *** ****** ************* (*** others) * ************ ******* (~$**,*** ** ******* a ************'* ********) ***** ********* ************* checks ** *** ******* *** ********.

**** **** **** ** ******* (****) a *********** **** ******** *** ******* has **** ******* ** ***** ****** as * ***-********** ******. **** **** to ********* * ******** ******* *** "post-deployment **********", ********** ** ******* *************** they ******** ***** ********** * ******* as ***-**********.

*******

**** ******** *********$** ******* ** ****************,**** ************ *******, *** ***** ********* *********.

**** ***** **** **** **** ** use **** *******:

** ******* *** ************* ****’* *****-**-***-**** Internet ** ****** (***) ******** ********, which ******** ** *********, ***-**-*** ******* that ******** *******, ******** *** ***** security ************ *** ************** ******** ***** on **** ********, *** ******** ******** certification *** * **** ***** ** connected *******.

Axis ************* *******

**** ********* ***** *************** ** *** Axis' ******** **** (******: ** ** 6/27/2018, ******* **** **** ***** ** CVE **********):

***-****-*****,***-****-*****,***-****-*****,***-****-*****,***-****-*****,***-****-*****,***-****-*****

***** *** ** * **** **** since **** *** ****** ** **** administrative ****** ** *** ******. *** process ******** ** ******* ** ****** ** complex, ********* ******** ***** *** ******** knowledge, ****** ******* ****** *************** **** as*****'* ********* ************* ************ ************* *** ****** **** **** ****** strings.

*******, **** **** *********** *** ******, it ** **** * ****** ** time *** ********** *** *** ****** with **** ******** ****** ** ****** scripts ***** ******** ***** *******, ****** these *************** **** ******** *** ***** ** patch.

Impact ** *************

*** *************** ******* * ******** *********** of ***** ** **** *** **** advantage ** ****** ** **** ** adjust *** ****** ******, ***** *** camera's ******** (****** *********, **** ***********, video *******) ** *** *** ****** as * ******** ** ***** ******* on ****** *** *******.

**** ****** ************* ******, ***** ****** them ** **** ************ ****** ** the ******* ******** ***.

**** ***** ***** ************ ** ******** an **** **** ***** ******* ** a ********** ******:

***** ******* ***** ********, *** ******* (by ******* - * ***** **** logo) ******* ** *** *** **** corner ** *** ***** ******:

Foscam *************

** ******** ** *** **** ***************, earlier ** ****, **** **** ********** "***** ***************" ** ****** *********** **** ********* ** ******'* ******** team. ********* ***** ***** ***************, ********* may ***** *** ******* *** ******'* web ******, ****** ********, *** **** over *** ******.

Botnet ****

**** ****** ** ***** ******* **** both *** **** *** ****** *************** may *********** ** **** ** *** devices ** * ****** *** **** for ****** **** *******, ******* ******, or ***** ********. ** ******** ** the ***** ******, ***** ******* *** ***** severe ********** ** *** **** ******** targets ********* ************* *******.

VDOO *************** ** *************

** **** ***********, **** ** ************ critical *********** **************:

  • ****** ******* ********** **** *****: ** not *** *** ********* ** "****"
  • ****** ***** ************: ****** ******** ******** for ******** ***** *******
  • ****** ******** *****: **** ** ****** encryptions ****** ******* ** ******* ******** for **** ** *******

Axis ********

**** ********** ******** ** **** ********** **** ** ******** ******** *** patched ********** ****** *** *************** ** *****, which ******** *** ********* **** ****** models.

More *********** ****** / ******** ******

**** *** **** *** ******, **** will ** ********** **** *************** **** more *************, **** *** *********** ********** periods ***.

**** ***** **** * ******** ****** on *** ************* ** *** ***** surveillance ********, ***** *** **** * common ********* ***** *** **** *************. Cybersecurity ******** **** *** *** ****** significant ******** ********* ****** ** **** of *** ************* **** **** ******** from ******** ***************. ****, ***** *** pricing **** **** *** ****** *** manufacturer, *** **** ** ******* **** are ******** *** *** **** *** approaching *** ******, **** *** **** a ********* **** ******* ********.

Addendum: **** ******** ** *********

***** ** ******** *** ********** ********* to *** ******* ******, ** ******* VDOO * **** ** ********* *** they *********. ***** *** * *** remaining ****** ** ******* **** ** are ***** ** ********** **** **** for *************, *** ** **** **** those ********* ** **** ** ** receive ****.

****: ** ***** **** ***** *** agreements **** ************* *** **** **** not *** *********, ** **** ***** them *** ******* *****.

  • *: **** ** *** ******* / method **** **** ******** ******* *** a ************ ** ******* * *******? Does * ************ **** ***** ******* to ***?  
  • *: "**** **************-**************** ** ******** ** *** ******'* firmware ****, **** ** **** *** require *** ****** ** *** ******** device ** ** *** ****** ****. It **** ******** ** ********* ******** to ***** *** ************ ** ******** implement ********-********* ******** ****** *** ***** security ** ******"
  • *: *** *** ********** *** ***** system ** ******** *** ********/******** ** just ********?
  • *:*** ******** ******* ******* ******-******** ******** requirements, ******** ** *** ******** ***** of *** ******, ***** *** ******** and ******** ********** *** *** ******** risk *******.
  • *:*** *** ******* *************** ** ** camera ******** **** **** **** ****** eliminated ** ***** **********, ** *** they ****** ****** **** *** *********? 
  • *:** *******, ****** *** ******** **’** seen **** ********* **** *** ******’* expect ** *** ** ****. **’** seen **** ** ********* ******* ** well ** ** **** “*********” *** products & ******* ** *** ****** of Safety *** ********.
  • *: ** **** ******* ****** *** these *********** ****** ** **** *********? 
  • *: *** ******** ** ** ** out ** *** *** *** ** commercialize ***** ******** ** * ******* “***********” marketing ******. ** *** * ***** deal ** ******** ** (*) ****** guidance (**** ** ******) - ** fix *** ****** ********, ** **** as (*) **** ******** - ** make **** **** ******** *** ********* attack, **** ** ** ****** ** not **********; *** (*) ******* *********** to *** ******** ****** ** **** as “lessons *******” ** ***** ******* ** better ********* ******** *** *** ******** architecture *** ****** *****.
  • *: *** ***** ***** ******** ********** you *** ********* ********/******* *************** ***** now?
  • *:** **** ******** ********* ******* *******, a ******* ***** ******** *** *************** of ********* ******* **** *** ****** and ******** ****** *** ************ **** the ************ ******* ********. **** ***** these **** ** ******** ***** **** have ****** ****** ** ******** ********** hence, ****** ** ********** “********” ** the ******** *** ******* *** ***** level ** ********.
  • *: *** **** *** ******* ****** manufacturer ******** **** ******* **** *** contact ****? **** *** **** *******/*********?
  • *:** **** ********* ** ******** **** all *** ******* ************* ** **** been ******* **** **** ******* *** realization **** **** *** ** ****** ignore *****-******** *** ** *** **** the ********* ** ** “*******” ** “skeptical”. **** ********* **** **** *** being ***** **** *** **** ** their ********* ********* ***** ********’ ********.
  • *:** ***** ************ ****** ********* ** sign ** *** **** ******* **** VDOO *** **** **** **** *** with **** *** ******? *'* *** for ******* ************* *** *******, *** this ***** * ****** **** *********, unless **** *** ****** *** ***** clients
  • *:***** ** * ***** *********** ******* the ************* ********** *******, ***** ** will ******** ** **** **** ***** manufacturer ***** ** *** ******** **** practice ********** **. * ************* ****** in ***** ******** ********** ***** ************* discovery ** **** * ******** ** what **** ** ********* *** *** set ** ******* & ********, *** with * **** ** ************* *** entire ******** ******* ** *** ************* products. ********, **** * ************ ************* uses *** ********* ******** **** ********, as * *** ******* ******* ****** by *** ************ ******* *** **********, the *********** ************* ********* ** *** analysis ****** *** *** ******* **** not ** ****** **** **, ***** we **** *** ** **** ** access ** *** ******* **. ** the ************ ******* ** ******* *** product, ** **** ******* **** *********** and **** *********, *** ************* ******* will ** ****** ********. ** *** two ***** **** **** *********, ** provided **** **** ***** **** (**. industry **** *********) *** *** ************* to *** ***** ***************, ** **** as ********, ************ **** ***** ********** indeed ******* *** *************** *** ******** they ******* ***** ********'* *****.


Comments (33)
Undisclosed #1
Jun 20, 2018

If Hikvision was truly proactive about cyber security they would issue these guys a public invite to their source code review lab. What better way to show your confidence and commitment than to invite such an open analysis. 

Sean Nelson
Jun 20, 2018
Nelly's Security

Sounds like a great idea. I assume they are trying to be the UL of the cybersecurity world. Is it $50,000 per product or $50,000 for all products? If $50,000 for each product, that is fairly steep. $50,000 membership to have all products tested isn't bad.

Sean Patton
Jun 20, 2018

That is an estimate from VDOO, *for all products from an average manufacturer in this space*, depending on how many different revisions of code/firmware are required. I would imagine manufacturers with larger and diverse product lines (video, access control, intercoms, etc) could have to pay more.

*EDIT: Correcting my statement, the price estimation was a starting point for pricing to manufacturers.

Sean Nelson
Jun 20, 2018
Nelly's Security

IMO, that is a fair price for a manufacturer. I hope they gain traction as I think this is a great idea. We need an industry leader like this that manufacturers can turn to to get their products certified from an industry trusted source.

Sean Patton
Jun 20, 2018

But UL is the UL of Cybersecurity, right? Right...?

John Bazyk
Jun 20, 2018
Command Corporation • IPVMU Certified

I love this concept. 

Michael Miller
Jun 20, 2018

It’s time for cyber security to be top priority for security vendors. I hope all manufacturers use this as a resource. Love it.

bashis mcw
Jun 20, 2018

Anonymous remote access (write only) so easily to dbus is quite unusual and remarkable, I must say. Good job VDOO!

Great with the services they offer for manufacturers; let's now hope manufacturers get that too.


Undisclosed #3
Jun 20, 2018
IPVMU Certified

Anonymous remote access (Write only) so easily...

So, Are The Hackers Winning?

Undisclosed Integrator #2
Jun 20, 2018

Will these new exploits be added to the IPVM Vulnerability Scanner?


John Scanlan
Jun 20, 2018
IPVM • IPVMU Certified

UI2: Yes, we should have two new vulnerabilities added by next week.

Undisclosed #4
Jun 20, 2018

You can only protect against that which is known, you cannot protect against that which is not known.

Undisclosed #3
Jun 20, 2018
IPVMU Certified

You can only protect against that which is known, you cannot protect against that which is not known.

Therefore we’re mostly unprotected?

Undisclosed #4
Jun 21, 2018

post mortem grey/white hats are always welcome to submit their version of the crystal ball.

however, the mask is behind time evolving equations fueled by inspirational needs to subvert the axis of logic.

the upper hand will always play into the hands of the original seeker.

cyberists standing-by ready to take the arrow and bullet are honoured yet useless to repel the inevitable angst of exploration.

deciding the precise time to flip the burger for the maximum flavor is not in the consumer's best interest, it lies with the creator/chef.

Therefore protection is moot. Always and hunted emotionally, MOOT.

It is comforting to see the wide open security field take on real proof of concepts relative to the vulnerabilities born from cheap engineering. 

hopefully technology can simplify stupidity, allowing subversion and exploitation to take a back seat to smart check-sum analytics.

Thy Comet Is Near. 

Undisclosed Integrator #9
Jun 25, 2018

Thy post is unintelligible garbage.

Undisclosed Integrator #9
Jun 25, 2018

As has always been the case.

Terrence Harless
Jun 20, 2018

Just curious, if video surveillance camera companies do sign up for this service will VDOO out them like they did with Axis and Foscam? I'm all for tighter cybersecurity for cameras, but this seems a little like extortion, unless Axis and Foscam are their clients.

bashis mcw
Jun 20, 2018

Most likely there will be an NDA, as who wants to pay >$50,000 to have full disclosure included, when that is usually free?

Sean Nelson
Jun 20, 2018
Nelly's Security

My Guess is that they are using this for marketing. 

Sean Patton
Jun 20, 2018

Thanks for the feedback, I reached out to VDOO for a response.

In general, I cannot imagine they would certify a product as non-vulnerable, and then publicly disclose, without the consent of the manufacturer, something they missed?

John Honovich
Jun 20, 2018
IPVM

would certify a product as non-vulnerable, and then publicly disclose, without the consent of the manufacturer, something they missed?

The concern is the opposite. Let's say I run CrappyCam. I call up VDOO and say "hey, sign me up." I pay my money. A month later VDOO comes back and says we found 27 critical vulnerabilities. The question then is: As a client of VDOO, will VDOO disclose those vulnerabilities?

Sean Patton
Jun 20, 2018

I see, you are both looking at the pre-certified stage. I suppose there could be conflict if the manufacturer was trying to ship a new product on a deadline prior to closing any vulnerability gaps.

Also, you should consider rebranding before worrying about cybersecurity issues.

Terrence Harless
Jun 20, 2018

This is where I was coming from, if Axis does not have a partnership with VDOO and HIKVision does. For example purposes only, if they both have the same vulnerability, will VDOO out both companies or just the one that ISN'T their client. If it's the latter, seems to be a little extortion going on. Show us $50,000 or we will write an article about your vulnerability.

Sean Nelson
Jun 20, 2018
Nelly's Security

If they out the companies that pay them $50k, then that's pretty crappy and I can't imagine many companies doing business with them. They should leave the outing up to the manufacturers.

I would assume they are outing companies publicly right now to garner attention for marketing purposes, which is smart.

I could understand if they outed the company if the manufacturer did not respond to the vulnerability in a reasonable amount of time, for public safety purposes. but even then I think they would have to refund the manufacturer in that case because you are still in effect screwing someone that paid you 50K over.

Sean Patton
Jun 20, 2018

That makes sense, thanks for clarifying your point.

I think extortion is a strong way to put it, unless they stop responsibly disclosing vulnerabilities for non-partners at some point.

Undisclosed Manufacturer #8
Jun 21, 2018

If a manufacturer truly cares about cyber security, the $50k is money well spent. It shows a dedication to cyber security. Then, when/if a vulnerability is found, I would assume VDOO would give them a heads up and time to patch before full disclosure. So then they can announce the issue and resolution, and the manufacturer shows their dedication to cyber.

Manufacturers often spend $ on penetration testing...

Undisclosed Integrator #6
Jun 20, 2018

I would think they would test only products submitted by manufacturers with an agreement to disclose after a predetermined period of time on products that are already released and not disclose any found during the pre-release period, provided they pass before release.

Manufacturers without an agreement should be given a short time to self disclose.

Undisclosed
Jun 21, 2018

None of your CVE references have details (which you should have called out so you don't look like their shill).

Sean Patton
Jun 21, 2018

Thanks Rodney, I will update the post to note that, and will be reaching out to see when those details will be included in the CVE(s).

Sean Patton
Jun 28, 2018

Just updating this discussion to let people know that the CVE reference details have been added, in case anyone wants to review them.

Undisclosed End User #7
Jun 21, 2018

I think IPVM would/could make a great "agency" for blessing devices....

Sean Patton
Jun 24, 2018

An addendum section has been added to the report.

Based on feedback and discussion responses to the initial report, we emailed VDOO a list of questions and they responded. There are a few remaining points of concern that we are still in discussion with VDOO for clarification, and we will post those responses as soon as we receive them.

  • Q: What is the process / method that your platform follows for a manufacturer to certify a product? Does a manufacturer ship their cameras to you?
  • A: "VDOO performs device-specific analysis by focusing on the device's firmware only, thus it does not require any access to the physical device or to its source code. It then provides an automated guidance to allow the manufacturer to properly implement security-essential building blocks and apply security by design"
  • Q: Are you certifying the whole system of hardware and firmware/software or just firmware?
  • A: The analysis service creates device-specific security requirements, tailored to the specific needs of the device, given its hardware and software components and its relative risk factors.
  • Q: Are you finding vulnerabilities in IP camera hardware that have been mostly eliminated in other industries, or are they common across many IoT verticals?
  • A: In general, during our research we’ve seen many practices that one wouldn’t expect to see in 2018. We’ve seen them in connected cameras as well as in more “sensitive” IoT products & systems in the fields of Safety and Security.
  • Q: Is your current intent for these disclosures simply to grab attention?
  • A: Our approach is to go out of our way not to commercialize these findings in a massive “traditional” marketing effort. We put a great deal of emphasis on (1) vendor guidance (free of charge) - to fix the issues properly, as well as (2) user guidance - to make sure they mitigate the potential attack, even if an update is not achievable; and (3) general instruction to the specific vendor as well as “lessons learned” to other vendors to better implement security and fix security architecture and design flaws.
  • Q: Are there other specific industries you are targeting actively/finding vulnerabilities right now?
  • A: We have recently commenced Project Vizavis, a project which unravels the vulnerabilities of connected devices from the Safety and Security fields and specifically from the surveillance cameras vertical. VDOO chose these sets of products since they have direct impact on business continuity hence, should be considered “critical” to the business and receive the right level of security.
  • Q: How does the typical camera manufacturer security team respond when you contact them? Have any been hostile/skeptical?
  • A: We were delighted to discover that all the leading manufacturers we have been working with have reached the realization that they can no longer ignore cyber-security and do not have the privilege to be “hostile” or “skeptical”. They indicated that they are being asked more and more by their customers regarding their products’ security.
  • Q: If video surveillance camera companies do sign up for this service will VDOO out them like they did with Axis and Foscam? I'm all for tighter cybersecurity for cameras, but this seems a little like extortion, unless Axis and Foscam are their clients.
  • A: There is a clear distinction between the vulnerability disclosure process, where we will continue to work with every manufacturer based on the industry best practice guidelines vs. a significantly larger in scale business engagement where vulnerability discovery is just a fraction of what VDOO is providing via its set of product & services, all with a goal of strengthening the entire security posture of the manufacturers products. Moreover, when a manufacturer independently uses our automated analysis SaaS platform, as a web service managed solely by the manufacturer without our assistance, the information automatically generated by the analysis engine via the process will not be shared with us, hence we will not be able to access it and publish it. If the manufacturer chooses to certify its product, we will receive this information and once certified, the certification details will be shared publicly. In the two cases that were published, we provided more than ample time (vs. industry best practices) for the manufacturers to fix their vulnerabilities, as well as guidance, verification that their mitigation indeed removed the vulnerabilities and ensuring they reduced their customer's risks.
John Honovich
Aug 07, 2018
IPVM