Cybersecurity Startup VDOO Disclosing 10 Manufacturer Vulnerabilities Starting With Axis And Foscam

By IPVM Team, Published on Jun 20, 2018

Cybersecurity startup VDOO has uncovered significant vulnerabilities in Axis cameras along with many others not yet disclosed.

In this report, we examine the company and its funding, their vulnerability research, and the value/impact of the vulnerabilities.

Company ********

**** *** *********** ** Israel ** **** ** Uri ***** [**** ** longer *********], **** ****** [link ** ****** *********], and **** ***** [**** no ****** *********], *** all **** ****** *********** in ******* ********. ***** and ***** **-******* ******, an ******** ******** ****, which *********** ** **** **** Networks ** ****. ******* ***** ********* came **** ****** *** EMC, ** ****.

* ******* **** ** VDOO's ******* ** ****** clearly ** ***** *******:

**** **** ** ****** the ******** ********* (**) for ********* *******.

***********, **** ** ******** IP ****** *** ***** IoT ****** ************* (*** others) * ************ ******* (~$**,*** to ******* * ************'* products) ***** ********* ************* checks ** *** ******* and ********.

**** **** **** ** provide (****) * *********** that ******** *** ******* has **** ******* ** their ****** ** * non-vulnerable ******. **** **** to ********* * ******** process *** "****-********** **********", presumably ** ******* *************** they ******** ***** ********** a ******* ** ***-**********.

*******

**** ******** *********$** ******* ** ****************,**** ************ *******, *** ***** ********* investors.

**** ***** **** **** plan ** *** **** funding:

** ******* *** ************* VDOO’s *****-**-***-**** ******** ** Things (***) ******** ********, which ******** ** *********, end-to-end ******* **** ******** devices, ******** *** ***** security ************ *** ************** guidance ***** ** **** analysis, *** ******** ******** certification *** * **** range ** ********* *******.

Axis ************* *******

**** ********* ***** *************** to *** ****' ******** team (******: ** ** 6/27/2018, ******* **** **** added ** *** **********):

***-****-*****,***-****-*****,***-****-*****,***-****-*****,***-****-*****,***-****-*****,***-****-*****

***** *** ** * high **** ***** **** can ****** ** **** administrative ****** ** *** camera. *** ******* ******** to perform ** ****** ** complex, ********* ******** ***** and ******** *********, ****** simpler ****** *************** **** as*****'* ********* ************* ************ ************* *** ****** **** only ****** *******.

*******, **** **** *********** now ******, ** ** only * ****** ** time *** ********** *** bad ****** **** **** advanced ****** ** ****** scripts ***** ******** ***** attacks, ****** ***** *************** **** priority *** ***** ** patch.

Impact ** *************

*** *************** ******* * specific *********** ** ***** to **** *** **** advantage ** ****** ** view ** ****** *** camera ******, ***** *** camera's ******** (****** *********, lens ***********, ***** *******) or *** *** ****** as * ******** ** other ******* ** ****** the *******.

**** ****** ************* ******, which ****** **** ** gain ************ ****** ** the ******* ******** ***.

**** ***** ***** ************ by ******** ** **** logo ***** ******* ** a ********** ******:

***** ******* ***** ********, the ******* (** ******* - * ***** **** logo) ******* ** *** top **** ****** ** the ***** ******:

Foscam *************

** ******** ** *** Axis ***************, ******* ** June, **** **** ********** "***** ***************" ** Foscam *********** **** ********* ** Foscam's ******** ****. ********* these ***** ***************, ********* may ***** *** ******* the ******'* *** ******, inject ********, *** **** over *** ******.

Botnet ****

**** ****** ** ***** reports **** **** *** Axis *** ****** *************** may *********** ** **** to *** ******* ** a ****** *** **** for ****** **** *******, bitcoin ******, ** ***** purposes. ** ******** ** the ***** ******, ***** ******* may ***** ****** ********** to *** **** ******** targets ********* ************* *******.

VDOO *************** ** *************

** **** ***********, **** is ************ ******** *********** considerations:

  • ****** ******* ********** **** parts: ** *** *** all ********* ** "****"
  • ****** ***** ************: ****** external ******** *** ******** input *******
  • ****** ******** *****: **** of ****** *********** ****** hackers ** ******* ******** for **** ** *******

Axis ********

**** ********** ******** ** Axis ********** **** ** ******** products *** ******* ********** ****** *** *************** in *****, ***** ******** 390 ********* **** ****** models.

More *********** ****** / ******** ******

**** *** **** *** months, **** **** ** disclosing **** *************** **** more *************, **** *** responsible ********** ******* ***.

**** ***** **** * positive ****** ** *** cybersecurity ** *** ***** surveillance ********, ***** *** been * ****** ********* focus *** **** *************. Cybersecurity ******** **** *** yet ****** *********** ******** financial ****** ** **** of *** ************* **** have ******** **** ******** vulnerabilities. ****, ***** *** pricing **** **** *** asking *** ************, *** type ** ******* **** are ******** *** *** they *** *********** *** market, **** *** **** a ********* **** ******* partners.



Comments (33)

If Hikvision was truly proactive about cyber security they would issue these guys a public invite to their source code review lab. What better way to show your confidence and commitment than to invite such an open analysis. 

Sounds like a great idea. I assume they are trying to be the UL of the cybersecurity world. Is it $50,000 per product or $50,000 for all products? If $50,000 for each product, that is fairly steep. A $50,000 membership to have all products tested isn't bad.

That is an estimate from VDOO, *for all products from an average manufacturer in this space*, depending on how many different revisions of code/firmware are required. I would imagine manufacturers with larger and diverse product lines (video, access control, intercoms, etc) could have to pay more.

*EDIT: Correcting my statement, the price estimation was a starting point for pricing to manufacturers.

IMO, that is a fair price for a manufacturer. I hope they gain traction as I think this is a great idea. We need an industry leader like this that manufacturers can turn to to get their products certified from an industry trusted source.

But UL is the UL of Cybersecurity, right? Right...?

I love this concept. 

It’s time for cyber security to be top priority for security vendors. I hope all manufacturers use this as a resource. Love it.

Anonymous remote access (write only) so easily to dbus is quite unusual and remarkable, I must say. Good job VDOO!

Great with the services they offer for manufacturers; let's now hope manufacturers get that too.


Anonymous remote access (Write only) so easily...

So, Are The Hackers Winning?

Will these new exploits be added to the IPVM Vulnerability Scanner?

UI2: Yes, we should have two new vulnerabilities added by next week.

You can only protect against that which is known, you cannot protect against that which is not known.

You can only protect against that which is known, you cannot protect against that which is not known.

Therefore we’re mostly unprotected?

post mortem grey/white hats are always welcome to submit their version of the crystal ball.

however, the mask is behind time evolving equations fueled by inspirational needs to subvert the axis of logic.

the upper hand will always play into the hands of the original seeker.

cyberists standing-by ready to take the arrow and bullet are honoured yet useless to repel the inevitable angst of exploration.

deciding the precise time to flip the burger for the maximum flavor is not in the consumer's best interest, it lies with the creator/chef.

Therefore protection is moot. Always and hunted emotionally, MOOT.

It is comforting to see the wide open security field take on real proof of concepts relative to the vulnerabilities born from cheap engineering. 

hopefully technology can simplify stupidity, allowing subversion and exploitation to take a back seat to smart check-sum analytics.

Thy Comet Is Near. 

Thy post is unintelligible garbage.

As has always been the case.

Just curious, if video surveillance camera companies do sign up for this service will VDOO out them like they did with Axis and Foscam? I'm all for tighter cybersecurity for cameras, but this seems a little like extortion, unless Axis and Foscam are their clients.

Most likely there will be an NDA, as who wants to pay >$50,000 to have Full Disclosure included, when that is usually free?

My Guess is that they are using this for marketing. 

Thanks for the feedback, I reached out to VDOO for a response.

In general, I cannot imagine they would certify a product as non-vulnerable, and then publicly disclose, without the consent of the manufacturer, something they missed?

would certify a product as non-vulnerable, and then publicly disclose, without the consent of the manufacturer, something they missed?

The concern is the opposite. Let's say I run CrappyCam. I call up VDOO and say "hey, sign me up." I pay my money. A month later VDOO comes back and says we found 27 critical vulnerabilities. The question then is: As a client of VDOO, will VDOO disclose those vulnerabilities?

I see, you are both looking at the pre-certified stage. I suppose there could be conflict if the manufacturer was trying to ship a new product on a deadline prior to closing any vulnerability gaps.

Also, you should consider rebranding before worrying about cybersecurity issues.

This is where I was coming from, if Axis does not have a partnership with VDOO and HIKVision does. For example purposes only, if they both have the same vulnerability, will VDOO out both companies or just the one that ISN'T their client. If it's the latter, seems to be a little extortion going on. Show us $50,000 or we will write an article about your vulnerability.

If they out the companies that pay them $50k, then that's pretty crappy and I can't imagine many companies doing business with them. They should leave the outing up to the manufacturers.

I would assume they are outing companies publically right now to garner attention for marketing purposes which is smart.

I could understand if they outed the company if the manufacturer did not respond to the vulnerability in a reasonable amount of time, for public safety purposes. But even then I think they would have to refund the manufacturer in that case, because you are still in effect screwing someone that paid you 50K over.

That makes sense, thanks for clarifying your point.

I think extortion is a strong way to put it, unless they stop responsibly disclosing vulnerabilities for non-partners at some point.

If a manufacturer truly cares about cyber security, the $50k is money well spent.  It shows a dedication to cyber security. Then, when/if a vulnerability is found, I would assume VDOO would give them a heads up and time to patch before full disclosure.  So then they can announce the issue and resolution, and the manufacturer shows their dedication to cyber.

Manufacturers often spend $ on penetration testing...

I would think they would test only products submitted by manufacturers with an agreement to disclose after a predetermined period of time on products that are already released and not disclose any found during the pre-release period, provided they pass before release.

Manufacturers without an agreement should be given a short time to self disclose.

None of your CVE references have details (which you should have called out so you don't look like their shill).

Thanks Rodney, I will be updating the post to note that, and will be reaching out to see when those details will be included in the CVE(s).

Just updating this discussion to let people know that the CVE reference details have been added, in case anyone wants to review them.

I think IPVM would/could make a great "agency" for blessing devices....

An addendum section has been added to the report.

Based on feedback and discussion responses to the initial report, we emailed VDOO a list of questions and they responded. There are a few remaining points of concern that we are still in discussion with VDOO for clarification, and we will post those responses as soon as we receive them.

  • Q: What is the process / method that your platform follows for a manufacturer to certify a product? Does a manufacturer ship their cameras to you?
  • A: "VDOO performs device-specific analysis by focusing on the device's firmware only, thus it does not require any access to the physical device or to its source code. It then provides an automated guidance to allow the manufacturer to properly implement security-essential building blocks and apply security by design"
  • Q: Are you certifying the whole system of hardware and firmware/software or just firmware?
  • A: The analysis service creates device-specific security requirements, tailored to the specific needs of the device, given its hardware and software components and its relative risk factors.
  • Q: Are you finding vulnerabilities in IP camera hardware that have been mostly eliminated in other industries, or are they common across many IoT verticals?
  • A: In general, during our research we’ve seen many practices that one wouldn’t expect to see in 2018. We’ve seen them in connected cameras as well as in more “sensitive” IoT products & systems in the fields of Safety and Security.
  • Q: Is your current intent for these disclosures simply to grab attention?
  • A: Our approach is to go out of our way not to commercialize these findings in a massive “traditional” marketing effort. We put a great deal of emphasis on (1) vendor guidance (free of charge) - to fix the issues properly, as well as (2) user guidance - to make sure they mitigate the potential attack, even if an update is not achievable; and (3) general instruction to the specific vendor as well as “lessons learned” to other vendors to better implement security and fix security architecture and design flaws.
  • Q: Are there other specific industries you are targeting actively/finding vulnerabilities right now?
  • A: We have recently commenced Project Vizavis, a project which unravels the vulnerabilities of connected devices from the Safety and Security fields and specifically from the surveillance cameras vertical. VDOO chose these sets of products since they have direct impact on business continuity hence, should be considered “critical” to the business and receive the right level of security.
  • Q: How does the typical camera manufacturer security team respond when you contact them? Have any been hostile/skeptical?
  • A: We were delighted to discover that all the leading manufacturers we have been working with have reached the realization that they can no longer ignore cyber-security and do not have the privilege to be “hostile” or “skeptical”. They indicated that they are being asked more and more by their customers regarding their products’ security.
  • Q: If video surveillance camera companies do sign up for this service will VDOO out them like they did with Axis and Foscam? I'm all for tighter cybersecurity for cameras, but this seems a little like extortion, unless Axis and Foscam are their clients
  • A: There is a clear distinction between the vulnerability disclosure process, where we will continue to work with every manufacturer based on the industry best practice guidelines vs. a significantly larger in scale business engagement where vulnerability discovery is just a fraction of what VDOO is providing via its set of product & services, all with a goal of strengthening the entire security posture of the manufacturers' products. Moreover, when a manufacturer independently uses our automated analysis SaaS platform, as a web service managed solely by the manufacturer without our assistance, the information automatically generated by the analysis engine via the process will not be shared with us, hence we will not be able to access it and publish it. If the manufacturer chooses to certify its product, we will receive this information and once certified, the certification details will be shared publicly. In the two cases that were published, we provided more than ample time (vs. industry best practices) for the manufacturers to fix their vulnerabilities, as well as guidance, verification that their mitigation indeed removed the vulnerabilities and ensuring they reduced their customer's risks.