Verkada Global Admin Vs Hikvision Backdoor
Which one was worse? And what does this say about video surveillance cybersecurity?
In 2017, Hikvision's backdoor shook the industry. Now, in 2021, Verkada's "global admin access" led to a breach that made global news.
Untrustworthy
Both companies proved to be untrustworthy as these were the consequences of dangerous and unethical design decisions. Many 'hacks' are the result of exploiting obscure or unseen coding patterns that the provider did not foresee. These were not.
Both Hikvision and Verkada built these access mechanisms in on purpose and hid them from the public until outsiders publicized them, forcing the companies to make changes after years of secretly including them.
Hikvision ********
********* ****-***** * ***** ****** ******** across ******** ** ** ****** ****** that **** ******** ** ******** ** the ****** ******* ***** ****** ******* logging ** ** **** ******* **** the ******** ***.
**** ************ **** ** *** ***** video ******** *****:
******* ****** *****
******* *** * **** **** ********* 'backdoor', ** **** ******* *** ********* as "****** ***** ******', ***** *** only ******* ****** ** *******, ** allowed ****** ** **********, *********, **** root ** *** ********** ** ** the *******.
** *** ***** *****, ******* ****** and ********* ******** '****** ***** ******', at ***** ******:
Cloud ******* ** ***
*** *********** ********** ******* ***** *** vulnerabilities ** **** ********* *** ******** in ******** **** *** *** *****-*******, requiring **** *** **** ** ****** the ******** ** ****** *** ************* while *******, ***** ***** *******, *** able ** ****** *** ******'* ******** all ** ****.
Dangers ** ***** / ******* ***** *****
**** *****-******* *******, *** ******** *** spy ** ***** ********* ******** **** want. *** **** **** ** *** very *** ****** **** *** ******** can ********** ***** **** *** ******** is ****** ** ****. **** ** not ******* ******* **** ********** *** even ** *** ****, * ******** would ***** **** ** ***** *** traffic *** ********* *** *** ****** a ****** **** ** ******** *** system (***** ** ************* ******** ***** certainly *****).
*** ****** ** * ***** ****** is **** **** ********, *** ******** can *********** ** ******* ** ***** the ******** / ***** ******, ********* the ******** ** *** ***** ** customers ***** **** (***** ***** ***** be **** ** ******).
Dangers ** *** ***** / ********* ********
**** ******* **** *** *** ***** managed, * ******* ***** ***** **** the ******** ** ******* ** ***'* organization **** * ******** *****-**. ***** and ****** *** ******** ** ******* to ****** *** ********, *** ******** will ******, *** ****** ** *****. Secondly, ******** *** ******** *** ********, the **** ****** ** * *** backdoor ***** ********* **** ******** *** remain ******* *** ***** ** ** until *** ******** ** ***** *** a ******** ****** ******** ** ** applied.
Verkada ********
*** **** ****** ******* ** ******* being ******* ** ****, *** *****, they **** ******** ***** ********* ** the ******* **** **** *** *********** and ***** ******* *********** *** ***** and *********,*** *******:
***:
*** ******* ******** '*********' *** '*****? Maybe. *** ******** ******* ****** ******** 'DANGEROUS' *** '*****'? ** '******-****' *****, yes, **** ***.
Which ** *****?
*** **** ****** *** **** **** companies.
** *** *** ****, ** ***** with *********, *** *** *** ** barricade / ***** /********** ****** **** *** ******** ***, if *** ** ** ********* *** never ************* ***** ****** ************ *** can ** **** *** **** *** be ******** ** ******** ***********, *** might ** **. ** ******, **** is ** *** ******* ** ****** it ********* ** ********** *** ****** and *****-***** ****** (*.*., ****** ** an *********).
***********, ********* *** **** ****** *****-******* video ************ (*.*., ***-*******) *** ** you *** ***** **** *** **** risk ** ******* - *** *** trust **** ********* **** *** ****** or ***** ****** ** ****** **** video?
Trust *********
***** ** *********, ** *** *** ever ** ******* **** * ******** is *** ******* * ********* ** a *******. ***** ******, ******* ***, "Show ** *** ***** **** ******* X *** * ********?" ** ******, when ***** ** ***** **** ******, the ******* ***** ** (** ****** because **** **** ** ******** ******** is * ****** ** ********). *** proving **** *************** ** **** *** companies *** **** **** *** ***** (as ********* *** ******* **** *** here). *** *** ***** ** ******* that ********* ** ******* ** **** or ******** ** ***** ** ******, etc. **** *** ***** *** *********. You **** ** ** **** ** trust **** **** **** ***, **** organization's ******, ***, ** **** *********, even ******'* *****.
Vote / ****
**** ** **** **** ***, *** since ********* ****-***** *** ******** * would ******** ** ***** * ****** worse? * ********** *** *** ******* that ********* *** ****, *** ****'* really ****** ******* ** **** **** huge ** * ****. ******* ***** to ** **** ** ******** ** negligence ** ******** ****** ********. * don't ***** ****** *** :)
** ***** *** ************* ***** ** most ******** *********** ***/***'*, *** *** servers **** ***** **** ******* *** be ********, ******** *** ***** ** the ******* ** ******. ***** ******* and ***** ********* *** *** **** access ** *** ******* ** ****** on, ***** *** ** **** ** serial ****** **** ******* **** *** units, ** **** * '*******' ** at * **** ***** ** *** firmware. *********'* ** ************* **** ***** the ********** ******** ******** ** ********* to ***** ***'*. ** *** **** verified ** ***** *******, **** **** OEM ******* **** **** ******* *** access.
******** ******* *** ***** ***** ******* providing ****** ****** ** *** ******* can *** ******* ****. *** ******* are ***** *** ******** ** **** from ********* ** *****.
***** ***** ******* *** ******* '*** door **' ******. ** * ****** obtained, ** ****** ******** ****** ** is **** (** ******** **** *******), access ** **** ** ******** *** client *******/*******/******** ** ******.
***** ********* *** ***** ******* *** serious *******, ** * ****** ** address ******** ****** ** **** *******. Once **, ***** ******* *** **** likely ** ******* **** ***** ****** to *** ******* ** ***** *** system *******.
**** *** *** ******** *****. ***** systems *** *** ******* ******* **** risks ** ******** ***** ****. *** industry ***** ** ******* **** *****, and ********* **** ********* *** **********.
** *** **** ****, **** ****** logins *** * **** *****, *** as **** ** *** ******** ****** in ****** ******** ** **, ***** is ****** * ****.
* ***-************ ** ******** ******* ******* would ** ** ********* *** ****** access *****. ** *** ** * pain ** ******, *** ***** ** worth ***********.
***** ** ****** ********* ********** **** the *******-*****... *** - " **'** incorporated * ***** *********** ******* ********** to **** ****. ** ***** ** fact, ***** ** ** **** ** document **." *** -" **, **, our **** **** ***** ** **** screened ** ** ****** *****? ** problem"
***** *** *** "**** **** *** utmost ******** ** *****" ******?
******* "********" ****. * ***** **** a "***** ** ******* ******" **** we ****** *** "******/**" *** ***** either/or *****'* ***, ** ******, * properly *********** ****.... *'** **-**** *** question *** ********-******* ***** **** ** be **** **** * ***** **** been ******* ****'* ***** ** ****.
****** ******** ** ***** -
***** ** *** ************* ** ***** that ** *** ******* ** ***** products. *** **** ********** ** ******** within ******* ********* ******* ****** *******, Security, *** ************* ******* ******** ** government, *************, **********, **********, *** ******* consumers.
******, ******, ****, *** **** ****** provide ‘*****’ ******** **** *** ** Code ***/** ************* ********** **** *** behind ********* *** ***** *** ***** network *******, ** ***** ** ******* ‘easy ******’ ** ***** *******. ** is *********** ****** ** ***, *** it **** ******** ********** ***** **** each ************ **** ***** **** ****** to **** ********* *** ******* ********.
** *** **** **** ******* ** truly ****. ********** ** **** ** big ********. ***** *** *** ******** added ** *** ***** ********, ** provided **** *** ******* ********** *** potential ***** ** *******.
*** ******** ******** *** ******** ** consumers ***** **** **** ****** **** ‘easy ******’ ** ***** ** ** able ** ******* *** ******* ******* that *** ** **** ******** **** commercial *** ******* ***********. *** ***** suspect **** *** ********* ********* ***** products **** **** *** **** **** vetting, *** ********** ******* ***** ********** with *** ***** *******.
** ***** ** **** *** **** to ** ** ******* **** ******** how **** ********** *****, *** *****, and ********. **** ** **** ******* provide *********** ** *** ***********, *** end ***** ***** ******** *** **** when ***** ******** **** ***** ***** technologies.
***, ** * ****'* ******* **** that * ****'* ***** ** #*, I ***** **** ******* **** ******** was ****. **** ********.
*** *** **** **** ***** *** Tricky-Verk **** ** ******* ***** ****** control *** **** ***********?
******* **** *** **** ******* ******* at ***** **. ****’* ********, ** Arizona, *** **** **** **** ** see * ******** ****** ** *** used ******* ****** ******* ***** ** open ******* *****, *** **** **** did **.
"******* **** *** **** ******* ******* at ***** **. ****’* ********, ** Arizona, *** **** **** **** ** see * ******** ****** ** *** used ******* ****** ******* ***** ** open ******* *****, *** **** **** did **."
**** *******. ****'* *** ** ** the *******-**** ** * ********* *********....**** not ** *** ***** ******... * mean ********.
** *****'* ****** ***** *** ** worse; **** ** ** ** ****. Many **** (*** **** ***** ********/********* MFG's) *** ***** **, **** **** happened ** **** ****** ******. ****.
******* ** ********** ***** ******* ***** is ** *** ** ****** ******* it ***** *** ******* ****** ** secured **** *** ***** ******. *** TruHikVision ******* **** ******* **** *** world **** *** ***, ***** ** ACLs *** ***** ** ******* **** on ******* ***** **** ** ***** to/from *** *****. *** **** *** NVRs ******** ** ******* ***** ** view **** ***** ** *** ******* network *** *** ****** *********** *** is ****** ****** *********** **** ** only ******* *** ****** *** **** limited ****** ** ********* ** *** internal *** *** ***** *** **** or *** *** *******. ** **** if *** **** ********** **** * backdoor *** **** ** *** ****** would **** ** **** **** ******* employees **** ******, ****** *** ******* IT ********* ** ** ******** *** manages ** ********** ********** * ********** on *** ******* ***. *********, ******* we ***** *** ****** (*** ** Axis **...) ** ** ****** ******* since ** *** ********* **** * near **** ***** ***** ******.
* ****** ** ****** **** ***** when ************ *** *********** *** ***** both ********* *** ******* ** **** as ****** *******.
* ********** *** ***** ***** ***** be ***********, *** * ****** ** local ***** ***** **** **** *** illusion ** ********, ******* ****** ********* it. ** ***** ** * **** feeling ** ******** ** ***** ******* at ***** * ** ******* ***-*** external ******** *******. * ***'* **** the ***** ** ****, *** ** left ********* ** **** ** **** an ******** ** ********?
******** *** ** ** ******** ** security ** ** ***'* ********** ********. With ******* *** **********, **'* ** to *** ** ********* ********. **** devices ******* **** ***********, **'* ** to **** ** ********* ** ********. Outsourcing ** * ***** ******** ** the **** ** ******* ********* ** too ****. *** ** **** ***'** outsourcing ** *** ***** ************.
** *** **** *** ********* (*********, money, *********), ***** ********** ****** *** to ******* **** *** ****** ******** cloud *** ******** *****. *** *** setup *********, *****, ****, ****** *******, monitor *** ******* ****, *** ** reasonably **** **** ** *** *** compromised **** ***** ******. **** ***** video, *** *** *** ** ** trust *** ********. *** *** ***** know *** ******* **** **** ******** doesn't **** ** ******** ***** ******** your *****.
* ***** ******** ** ***** ** it *** ***% ***********.
******* *** **** ****** **** ********** and *********. *** ******** *** *** intentional.
"******* *** **** ****** **** ********** and *********. *** ******** *** *** intentional. "
*** *** **** ***** ****? ** experience (** ***** ** ** ** many **********, **** ****** *** ******* sectors), ***, *** ******* ********, *** otherwise ** **.....
*** ** *******'* ****** *****, *************?
******** *** ***** ***** ******* *** a ******* ****** *** ****** *** intentional. ********* ** ********. **** **** have * **** **** **************** ** ***** ** ******* *** dinosaurs *** *****, *** **** **** **** *** them ******.
** * ***. *** ************* *** breach ** ***** *** ***********, ** was *** ******** ** *** ***** admin ******** **** *** *************. ******'* that ** **** ** *** ********* backdoor? ********* ****'* *** **********, *** they?
****** ** ***** *** **********. **** always ****** **** *****. ********* ** Vulnerability *** ********** *** *************. ******* to ******** *** ** ****** *** "tools" ***** *** ***** ** "*******" was ***********.
* ****** ***** *** ******** ******* comparison **** ****** ******* **. * have * *** ** ******** ******* but * **** ** ***** ********* wrong ******* * ***'* **** *** paying ** $**,*** * ***** *** maintenance *** ******* **** $**,*** * year ** ********.
*** ******** ******* *** *** **** been *********** (*** ****, *** *** cover-up). *** ***** ** ***, ** my *******, ***********. ******* *** ************* using ******* *** *********** ************ ******** to ***** **** ****** *** *********** nefarious *******. ********, **** **** ***** organizations *********** * ****** ** *****( if *** ******** *** ********** *** 3rd ***** *******). *** ********-*** *** the *****-**.
* *********** *****. ******* **** ******* devices ***** ***** ******* ****** ****. In ******, *** ******* ***** *** give **** ****** ** *******, *** pwning * ****** ***** ****** * camera (********** ** *** ****** *** on * **** **** ** ****** have ****🤞).
*******, *** ******* **** **** ****** to **** **** ******* *******, **** Tesla *** **********. ********* ** *** camera *********, **** ***** ********* ********* espionage. *'* *** **** ** ******** has *** ********* **** *** **** prominent. *** *** ******** ****** ***** up *** ** ** *** ***** number ** ***** ** ****** **********.
Both *** ************.
*** ** *** ***** (******) ******** to ******* ******* **** ******* *** Hik ********. ** *** ***, ** companies *** ** ******* (***** **** at ********) **** *** ********* **** this ** *** ****. **** **** out *** *** ***** ************ *** everyone. (****** *******)
**** *******, * ***'* ****** **** what ** ***. ***** ***** ** be * *** ***** ***** ** the *******. *** ***** ****** ** a ******* *** ********* **** **** and *** ***** **** ** **** internal ******** ********. *** * ****** one! ** ***** *****, ***** ** a *** ***** **** *** ************.
* **** *** * ***** *******.
* ***** **** *** ******* ****** was ***** **** ********* ******* ********* could ** ********** ********* **** ******* and ***** ** *******. **** ********* customers********* ********** ******, **** ** **** didn't ********* ** **.
*** ** ******* **** ********* ********* didn't **** ***** ***** ******** ***** Verkada ***. ** ** **, **** makes ** ***** *** ******* ** well.