Wrongly Accused Critical Vulnerability for Vivotek

Author: Brian Karas, Published on Jul 13, 2017

Vulnerabilities are an increasing branding and business problem for video surveillance manufacturers. However, sometimes vulnerabilities reported are not as critical as the reports claim.

Vivotek was recently faced with one but the vulnerability was meaningfully overstated. IPVM discussed this with the researcher who initially reported them and Vivotek, providing a more accurate assessment of the risks inside this report.

*************** *** ** ********** ******** *** ******** ******* *** ***** surveillance *************. *******, ********* *************** ******** *** *** ** ******** as *** ******* *****.

******* *** ******** ***** **** *** *** *** ************* *** meaningfully **********. **** ********* **** **** *** ********** *** ********* reported **** *** *******, ********* * **** ******** ********** ** the ***** ****** **** ******.

[***************]

Vulnerability *******

***-****-****** ****** ** * ******** ***** ** **.*, *** ********* a ************* ** * *** ****** **** *** ** ********* to ***** ** *************** ******** (*********) ** ******* ***** ******** as ****.***-****-****** ****** ** * *.*, *** ********* * ************* ** a ******** *** ****** **** *** ** ********* ** ***** an *************** ******** ** **** *** **** ** *** ******, including ****** ***** **** ** *** ******** ********.

Original ********** ** ******* **********

******* **, * ******** ********** ** ***** *** **** **** ** "Cursered" *** "************"********* ******* ** *** ******** ** **** ****. ** ********* *********** *** ********** * ******* ******** ***** for ********, *** ******** **** ***** ******** *** ********** **** of ***** ***************.

NOT ********* ** *************** *****

***** *** ***'* ***** **** *** *************** ** *** ******* a ***** ** *******, **** ******* *** *** ********** ********* the ************* *** *********** **** * ***************, ****** *** **** ************ *** *** ****** ** ***** remote ****** **** ** ***** ********.

Admin-Level ****** ********

*** *************** ******** ******* ** *** *** ********* **** *** administration *****, *** ** * ******** ********** *** **** ********** to ***** **** ** *****-***** *****. ***** ***** *** ********* the ******* *** *************** ******, ******* ************ ********** ******* ***** this.

************* *** ***'* ** ******* *** *********** ** **** ******* access ** *** ****** ***** *** ******* ***** ** *, and ***** *** ************** ***** *** **** **** ** ** 8. ***** ***** *********** **** ** ******* ******* ***********, *** vulnerabilities ****** **** **** ****** ** ** ********* ** ****-***** scenarios.

Default ** ********

*** *******, ********* *** ************ ** **** *****, ** **** Vivotek ******** ** ** ********, ******** *** **** ** ****** the ****** ****** * ******** ** ***********. **** ** * security **** ** ******.

*******'* ******** ********* ************** *** **** ******** ** *** ***** **** ***** ********* firmware, ************ ***** *** * ****** ********, *** ******* ** the ***** ** ***** **** ** ** *********. ***** *** follow *******'* ***** *** ******* **** ********* ***** ************* ****** the ******* ** ***** *************** ***** *********. *******, ******* ***** improve *** ******** ** ******* ****** ********* ** *******.

Vivotek ******* ** ******* ********

******* ****** **** **** **** ***** ** **** ************* **** first *********, *** **** **** ******* ** ******** ******* ** resolve **. ********** ****** ** ************, ********** ** **** ******** ******* ********* ** **** **, 2017.

OEM/ODM ****** *** ********

******* **** ******** ***/*** ******** *** **** ********* ** *** industry. ********* ** *******, ** **** ***** ***** ******** *** firmware ********* ** *** ******* ***'*** *** *******, *** **** those ******** ***** *** **** *******'* *******, *** ********** ***************.

Few ******** ********** *******

* ****** ***** ******** ********** *** ********-********** ******* *******, *** many ** ***** ******** ** ************** *****, ********** **** *** specified ** ***** **** ***** ** **** ********.

Risk ********-***

*******, ***** *************** **** * ********** *** ****, ************ ******* their ****** ***** *** ** ************* ******* **** ** ******* a ****** ***** ********, ********* ********* ***** *** ******* **, if **** **** *** *******. *******, ******* **** ** ***** the ********* *** ********* ** *** ****** ** ******** ***** on *** ******, ** ******** **** *** ****** **** * botnet ******, ****** ** ******* ******* ****** ****** **** *** not ******* **** ********* *****, ** ***** **** *********.

UPDATE **** **

******* *** ******* ******* ******** *** *** ******** ******. ******** can ** ***** *********'* ******* ****, *** ******** **** **** * "****.**" ****.

Comments (1)

Brian Karas

IPVM | 07/25/17 08:39pm

******: ******* *** ******* ******* ******** *** *** ******** ******. Firmware *** ** ***** *********'* ******* ****, *** ******** **** **** * "****.**" ****.

Login to read this IPVM report.

Why do I need to log in?

IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on Hacking

Hikvision Backdoor Exploit on Sep 18, 2017

Full disclosure to the Hikvision backdoor has been released, allowing easy exploit of vulnerable Hikvision IP cameras. As the researcher, Monte...

September IP Networking Course on Sep 14, 2017

LAST Chance - Registration is ending. Register now. This is the only networking course designed specifically for video surveillance professionals...

Fortune 500 Company Bars Dahua and Hikvision on Aug 30, 2017

A Fortune 500 company has barred Dahua and Hikvision cameras from a large RFP due to cyber security concerns, IPVM has confirmed with the...

Security Press Wrong About New NY State Video Law on Aug 29, 2017

SecurityInfoWatch wrongly declared: N.Y. governor signs bill outlawing video surveillance of neighbors SDM wrongly affirmed: It is now illegal to...

Hikvision Happy With Bad Security Unless Hit With Bad Press on Aug 28, 2017

Hikvision is happy to have bad cyber security unless they are hit with bad press, as we detail inside. When you look at the pattern of their...

‘Experts' Fail On Dumbo IP Camera ‘Hack' on Aug 24, 2017

Dumbo, revealed by Wikileaks, has become big news. Unfortunately, 'experts' in the security industry have gotten it wrong, incorrectly contending...

Avigilon CEO Attacks Asian Companies Cyber Insecurity on Aug 18, 2017

Avigilon CEO is taking aim at their Asian competitors. And he is going directly after these company's cyber security issues. In this note, we...

Hikvision Responds To Cracked Security Codes on Aug 15, 2017

Hikvision has responded to IPVM's report on Hikvision's security code being cracked, both with a 2 page update to dealers and communication...

Vulnerability Directory For Access Control Cards on Aug 14, 2017

Knowing which access credentials are insecure can be unclear, especially because most look and feel the same. Even the most insecure 125 kHz types...

Hikvision Security Code Cracked on Aug 08, 2017

Hikvision's 'security code' feature has been cracked and a program generating security codes is being distributed online. IPVM has obtained and...

Most Recent Industry Reports

Avigilon Touting 'Made In America' on Sep 18, 2017

Canadian manufacturer Avigilon, who completed a US manufacturing facility in 2015, is now running a marketing campaign touting 'Made In America',...

Cloud Guy Prints Book, Misses Irony on Sep 15, 2017

On-premise security systems are dead. But $75 print books are alive and well. Such are the lessons from Brivo's CEO new book "The Five...

Forgotten Password Problem Importance on Sep 15, 2017

Forgotten passwords has become a major industry topic. For example, Hikvision has been emailing admin passwords in plain text until IPVM's...

September IP Networking Course on Sep 14, 2017

LAST Chance - Registration is ending. Register now. This is the only networking course designed specifically for video surveillance professionals...

Hikvision Launching Ezviz Pro on Sep 14, 2017

Hikvision is launching Ezviz Pro. In 2015, Hikvision expanded Ezviz, a direct to consumer offering, to North America. Now, Ezviz 'Pro' is...

Genetec Launches Community Connect Examined on Sep 14, 2017

Genetec has done best in large-scale, enterprise systems and relatively worse in smaller systems such as SMB. Now, Genetec is launching...

Master Keying Tutorial on Sep 14, 2017

Mechanical keys are the most fundamental, albeit unsophisticated, form of access control. Like access control, Master Keying allows large scale use...

Startup Turing Video Segway-Based Security Robot Profile on Sep 13, 2017

If security robots can not replace guards, perhaps the next best thing is a robot the guard can actually ride. Turing Video has raised $5...

Fail Safe vs. Fail Secure Tutorial on Sep 13, 2017

Few terms carry greater importance in access control than 'fail safe' and 'fail secure'. Access control professionals must know how these concepts...