It’s pretty damn hard to make secure software. Years ago I commented on Shodan and worried that the IP video industry was next.
Run of the mill ignorance, carelessness, greed what have you, is so common that we scarcely care to click the link. Recently (or not) and old bug was discovered in Intel products that allowed remote control.
Now if you are commercial blogger (or “analyst” if you prefer), you’re not going to try to shed light on the issue. That just doesn’t trigger enough clicks and drama. It’s better to make some unsubstantiated claim that an “Intel backdoor is confirmed”.
I can guarantee that someone is now looking up the word “backdoor”, I’ll save you the trouble (it’s in the link above too)
A backdoor is a method, often secret, of bypassing normal authentication in a product, computer system, cryptosystem or algorithm etc. Backdoors are often used for securing unauthorized remote access to a computer, or obtaining access to plaintext in cryptographic systems.
So, yes, it is probably not a lie to use the word “backdoor”, but it sure is manipulative, something people with a certain mental defect excel at.
For l33t hackers, finding back-doors is sometimes a fun pastime. The purpose can be to cause extensive damage for lulz or filthy lucre, sometimes for companies, sometimes for governments. Usually, it’s a challenge to find vulnerabilities and defects that let’s you crawl into systems that should be locked down. But to the n00b, a backdoor might suggests that it was intentionally put there. After all, you don’t “accidentally” install a backdoor in your house.
Backdoors in code, however, come in various flavours,
- Deliberate backdoor intended to give an unknown user remote access after the user has deployed the device/software, thereby granting the attacker access. These can be baked into the device, or installed later as a trojan.
- Accidental backdoor caused by unexpected side-effects of the code. In the olden days, you could mess around IIS servers by using unicode strings in the URL.
- Accidental backdoor caused by gross negligence/incompetence on the manufacturers side. Hardcoded credentials is an example of such foolishness.
Today you are not going to get away with #1 and #3 for very long. The hackers at blackhat are not like mortal programmers, they understand assembly code, and will locate a hardcoded password or a backdoor in a few days.
But it’s a gradual scale from #2 to #3. For example, HTTP used to have something called “basic authentication“. It used Base64 encoding to hide the credentials in flight, and plenty of cameras and VMSs would use it. 15 years ago, basic authentication would probably have been considered a #2 issue, but today it’s clearly a #3 (a certain unmentionable blog used it not long ago).
You can make up your own mind if CWE-287 is a #1, #2 or #3. It could, conceivably, be a #1. But it will be very difficult to prove, unless you have network captures showing malicious activity initiated by someone associated to the manufacturer (US tech companies and NSA for example).
Another company was notified of a vulnerability on March 5th 2017, on the 12th a security bulletin is released, and the hacker then states :
“I have been communicating with Hikvision since I notified them and they have actually been been quite responsive.”
Quite responsive indeed.
Eventually we will have software in IP cameras that is safe enough that you can expose it to the internet. But for now, I would be extremely careful about opening my CCTV system to the internet.
In Hikvisions case, I think one of the issues is that to reset the cameras password you need to send a specially crafted payload to the device. This causes a lot of issues for lots of users and it strikes me as a potential attack vector. And rest assured that this is not the only issue in the cameras.
As time passes hackers find ways into older cameras that have long been discontinued, but have been deployed and are still operational, they may get more sophisticated in their attacks and find more complex ways of breaching the software.
I guess this was not as exciting a post as you had expected. I’m sorry. You will have to go somewhere else for BREAKING NEWS about the evil Chinese shell companies set up only to spy on you.