Hikvision Feeds a Troll

It’s possible to turn someone towards the light, and eventually lead them to salvation.

A prominent member of the Westboro Baptist Church, Megan Phelps-Roper made a TED speech about it. What saved Megan was not someone yelling in her face. She was conditioned to expect exactly that from the misguided heathens of the world. Instead, someone approached her with curiosity, warmth and civility and lead her out of the congregations grasp. The “enemy” is rarely a mindless drone out to do evil. Although, our leaders would prefer we see things that way.

Our industry has a variant of the WBC, and Hikvision has chosen a different approach to liberate the members of the sect.

a site that has always trafficked in nefarious insults and innuendo. Hiding behind a keyboard, the tabloid’s staff takes unfounded potshots at our entire industry, bullying one company at a time.

and

Instead, he chooses to distract manufacturers with his pursuit of financial gain and efforts to fulfill his delusions of grandeur.

The problem with this sort of message is that the hardcore members are expecting exactly this sort of rhetoric, thereby further entrenching them in their beliefs. Ultimately the blogger will surely capitalize of the increased attention being paid. I thought it was common knowledge that trolls have an insatiable appetite for the kind of copy Hikvision just released.

jh
More please!

Members of the sect can attend a “university” (not at all like this one) and even make the “dean’s list“. This is impressive stuff, and these people are not going to be swayed by a manufacturer having a breakdown in their public relations department. Furthermore, I suspect Hikvision has several active subscriptions, thereby directly funding the site.

I think Hikvision is correct in calling it cyber-bullying. It has all the traits of schoolyard terrorism; the ring-leader points out an arbitrary enemy, then manipulates the enemy to react. Steps in to protect the flock from the aggressor. If it gets too hot, the ring-leader can count on his 3 or 4 lackeys to do the dirty work.

In this case, the sin of the “enemy” is that the company is partially owned by the Chinese government. Therefore, every vulnerability found in a Hikvision camera is proof positive that the Chinese government is spying on us. I don’t buy that. Governments don’t have to own a company to assert influence over it.

You might remember Stuxnet a vulnerability in SCADA equipment was exploitable by governments and for-lulz hackers alike. Vulnerabilities will continue to exists as long a fallible humans write the code. As long as fallible humans install and (fail to) maintain the equipment we will continue to see flaws and problems. Unfortunately, a lot of companies have deployed small time-bombs with terrible security in place, not just Hikvision.

When I was in the army, we had padlocks on our lockers. On the first day, we were instructed to get a hair-cut “to not look like faggots” (I kid you not, that’s what he said), and then to make sure our lockers were safely locked. The reasoning (for locking up) is that you can’t really trust anyone, and giving the bad apples the opportunity to steal was almost as bad as the guy stealing. At a company I worked for a long time ago (starts with an M), someone shat on the toilet seat in the offices restroom. Someone we had lunch with, talked about code, movies, politics and music with, went to the bathroom, and shat on the seat, leaving it there for some poor soul to find.

Same thing goes for your IP camera. Sticking that thing on the internet, REGARDLESS of manufacturer ownership is like leaving your locker unlocked. You are tempting the swines of the world to mess around, and when they do, we all lose.

madness

Advertisements

Clickbaiting Copycat Caught

It’s pretty damn hard to make secure software. Years ago I commented on Shodan and worried that the IP video industry was next.

Run of the mill ignorance, carelessness, greed what have you, is so common that we scarcely care to click the link. Recently (or not) and old bug was discovered in Intel products that allowed remote control.

Now if you are commercial blogger (or “analyst” if you prefer), you’re not going to try to shed light on the issue. That just doesn’t trigger enough clicks and drama. It’s better to make some unsubstantiated claim that an “Intel backdoor is confirmed”.

ipvm

I can guarantee that someone is now looking up the word “backdoor”, I’ll save you the trouble (it’s in the link above too)

A backdoor is a method, often secret, of bypassing normal authentication in a product, computer system, cryptosystem or algorithm etc. Backdoors are often used for securing unauthorized remote access to a computer, or obtaining access to plaintext in cryptographic systems.

Wikipedia

So, yes, it is probably not a lie to use the word “backdoor”, but it sure is manipulative, something people with a certain mental defect excel at.

For l33t hackers, finding back-doors is sometimes a fun pastime. The purpose can be to cause extensive damage for lulz or filthy lucre, sometimes for companies, sometimes for governments. Usually, it’s a challenge to find vulnerabilities and defects that let’s you crawl into systems that should be locked down. But to the n00b, a backdoor might suggests that it was intentionally put there. After all, you don’t “accidentally” install a backdoor in your house.

Backdoors in code, however, come in various flavours,

  • Deliberate backdoor intended to give an unknown user remote access after the user has deployed the device/software, thereby granting the attacker access. These can be baked into the device, or installed later as a trojan.
  • Accidental backdoor caused by unexpected side-effects of the code. In the olden days, you could mess around IIS servers by using unicode strings in the URL.
  • Accidental backdoor caused by gross negligence/incompetence on the manufacturers side. Hardcoded credentials is an example of such foolishness.

Today you are not going to get away with #1 and #3 for very long. The hackers at blackhat are not like mortal programmers, they understand assembly code, and will locate a hardcoded password or a backdoor in a few days.

But it’s a gradual scale from #2 to #3. For example, HTTP used to have something called “basic authentication“. It used Base64 encoding to hide the credentials in flight, and plenty of cameras and VMSs would use it. 15 years ago, basic authentication would probably have been considered a #2 issue, but today it’s clearly a #3 (a certain unmentionable blog used it not long ago).

You can make up your own mind if CWE-287 is a #1, #2 or #3. It could, conceivably, be a #1. But it will be very difficult to prove, unless you have network captures showing malicious activity initiated by someone associated to the manufacturer (US tech companies and NSA for example).

Another company was notified of a vulnerability on March 5th 2017, on the 12th a security bulletin is released, and the hacker then states :

“I have been communicating with Hikvision since I notified them and they have actually been been quite responsive.”

Quite responsive indeed.

Eventually we will have software in IP cameras that is safe enough that you can expose it to the internet. But for now, I would be extremely careful about opening my CCTV system to the internet.

In Hikvisions case, I think one of the issues is that to reset the cameras password you need to send a specially crafted payload to the device. This causes a lot of issues for lots of users and it strikes me as a potential attack vector. And rest assured that this is not the only issue in the cameras.

As time passes hackers find ways into older cameras that have long been discontinued, but have been deployed and are still operational, they may get more sophisticated in their attacks and find more complex ways of breaching the software.

I guess this was not as exciting a post as you had expected. I’m sorry. You will have to go somewhere else for BREAKING NEWS about the evil Chinese shell companies set up only to spy on you.