A year or so ago, I found a bunch of flaws in OpenEye cameras (I didn't publish). The software on my OpenEye cams is the same software on some Axis cameras, so those are likely vulnerable also. And one of my coworkers just found a bunch of flaws in D-Link cams (published). Bottom line is, the companies making equipment like this either don't care about security, or are hiring people that know nothing about secure coding (which means they still don't care). Just look at the web interfaces on these cameras, they all look like my 4-year-old did them. It's not just camera/DVR manufacturers; printers, prox card controllers, and just about any embedded device manufacturer doesn't consider security a priority. What do you think the security is gonna be like?

I have separate security zones for cameras, security system related stuff, HA, audio, phones, wireless, and workstations/laptops. And my firewall rules only permit the traffic that is required to make things work. I'm not worried about most of these devices. However, the one that DOES worry me is my Vera. It connects out to a cloud service with an SSH tunnel. If MiCasaVerde's environment were compromised, an attacker would not only have access to your Vera, but could also use it as a jump point into your network.

Approximately two weeks ago I was asked to look at a CCTV system which had two DVRs for 16 cameras at three locations in the Midwest. The issue was that one was a new office and remote access didn't work. That said, the owner asked if I could look at the system and get the remote access to work on the third setup. Note that this system was professionally installed. I reviewed the configuration on site at the location that didn't work. It was an issue of the firewall / router that had not been configured properly. That said, I asked for the passwords to access the routers and DVRs. I then tried the default access and passwords and all of them worked (routers, firewall and DVRs). I then looked at the other two locations via the WAN links and did notice that they were open to the internet and had been left with the default passwords. That said, the owner's concerns were not of security but rather just relating to the ability to see the video remotely with the PDA phones utilized by the owners of the company. These DVRs though had security configurations but had been left at the default. The owner was totally unaware of this and was content with the ability of remote access. This is though one of many times that I have seen this sort of stuff with commercial installations. That said, though, with the aforementioned security flaws it really appears that it doesn't matter if the manual and the security on the devices is configured. Residential installs / many DIYs: many folks start to configure this and that, get frustrated, some then just make it work, seeing the end results and not really knowing if something is left open to the internet. I have also seen one unmentioned ISP vendor tell my sister-in-law to remove the firewall such that she would be able to access everything and not have any problems, and that in fact was provided as a solution to her issues.

Lou, difficult as it may sound, an application can be written such that a click of a link will set up an SSH tunnel unsuspectingly right to the inside of your LAN. You can also utilize pieces of an SSL tunnel for an SSH tunnel and vice versa. The difficult piece here is once the encrypted tunnel is established you can't really look at the data too easily that is passing inside of the tunnel. Personally though it's just being knowledgeable / educated of this and that and knowing of it, but not something you should lose sleep over. I try to do what I can with my software based firewall.

Multiple DVR/CCTV/IPcam Manufacturers web interface admin-level hardcoded 'backdoor' - Hunt, Huntelec plus around 40 vendors customizing Hunt products

Oct 2013 - First try to get vendor's security contact
CVE assignment by
Second try to get vendor's security contact
Vulnerability details submitted to the vendor
Follow-up with the vendor, details resubmitted, fix and disclosure timeline proposed to the vendor
Vendor replies "Actually the universal password requirement was got from our customer."