
Leave Security To The Experts?...


Joe Harris

Security Flaw

Some of you may be aware that last year there was some exposure given to a vulnerability in Trendnet camera firmware allowing access to their consumer webcam devices despite password protection being enabled.

They claimed to have released a patch within a month to solve the issue and to have contacted every customer to advise them to update their devices.

This is (despite the assurances of Trendnet) still a common issue. To help highlight it, a real-time map was produced showing where such devices were located and allowing you to connect directly to them.

The website has now been taken down thankfully as the goal of highlighting the issue in mainstream media again was achieved.

Professional Security

This is a pretty good demonstration of just how prolific an issue this can be when Joe Public gets his hands into the pot. It also reminds me of the many poorly secured 'professional' installations I have come across in my time (I'm sure you have too), and it is hopefully a wake-up call to some businesses to improve their security practices.

How would you feel if 'XYZ Security - Live CCTV feeds' was the next google map mashup launched showing devices which you are maintaining or monitoring?

Also take note that despite the publicity around the Trendnet devices, they are not the only ones affected. A website called Shodan HQ was launched some time ago which gives the ability to search for devices which are 'web facing' (in other words, can be connected to over the internet) and list those matching specific URL strings or other flags. This offers far more capability than Google searches, for example, in highlighting potential 'target devices'.

It is already possible now to list unsecured access points on some very well known 'professional' DVRs and NVRs.

Ease of connectivity is very much a double-edged blade. We must remember that many of the devices we use are now starting to utilise built-in web servers and connectivity.

Considerations

How are you ensuring that you are aware when exploits are announced on devices you utilise?

What are your plans to identify affected devices, notify their users and upgrade them quickly and efficiently?

Are you considering these issues when investigating new web facing technology?

How do you measure for and protect against potential built-in backdoor access to foreign equipment?

As well as looking outwards at your clients are your own systems secured and protected?

Is technology advancing too quickly to ensure adequate security is deployed?
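The first two considerations above (knowing when an advisory affects kit you maintain, and working out which clients to notify and which units to upgrade first) come down to keeping an inventory and matching it against advisories. The script below is an added example written for this post, not the author's tooling; the device models, firmware versions and advisory identifiers are all constructed placeholders. It compares firmware versions numerically rather than as strings (so "1.10.00" is correctly treated as newer than "1.7.01") and puts internet-facing units at the top of each client's upgrade list.

```python
"""Match a device inventory against vendor advisories to find what needs patching.

Added example, not from the original post. Device models, firmware
versions and advisory ids below are constructed placeholders.
"""
from collections import defaultdict


def parse_version(v):
    """Turn '1.07.01' into (1, 7, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.strip().split("."))


# Constructed advisory feed: which model is affected and the first firmware that fixes it.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "model": "CamModelA", "fixed_in": "1.10.00"},
    {"id": "ADV-EXAMPLE-2", "model": "DvrModelB", "fixed_in": "2.03.05"},
]

# Constructed inventory: what an installer might track per client site.
INVENTORY = [
    {"client": "Client One", "device_id": "cam-001", "model": "CamModelA", "firmware": "1.07.01", "web_facing": True},
    {"client": "Client One", "device_id": "cam-002", "model": "CamModelA", "firmware": "1.10.00", "web_facing": True},
    {"client": "Client Two", "device_id": "dvr-001", "model": "DvrModelB", "firmware": "2.03.04", "web_facing": False},
    {"client": "Client Two", "device_id": "dvr-002", "model": "DvrModelB", "firmware": "2.10.00", "web_facing": True},
]


def affected_devices(inventory, advisories):
    """Return devices whose firmware is below the advisory's fixed_in version."""
    hits = []
    for dev in inventory:
        for adv in advisories:
            if dev["model"] == adv["model"] and parse_version(dev["firmware"]) < parse_version(adv["fixed_in"]):
                hits.append({**dev, "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return hits


def notification_plan(hits):
    """Group affected devices by client, internet-facing units first so exposed kit is upgraded first."""
    plan = defaultdict(list)
    for h in sorted(hits, key=lambda d: (not d["web_facing"], d["device_id"])):
        plan[h["client"]].append(h)
    return dict(plan)


if __name__ == "__main__":
    for client, devs in notification_plan(affected_devices(INVENTORY, ADVISORIES)).items():
        print(client)
        for d in devs:
            exposure = "INTERNET-FACING" if d["web_facing"] else "internal"
            print(f"  {d['device_id']} {d['model']} fw {d['firmware']} -> upgrade to {d['fixed_in']} ({d['advisory']}, {exposure})")
```

In practice the advisory list would be fed from vendor mailing lists or a vulnerability feed rather than typed in, but the matching and prioritisation logic stays the same.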

As always I welcome your thoughts, questions, answers and debate.....

6 Comments


very interesting, although you could have posted the trendmap earlier as I would have enjoyed looking to see if there was anything local out there...

 

are the proper stuff like heitel secured any better ?


You can still access the lists and local devices can still be shown via sites like Shodan (Swap happyland for the city of your choice - or remove it for full gb listing)

 

Also there are pastebin listings of devices and other websites like cryptogasm showcasing connected devices.

 

The point about heitel is basically what I am trying to convey in the article.

 

This exploit was discovered as trendnet devices were widely deployed and a user was experimenting with bypassing security measures.  The user posted details on his blog as he was as surprised as anybody else at how easy it was to bypass all password security by affixing a simple string to the end of the URL to access a script within a folder hosted on the device, or by feeding a string of data that was too long as one of the variables (sFilter)

 

The worrying side of things which I did not want to add to the original blog post was that due to a lack of 3rd party accreditation the only reason we have not seen more exploits in commercial / professional devices is down to obscurity.  Which is never a long-standing defense, particularly in these days of eBay-sold second hand items.

 

Do you think that professional security devices will be more securely coded than mass produced consumer devices?  From the spaghetti code I have seen on some devices so far I do not think that is the case.

 

A lack of resources at manufacturer level and no 3rd party pen testing tells me that it is only a matter of time.

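The comment above describes two ways the camera's password protection was sidestepped: requesting a script path that served without any login, and supplying an over-long value in a variable (sFilter). Both leave traces in the device's or a fronting proxy's web access log. The script below is an added example, not code from the post or from any vendor, showing how a defender could sweep such a log for either pattern. The log lines are constructed, the "combined" log format is assumed, and the protected path prefixes and the 256-byte parameter limit are assumptions to be tuned to the device in question.

```python
"""Sweep a web access log for auth-bypass-looking requests.

Added example, not from the original post. Log lines, path prefixes and
the length threshold are constructed assumptions.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format. The third field is the HTTP auth user ('-' when none).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

PROTECTED_PREFIXES = ("/admin/", "/cgi-bin/")   # assumption: paths that must never serve without auth
MAX_PARAM_LEN = 256                              # assumption: longest legitimate query value


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a list of findings for one parsed entry (empty list means nothing suspicious)."""
    findings = []
    parts = urlsplit(entry["target"])
    path, params = parts.path, parse_qs(parts.query, keep_blank_values=True)
    # Pattern 1: a protected script served successfully with no authenticated user.
    if path.startswith(PROTECTED_PREFIXES) and entry["user"] == "-" and entry["status"] == "200":
        findings.append("unauthenticated access to protected path")
    # Pattern 2: a query value far longer than any legitimate client would send.
    for name, values in params.items():
        longest = max(len(v) for v in values)
        if longest > MAX_PARAM_LEN:
            findings.append(f"oversized parameter {name} ({longest} bytes)")
    return findings


def scan(lines):
    """Return [(ip, target, findings)] for every line that produced at least one finding."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry:
            findings = classify(entry)
            if findings:
                results.append((entry["ip"], entry["target"], findings))
    return results


# Constructed sample log: a normal authenticated hit, a bypass-looking hit,
# an oversized sFilter value, and a correctly refused (401) request.
SAMPLE_LOG = [
    '203.0.113.5 - admin [20/Jan/2013:10:01:02 +0000] "GET /admin/live.cgi HTTP/1.1" 200 5120',
    '198.51.100.7 - - [20/Jan/2013:10:01:09 +0000] "GET /admin/live.cgi HTTP/1.1" 200 5120',
    '198.51.100.7 - - [20/Jan/2013:10:01:15 +0000] "GET /search.cgi?sFilter=' + "A" * 300 + ' HTTP/1.1" 200 312',
    '198.51.100.7 - - [20/Jan/2013:10:01:20 +0000] "GET /admin/live.cgi HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for ip, target, findings in scan(SAMPLE_LOG):
        print(ip, target[:60], "->", "; ".join(findings))
```

The 401 line is the behaviour you want to see: the device refused the unauthenticated request. The two flagged lines are the ones worth chasing, and the same checks are simple to express as rules in whatever log collector sits in front of the equipment.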

EN signalling standards require the device to be protected from substitution. Messages and polls also need to be protected against substitution and encrypted, which the UK and European test houses can approve products to. You can go further and get your solution penetration tested too. If you're buying products which haven't been tested under the EN framework then you're going to be vulnerable. Make sure you're installing products that have been tested to "do what they say on the tin".


Test!

 

This is why we have standards, rules and regulations. Was this product proved to be of a suitable state? Was the installer accredited in any way? If the answers are yes we have a problem. If the answers are no do we need to worry?


@ Chris - I am talking about other interfaces on the device - not signalling or polling.  Where are the regulatory controls for web servers built into devices etc...

 

@ Carl - The point highlighted is that this exploitation of a consumer device is a mirror for potential exploitation of non-consumer devices.

 

The only reason that this is not happening in our industry is through less exposure and obscurity.  As equipment is replaced and things end up in the hands of curious members of the public then we will very possibly end up with a similar exploit affecting equipment we all use.

 

A 'hack' or exploit affecting old machines may be inherited by newer firmware also (they rarely go back to the drawing board) so do not think that up to date hardware or firmware will resolve the issue unless the specific flaw is fixed.

 

This occurred because so many people had access to the device and one person got curious and a manufacturer was lazy in their coding.  A function probably used for test purposes was left in the official firmware release of a product.

 

I have reviewed some 'professional' equipment code already and I have to tell you now, it is often spaghetti code (in other words put together to make it work but not efficient / clean / organised code).

 

There are no standards on device access through other interfaces and developer counts in manufacturers are low as price pressure hits.

 

When time is money code is rushed.

 

We need to be pro-active in ensuring that our industry does not end up with egg on its face through a lack of controls.
