Significant Vulnerability in Hikvision Cameras

For the past several months, VDOO’s security research teams have been undertaking broad-scale security research of leading IoT products, from the fields of safety and security. In most cases, the research was carried out together with the device vendors for the sake of efficiency and transparency.

As part of this research, VDOO researchers found zero-day vulnerabilities in devices of several vendors. These vulnerabilities were disclosed to the vendors, in accordance with responsible disclosure best practices, and will be shared gradually after the disclosure periods are concluded.

One of the vendors for which we found vulnerable devices was Hikvision. Our team discovered a vulnerability in Hikvision security cameras. Exploiting the discovered vulnerability, an adversary who successfully obtains the IP address of the camera can remotely execute code with root privileges on the camera (via LAN or internet). VDOO has responsibly disclosed this vulnerability (CVE-2018-6414) and engaged with Hikvision’s security team to solve the matter.

Continue reading “Significant Vulnerability in Hikvision Cameras”

Giving Back – Securing Open Source IoT Projects

For the past several months, the security research teams at VDOO have been undertaking broad-scale security research of leading IoT products, from the fields of safety and security. In most cases, the research was carried out together with the device vendors for the sake of efficiency and transparency.

The research goal is to contribute knowledge and tools to mitigate risks, as well as encourage the devices’ manufacturers to implement the right security for their products. We believe that an appropriate implementation of the security essentials will dramatically decrease the chances of exploiting vulnerabilities on the device.

Open-source projects are implemented in many connected devices. In order to provide the highest security level for those devices as well, the research focuses on some of the most common projects. The findings are then implemented in all of our automated IoT security solutions for the widest risk mitigation coverage.

As part of this research, our researchers discovered zero-day vulnerabilities in several known open-source projects. In this article, we will discuss vulnerabilities found in 3 different projects – in the popular Lighttpd web server, the Live555 Media Library and a Linux driver for the Realtek’s RTL8189ES Wi-Fi chip.

Continue reading “Giving Back – Securing Open Source IoT Projects”