Significant Vulnerability in Hikvision Cameras

For the past several months, VDOO’s security research teams have been undertaking broad-scale security research of leading IoT products, from the fields of safety and security. In most cases, the research was carried out together with the device vendors for the sake of efficiency and transparency.

As part of this research, VDOO researchers found zero-day vulnerabilities in devices of several vendors. These vulnerabilities were disclosed to the vendors, in accordance with responsible disclosure best practices, and will be shared gradually after the disclosure periods are concluded.

One of the vendors for which we found vulnerable devices was Hikvision. Our team discovered a vulnerability in Hikvision security cameras. Exploiting the discovered vulnerability, an adversary who successfully obtains the IP address of the camera can remotely execute code with root privileges on the camera (via LAN or internet). VDOO has responsibly disclosed this vulnerability (CVE-2018-6414) and engaged with Hikvision’s security team to solve the matter.

Giving Back – Securing Open Source IoT Projects

For the past several months, the security research teams at VDOO have been undertaking broad-scale security research of leading IoT products, from the fields of safety and security. In most cases, the research was carried out together with the device vendors for the sake of efficiency and transparency.

The research goal is to contribute knowledge and tools to mitigate risks, as well as encourage the devices’ manufacturers to implement the right security for their products. We believe that an appropriate implementation of the security essentials will dramatically decrease the chances of exploiting vulnerabilities on the device.

Open-source projects are implemented in many connected devices. In order to provide the highest security level for those devices as well, the research focuses on some of the most common projects. The findings are then implemented in all of our automated IoT security solutions for the widest risk mitigation coverage.

As part of this research, our researchers discovered zero-day vulnerabilities in several known open-source projects. In this article, we will discuss vulnerabilities found in 3 different projects: the popular Lighttpd web server, the Live555 Media Library and a Linux driver for Realtek’s RTL8189ES Wi-Fi chip.

The Time for Security Is Now

The connectivity revolution is changing our lives. It allows us to interact with many of the devices we own, allows them to learn from their use, improves efficiency and saves resources.

As part of this revolution, manufacturers are now being motivated to explore new areas in which they have no previous experience; from embedding new components into their devices, through writing dedicated additional code for connectivity, to integrating with other solutions. In order to satisfy market expectations, as well as enjoy a competitive advantage, many manufacturers rush to ‘connect’ their products, focusing on ease of use and leaving out anything that can slow down production or require any (additional) expertise.

VDOO Takes Part in NTIA’s Initiative for Software Transparency

A software product’s code base grows over time as functionality is added, potentially pulling in numerous new third-party libraries. Some of these libraries are well-maintained by commercial organizations and some are maintained by communities of open source developers. Over time, it is easy for a development team to lose track of these software components, resulting in gaps in visibility into component vulnerabilities. This can have an impact on the security of the product and introduce unneeded risk into end-user customer organizations.

Response to Hikvision’s recent publication regarding a vulnerability found by VDOO researchers

For the past several months, VDOO’s security research teams have been undertaking broad-scale security research of leading IoT products, from the fields of safety and security and in particular leading security cameras (as part of project Vizavis). In most cases, the research was carried out together with the device vendors for the sake of efficiency and transparency.

Who’s in charge? The written and unwritten contracts between the consumer, the manufacturer and the state

When you purchase an electronic device, how do you know it will work? How can you be sure that it will not harm your environment or even your safety? How can you know that the device will not be used as a means of espionage?

Why generic solutions are no longer relevant for IoT security

The world we live in is rapidly becoming more and more connected, on every conceivable level: from home devices, through wearables, all the way to medical solutions. This, of course, is the Digital Revolution, enabling consumers, businesses and industries to make better, more informed, real-time decisions to provide the best experience to the end user. This goes hand in hand with the growing ease of doing business and seamless engagement.
