Slashdot Mirror


AVTECH Shuns Security Firm and Leaves All Products Vulnerable Without a Patch (softpedia.com)

An anonymous reader writes: AVTECH, a Taiwanese CCTV equipment manufacturer, has failed to respond to Search-Lab, a Hungarian security firm, who spent more than a year trying to inform the company about 14 security bugs affecting the firmware of ALL its products. Almost a year after it first contacted the hardware maker, Search-Lab published a public advisory about the vulnerabilities it discovered, warning sysadmins that their AVTECH products may be in danger of exploitation and remote takeover. Search-Lab says its researchers are not the only ones who spotted these issues. Currently, the term "AVTECH" is the second most popular search term on Shodan, where anyone can find more than 130,000 of these devices available online. Taking into account the recent attacks from IoT botnets, AVTECH is now on the same level of incompetence and indifference as other CCTV hardware makers such as AVer, Dahua, and TVT, all Chinese and Taiwanese companies. A list of confirmed affected firmware versions is available here, proof of concept exploitation code is available on GitHub, and an exploitation video is available here.

47 comments

  1. IOT by zlives · · Score: 1

    another perfect example of why everything doesn't fucking need to be connected to the internet

    1. Re:IOT by omnichad · · Score: 1

      It's one of the core features in security DVRs. Certainly a lot more useful than a connected fridge. Security is as possible here as it is with a dedicated server. IoT is still just computers when you get to the root of it.

    2. Re:IOT by sinij · · Score: 2, Funny

      On the contrary, I find the notion of a smart fridge sending out, in addition to storing, spam rather industrious.

    3. Re:IOT by Anonymous Coward · · Score: 0

      It's one of the core features in security DVRs. Certainly a lot more useful than a connected fridge. Security is as possible here as it is with a dedicated server. IoT is still just computers when you get to the root of it.

      Sure; and we learned the lesson long ago that the only thing that leads to security is a mixture of free software, full disclosure and financial pressure. For many years Microsoft did absolutely nothing, then an onslaught of serious vulnerabilities and aggressive worms disclosed openly forced them to fix their security or lose customers. Their software is now almost as good as their F/OSS competitors and the only reason that Windows machines are more insecure are market things that they have to do such as Telemetry which they need to have for advertising reasons without which consumer systems wouldn't be profitable.

      Unfortunately with IoT systems there's no long term relationship with the customer, who most likely just throws it away if it breaks, so the financial pressure part is missing. Even modern worms don't attempt to destroy the devices, just use them for profit. The only way to handle this is to have ISPs block insecure IoT devices and insist on fully F/OSS user upgradable devices for the rest of us. Where are these?

    4. Re:IOT by TechyImmigrant · · Score: 1

      I just got me an Amcrest PoE camera.

      I'm not sure why it needs to be on anything other than its own LAN segment accessible only to zoneminder. Vulnerabilities are presumably in there and are never going to be patched.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    5. Re:IOT by TechyImmigrant · · Score: 1

      I want to be able to connect my security camera system to the Internet so I can check on things remotely.

      There's Nest for that. You have to pay the hosting fee, however they're probably going to maintain the software as a result.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    6. Re:IOT by b0bby · · Score: 1

      Do you have external access to your zoneminder system?

    7. Re:IOT by lxs · · Score: 3, Funny

      ...or they will discontinue the service by next week.

      These are truly exciting times to be alive.

    8. Re:IOT by TechyImmigrant · · Score: 1

      No.

      If I did, it would be through a VPN but those are not exactly easy to get right these days with all the prime number issues.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    9. Re:IOT by TechyImmigrant · · Score: 1

      Thinking about it, I can X over SSH to get in. I do that but not to monitor cameras. It's there to have a record when crap goes down.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    10. Re:IOT by b0bby · · Score: 1

      Ah. I have been looking at the Amcrests, and I have set up zoneminder before, but I want remote access for my application. I may actually end up with some cloudy cameras (Blink or Arlo maybe), since at least they are connecting out to a server and not allowing access in. In theory they should be more secure that way.

    11. Re:IOT by TechyImmigrant · · Score: 1

      ...or they will discontinue the service by next week.

      These are truly exciting times to be alive.

      Indeed.
      In other respects the new cameras are neat. Nice high resolution colour pictures over a wide range of light levels and direct streaming to ethernet.

      The consumer's dilemma is strong with this one. So much shiny, such deep vulnerabilities.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  2. You get what you pay for by sinij · · Score: 1

    Consumers get all the security they are willing to pay for.

    1. Re:You get what you pay for by The-Ixian · · Score: 3, Informative

      Sometimes they even get less security than they pay for!

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:You get what you pay for by Anonymous Coward · · Score: 0

      "Real" CCTV solutions are still a total shit show wrt security and I believe it is still considered best practice to put pretty much any IP based CCTV system on a physically isolated network.

    3. Re:You get what you pay for by Anonymous Coward · · Score: 1

      "To me, as a consumer, security of my IoT stuff is of no use, and what havoc my insecure IoT devices might wreak on the Internet is not my problem. Moreover, I want what I buy to be cheaper, so if security has to be sacrificed, I'm okay with that. I won't buy an expensive secure device, while I can buy a cheaper, insecure one instead."

      Now, I am a network administrator and obviously I don't think like above. I just wanted to point out an obvious flaw of the entire IoT concept. And the flaw is that consumers have to pay for something (security) that is of no value for them. Economics just doesn't work like that. The only way out now seems to (globally) regulate the hell out of the IoT market, which is against all principles of market economy, but is still the lesser evil.

  3. me doesn't speak english by Lead+Butthead · · Score: 1

    I am guessing they have ONE guy answering these e-mails, and that person isn't fluent in English (if at all.)
    As long as orders continue to pour in, there's no problem.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
    1. Re:me doesn't speak english by Whiteox · · Score: 0

      It ain't English. It is Hungarian, a whore of a language at the best of times. Trying to get a Taiwanese to understand the Magyar tongue is a lesson in frustration.

      --
      Don't be apathetic. Procrastinate!
    2. Re:me doesn't speak english by Anonymous Coward · · Score: 0

      Yet I suspect that to an English-speaking person it would be more difficult to learn Taiwanese than Hungarian, Finnish, Turkish or even Korean.

    3. Re:me doesn't speak english by Whiteox · · Score: 1

      There is a Turkic 'bridge' where some words may have common origins. Tengir in Mongolian - 'wide blue sky' is similar to the Magyar Tenger meaning 'the blue sea'.
      Other borrowings through the Kazakh/Tibetan tribal languages might be common as well.

      --
      Don't be apathetic. Procrastinate!
  4. China. by Dishevel · · Score: 0

    Not even once.

    --
    Why is it so hard to only have politicians for a few years, then have them go away?
    1. Re:China. by Anonymous Coward · · Score: 1

      Taiwan isn't China

    2. Re:China. by Anonymous Coward · · Score: 0

      They're just ethnic Chinese, who speak Chinese and have a very Chinese culture. Many of them go to university in mainland China. Not Chinese at all.

    3. Re:China. by Anonymous Coward · · Score: 0

      Taiwan may agree with you, but China doesn't. It's best to not get into who owns disputed areas unless you actually have a stake in the argument (i.e. live there).

  5. Typical of Most Companies by Anonymous Coward · · Score: 0

    This is a typical situation with most firms ignoring support calls or answering them with a "we will reply as soon as we can" but you never get a reply. Being a bit of a fascist I would like to see these companies who ignore things (especially security issues) go belly up big time so we can all feel nice and warm.

  6. I saw what you did there by Provocateur · · Score: 0

    After all this is about popular security cameras. And you wrote:

    IoT is still just computers when you get to the root of it.

    Well said. Bravo! And well played!

    --
    WARNING: Smartphones have side effects--most of them undocumented.
  7. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  8. You dawg... by Thud457 · · Score: 1

    I heard you like exploits, so we didn't secure our webcams so you can be part of a DDOS botnet while random people on teh intarwebs spy on your baby.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    1. Re:You dawg... by The-Ixian · · Score: 1

      It's good to be a part of something bigger than yourself....

      --
      My eyes reflect the stars and a smile lights up my face.
  9. Yey... by Anonymous Coward · · Score: 0

    Yey... more IoT botnets... I love DDoS attacks on Steam while I'm playing.

  10. Makes a great Christmas Present by Anonymous Coward · · Score: 1

    Perhaps I buy one for a (Not So Good) Friend..... :)

    Prices are not too bad.
    http://amzn.to/2e9WRKM

    PROS
    Great hardware
    Great Installation options (poe/ac/alarm trigger cables)
    Solid construction
    Great picture with beautiful wide angle and resolution
    Great night vision (not all washed out like others)

    CONS
    Uhm, simply doesn't work half the time.
    Camera suddenly goes offline, is not responsive to web or software connections
    The mac software "Video Viewer" crashes 80% of the time when trying to load the camera
    The ePTZ feature doesn't seem to work at all
    The mobile device video quality is very poor (even set to highest settings)
    The IOS app "EagleEyes" only supports AVTECH cams, so I ended up using a third party app
    No support at all

    We tried contacting avtech through their website and have never received a response.

  11. Home Brew by Thelasko · · Score: 4, Interesting

    I'm curious if there are any home brew open source firmware options for these devices. Like DD-WRT only for CCTV. That way owners of these systems have an alternative.

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    1. Re:Home Brew by fuzzyfuzzyfungus · · Score: 3, Informative

      Nothing specific; though some IP cameras are incidentally supported because they are built on the same SoCs as routers.

      Just by way of example, since one is on my desk, the D-Link DCS-930L is essentially a Ralink RT5350F with a lousy webcam attached to its USB host port; all integrated into a single PCB. Since the RT5350 shows up in all kinds of little routers, it has OpenWRT support; and since it is primarily a router SoC, the camera is a USB device rather than some MIPI CSI atrocity.

      More generally, it just varies. A lot of the higher end DVRs are just x86s, since that's a cheap and easy way to get a punchy CPU, as much storage as you deem necessary; and optionally a bunch of PCI/PCIe capture cards to handle legacy analog devices; so putting your own OS on them isn't a terribly heroic endeavor (though support for the capture cards might be; what little support there is is typically aimed either at consumer entertainment devices or scientific/industrial framegrabbers, since the former has the biggest userbase and the latter has the deeper pockets). The cheap seats tend to be some ARM or MIPS SoC running a truly shoddy linux port (and have fun getting GPL compliance out of the vendor, not that you'd want to see their kernel 2.4 hackjob anyway...); and so could be supported; but are likely to be a somewhat heroic undertaking unless enough interested people have the same hardware to work on it together.

    2. Re: Home Brew by Anonymous Coward · · Score: 1

      Look for "3 dumb routers" by Steven Gibson and the security now podcast. And you'll get your answers.

    3. Re:Home Brew by Thelasko · · Score: 2

      ...unless enough interested people have the same hardware to work on it together.

      An article earlier this year revealed that 70 security camera vendors are using the same hardware. The firmware is compatible between all of them.

      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    4. Re:Home Brew by fuzzyfuzzyfungus · · Score: 2

      Indeed, I suspect that (as with low end routers) there are substantially fewer distinct designs than there are brand names and rebadges, which would make 3rd party firmware easier. On the minus side, in areas where rebadging is the rule it can be a real pain to ensure that you get the same hardware reliably: if your vendor is slapping their badge on one ODM's cheapo board today, they could (and not infrequently do) switch to slapping the same brand and model name on an entirely different board with approximately similar capabilities tomorrow.

      This is hardly unique to IP cameras and DVRs; the OpenWRT hardware support wiki is loaded with examples of routers that sell under the same model name and number but are totally different internally (as well as ones that are sold by completely different companies, and internally identical), and USB peripherals, the nastier PCI/PCIe cards, and even computers that aren't associated with 'business' brands that promise image stability will sometimes swap chips without notice.

      I'm not sure if it's a specific business decision, or some sort of culture/language thing; but these sorts of situations always struck me as an opportunity for some entrepreneurial type in China to simultaneously distinguish their product (albeit for a limited market) and get some software development and localization done more or less for free: Western FOSS tinkerers love cheap hardware to play with; and while some established vendors play fairly nice, the combination of 'IP' enthusiasm and a desire to tie hardware to various cloud services and app stores often limits how cooperative established western brands are with what the FOSS people want (e.g. Intel recognizes the value of having non-awful, in-kernel, drivers for their NICs and chipsets and stuff, since Linux is serious business in the server market; but takes a "your motherboard comes with cryptographically signed UEFI, and you'll like it." attitude). If you have the necessary contacts and business relationships with hardware manufacturers, access to datasheets, etc. you could position yourself above the other rebadge outfits by assuring that your product has a known, stable, chipset and hardware design inside; and by being as helpful as possible to OpenWRT or an analogous effort; and both reap extra hardware sales from tinkerers who want to be sure that they are getting hardware with good 3rd party firmware support; and have the option of basing your official firmware on the 3rd party work; rather than the in-house atrocities that so often ruin otherwise decent hardware.

      I don't doubt that it is harder than it looks; and my Mandarin isn't remotely good enough to try; but if I had hardware that offers excellent value, ruined by firmware that is utter crap, it seems like this could be a win-win.

  12. Well, then by ThatsNotPudding · · Score: 1

    Why shouldn't white hats now start crafting and sending kill bits to these cunts' tawdry wares? It could honestly be justified as self-defence.

  13. Mistaken identity by HideyoshiJP · · Score: 2

    Man, this freaked me out for a minute. I thought they were talking about the AVTECH that makes environment monitors for datacenters. Don't get me wrong, those very well could have their own vulnerabilities, but it's a relief to know it's not this company.

  14. I just don't get it... by fuzzyfuzzyfungus · · Score: 1

    Why is it that, even after a couple of decades of experience and examples, a company would just ignore security researchers?

    If you are a real asshole; and think you can get away with it, I can see why you might try to threaten them into silence; but if you can't do that, or you aren't scum, they are doing your work for you. What do you gain by not taking advantage of that?

    Especially in this case. By the look of their product lineup, these guys appear to have aspirations higher than the '8 lousy cameras bundled with a POS DVR and sold under a mystery brand' caliber of 'security' product (they allege some institutional deployments; and they offer some SAS-attached drive shelves for their bigger DVRs); if you are trying to play with the professionals, isn't free security advice a bonus?

    1. Re:I just don't get it... by Anonymous Coward · · Score: 1

      Because the Chinese industry doesn't give a good god damn about security, it only cares about putting out the cheapest possible product for western markets, and cutting literally every corner that they can legally (and sometimes illegally) cut in order to bring the overall cost of goods down.

      And before you think I'm blaming the Chinese or Taiwanese people themselves, their hands are tied: This is what happens when customers demand everything be ever-cheaper. Once you've optimized a product well enough, the only option is to sacrifice quality in order to bring the costs even lower. This is the situation that the west has made for itself; each and every one of you who buys the cheapest products you can find, this is your own doing. This isn't the fault of China or Taiwan, it's the fault of each and every one of us.

    2. Re:I just don't get it... by mhkohne · · Score: 1

      Because it doesn't affect the bottom line. Until it hurts the manufacturer to be insecure, they won't give a crap. These Chinese companies are the 'commodity -whatever-' business. That means pushing the costs of design and production as close to zero as physically possible. So unless their existing customer base suddenly decides to sue them for their incompetence, or a regulation appears that makes them fix it, or new customers simply stop buying, they have ZERO reason to change anything.

      --
      A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
    3. Re:I just don't get it... by Anonymous Coward · · Score: 0

      Because the Chinese industry doesn't give a good god damn about security, it only cares about putting out the cheapest possible product for western markets, and cutting literally every corner that they can legally (and sometimes illegally) cut in order to bring the overall cost of goods down.

      And before you think I'm blaming the Chinese or Taiwanese people themselves, their hands are tied: This is what happens when customers demand everything be ever-cheaper. Once you've optimized a product well enough, the only option is to sacrifice quality in order to bring the costs even lower. This is the situation that the west has made for itself; each and every one of you who buys the cheapest products you can find, this is your own doing. This isn't the fault of China or Taiwan, it's the fault of each and every one of us.

      That's a cop out. Consumers don't sit there and hope year after year that costs for electronics will eventually come down before they make their purchases. These companies purposely undercut the market with cheaper products. Since it's China they have no accountability for what they do as well. They cheat, lie, steal and step on the toes of anyone who gets in their way. It's one of the many reasons why American companies are hesitant to open business in China.

      The same thing happens in the USA also but our companies get regulated to the ground. Chinese companies only get in trouble if they happen to hurt someone in power inside China.

  15. No... by Anonymous Coward · · Score: 2, Informative

    And more worrisome:

    Most of these devices use specialized ARM processors with additional opcodes for the video encoding/decoding operations with proprietary software handling the image generation.

    Meaning: you can't simply replace it with an all open source stack, and in many cases can't even replace the system library with an alternative (musl just got switched out for uClibc in OpenWRT, having both a smaller profile and more complete modern conformance than either uClibc or glibc, albeit without legacy development compatibility (which is broken in many cases on glibc, and doesn't exist on uClibc anyway)).

    Point being: Unless somebody makes a concerted effort to reverse engineer those undocumented opcodes, or gets ahold of the proprietary datasheets/architecture manuals for those IP camera processors, making a complete open source distro for those devices will be difficult and time consuming, for something that is nominally a not for profit venture requiring greater than workday level effort for all but the most intellectually advanced of programmers/embedded systems designers/reverse engineers/laypeople.

    1. Re:No... by Anonymous Coward · · Score: 0

      Usually not additional opcodes, this is not allowed by ARM. In MIPS and Tensilica you can do it though. Normally they just add a VPU (Video Processing Unit) to the bus which you give the address of a new frame and new h264 or mjpeg data comes out in some other buffer.

  16. Only when it costs them money. by Gravis+Zero · · Score: 3, Interesting

    I've said it before but it's worth repeating.

    IoT vendors will only secure their devices after it starts costing them money or are legally required to do so.

    The best option is to hijack the IoT devices to DDoS their makers because it creates a direct feedback loop. The more insecure devices they sell, the more it will cost them to host their company's website(s). For extra points, only target their parent company. ;)

    --
    Anons need not reply. Questions end with a question mark.
  17. should be legal to DDoS companies with own gear by Gunstick · · Score: 1

    There should be a legal exception that it is allowed to make your, and other people's, devices phone home to the original manufacturer with Gbit speeds.
    The less they patch or the more they produce shitty hardware, the more they need to invest in anti-DDoS measures.
    At some point it will be cheaper to simply patch the stuff.

    --
    Atari rules... ermm... ruled.