Slashdot Mirror

← Back to Stories (view on slashdot.org)

AVTECH Shuns Security Firm and Leaves All Products Vulnerable Without a Patch (softpedia.com)

Posted by msmash on from the security-blues dept.

An anonymous reader writes: AVTECH, a Taiwanese CCTV equipment manufacturer, has failed to respond to Search-Lab, a Hungarian security firm, who spent more than a year trying to inform the company about 14 security bugs affecting the firmware of ALL its products. Almost a year after it first contacted the hardware maker, Search-Lab published a public advisory about the vulnerabilities it discovered, warning sysadmins that their AVTECH products may be in danger of exploitation and remote takeover. Search-Lab says their researchers is not the only one that spotted these issues. Currently, the term "AVTECH" is the second most popular search term on Shodan, where anyone can find more than 130,000 of these devices available online. Taking into account the recent attacks from IoT botnets, AVTECH is now on the same level of incompetence and indifference as other CCTV hardware makers such as AVer, Dahua, and TVT, all Chinese and Taiwanese companies. A list of confirmed affected firmware versions is available here, proof of concept exploitation code is available on GitHub, and an exploitation video is available here.

10 of 47 comments (clear)

  1. Re:IOT by sinij · · Score: 2, Funny

    On the contrary, I find the notion of a smart fridge sending out, in addition to storing, spam rather industrious.

  2. Re:You get what you pay for by The-Ixian · · Score: 3, Informative

    Sometimes they even get less security than they pay for!

    --
    My eyes reflect the stars and a smile lights up my face.
  3. Home Brew by Thelasko · · Score: 4, Interesting

    I'm curious if there are any home brew open source firmware options for these devices. Like DD-WRT only for CCTV. That way owners of these systems have an alternative.

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    1. Re:Home Brew by fuzzyfuzzyfungus · · Score: 3, Informative

      Nothing specific; though some IP cameras are incidentally supported because they are built on the same SoCs as routers.

      Just by way of example, since one is on my desk, the D-Link DCS-930L is essentially a Ralink RT5350F with a lousy webcam attached to its USB host port; all integrated into a single PCB. Since the RT5350 shows up in all kinds of little routers, it has OpenWRT support; and since it is primarily a router SoC, the camera is a USB device rather than some MIPI CSI atrocity.

      More generally, it just varies. A lot of the higher end DVRs are just x86s, since that's a cheap and easy way to get a punchy CPU, as much storage as you deem necessary; and optionally a bunch of PCI/PCIe capture cards to handle legacy analog devices; so putting your own OS on them isn't a terribly heroic endeavor(though support for the capture cards might be, what little support their is is typically aimed either at consumer entertainment devices or scientific/industrial framegrabbers, since the former has the biggest userbase and the latter has the deeper pockets). The cheap seats tend to be some ARM or MIPS SoC running a truly shoddy linux port(and have fun getting GPL compliance out of the vendor, not that you'd want see their kernel 2.4 hackjob anyway...); and so could be supported; but are likely to be a somewhat heroic undertaking unless enough interested people have the same hardware to work on it together.

    2. Re:Home Brew by Thelasko · · Score: 2

      ...unless enough interested people have the same hardware to work on it together.

      An article earlier this year revealed that 70 security camera vendors are using the same hardware. The firmware is compatible between all of them.

      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    3. Re:Home Brew by fuzzyfuzzyfungus · · Score: 2

      Indeed, I suspect that (as with low end routers) there are substantially fewer distinct designs than there are brand names and rebadges, which would make 3rd party firmware easier. On the minus side, in areas where rebadging is the rule it can be a real pain to ensure that you get the same hardware reliably: if your vendor is slapping their badge on one ODM's cheapo board today, they could(and not infrequently do) switch to slapping the same brand and model name on an entirely different board with approximately similar capabilities tomorrow.

      This is hardly unique to IP cameras and DVRs, the OpenWRT hardware support wiki is loaded with examples of routers that sell under the same model name and number but are totally different internally(as well as ones that are sold by completely different companies, and internally identical) and USB peripherals, the nastier PCI/PCIe cards; and even computers that aren't associated with 'business' brands that promise image stability will sometimes swap chips without notice.

      I'm not sure if it's a specific business decision, or some sort of culture/language thing; but these sorts of situations always struck me as an opportunity for some entrepreneurial type in China to simultaneously distinguish their product(albeit for a limited market) and get some software development and localization done more or less for free: Western FOSS tinkerers love cheap hardware to play with; and while some established vendors play fairly nice, the combination of 'IP' enthusiasm and a desire to tie hardware to various cloud services and app stores often limits how cooperative establshed western brands are with what the FOSS people want(eg. Intel recognizes the value of having non-awful, in-kernel, drivers for their NICs and chipsets and stuff, since Linux is serious business in the server market; but takes a "your motherboard comes with cryptographically signed UEFI, and you'll like it." attitude). If you have the necessary contacts and business relationships with hardware manufacturers, access to datasheets, etc. you could position yourself above the other rebadge outfits by assuring that your product has a known, stable, chipset and hardware design inside; and by being as helpful as possible to OpenWRT or an analogous effort; and both reap extra hardware sales from tinkerers who want to be sure that they are getting hardware with good 3rd party firmware support; and have the option of basing your official firmware on the 3rd party work; rather than the in-house atrocities that so often ruin otherwise decent hardware.

      I don't doubt that it is harder than it looks; and my Mandarin isn't remotely good enough to try; but if I had hardware that offers excellent value, ruined by firmware that is utter crap, it seems like this could be a win-win.

  4. Mistaken identity by HideyoshiJP · · Score: 2

    Man, this freaked me out for a minute. I thought they were talking about the AVTECH that makes environment monitors for datacenters. Don't get me wrong, those very well could have their own vulnerabilities, but it's a relief to know it's not this company.

  5. Re:IOT by lxs · · Score: 3, Funny

    ...or they will discontinue the service by next week.

    These are truly exciting times to be alive.

  6. No... by Anonymous Coward · · Score: 2, Informative

    And more worrisome:

    Most of these devices use specialized ARM processors with additional opcodes for the video encoding/decoding operations with proprietary software handling the image generation.

    Meaning: you can't simply replace it with an all open source stack, and in many cases can't even replace the system library with an alternative (musl just got switched out for uClibc in OpenWRT, having both a smaller profile and more complete modern conformance than either uClibc or glibc, albeit without legacy development compatibility (which is broken in many cases on glibc, and doesn't exist on uClibc anyway.)

    Point being: Unless somebody makes a concerted effort to reverse engineering those undocuemnted opcodes, or gets ahold of the proprietary datasheets/architecture manuals for those ip camera processors, making a complete open source distro for those devices will be difficult and time consuming, for something that is a nominalyl not for profit venture requiring greater than workday level effort for all but the intellectually advanced of programmers/embedded systems designers/reverse engineers/laypeople.

  7. Only when it costs them money. by Gravis+Zero · · Score: 3, Interesting

    I've said it before but it's worth repeating.

    IoT vendors will only secure their devices after it starts costing them money or are legally required to do so.

    The best option is to high jack the IoT devices to DDoS their makers because it creates a direct feedback loop. The more insecure devices they sell, the more it will cost them to host their company's website(s). For extra points, only target their parent company. ;)

    --
    Anons need not reply. Questions end with a question mark.