As the August 13 deadline looms for the US ban on Chinese surveillance cameras, the news cycle is re-engaged with the issue. The panic about banned cameras still being in operation shines a spotlight on both the severity of the issue and the dire need to find a solution.
Through our research, based on tens of millions of embedded device binaries, it’s clear that the banned devices lack basic security building blocks and consequently expose users to the security threats that are alleged by the US.
One may ask – are the banned Chinese devices the only vulnerable devices in the field? The answer is surely no. Many devices from various countries also lack a proper security state; however, they were not banned for use by the US government – for example, D-Link cameras, Amazon Ring, LG Hom-Bot, Cisco routers, and many more.
As part of deep research conducted by our security team, a few well-known vendors which are widely used were found vulnerable – QNAP, Synology, and many more which cannot be mentioned yet, as VDOO adheres to a responsible disclosure process.
However, the banned Chinese devices have some security issues of the highest severity that could potentially cause significant damage.
Research findings indicate a grim security state
Indeed, most of the Chinese devices inspected internally, using our security automation tools, were exposed to high risk since they do not follow basic security practices.
Our researchers found remote unauthenticated takeover zero-day vulnerabilities in the products of a few different Chinese vendors: Foscam cameras, with 52 unique models affected, and Hikvision cameras, with 200-400 million affected devices deployed in the field. There are other Chinese vendors with vulnerable devices which will be disclosed in the future as part of the responsible disclosure process. In most cases, as with Foscam and Hikvision, the vendor worked closely with us to promptly solve the security issues.
Detailed below are the basic security requirements that were not implemented in almost all inspected Chinese devices. These requirements are critical in order to secure embedded devices:
1. Build software using critical compiler and linker security flags – These are very basic compile-time mitigations (Stack Canaries & ASLR) which were not implemented properly in any of the inspected devices. Without them it is relatively easy for an attacker to turn a buffer overflow into code execution on the device.
2. Disable all shell command execution features in CGI/PHP scripts – This is a very simple step aimed at preventing command injection attacks, in which an attacker remotely exploits the device through its server-side processing mechanisms (for example a CGI binary or PHP scripts). It is possible to avoid command injection while still retaining the ability to get input from OS commands by running those commands without the shell.
3. Avoid default passwords, weak password hashing, and password reuse – Many of the device vendors did not require the administrator to change the default password on first login. Even when the passwords were changed, they were usually stored with weak hashing algorithms (PAM descrypt/md5crypt or various unsalted hashes), which makes them much easier to crack after dumping a firmware image. This is a serious issue because users usually reuse passwords across multiple devices; therefore, the exposure of the user’s password from a vulnerable device can be utilized for a targeted attack on the user’s accounts in services such as mailbox, bank account, etc.
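Requirement 1 above can be checked on a firmware binary without running it: the mitigations leave fingerprints in the ELF image. The checker below is an added example, not VDOO's tooling or any vendor's code. It parses the ELF header and program headers to report PIE (what lets kernel ASLR randomize the executable; a non-PIE ELF is ET_EXEC and is loaded at a fixed address), NX (the PT_GNU_STACK flags), RELRO (PT_GNU_RELRO) and stack canaries. The canary test is the quick-triage heuristic of scanning for the `__stack_chk_fail` reference that `-fstack-protector` code emits; a stricter tool would walk the dynamic symbol table instead. `build_sample_elf` constructs a minimal synthetic ELF64 image purely so the checker can be exercised offline; it is not a real firmware binary.

```python
import struct

# ELF constants (from the ELF specification / elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4


def analyze_elf(data: bytes) -> dict:
    """Report which compile/link-time mitigations an ELF image carries."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                 # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4    # p_flags directly follows p_type in Elf64_Phdr
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24   # p_flags sits near the end of Elf32_Phdr
    nx, relro = None, False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + e_phentsize > len(data):
            break        # truncated image: stop rather than read past the end
        (p_type,) = struct.unpack_from(end + "I", data, off)
        (p_flags,) = struct.unpack_from(end + "I", data, off + flags_off)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        # ET_DYN covers PIE executables (and shared libraries); ET_EXEC binaries
        # are mapped at a fixed address and gain nothing from kernel ASLR.
        "pie": e_type == ET_DYN,
        # Triage heuristic: -fstack-protector code references __stack_chk_fail.
        "stack_canary": b"__stack_chk_fail" in data,
        # With no PT_GNU_STACK header the loader assumes an executable stack.
        "nx": bool(nx),
        "relro": relro,
    }


def missing_mitigations(report: dict) -> list:
    """Names of the mitigations the image lacks, in a fixed order."""
    return [k for k in ("pie", "stack_canary", "nx", "relro") if not report[k]]


def build_sample_elf(pie: bool, stack_exec: bool, relro: bool, canary: bool) -> bytes:
    """Constructed minimal ELF64 (x86-64, little-endian) image for exercising the checker."""
    stack_flags = PF_R | PF_W | (PF_X if stack_exec else 0)
    phdrs = [struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, version 1
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC, 0x3E, 1, 0,   # e_type, e_machine (x86-64), e_version, e_entry
        64, 0, 0,                                 # e_phoff (right after header), e_shoff, e_flags
        64, 56, len(phdrs), 64, 0, 0,             # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    )
    image = header + b"".join(phdrs)
    if canary:
        image += b"\x00__stack_chk_fail\x00"      # stands in for the dynamic symbol reference
    return image


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:          # e.g. binaries carved out of a firmware image
        with open(path, "rb") as f:
            print(path, "missing:", missing_mitigations(analyze_elf(f.read())))
```

Run it over the ELF files extracted from a firmware image; a report listing `pie` and `stack_canary` as missing is the condition described in requirement 1.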
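Requirement 2 is easiest to see with the two patterns side by side. The following is an added example (not code from the page or from any of the vendors named): a network-diagnostic handler of the kind found in camera web interfaces, once written by pasting the request parameter into a shell command line, and once written the way the text recommends, as an argv list executed without a shell, with an allow-list check on the parameter in front of it. `echo` stands in for the real diagnostic tool (such as ping) so that the example runs offline and produces visible output; the function and constant names are the example's own.

```python
import re
import subprocess

# "echo" stands in for the real diagnostic tool (e.g. ping) so the example runs offline.
DIAG_TOOL = "echo"

# Allow-list for the host parameter: hostname / IPv4 characters only, bounded length.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def is_valid_host(host: str) -> bool:
    """Reject anything that is not plausibly a hostname or IPv4 address."""
    return HOST_RE.fullmatch(host) is not None


def run_via_shell(host: str) -> str:
    """Vulnerable pattern: the request parameter is pasted into a shell command line,
    so shell metacharacters in it are interpreted as further commands."""
    cmd = f"{DIAG_TOOL} {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_without_shell(host: str, validate: bool = True) -> str:
    """Hardened pattern: the tool is started directly with an argv list, so the
    parameter is always exactly one argument; validation rejects junk up front."""
    if validate and not is_valid_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return subprocess.run([DIAG_TOOL, host], capture_output=True, text=True).stdout


if __name__ == "__main__":
    probe = "127.0.0.1; echo INJECTED"           # constructed request parameter
    print("shell   :", repr(run_via_shell(probe)))
    print("argv    :", repr(run_without_shell(probe, validate=False)))
    print("validate:", is_valid_host(probe))
```

The second line of output shows the point the text makes: even with validation switched off, the argv form hands the whole string to the tool as one argument and the injected command never runs. Validation is still worth keeping, since the tool itself may interpret option-like arguments.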
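For requirement 3, the difference between "weak" and "proper" password storage is concrete. The following is an added example, not code from the page or any vendor: an unsalted MD5 of the kind the text describes next to salted PBKDF2-HMAC-SHA256 with a per-password random salt and constant-time verification, plus a tiny lookup showing why the unsalted form is cheap to crack once a firmware image has been dumped (one precomputed table matches every device). The storage format string, the iteration count and the function names are the example's own choices.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor; raise it as the device CPU allows


def weak_unsalted_hash(password: str) -> str:
    """What many inspected devices did: one unsalted digest, identical on every device."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_unsalted(digest: str, candidates) -> str:
    """Why unsalted hashes fall quickly: a table built once serves every device."""
    table = {weak_unsalted_hash(c): c for c in candidates}
    return table.get(digest)


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, slow hash; a fresh 16-byte random salt per password unless one is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(calc, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed wordlist; any real cracker starts from something far larger.
    wordlist = ["123456", "admin", "password", "12345678"]
    weak = weak_unsalted_hash("admin")
    print("unsalted md5 of 'admin':", weak, "->", lookup_unsalted(weak, wordlist))
    a, b = hash_password("admin"), hash_password("admin")
    print("same password, two salted hashes differ:", a != b)
    print("verify ok:", verify_password("admin", a), "wrong pw:", verify_password("admin1", a))
```

On first login the device should additionally force a change away from the factory default, so that the stored hash is of a password the user chose rather than one printed in a manual.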
The practical bottom line of the security requirements above is that the device user is potentially exposed to surveillance and data theft, as well as eavesdropping and covert photo or video capture, depending on the device’s capabilities.
What can the government and end users do?
One of our recommendations for the US and any other government, as well as for the private end-user, is to use only IoT devices which are certified and standardized according to a reliable body that uses neutral technologies to assess the device’s security risks. Such certification can indicate that the most important security requirements were implemented, which dramatically reduces the chances of cyber-attacks or exploits.
Particularly for the situation in the news today about thousands of banned cameras still in use at strategic organizations, there are device-specific embedded runtime agents which can be installed on deployed devices and protect them in real-time while already in use. The implementation of such solutions can dramatically enhance the device’s security level to achieve unprecedented protection of sensitive assets, as well as to allow real-time monitoring and intelligence on attempted attacks.
Steps should be taken by the Chinese vendors
The banned device vendors could have avoided such a situation by implementing security best practices – a process that today can be done effectively and at large scale thanks to security automation solutions. If they take responsible action to this crisis and implement basic security requirements, which can easily be done, they can surely begin to repair the damage that has been done to their reputations.
There are advanced security solutions that exist today that can completely change the security state of the embedded devices of the banned vendors. The choice is in their hands.
Is there room for optimism?
In terms of improving the security state of embedded devices – we believe there is room for optimism – mainly because today there is much more emphasis on data privacy as reflected in the US with California’s SB-327 bill and Oregon House Bill 2395, and in Europe with GDPR. In terms of the specific banned Chinese vendors – it depends on their future actions and the responsibility they take to secure their devices.
With regulators having less and less patience for security violations, and with governments, enterprises, and consumers having less and less tolerance for risk, the trend is toward more secure devices. We see many device makers actively adding security to their products. These companies realize they must responsibly provide protection for their users and ultimately for all of us.