Significant Vulnerability in Hikvision Cameras

For the past several months, VDOO’s security research teams have been undertaking broad-scale security research of leading IoT products, from the fields of safety and security. In most cases, the research was carried out together with the device vendors for the sake of efficiency and transparency.

As part of this research, VDOO researchers found zero-day vulnerabilities in devices of several vendors. These vulnerabilities were disclosed to the vendors, in accordance with responsible disclosure best practices, and will be shared gradually after the disclosure periods are concluded.

One of the vendors for which we found vulnerable devices was Hikvision. Our team discovered a vulnerability in Hikvision security cameras. Exploiting the discovered vulnerability, an adversary who successfully obtains the IP address of the camera can remotely execute code with root privileges on the camera (via LAN or internet). VDOO has responsibly disclosed this vulnerability (CVE-2018-6414) and engaged with Hikvision’s security team to solve the matter.

Giving Back – Securing Open Source IoT Projects

For the past several months, the security research teams at VDOO have been undertaking broad-scale security research of leading IoT products, from the fields of safety and security. In most cases, the research was carried out together with the device vendors for the sake of efficiency and transparency.

The research goal is to contribute knowledge and tools to mitigate risks, as well as encourage the devices’ manufacturers to implement the right security for their products. We believe that an appropriate implementation of the security essentials will dramatically decrease the chances of exploiting vulnerabilities on the device.

Open-source projects are implemented in many connected devices. In order to provide the highest security level for those devices as well, the research focuses on some of the most common projects. The findings are then implemented in all of our automated IoT security solutions for the widest risk mitigation coverage.

As part of this research, our researchers discovered zero-day vulnerabilities in several known open-source projects. In this article, we will discuss vulnerabilities found in 3 different projects: the popular Lighttpd web server, the Live555 Media Library, and a Linux driver for Realtek’s RTL8189ES Wi-Fi chip.

Installing Dropbear with Enhanced Security Options

This guest article is a detailed guide to the Dropbear SSH service, intended for technical readers. It is meant to be one of the first in the VDOO Library, a collection of in-depth technical articles and guides that will provide practical advice to device makers, administrators and users.

Our guest writer, Donald A. Tevault, is a Linux security expert, instructor and consultant, and the author of the book “Mastering Linux Security and Hardening”.

Major Vulnerabilities in Foscam Cameras

For the past several months, VDOO’s security research teams have been undertaking broad-scale security research of leading IoT products, from the fields of safety and security. In most cases, the research was carried out together with the device vendors for the sake of efficiency and transparency.

As part of this research, VDOO researchers found zero-day vulnerabilities in devices of several vendors. These vulnerabilities were disclosed to the vendors, in accordance with responsible disclosure best practices, and will be shared gradually after the disclosure periods are concluded.

5 Initial Steps to Mitigate Security Threats in Consumer IoT Products

The major botnet variants seen over the last few years have been enabled primarily by a lack of basic security engineering practices applied to consumer IoT devices. BASHLITE, Mirai, Remaiten and Linux.Darlloz all relied at least partially on dictionary attacks that took advantage of well-known default username/password combinations to compromise devices.

IoT Security Foundations: Authentication on the Internet of Things

This article is part two of the IoT Security Foundations series. In this post we will introduce authentication, its pitfalls, and what makes it interesting in the Internet of Things. This article focuses on password authentication mechanisms, the most common ways they get broken, and the right measures that IoT makers can take to achieve a high level of security. There are other advanced authentication methods that can be more secure or more efficient than password authentication under specific scenarios, but we will leave the details of those for a later article in this series.
