AVTECH Shuns Security Firm and Leaves All Products Vulnerable Without a Patch (softpedia.com)
An anonymous reader writes: AVTECH, a Taiwanese CCTV equipment manufacturer, has failed to respond to Search-Lab, a Hungarian security firm, which spent more than a year trying to inform the company about 14 security bugs affecting the firmware of ALL its products. Almost a year after it first contacted the hardware maker, Search-Lab published a public advisory about the vulnerabilities it discovered, warning sysadmins that their AVTECH products may be in danger of exploitation and remote takeover. Search-Lab says its researchers are not the only ones who spotted these issues. Currently, the term "AVTECH" is the second most popular search term on Shodan, where anyone can find more than 130,000 of these devices available online. Taking into account the recent attacks from IoT botnets, AVTECH is now on the same level of incompetence and indifference as other CCTV hardware makers such as AVer, Dahua, and TVT, all Chinese and Taiwanese companies. A list of confirmed affected firmware versions is available here, proof of concept exploitation code is available on GitHub, and an exploitation video is available here.
IOT (Score:2)
another perfect example of why everything doesn't fucking need to be connected to the internet
Re: (Score:2)
It's one of the core features in security DVRs. Certainly a lot more useful than a connected fridge. Security is as possible here as it is with a dedicated server. IoT is still just computers when you get to the root of it.
Re: (Score:2)
I just got an Amcrest PoE camera.
I'm not sure why it needs to be on anything other than its own LAN segment accessible only to zoneminder. Vulnerabilities are presumably in there and are never going to be patched.
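One concrete way to get the isolation this comment describes, added here as an example (not code from the thread or from any vendor): a small POSIX shell script that emits an nftables ruleset for the router between the camera VLAN and the rest of the network. The cameras can only be reached from the ZoneMinder host on the camera's HTTP/RTSP ports, and the cameras can never initiate connections off their own segment, so an unpatched camera cannot phone home or join a botnet. The subnet, interface name and ZoneMinder address are assumptions, overridable through environment variables.

```shell
#!/bin/sh
# Added example, not from the original thread: build an nftables ruleset that
# confines a camera VLAN so only the ZoneMinder host can talk to the cameras.
# All addresses and the interface name below are assumed placeholders.
CAM_NET="${CAM_NET:-192.168.50.0/24}"   # assumed camera VLAN
CAM_IF="${CAM_IF:-vlan50}"              # assumed router interface facing the cameras
ZM_HOST="${ZM_HOST:-192.168.10.20}"     # assumed ZoneMinder server address

# Print the ruleset; pipe it into `nft -f -` on the router to apply it.
camera_ruleset() {
  cat <<EOF
table inet camfw {
  chain forward {
    type filter hook forward priority 0; policy drop;
    # replies to sessions the ZoneMinder host opened are allowed back
    ct state established,related accept
    # only ZoneMinder may open HTTP (80) or RTSP (554) sessions to the cameras
    ip saddr $ZM_HOST ip daddr $CAM_NET tcp dport { 80, 554 } accept
    # nothing the cameras initiate leaves their segment (no phone-home, no C2)
    iifname "$CAM_IF" drop
  }
}
EOF
}

camera_ruleset
```

Apply with `sh camfw.sh | sudo nft -f -`. Because the forward chain's policy is drop, every other host on the network is also cut off from the cameras, not just the internet; if the cameras need DHCP or NTP from the router itself, that is handled in an input chain on the router, which this fragment deliberately leaves untouched.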
Re: (Score:2)
Do you have external access to your zoneminder system?
Re: (Score:2)
No.
If I did, it would be through a VPN but those are not exactly easy to get right these days with all the prime number issues.
Re: (Score:2)
Thinking about it, I can X over SSH to get in. I do that but not to monitor cameras. It's there to have a record when crap goes down.
Re: (Score:2)
Ah. I have been looking at the Amcrests, and I have set up zoneminder before, but I want remote access for my application. I may actually end up with some cloudy cameras (Blink or Arlo maybe), since at least they are connecting out to a server and not allowing access in. In theory they should be more secure that way.
Re: (Score:2)
I want to be able to connect my security camera system to the Internet so I can check on things remotely.
There's Nest for that. You have to pay the hosting fee; however, they're probably going to maintain the software as a result.
Re:IOT (Score:4, Funny)
...or they will discontinue the service by next week.
These are truly exciting times to be alive.
Re: (Score:2)
...or they will discontinue the service by next week.
These are truly exciting times to be alive.
Indeed.
In other respects the new cameras are neat. Nice high resolution colour pictures over a wide range of light levels and direct streaming to ethernet.
The consumer's dilemma is strong with this one. So much shiny, such deep vulnerabilities.
You get what you pay for (Score:2)
Re:You get what you pay for (Score:4, Informative)
Sometimes they even get less security than they pay for!
Re: (Score:1)
"To me, as a consumer, security of my IoT stuff is of no use, and what havoc my insecure IoT devices might wreak on the Internet is not my problem. Moreover, I want what I buy to be cheaper, so if security has to be sacrificed, I'm okay with that. I won't buy an expensive secure device, while I can buy a cheaper, insecure one instead."
Now, I am a network administrator and obviously I don't think like above. I just wanted to point out an obvious flaw of the entire IoT concept. And the flaw is that consumers
me doesn't speak english (Score:2)
I am guessing they have ONE guy answering these e-mails, and that person isn't fluent in English (if at all).
As long as orders continue to pour in, there's no problem.
Re: (Score:1)
There is a Turkic 'bridge' where some words may have common origins. Tengir in Mongolian, 'wide blue sky', is similar to the Magyar Tenger meaning 'the blue sea'.
Other borrowings through the Kazakh/Tibetan tribal languages might be common as well.
China. (Score:1)
Re: (Score:1)
Taiwan isn't China
I saw what you did there (Score:1)
After all this is about popular security cameras. And you wrote:
IoT is still just computers when you get to the root of it.
Well said. Bravo! And well played!
You dawg... (Score:2)
Re: (Score:2)
It's good to be a part of something bigger than yourself....
Makes a great Christmas Present (Score:1)
Perhaps I'll buy one for a (Not So Good) Friend..... :)
Prices are not too bad.
http://amzn.to/2e9WRKM
PROS
Great hardware
Great Installation options (poe/ac/alarm trigger cables)
Solid construction
Great picture with beautiful wide angle and resolution
Great night vision (not all washed out like others)
CONS
Uhm, simply doesn't work half the time.
Camera suddenly goes offline, is not responsive to web or software connections
The mac software "Video Viewer" crashes 80% of the time when trying to load the camera
The ePTZ fe
Home Brew (Score:5, Interesting)
Re:Home Brew (Score:4, Informative)
Just by way of example, since one is on my desk, the D-Link DCS-930L is essentially a Ralink RT5350F with a lousy webcam attached to its USB host port; all integrated into a single PCB. Since the RT5350 shows up in all kinds of little routers, it has OpenWRT support; and since it is primarily a router SoC, the camera is a USB device rather than some MIPI CSI atrocity.
More generally, it just varies. A lot of the higher end DVRs are just x86s, since that's a cheap and easy way to get a punchy CPU, as much storage as you deem necessary, and optionally a bunch of PCI/PCIe capture cards to handle legacy analog devices; so putting your own OS on them isn't a terribly heroic endeavor (though support for the capture cards might be; what little support there is is typically aimed either at consumer entertainment devices or scientific/industrial framegrabbers, since the former has the biggest userbase and the latter has the deeper pockets). The cheap seats tend to be some ARM or MIPS SoC running a truly shoddy linux port (and have fun getting GPL compliance out of the vendor, not that you'd want to see their kernel 2.4 hackjob anyway...); and so could be supported; but are likely to be a somewhat heroic undertaking unless enough interested people have the same hardware to work on it together.
Re: (Score:3)
...unless enough interested people have the same hardware to work on it together.
An article earlier this year revealed that 70 security camera vendors are using the same hardware. [slashdot.org] The firmware is compatible between all of them.
No... (Score:2, Informative)
And more worrisome:
Most of these devices use specialized ARM processors with additional opcodes for the video encoding/decoding operations with proprietary software handling the image generation.
Meaning: you can't simply replace it with an all open source stack, and in many cases can't even replace the system library with an alternative (musl just got switched out for uClibc in OpenWRT, having both a smaller profile and more complete modern conformance than either uClibc or glibc, albeit without legacy deve
Re: Home Brew (Score:1)
Look for "3 dumb routers" by Steven Gibson and the security now podcast. And you'll get your answers.
I just don't get it... (Score:2)
If you are a real asshole; and think you can get away with it, I can see why you might try to threaten them into silence; but if you can't do that, or you aren't scum, they are doing your work for you. What do you gain by not taking advantage of that?
Especially in this case. By the look of their product lineup, these guys appear to have aspirations higher than the '8 lousy came
Re: (Score:1)
Because the Chinese industry doesn't give a good god damn about security, it only cares about putting out the cheapest possible product for western markets, and cutting literally every corner that they can legally (and sometimes illegally) cut in order to bring the overall cost of goods down.
And before you think I'm blaming the Chinese or Taiwanese people themselves, their hands are tied: This is what happens when customers demand everything be ever-cheaper. Once you've optimized a product well enough, the
Re: (Score:2)
Because it doesn't affect the bottom line. Until it hurts the manufacturer to be insecure, they won't give a crap. These Chinese companies are the 'commodity -whatever-' business. That means pushing the costs of design and production as close to zero as physically possible. So unless their existing customer base suddenly decides to sue them for their incompetence, or a regulation appears that makes them fix it, or new customers simply stop buying, they have ZERO reason to change anything.
Only when it costs them money. (Score:4, Interesting)
I've said it before [slashdot.org] but it's worth repeating.
IoT vendors will only secure their devices after it starts costing them money or are legally required to do so.
The best option is to hijack the IoT devices to DDoS their makers because it creates a direct feedback loop. The more insecure devices they sell, the more it will cost them to host their company's website(s). For extra points, only target their parent company. ;)
should be legal to DDoS companies with own gear (Score:2)
There should be a legal exception that it is allowed to make your, and other people's, devices phone home to the original manufacturer with Gbit speeds.
The less they patch or the more shitty hardware they produce, the more they need to invest in anti-DDoS measures.
At some point it will be cheaper to simply patch the stuff.