
[DefCon32] The Edges of Surveillance System and Its Supply Chain

As artificial intelligence advances image processing, surveillance technologies proliferate, raising privacy concerns amid rising hacks and illicit data collection. Chanin Kim and Myounghun Pak, offensive researchers, probe network video recorders (NVRs), pivotal yet understudied components. Their analysis targets the market leaders Hikvision, Dahua, Uniview, and Synology’s Surveillance Station, uncovering vulnerabilities exploitable worldwide whose impact is amplified through OEM supply chains.

Chanin and Myounghun’s journey, spanning four months and yielding a substantial bounty, begins with the challenge of extracting firmware. They bypass U-Boot mitigations through UART, JTAG, and eMMC methods, extracting the systems for scrutiny. Analysis of HTTP traffic and of the binaries reveals the flaws, and validation against OEM products extends their reach.

The surge in surveillance, valued at $4.1 billion globally, stems from pandemic demands for monitoring in retail, urban planning, and access control. NVRs store and manage footage from CCTVs and IP cameras, often internet-accessible, making them prime targets.

Limited prior research on NVRs, contrasted with extensive CCTV studies, motivates their focus. Shodan scans reveal over 30,000 exposed devices, echoing past exploits like Mirai botnets leveraging Hikvision RCEs.

Firmware Extraction Methodologies

Extraction proves arduous. Hikvision and Dahua offer limited access but restrict root, so alternatives are needed. UART on Hikvision yields a shell once headers are soldered on, while Dahua requires JTAG to interrupt U-Boot.

Uniview requires dumping the eMMC through an adapter, working around its encryption. Synology’s package is the simplest case: SSH suffices.

U-Boot bypasses include patching in a boot delay and abusing environment variables. Together these enable comprehensive analysis.

Discovered Vulnerabilities and Exploits

Analyses uncover stack overflows, command injections, and credential leaks. Hikvision’s overflows in HTTP handlers allow RCE, while Dahua’s injections in recovery endpoints enable reboots or shells.

Uniview exposes hardcoded credentials and overflows in authentication. Synology suffers overflows in login processes.
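The two bug classes named above, an unbounded copy in an HTTP parameter handler and a shell command built from a "recovery" request, are shown here as an added illustration; this is not code from the talk or from any vendor’s firmware, and every handler, interface name and parameter is hypothetical. Each vulnerable pattern sits beside a hardened form: the fixed buffer gets an explicit length check, and the recovery parameter is validated against an allowlist and passed as an argv element rather than through a shell.

```c
/* Added illustration: hypothetical NVR request handlers, vulnerable and hardened.
 * Not taken from the DEF CON talk or any vendor firmware; all names are invented. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define NAME_MAX_LEN 32

/* Length of s, but never scanning past max bytes. */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* VULNERABLE: copies an attacker-controlled query value into a fixed stack
 * buffer with no length check. Anything longer than 32 bytes overwrites the
 * saved frame. Kept for contrast only; never invoked below. */
int handle_get_profile_vulnerable(const char *user_param) {
    char name[NAME_MAX_LEN];
    strcpy(name, user_param);          /* unbounded copy */
    return (int)strlen(name);
}

/* HARDENED: reject over-long input up front (a 400 in a real handler) instead
 * of truncating silently, then copy with an explicit bound and a guaranteed
 * NUL terminator. Returns the accepted length or -1. */
int handle_get_profile_safe(const char *user_param, char *out, size_t out_len) {
    size_t n = bounded_len(user_param, NAME_MAX_LEN + 1);
    if (n > NAME_MAX_LEN || n + 1 > out_len) return -1;
    memcpy(out, user_param, n);
    out[n] = '\0';
    return (int)n;
}

/* VULNERABLE: a recovery endpoint that builds a shell command from the request.
 * A value such as "eth0; id" runs a second command. Kept for contrast only. */
int recovery_restart_iface_vulnerable(const char *iface) {
    char cmd[128];
    snprintf(cmd, sizeof cmd, "ifconfig %s down && ifconfig %s up", iface, iface);
    return system(cmd);                /* the shell parses attacker input */
}

/* HARDENED: the parameter must match one of the interfaces the device
 * actually has. Returns the index into the allowlist, or -1. */
static const char *const known_ifaces[] = { "eth0", "eth1", "wlan0" };

int recovery_validate_iface(const char *iface) {
    for (size_t i = 0; i < sizeof known_ifaces / sizeof known_ifaces[0]; i++)
        if (strcmp(iface, known_ifaces[i]) == 0) return (int)i;
    return -1;
}

/* HARDENED: build an argv for a direct execv() call, so no shell ever sees the
 * value. argv must have room for 4 pointers. Returns 0 on success, -1 if the
 * interface was rejected. */
int recovery_build_argv(const char *iface, const char *argv[4]) {
    if (recovery_validate_iface(iface) < 0) return -1;
    argv[0] = "/sbin/ifconfig";        /* hypothetical path on the device */
    argv[1] = iface;
    argv[2] = "down";
    argv[3] = NULL;
    return 0;
}

int main(void) {
    char buf[64];
    const char *argv[4];
    /* Constructed sample inputs: one benign, one over-long, one with a shell metacharacter. */
    printf("profile 'admin' -> %d\n", handle_get_profile_safe("admin", buf, sizeof buf));
    printf("profile 48xA     -> %d\n",
           handle_get_profile_safe("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", buf, sizeof buf));
    printf("iface 'eth0'     -> %d\n", recovery_build_argv("eth0", argv));
    printf("iface 'eth0; id' -> %d\n", recovery_build_argv("eth0; id", argv));
    return 0;
}
```

The hardened recovery path is the important design choice: validation alone is brittle if the value still reaches `system()`, so the fix both restricts the value to a known set and removes the shell from the path entirely.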

Chaining the bugs yields attack scenarios that mirror attacks seen in the wild: credential stuffing grants admin access, command injection opens a reverse shell, and scanning from the NVR locates Windows hosts for plugin RCEs.

Demonstrations automate the compromise, shutting devices down or taking over networks.

Supply Chain Ramifications

OEM dynamics amplify the risk. Hikvision and Dahua supply rebranded products to Lorex, Luma, Amcrest, and EZVIZ. Shared logic and firmware mean the vulnerabilities propagate.

Tests on purchased devices confirm it: four of six Hikvision flaws affect Annke; four of seven Dahua issues impact Swann and Reolink.

CVEs assigned through the Korean CNA increase the count of recognized flaws by 61%. Shodan estimates 130,000 Hikvision and 100,000 Dahua units vulnerable.

Recommendations for Defense

Offensive researchers should prioritize HTTP and proprietary protocols beyond the surfaces already studied. Users should avoid exposing NVRs externally and rely on the vendor’s DDNS service for secure remote access.

Their findings underscore surveillance’s dual-edged nature, urging robust protections amid expanding deployments.
