Internet of Things is becoming ever more popular, and vendors seek to capitalize on that: nowadays the manufacturing process of some security cameras is more alike to that of an Internet of Things device, rather than a security device. This reckless attitude undoubtedly leads to security vulnerabilities in critical systems.
Our lead researcher Kirils Solovjovs participated in IT security conference “Cyberchess 2016” jointly organised by CERT.LV and ISACA Latvia, where he presented his research on the security of Milesight IP security cameras. Multiple major security vulnerabilities were presented (CVE-2016-2356, CVE-2016-2357, CVE-2016-2358, CVE-2016-2359, CVE-2016-2360). The presence of vulnerabilities in the wild was verified in cooperation with CERT.LV by testing a Latvian public institution with more than 100 products by this vendor.
Given that vendor is located outside EU, Kirils initiated an international responsible disclosure process, working with the vendor, CERT.LV, the public institution, the installer, HackerOne Inc., and CERT/CC.
The presentation covers the technical aspects of vulnerabilities (presented publicly for the first time), lessons learned, and recommendations to security officers and policy makers. Video recording is also available.
Last weekend the Institute of electronics and computer science (EDI) hosted MAKE RIGA Hacking competition 2016, which is set to become a yearly tradition. Co-owner of 1st Ltd Kirils Solovjovs defended his champion title by attaining first place once again.
“The number and variety of challenges as well as the number of contenders is clearly increasing, providing for a lively competition. I was not originally planning to attend, but seeing the high response rate, I decided to give it a go and sign up for the competition on its second day. One could say that ending up at the top this year was a pleasant accident,” champion Kirils Solovjovs said with a smile.
This year the organizers had prepared 33 challenges – 57% more than the previous year – to wrestle with in the following categories among others:
- Internet of Things,
- WiFi security,
- social engineering,
- embedded device and microchip analysis,
- radio intercept and decoding,
- RFID security,
- reverse engineering software binaries,
- security of network services.
This year’s competition was well attended with 38 participants taking part from all around Latvia. Contenders included IT professionals, scientists and other interested parties.
The gold trophy was won by IT security expert Kirils Solovjovs who maxed out at 162 points. Krišjānis Stikāns was well behind with 99.5 points. Bronze trophy was awarded to Aleksandrs Levinskis for scoring 91 points. He was closely trailed by Dāvis Mosāns and “mkz” who scored 90 and 89 points respectively. Six of 33 challenges remained unsolved by anyone.