Tag Archives: CERT.LV

Vulnerabilities of Milesight IP security cameras

The Internet of Things is becoming ever more popular, and vendors seek to capitalize on that: nowadays the manufacturing process of some security cameras is more akin to that of an Internet of Things device than that of a security device. This reckless attitude undoubtedly leads to security vulnerabilities in critical systems.

Our lead researcher Kirils Solovjovs participated in the IT security conference “Cyberchess 2016”, jointly organised by CERT.LV and ISACA Latvia, where he presented his research on the security of Milesight IP security cameras. Multiple major security vulnerabilities were presented (CVE-2016-2356, CVE-2016-2357, CVE-2016-2358, CVE-2016-2359, CVE-2016-2360). The presence of vulnerabilities in the wild was verified in cooperation with CERT.LV by testing a Latvian public institution with more than 100 products by this vendor.

Given that the vendor is located outside the EU, Kirils initiated an international responsible disclosure process, working with the vendor, CERT.LV, the public institution, the installer, HackerOne Inc., and CERT/CC.

The presentation covers the technical aspects of the vulnerabilities (presented publicly for the first time), lessons learned, and recommendations to security officers and policy makers. A video recording is also available.

First public presentation

We are happy to announce our participation in the yearly IT Security Conference “Our information security – key to the future”, which is jointly organised by CERT.LV and ISACA Latvia. The conference will be held on October 23 at the Radisson Blu Hotel Conference Centre in Riga, Latvia.

During the conference our lead researcher Kirils Solovjovs will be giving a presentation on the practical side of IT security in Latvia.

The language of the presentation will be Latvian and the slides will be available on our website after the presentation.