Amcrest products and KRACK vulnerability

Any major updates coming, Upcoming Software, General Security advice for others and topics alike Post them here so other users can chat with you.
Neptune
Posts: 13
Joined: Mon Oct 16, 2017 4:41 pm

Re: Amcrest products and KRACK vulnerability

Postby Neptune » Tue Oct 17, 2017 8:04 pm

t84a wrote:While I feel your pain, I'd say over 80% of the devices are still vulnerable. Andriods are NOT safe. Apple is in BETA. ASUS has released nothing. If you're that concerned, stop using all your wifi devices. No one isreally protected yet.


Both Google and Apple have released statements about addressing the issue, and it would satisfy me for now if Amcrest did the same. My Android phone uses LineageOS which has been patched as of this morning along with many other Linux based devices. I am aware of which devices I own that have not been conclusively patched and they are turned off, so yeah... I'm that concerned. My Amcrest cameras are among those turned off devices, which is why I am here.

rdkls
Posts: 13
Joined: Tue Oct 17, 2017 11:08 am

Re: Amcrest products and KRACK vulnerability

Postby rdkls » Tue Oct 17, 2017 9:12 pm

t84a wrote:While I feel your pain, I'd say over 80% of the devices are still vulnerable. Andriods are NOT safe. Apple is in BETA. ASUS has released nothing. If you're that concerned, stop using all your wifi devices. No one isreally protected yet.


Neptune wrote:Both Google and Apple have released statements about addressing the issue, and it would satisfy me for now if Amcrest did the same. My Android phone uses LineageOS which has been patched as of this morning along with many other Linux based devices. I am aware of which devices I own that have not been conclusively patched and they are turned off, so yeah... I'm that concerned. My Amcrest cameras are among those turned off devices, which is why I am here.


To mirror what @Neptune said; the difference is that those companies have specifically called out and addressed the issue at hand, whereas Amcrest has yet to even acknowledge it publicly.

For now, wireless functionality has been disabled on any unpatched device within my control.

zeb
Posts: 9
Joined: Tue Oct 03, 2017 8:59 am

Re: Amcrest products and KRACK vulnerability

Postby zeb » Wed Oct 18, 2017 4:03 am

Melvin wrote:Hi all,

Please ensure that the cameras' firmware is updated to the latest version. Also set up a strong password atleast 8 characters. We will periodically release updates against security threats.


Hi Melvin. Although this advice is certainly correct, it is still irrelevant to the issue at stake. Unless you can confirm the latest firmware has been patched against this vulnerability, the length of the password has no effect on KRACK. Can you please return to the developer team and let us know if the latest firmware versions (e.g. for the IP2M-841 V2.520.AC00.18.R) have been patched already, and if not, how long this will take before they are, since this is a critical vulnerability. Thanks in advance.

rdkls
Posts: 13
Joined: Tue Oct 17, 2017 11:08 am

Re: Amcrest products and KRACK vulnerability

Postby rdkls » Thu Oct 19, 2017 10:11 am

Received another response from "R&D".

Image

svd
Posts: 2
Joined: Thu Oct 19, 2017 11:43 am

Re: Amcrest products and KRACK vulnerability

Postby svd » Thu Oct 19, 2017 11:46 am

I am too waiting for an official statement for this grave issue. I need to shutdown my wireless cameras until this is resolved, rtsp streams are unencrypted and relied on the wpa2 encryption. Need to look for a secure aware brand to replace my cameras if no statement will be made.

Neptune
Posts: 13
Joined: Mon Oct 16, 2017 4:41 pm

Re: Amcrest products and KRACK vulnerability

Postby Neptune » Thu Oct 19, 2017 11:54 am

It is quite concerning how little awareness Amcrest has shown regarding this issue in the responses that have been provided. the KRACK vulnerability is mainly a client-side issue, and only impact routers that are acting as bridges and thus need to act as a client to another router. Yes, the handshaking between the client and the router is the source of the issue, but the attack operates by tricking the client into connecting to a fake access point. It is dangerous for a security oriented company to be making completely false statements like "If customers updated the firmware of their router, then I think they will be definitely safe." Every client needs to be patched even if the router has been, since it is the client that is vulnerable.

t84a
Posts: 201
Joined: Fri Jun 10, 2016 1:41 pm

Re: Amcrest products and KRACK vulnerability

Postby t84a » Fri Oct 20, 2017 7:27 am

Buy a Fingbox and it will alert you if someone tries to create a fake network. Right now, every attempt to block ths threat is in beta or nonexistent. Also understand, someone has to be physically in range of your wifi to do this.

Neptune
Posts: 13
Joined: Mon Oct 16, 2017 4:41 pm

Re: Amcrest products and KRACK vulnerability

Postby Neptune » Fri Oct 20, 2017 3:31 pm

t84a wrote:Buy a Fingbox and it will alert you if someone tries to create a fake network. Right now, every attempt to block ths threat is in beta or nonexistent. Also understand, someone has to be physically in range of your wifi to do this.

You can block the threat by patching your client devices against the vulnerability and many devices have already been patched, some even before KRACK was announced publicly. If device manufacturers take security seriously and provide updated firmware, there is no need for a third-party device. I do not think anyone posting here is unaware of the proximity required for KRACK. I lock the door to my house even though only someone who is "physically in range" of the doorknob could open it if it was unlocked.

t84a
Posts: 201
Joined: Fri Jun 10, 2016 1:41 pm

Re: Amcrest products and KRACK vulnerability

Postby t84a » Sat Oct 21, 2017 7:35 pm

Well, androids are not protected nor are the majority of devices.

markplewis
Posts: 45
Joined: Fri Sep 02, 2016 12:41 pm

Re: Amcrest products and KRACK vulnerability

Postby markplewis » Sun Oct 22, 2017 11:28 pm

Melvin, please don't do this. Amcrest has not addressed this vulnerability and you know that. Yet you post something here that suggests updating to the latest firmware will protect us. Why would you do that, buddy? Really, just why?

Oh, and please give Adam Ravat a call and tell him we're still waiting for this fix:

Amcrest staff member, Jun 27, 2015:

"Because our plugins were developed utilizing NPAPI, we are affected by this in addition to hundreds, if not thousands of other developers who utilized NPAPI for their plugins.We are currently in development of plugins that will work on Chrome's newest versions, without NPAPI. The scheduled timeline for this to be available has been stated to be September."


Return to “General Security Chat”

Who is online

Users browsing this forum: No registered users and 1 guest