Amcrest products and KRACK vulnerability

Neptune
Posts: 13
Joined: Mon Oct 16, 2017 4:41 pm

Re: Amcrest products and KRACK vulnerability

Post by Neptune »

t84a wrote: Well, androids are not protected nor are the majority of devices.
Neptune wrote:
t84a wrote: While I feel your pain, I'd say over 80% of the devices are still vulnerable. Androids are NOT safe. Apple is in BETA. ASUS has released nothing. If you're that concerned, stop using all your wifi devices. No one is really protected yet.
Both Google and Apple have released statements about addressing the issue, and it would satisfy me for now if Amcrest did the same. My Android phone uses LineageOS which has been patched as of this morning along with many other Linux based devices. I am aware of which devices I own that have not been conclusively patched and they are turned off, so yeah... I'm that concerned. My Amcrest cameras are among those turned off devices, which is why I am here.
Here's my response from before, since you seem to have forgotten we already had this conversation. I'm not sure why it is relevant that other devices are vulnerable. Anyone who has read anything about KRACK knows that. I'm not on the Amcrest forum to talk about the vulnerabilities from other manufacturers. I do not expect them to fix the problems of other manufacturers, I'm here to see when the vulnerable devices that Amcrest maintains will be patched. It is really quite simple...
t84a
Posts: 205
Joined: Fri Jun 10, 2016 1:41 pm

Re: Amcrest products and KRACK vulnerability

Post by t84a »

I hear you but you imply that others have patched their devices while they have not. These are $60-$80 cameras. Commercial IP cameras go for about $1500 each. I get where you're going but be realistic. Amcrest is no Google or Apple. As I posted earlier, nothing from Asus. You would think they would have something to say.

I'm really not worried about it where I live. It would be pretty easy to spot a physical intruder. I also have a Fingbox which would alert me if a "fake" network were to be established. This will take time. The ultimate fix is probably an updated WPA protocol.
Neptune
Posts: 13
Joined: Mon Oct 16, 2017 4:41 pm

Re: Amcrest products and KRACK vulnerability

Post by Neptune »

t84a wrote: I hear you but you imply that others have patched their devices while they have not. These are $60-$80 cameras. Commercial IP cameras go for about $1500 each. I get where you're going but be realistic. Amcrest is no Google or Apple. As I posted earlier, nothing from Asus. You would think they would have something to say.

I'm really not worried about it where I live. It would be pretty easy to spot a physical intruder. I also have a Fingbox which would alert me if a "fake" network were to be established. This will take time. The ultimate fix is probably an updated WPA protocol.
I am not implying that devices have been patched when they haven't. I pointed out companies (Google and Apple) that have acknowledged the issue and stated an intent to patch. I also pointed out that many groups have been patching their devices, including many that do not have the same resources as Google or Apple. LineageOS is maintained by a limited number of contributors, not a corporation. They patched it right after the announcement. As was the Linux kernel and relevant Linux packages. This also goes for LEDE, an open source router firmware project, that patched the issue within a couple days. Here is a list of other manufacturers that have acknowledged or patched the issue: Cisco, DD-WRT, Intel, Microchip, Microsoft, Netgear, Raspberry Pi, and several others. Many of the patched devices are consumer products in the price range of the Amcrest cameras or less. It does not take billions of dollars in revenue to address this issue.

It is great that you are not worried about it. It is certainly clear from your responses.
t84a
Posts: 205
Joined: Fri Jun 10, 2016 1:41 pm

Re: Amcrest products and KRACK vulnerability

Post by t84a »

Post a link from another low end camera manufacturer that has addressed this. Foscam?
US-CERT has known of the bug for some months and informed vendors ahead of the public disclosure to give them time to prepare patches and prevent the vulnerability from being exploited in the wild -- of which there are no current reports of this bug being harnessed by cyberattackers.
Again, there should be no real panic just yet.
Neptune
Posts: 13
Joined: Mon Oct 16, 2017 4:41 pm

Re: Amcrest products and KRACK vulnerability

Post by Neptune »

Here you go, Netgear Arlo cameras. That took me all of 3 minutes to find. Next time why don't you Google around yourself?
https://kb.netgear.com/000049498/Securi ... -2017-2837

I am well aware that there are many, many unpatched devices out there and it will take a long time to get even the majority of them patched. I understand the scale of the issue. However, Amcrest is not responsible for the majority of those devices. They have maybe a few dozen camera models, many of which probably use similar firmware and chipsets. I am advocating to have a known and well publicized security vulnerability fixed in a set of security cameras produced by a company whose slogan is "Simple. Reliable. Secure." Just go look at the logo. Look at CTRL+F and see how many times "security" is found on this page alone. For a company that claims to be focused on security, there have been minimal responses regarding this issue and those statements are filled with inaccuracies about the threat.

You seem more concerned that Asus has not released a response, and that is fine. If I were using Asus devices with the stock firmware, I would be on those forums wanting answers too.

As for there not being reports of the bug being utilized by hackers and no need for panic yet... I would much rather this issue be patched before said panic ensues.
t84a
Posts: 205
Joined: Fri Jun 10, 2016 1:41 pm

Re: Amcrest products and KRACK vulnerability

Post by t84a »

Wait. You're comparing Amcrest to Netgear? Wow. Also, aren't Arlos like $250? Ok, so Netgear acknowledges they have a problem. Now what? If you have any history with Amcrest, Foscam, or any of these low end Chinese cameras, you would have more realistic expectations. Go buy a $250 Arlo and you're no better off. An immediate solution is a Fingbox-$116 at Amazon.
Neptune
Posts: 13
Joined: Mon Oct 16, 2017 4:41 pm

Re: Amcrest products and KRACK vulnerability

Post by Neptune »

Just looking at Amazon I have found Amcrest cameras as high as $775 and Arlo cameras as low as $84. So, there is definitely an overlap in the price range. Netgear has stated they will be patching the Arlo cameras automatically. I don't own one, so I cannot tell you if they have pushed the update yet or not. If they have patched it, yeah, I would be better off in this regard. I do not care to have an Arlo camera though. You asked for a link from a manufacturer of a low cost camera and I provided a link to the first one I found on Google. However, I do own some Amcrest cameras and I would like to see them patched. From a company that claims to be security focused, that should not be an unreasonable request, and seeing the posts by others in this thread I am not alone. It is clear you do not have the same expectations or concerns and I do not expect to convince you otherwise.
rdkls
Posts: 13
Joined: Tue Oct 17, 2017 11:08 am

Re: Amcrest products and KRACK vulnerability

Post by rdkls »

@t84a (I don't think tagging works, but I want you to know this is directed at you), give it a rest. If you're not concerned with it, move on and stop with the conjecture.

Amcrest's history is precisely why we are concerned with the lack of acknowledgement/response from them.

Do you know their history? Amcrest IS Foscam.

They ended their partnership with the previous manufacturer due to "their (own) experiences and customer feedback" surrounding the security risks that were not being addressed.

They re-branded and are now working with "the second largest security camera manufacturer in the world" with a "deep commitment to end-user privacy and security, highly reliable software and hardware...."

Directly from the source:
Image

The context of the security risk at hand, versus the risks that created turmoil previously, holds no relevancy. Obviously Amcrest is not solely responsible for the WPA2 vulnerability, whereas the manufacturers of their equipment under the Foscam name were absolutely responsible for their shortcomings.

The problem here is the fact that Amcrest has yet to even acknowledge this (publicly). Deduction tells us that a security-centric company's lack of public disclosure regarding a flaw/risk of this magnitude likely suggests that they aren't addressing it appropriately. Especially considering that this flaw has only recently been disclosed to the public by the engineer who discovered it. Which means manufacturers/vendors have had this information for a significant amount of time already.

On that note, it isn't unlikely that other, less moral researchers or engineers (see: black hats), may have also discovered or have known about this without disclosing it and may have been using this for nefarious purposes.

If you don't see the hypocrisy or concern, that's fine... but those of us with our heads on straight, that understand the history and implications of not only the risk/flaw at hand, but also understand Amcrest's history and supposed mission statement... well, we do care.

I'm now unaffected since I've already decommissioned their products in my environments, but I wanted to chime in here.
t84a
Posts: 205
Joined: Fri Jun 10, 2016 1:41 pm

Re: Amcrest products and KRACK vulnerability

Post by t84a »

Amcrest is not Foscam. These guys just switched from selling Foscam to the current ones (labeled as Amcrest).

For others who think they need to panic, I offer this specific:
Our main attack is against the 4-way handshake of the WPA2 protocol. This handshake is executed when a client wants to join a protected Wi-Fi network, and is used to confirm that both the client and access point possess the correct credentials (e.g. the pre-shared password of the network).
This essentially means the only time an intruder can grab your key is when a device requests to join the network. So with respect to your cameras, an intruder would need to hang out at your house hoping your cameras reboot and join the network again.

I'm not discounting the enormity of this issue but I think wireless cameras are low on the risk scale. This issue will take a long time to resolve.
Neptune
Posts: 13
Joined: Mon Oct 16, 2017 4:41 pm

Re: Amcrest products and KRACK vulnerability

Post by Neptune »

t84a wrote:
Our main attack is against the 4-way handshake of the WPA2 protocol. This handshake is executed when a client wants to join a protected Wi-Fi network, and is used to confirm that both the client and access point possess the correct credentials (e.g. the pre-shared password of the network).
This essentially means the only time an intruder can grab your key is when a device requests to join the network. So with respect to your cameras, an intruder would need to hang out at your house hoping your cameras reboot and join the network again.
Unfortunately we are talking about an issue over an RF medium. Have you never had WIFI issues at home because a neighbor set up a new router on the same channel? Perhaps you haven't, but it does happen. It is not difficult to jam the frequencies occupied by an access point and cause a device to lose connection; this can be done using the same transceiver. Just pick the same channel as the AP and start broadcasting. Then turn off the jamming and start waiting for that reconnect sequence. Any WIFI device can get triggered to reconnect if the packet error count gets high enough. It does not take long and I am sure that anyone attempting to utilize the KRACK exploit would know how to trigger a reconnect. I agree that this issue is enormous, but security cameras are not less susceptible than any other device until the firmware is patched.