Amcrest products and KRACK vulnerability

Any major updates coming, Upcoming Software, General Security advice for others and topics alike Post them here so other users can chat with you.
entresec
Posts: 6
Joined: Fri Oct 27, 2017 11:47 am

Re: Amcrest products and KRACK vulnerability

Postby entresec » Tue Nov 07, 2017 9:52 pm

Bump. Still waiting on a response for one or more of these:

1) Was Krack patched in the latest round of firmware updates? If so, which ones specifically?
2) If not, when can we expect a response as to when you'll know more, or when a fix will be issued?

For reference, here is the link to the disclosure, which talks about this mainly being a client side attack (i.e. Amcrest Camera):

https://www.krackattacks.com/

Melvin
Site Admin
Posts: 2240
Joined: Wed Oct 14, 2015 2:20 pm

Re: Amcrest products and KRACK vulnerability

Postby Melvin » Wed Nov 08, 2017 1:14 pm

Hello all,

The KRACK mainly aim at the routers, hackers utilize this flaw to create a fake AP to be disguised as your WiFi. And then they build Phishing website to steal your account or credit card information. Basically, the flaw exists during the handshaking i.e. authenticating process, so your password of the router is safe.

Hacker must be around your location to fake your WiFi; Information is not encrypted so they can steal them via package capturing or Phishing sites.

For our device, the account credentials are encrypted by the MD5 algorithm so it cannot be cracked that easily. And our video stream is also secured.
Can't find your answer on the forum? Try our Knowledge Base! https://amcrest.zendesk.com/hc/en-us

Image

entresec
Posts: 6
Joined: Fri Oct 27, 2017 11:47 am

Re: Amcrest products and KRACK vulnerability

Postby entresec » Wed Nov 08, 2017 2:17 pm


Hello all,

The KRACK mainly aim at the routers, hackers utilize this flaw to create a fake AP to be disguised as your WiFi. And then they build Phishing website to steal your account or credit card information. Basically, the flaw exists during the handshaking i.e. authenticating process, so your password of the router is safe.


Hi Melvin,

The above information is inaccurate. Please see the link I posted. Here are excerpts taken from said link, whose author is the person who published this vulnerability.

"During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks."

Me: Apple and Windows do not make routers. This attack affects clients as well. A full ist of known devices is available here, which includes more then just routers: https://www.kb.cert.org/vuls/byvendor?s ... rchOrder=4

"As a proof-of-concept we executed a key reinstallation attack against an Android smartphone."

Me: Again, not a router.

"Our main attack is against the 4-way handshake of the WPA2 protocol. This handshake is executed when a client wants to join a protected Wi-Fi network, and is used to confirm that both the client and access point possess the correct credentials (e.g. the pre-shared password of the network)."

Me: Note the reference to client here. This is not the router.

(Under the FAQ) "Is it sufficient to patch only the access point? Or to patch only clients?

Currently, all vulnerable devices should be patched. In other words, patching the AP will not prevent attacks against vulnerable clients. Similarly, patching all clients will not prevent attacks against vulnerable access points. Note that only access points that support the Fast BSS Transition handshake (802.11r) can be vulnerable."

Me: See above where it says "patching the AP will not prevent attacks against vulnerable clients"

Back to my original question, when will we know when a patch will come out for our cameras? Clearly now, the answer is that the existing firmware did not patch this issue. (Me reading between the lines from your last response)

samsf28
Posts: 1
Joined: Wed Nov 08, 2017 3:06 pm

Re: Amcrest products and KRACK vulnerability

Postby samsf28 » Wed Nov 08, 2017 4:06 pm

Hi Melvin, when can we expect to get firmware updates that patches this vulnerability? From all the articles about it, they all mention it as a client side issue too.

Melvin
Site Admin
Posts: 2240
Joined: Wed Oct 14, 2015 2:20 pm

Re: Amcrest products and KRACK vulnerability

Postby Melvin » Wed Nov 08, 2017 4:25 pm

Hello entresec,

Thank you for the detailed post. This issue is already under the review of our R&D team. We hope to come up with a fix pretty soon. We will keep you updated on the status.
Can't find your answer on the forum? Try our Knowledge Base! https://amcrest.zendesk.com/hc/en-us

Image

Neptune
Posts: 13
Joined: Mon Oct 16, 2017 4:41 pm

Re: Amcrest products and KRACK vulnerability

Postby Neptune » Wed Nov 08, 2017 4:37 pm

Melvin wrote:Hello entresec,

Thank you for the detailed post. This issue is already under the review of our R&D team. We hope to come up with a fix pretty soon. We will keep you updated on the status.


Wow. We are five pages into this thread that was started October 16th and multiple people have discussed this issue in detail. Today you give a word-for-word duplicate response that was given to rdkis on October 19th (second page of the thread) saying that this is not a problem and your customers are safe, but now we will get a fix "pretty soon." This is just absurd. Yeah, I'd like a fix... and you should have given us this response weeks ago instead of pretending that you understand the issue and ignoring users that are ceasing use of your product because of your failure to take this seriously.

entresec
Posts: 6
Joined: Fri Oct 27, 2017 11:47 am

Re: Amcrest products and KRACK vulnerability

Postby entresec » Wed Nov 08, 2017 4:41 pm

Melvin wrote:Hello entresec,

Thank you for the detailed post. This issue is already under the review of our R&D team. We hope to come up with a fix pretty soon. We will keep you updated on the status.


Thanks Melvin. Please ask your Dev team to consider this a critical vulnerability, which generally means resolution within <30 days. I look forward to your updates.

svd
Posts: 2
Joined: Thu Oct 19, 2017 11:43 am

Re: Amcrest products and KRACK vulnerability

Postby svd » Wed Nov 08, 2017 4:46 pm

Hopefully a patch will be available soon.


Following information is also incorrect
Melvin wrote:Hello all,
For our device, the account credentials are encrypted by the MD5 algorithm so it cannot be cracked that easily. And our video stream is also secured.


md5 can be relatively easily be cracked nowadays. And please explain how an rtsp stream is secured from snooping? I am pretty sure it is not.

Neptune
Posts: 13
Joined: Mon Oct 16, 2017 4:41 pm

Re: Amcrest products and KRACK vulnerability

Postby Neptune » Wed Nov 08, 2017 4:57 pm

You're right, it isn't. And I would be shocked if Melvin knew that. All he did was copy-paste a response that someone else made three weeks ago (taken from a reply by rdkis):

Image

dynostatic
Posts: 3
Joined: Wed Nov 08, 2017 1:58 pm

Re: Amcrest products and KRACK vulnerability

Postby dynostatic » Thu Nov 09, 2017 6:36 am

MD5 for password hashes? I almost spit out my coffee. I wouldn't be bragging about that on a public forum. Hey Amcrest, we love your hardware, but you're going to have to do a little better. This is a big deal, and your response needs to match. I don't want to worry about my neighbor's teenage kid learning about this on 4chan and trying to hack the neighborhood with a pringles can.

Every wireless product you have ever made that supports WPA needs a patch, and that needs to be on a timetable and publicly posted.


Return to “General Security Chat”

Who is online

Users browsing this forum: No registered users and 1 guest