Amcrest products and KRACK vulnerability

[Intrigued]

We hope to come up with a fix pretty soon. We will keep you updated on the status.

This was 20 days ago. So, I wonder if the status is the same or at least Amcrest is beta testing firmwares.

[entresec]

This was 20 days ago. So, I wonder if the status is the same or at least Amcrest is beta testing firmwares.

Agreed. Can we get an update please Melvin?

[tickerguy]

MD5 for password hashes? I almost spit out my coffee. I wouldn't be bragging about that on a public forum. Hey Amcrest, we love your hardware, but you're going to have to do a little better. This is a big deal, and your response needs to match. I don't want to worry about my neighbor's teenage kid learning about this on 4chan and trying to hack the neighborhood with a pringles can.

MD5 is the "digest" authentication on web auth. No, it's not enough, which is why people want to run SSL back to the cameras too! Between MD5 AND an SSL connection you're reasonably safe, EVEN IF the WiFi is insecure. Of course this assumes you are using a certificate either you issued AND have the CA for on your other end (so you can verify it) or a public certificate (from a public CA and can verify it); if you're ignoring the issuer (no chain verification) then SSL can be MITM'd too, although that would require doing it twice -- and that's much harder than doing it once!

[rdkls]

Bumping this up because it has yet to be addressed and potential new customers should be aware.

[linuxnutt]

Amcrest has been promising to fix this vulnerability since it first came out, but there has been no movement on providing any patch. The vulnerability was announced in Octoner 2017. VULNERABILITY LIKE THIS ONE NEEDS IMMEDIATE ATTENTION !!! HOW ABOUT IT AMCREST WHERE IS IT! This vulnerability effects all wifi client products. A patch needs to be released that will fix this for all wifi enable clients. Until this company is willing to patch their products in a responsible professional manner, and in a timely fashion it should be boycotted by everyone. Old and new customers need to know this. This company claims to be concerned about security and providing secure products, but so far it is falling short of this, way short. It is really laughable, I'm sorry pitiful and I hope no one buys an other products from them until they show a willingness to fix there own products. Sorry Amcrest just bing honest. Change the perception and fix your products. Everyone please keep asking for the Krack vulnerability to be fixed. If enough of us keep after it maybe it will have an effect, and please let them know we are also voting with our valets by not buying any other products. Spread the word. Please!!

[ktwa]

I just installed kali linux and tested an IPM-HX1B with the KRACK attack scripts. It looks like this model is affected by the all zero key reinstallation attack. This is likely the worst of the vulnerabilities. I hope Amcrest is going to patch the problem soon.

[rdkls]

I'm beyond civility; throw your Amcrest devices in the trash or dissect them for spare parts. If you absolutely must keep them, set their DNS servers to random private or APIPA addresses (169.254.255.253, 169.254.255.254). I went a step further, dumped them in their own VLAN/subnet and configured an ACL to only let them talk to internal networks.


*Over 3600 attemps in the approximately 10 minutes I had the ACL configured, and I have P2P disabled!

The firmware page doesn't even provide firmware, only a subscription option that sends you to aweber.com/scripts/addlead.pl... interesting to note that all though fanboys claim that Amcrest is not Foscam (anymore), Foscam's own privacy policy states that aweber manages their email marketing campaign. Any other scenario, I'd say that it's just coincidence, but given the track record and shady behavior I've seen so far, I'm going to advise you to err on the side of caution and toss these things.

[rdkls]

13 hours and 330,000 attempts to call something.

[Balnacra]

I sent an email to Amcrest back in May asking about their plans to address KRACK, and all I got were evasive non- responses. Basically they have no plans to fix anything. Their lofty goal statements about their noble purpose and values are pure BS. They compete on price only. Everything else (security, service, integrity, etc.) is a distant second. Won't buy anything from them again.

[rdkls]

I hadn't checked in on this in a long time, figured I'd ask a (sales) rep via chat today for an update... more of the same.