Amcrest products and KRACK vulnerability

smokeybandit
Posts: 16
Joined: Fri Jul 29, 2016 1:20 pm

Amcrest products and KRACK vulnerability

Post by smokeybandit »

Will Amcrest quickly be providing a patch for this?
Neptune
Posts: 13
Joined: Mon Oct 16, 2017 4:41 pm

Re: Amcrest products and KRACK vulnerability

Post by Neptune »

I am using multiple Amcrest cameras over wifi and since pretty much all wifi devices are impacted by the KRACK vulnerability, I am also eager to see this patched. I am already working on using ethernet instead until this is fixed, and that is not easy for some of the locations where these cameras have been installed.
Melvin
Site Admin
Posts: 2210
Joined: Wed Oct 14, 2015 2:20 pm

Re: Amcrest products and KRACK vulnerability

Post by Melvin »

Hi all,

Please ensure that the cameras' firmware is updated to the latest version. Also set up a strong password of at least 8 characters. We will periodically release updates against security threats.
Can't find your answer on the forum? Try our Knowledge Base! https://amcrest.zendesk.com/hc/en-us

rdkls
Posts: 13
Joined: Tue Oct 17, 2017 11:08 am

Re: Amcrest products and KRACK vulnerability

Post by rdkls »

Melvin wrote: Hi all,

Please ensure that the cameras' firmware is updated to the latest version. Also set up a strong password of at least 8 characters. We will periodically release updates against security threats.

Melvin, someone on Amcrest's side needs to start taking this seriously. This is a major security issue and Amcrest's lack of official response to this is very concerning. Didn't Amcrest start selling their "own" product because of unaddressed Foscam security issues? That's what the foscam.us site alludes to anyways.

I reached out to support via email and utilized the chat feature on the site (yes, I know chat is sales), but neither of them could provide insight or seemed to know what they were doing, or care for that matter; I had to define the acronym "ETA". :roll:

I guess it's time to move on from Amcrest to a more competent provider for my security camera solutions.

These CVEs were provided to the industry over 6 months ago under responsible disclosure, and are only just now being publicized. Being that Amcrest is a provider of security cameras and devices, touting wireless as a functionality of their product offering, it is absolutely unacceptable to not have any kind of response regarding a vulnerability of this magnitude by now.

Email & Chatlog here. < Updated
Last edited by rdkls on Thu Oct 19, 2017 10:10 am, edited 1 time in total.
Melvin
Site Admin
Posts: 2210
Joined: Wed Oct 14, 2015 2:20 pm

Re: Amcrest products and KRACK vulnerability

Post by Melvin »

Hello rdkls,

As per the update we have, most vulnerabilities were fixed in the latest firmware for IP cameras.
rdkls
Posts: 13
Joined: Tue Oct 17, 2017 11:08 am

Re: Amcrest products and KRACK vulnerability

Post by rdkls »

Melvin wrote: Hello rdkls,

As per the update we have, most vulnerabilities were fixed in the latest firmware for IP cameras.

Melvin, where is this information published on your site? I read the release notes for my camera models and neither of them called the WPA2 security flaw out.

The only thing listed in the release notes is either "various security improvements" or "security improvements"; something of this magnitude needs to be specifically called out. Until these specific vulnerabilities are addressed/specifically mentioned, I will (and many others should) assume that they are not remedied in your product.
Last edited by rdkls on Tue Oct 17, 2017 3:49 pm, edited 2 times in total.
Neptune
Posts: 13
Joined: Mon Oct 16, 2017 4:41 pm

Re: Amcrest products and KRACK vulnerability

Post by Neptune »

Melvin wrote: Hi all,

Please ensure that the cameras' firmware is updated to the latest version. Also set up a strong password of at least 8 characters. We will periodically release updates against security threats.

Thank you for the generic suggestion, but a strong password does not address the security vulnerability in question. A response that actually addresses the expressed concerns would be much more appreciated. Like I said, I am currently in the process of de-featuring the Amcrest products that I own until this vulnerability is addressed. I was able to update all of my Linux devices, from laptops and servers to my Android cell phone, within a day from when this 802.11 WPA vulnerability was announced, and numerous other manufacturers released firmware updates immediately. A simple acknowledgement of the impacted Amcrest products and an ETA for addressing the issue would be an appropriate response and help build trust in the company's ability to address serious security issues. Suggesting that I use a strong password is not acceptable.
Intrigued
Posts: 9
Joined: Sun Jun 25, 2017 2:37 pm

Re: Amcrest products and KRACK vulnerability

Post by Intrigued »

rdkls wrote: The only thing listed in the release notes is either "various security improvements" or "security improvements", something of this magnitude needs to be specifically called out.

I would say anything related to security fixes / bugs / etc. should be fully disclaimed. Months ago, I asked about the "security improvements" for my camera (IP3M-943) 03-28-17 firmware and never got a response specifying what that was. It doesn't make sense to me since I can't check anything to verify the fixes or further test them. Moreover, blindly updating doesn't work for me, since time and time again firmware updates break things that worked perfectly before. I do accept that KRACK is an exception, a forced update given the implications, but I still think Amcrest should be more precise in their change logs when addressing security issues. Even update old ones and say exactly what they did.
rdkls
Posts: 13
Joined: Tue Oct 17, 2017 11:08 am

Re: Amcrest products and KRACK vulnerability

Post by rdkls »

Seems that Amcrest is still just another Foscam.

If no sufficient official response is received within 48 hours of this post, I will discontinue use of the few I have in production, go through painstakingly cancelling POs with any Amcrest product on them, and advise all colleagues and clients to avoid their use; at least until someone on Amcrest's side starts taking this security stuff seriously... they are a provider of security cameras and solutions/devices, after all.
t84a
Posts: 205
Joined: Fri Jun 10, 2016 1:41 pm

Re: Amcrest products and KRACK vulnerability

Post by t84a »

While I feel your pain, I'd say over 80% of the devices are still vulnerable. Androids are NOT safe. Apple is in BETA. ASUS has released nothing. If you're that concerned, stop using all your wifi devices. No one is really protected yet.