Serious Vulnerabilities and Backdoor Discovered in GeoVision Fingerprint and Card Scanners

Critical Vulnerabilities Found in GeoVision Surveillance Devices

GeoVision, a Taiwanese provider of video surveillance systems and IP cameras, has recently addressed three of four significant vulnerabilities that potentially allowed cyber attackers to intercept network traffic and execute man-in-the-middle attacks. These vulnerabilities were identified by Acronis, a cybersecurity firm, during a routine security audit of a major retailer based in Singapore.

According to Acronis, the uncovered flaws could enable malicious actors to maintain prolonged access to networks, monitor internal users, and steal sensitive information undetected. The seriousness of the situation is underscored by the ability of attackers to exploit fingerprint data to gain unauthorized access to personal devices and homes, making it easier to commit identity theft.

The identified vulnerabilities affect at least six families of devices, with over 2,500 susceptible units spread across countries including Brazil, the United States, Germany, Taiwan, and Japan. Notably, the vulnerabilities could allow remote attackers to potentially compromise thousands of additional devices.

The first major issue is a previously unknown root password, “admin,” that grants an attacker unauthorized access to the device simply by entering that default value. This vulnerability could allow an attacker to log into affected systems remotely, posing serious security risks.

Another serious vulnerability concerns hardcoded shared cryptographic private keys utilized for Secure Shell (SSH) authentication, while a third flaw allows unauthenticated access to system logs on affected devices. This lack of security controls can lead to significant data leakage, exposing sensitive information without the need for authentication.
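Hardcoded keys shared across a product line typically surface as identical SSH host keys on many devices, which a defender can spot from a fleet scan. The following added example (not GeoVision or Acronis code) parses constructed `ssh-keyscan`-style output, computes OpenSSH-style SHA256 fingerprints, and reports keys presented by more than one host; all hosts and key blobs are made up for illustration.

```python
import base64
import hashlib
from collections import defaultdict


def fake_blob(label: str) -> str:
    """Build a constructed, syntactically valid key blob for the sample data.

    Real keys are never this short; the label only makes the sample readable.
    """
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + label.encode()).decode()


# Constructed sample in the `host keytype base64key` format that ssh-keyscan
# prints. Devices .11 and .12 deliberately present the same key blob.
SCAN_OUTPUT = "\n".join([
    f"10.0.0.11 ssh-rsa {fake_blob('shared-firmware-key')}",
    f"10.0.0.12 ssh-rsa {fake_blob('shared-firmware-key')}",
    f"10.0.0.13 ssh-rsa {fake_blob('unique-key-a')}",
    f"10.0.0.14 ssh-rsa {fake_blob('unique-key-b')}",
])


def sha256_fingerprint(b64_key: str) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the decoded key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str) -> dict:
    """Map each fingerprint to the list of (host, keytype) pairs presenting it."""
    by_fingerprint = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # ssh-keyscan emits comment lines when run with -v
        host, keytype, b64_key = line.split()[:3]
        by_fingerprint[sha256_fingerprint(b64_key)].append((host, keytype))
    return by_fingerprint


def shared_host_keys(text: str) -> dict:
    """Return fingerprint -> sorted hosts for every key seen on more than one host."""
    return {
        fp: sorted(host for host, _ in entries)
        for fp, entries in parse_keyscan(text).items()
        if len(entries) > 1
    }


if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SCAN_OUTPUT).items():
        print(f"{fp} shared by {', '.join(hosts)}")
```

Any fingerprint that appears on several devices is a candidate for a vendor-baked key and should drive key regeneration or firmware replacement rather than being trusted in `known_hosts`.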

Furthermore, a critical buffer overflow vulnerability in GeoVision’s firmware allows for the execution of unauthorized code on affected fingerprint readers, requiring no prior authentication to exploit. Rated with a CVSS score of 10, this flaw represents a severe threat to security.

Acronis initially reported these issues to GeoVision in August 2022, with follow-up communications in September and December of the same year, and further engagement with SingCERT regarding their findings. While GeoVision has since released fixes for three of the vulnerabilities with the latest firmware version (1.22), the buffer overflow flaw remains unfixed.

The vulnerabilities have been officially acknowledged by Taiwan’s Computer Emergency Response Team (TWCERT), which has issued advisories reiterating the critical bugs and the availability of firmware updates. However, the fourth vulnerability, which could permit attackers to exploit a faulty parameter to manipulate memory management and redirect execution flow, remains undisclosed in terms of technical specifics.

If exploited, an attacker could gain full control of any compromised device, opening the door to the installation of malicious firmware, which could irrevocably compromise network security. Acronis representatives expressed their dismay at the slow response to such critical vulnerabilities, emphasizing the ongoing risks associated with IoT security flaws.

In terms of potential attack methodologies, this incident illustrates various tactics within the MITRE ATT&CK framework, including initial access via flaws in default credentials, persistence through backdoor exploits, and privilege escalation through unauthorized firmware deployment. Cybersecurity practitioners and business owners must remain vigilant, as the presence of these vulnerabilities highlights a critical need for robust security measures in IoT device deployments.
