China/mac-address/backdoor

[LARMGUY]

I'm just going to throw this out there. It has been concerning me since security has gone IP.

1. Every IP device has to have a unique identification number the mac address.
2. Most of the world's cameras, access control boxes, security panels are made in China, Korea, Vietnam, Taiwan, etc.
3. What is the probability these communistic, hostile countries have programmed "back doors" into every product they produce?

Can anyone see the possible ramifications?

[LARMGUY]

120 views and no takers huh?

[SafeSmallTowns]

I don't know how probable it is, but it is certainly possible. There are two ways to do this: hardware and software. And one company may make the hardware and another company may make the software. Adding complexity, there may be many hardware manufacturers in each camera or system that make up the sum of it's parts. Additionally, there would need to be a motive or reason for doing this. "China" has no way of knowing where and how the cameras produced there will end up. It is far more likely that they don't have such a backdoor, but if you detect suspicious network traffic, you might want to take security precautions or switch cameras and notify the authorities. Why not try and find camera parts made in the US?

[LARMGUY]

Finally! There are intelligent life forms here. I have talked to several individuals in the IT industry. They say NOTHING is secure. Example, Stuxnet. The Chinese know when large shipments go out and one way would be by reversing the technical support route, anyone can determine who the end user could be. One scenario is they could leave the camera with a flaw that has to be corrected by the factory. The poor tech guy has no idea it is a ploy. It's not hard to backtrack anything if you really want to. Intel on commonly bought items such as cameras would be easy to find. The government usually puts jobs out for bids. That is easily tracked. We all know China follows all the rules. Finding a public IP address would be easy. Finding the back door through hardware and software would be the next challenge. Hard but not impossible.

Your thoughts?

[SafeSmallTowns]

To make the issue more complicated, sometimes backdoors are not programmed in maliciously, but for debugging purposes. The problem comes into play when a hacker discovers the backdoor exists and exploits it. This article talks about how China was initially blamed for a backdoor in a computer chip used by the US Military, but it ended up being a debugging program installed by a California-based firm: http://www.techspot.com/news/48817-c...-backdoor.html

[LARMGUY]

To make the issue more complicated, sometimes backdoors are not programmed in maliciously, but for debugging purposes. The problem comes into play when a hacker discovers the backdoor exists and exploits it. This article talks about how China was initially blamed for a backdoor in a computer chip used by the US Military, but it ended up being a debugging program installed by a California-based firm: http://www.techspot.com/news/48817-c...-backdoor.html

Here is a scenario. Would it be any different IF China was a favored nation and ally and never ever gave us any reason to think otherwise?
No is my answer. Power changes every day and corrupt leaders could overthrow any regime at any time. They could give vital information quickly to any subversive faction about our tactics, strength, whatever.

Like this
http://conservativebyte.com/2012/03/...-plan-on-iran/

[LARMGUY]

To make the issue more complicated, sometimes backdoors are not programmed in maliciously, but for debugging purposes. The problem comes into play when a hacker discovers the backdoor exists and exploits it. This article talks about how China was initially blamed for a backdoor in a computer chip used by the US Military, but it ended up being a debugging program installed by a California-based firm: http://www.techspot.com/news/48817-c...-backdoor.html

I found this while searching other forums.

Bit of a heads up about a bit of a disconcerting security issue in some ONVIF IP
cameras.

I had my eye on some low cost, Chinese OEM IP cameras because
they have good NAS compatibility (claimed Synology). They are branded as IPS,
Uvision, Gsvision, Sunvision, Aote among others. I was willing to put up with
the clunky ActiveX interface because I figured I'd only have to configure them
once and would be viewing the video through the NAS/NVR
interface.

Everything went fairly smoothly- I set the time, IP address,
changed the password- and when I went to log back in it would not accept the
same one copied and pasted. No problem- went for the old reset button and… no
reset button.

So I emailed the Chinese manufacturer, they asked for me to
give their technician access to my computer via TeamViewer so he could reset it-
I said that was not really an acceptable solution. So they sent me the default,
hard-written to firmware, root password for their cameras so I could just
remotely log-in and hard-reset the camera over telnet.

That's
right, there's a root user, but you can't change the
password.

Yeah- not too happy about that.

I spent a few
days going back and forth with them- explaining why, with these cameras in homes
and businesses all over the world this was a Bad Thing. Either they were playing
dumb and had to have it for the Powers That Be (as has been documented with
other network products of similar origin), or else they truly think it's ok.
Their attitude was basically that they had made a mistake in giving it to me-
and not in having one in the first place. Their "fix" was a promise to change
the hard-written root pass in future firmware revisions. Given that the password
is sent to the camera in plaintext, it's hardly likely the new one would remain
secret for long.

(In case you are wondering, even after a few hard reset
cycles the camera would still not accept a new admin password but that is no
longer really a concern for me.)

All this seems a bit insane. As we all
know few LANs are very secure- wifi is not tough to crack, we all password
protect our computers and NASs against this eventuality. As it stands, anyone
with access to the LAN that these cameras are on can take them all offline with
a few keystrokes, or reset the admin password, restore the original IP and leave
anonymous access on- so the owner would never know they had been compromised. Or
set them to forward images to an outside location.

As far as cameras that
are accessible via the Internet, many people will not change the cameras default
IP- which means that even on reset it won't lose its port mapping and video
could be viewed by anyone, anywhere. At the very least they could still disable
it. Other than that, root is root and someone with better Linux skills could
probably make more of it.

I'm posting this because as we all know there
is no security in obscurity- and if they could accidentally just email me the
root pass this is far from obscure. People have these cameras pointed at
playgrounds and in private homes- hoping they don't give the password to anyone
else (or that it is not already being used) is not really an option in my
opinion. I would never consider installing a camera with this kind of known
backdoor- perhaps others feel differently.

If you'd like to check your
camera, here is the information:

Not going to give this part

Credit to milo****