How a Rosnano subsidiary, which sold thousands of cameras to schools together with Rostec, makes "Russian" cameras with leaky Chinese firmware

Hi all!

I develop firmware for CCTV cameras used in B2B and B2C services, as well as in federal-scale video surveillance projects.

I wrote about how we started in an earlier article.

Since then, a lot has changed: we began to support even more chipsets, such as MStar and Fullhan, and we met and made friends with a large number of both foreign and domestic manufacturers of IP cameras.

In general, camera developers often come to us to show new equipment, discuss the technical aspects of the firmware or the production process.

But, as always, strange guys sometimes turn up: they bring blatantly Chinese hardware of unacceptable quality, with firmware full of holes and the emblem of a third-rate factory hastily painted over, and at the same time claim that they developed everything themselves, both the circuitry and the firmware, and that the result is a supposedly completely Russian product.

Today I will tell you about some of these guys. To be honest, I am not a supporter of public flogging of careless "import substituters" - I usually decide that we are not interested in a relationship with such companies, and with that we part ways.

Today, however, while reading the news on Facebook over my morning coffee, I almost spilled it when I read that the Rosnano subsidiary ELVIS-NeoTech, together with Rostec, will supply tens of thousands of cameras to schools.

Under the cut are the details of how we tested them.

Yes, yes - these are the same guys who brought me blatantly cheap, poor-quality Chinese hardware under the guise of their own development.

So, let's get to the facts. They brought us a VisorJet Smart Bullet camera. The only domestic parts of it were the box and a QCD acceptance sheet (:-D); inside was a typical Chinese modular camera based on the Hisilicon 3516 chipset.

After the firmware dump was made, it quickly became clear that the real manufacturer of the camera and the firmware is a certain company called Brovotech, which specializes in supplying customized IP cameras. I was separately outraged by this company's second name, "ezvis.net" - a clumsy fake of the name Ezviz, the B2C subsidiary of Hikvision, one of the world leaders. Hmm, everything is in the best traditions of Abibas and Nokla.

In the firmware, everything turned out to be more or less standard, in the unpretentious Chinese style:

Firmware files
├── alarm.pcm
├── bvipcam
├── cmdserver
├── daemonserver
├── detections
├── font
├── lib
...
│ └── libsony_imx326.so
├── reset
├── start_ipcam.sh
├── sysconf
│ ├── 600106000-BV-H0600.conf
│ ├── 600106001-BV-H0601.conf
...
│ └── 600108014-BV-H0814.conf
├── system.conf -> /mnt/nand/system.conf
├── version.conf
└── www
...
├── logo
│ ├── elvis.jpg
│ └── qrcode.png

From the domestic manufacturer we see the file elvis.jpg - not bad, but with an error in the company name: judging by their site, they are called "elvees".

bvipcam is responsible for the camera's operation: it is the main application, which works with the A/V streams and acts as the network server.

Now about holes and backdoors:

1. It's very easy to find a backdoor in bvipcam: strcmp (password, "20140808") && strcmp (username, "bvtech"). It cannot be disabled, and it listens on port 6000, which cannot be disabled either.


2. /etc/shadow has a static root password, and the telnet port is open. A not particularly powerful MacBook brute-forced this password in less than an hour.


3. The camera can return all saved passwords in clear text via the control interface. That is, by accessing the camera with the backdoor login and password from (1), you can easily find out the passwords of all users.

I did all these manipulations personally - the verdict is obvious. Third-rate Chinese firmware, which cannot even be used in serious projects.
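A check for finding (2) that can be run over an unpacked firmware root before a camera is accepted for deployment. This is an added example, not code from the original article or from any vendor; the function names are hypothetical, the hash values are constructed placeholders, and both the hash scheme and the idea that start_ipcam.sh is what launches telnetd are assumptions made for the sample.

```python
import re, tempfile
from pathlib import Path

# crypt(3) scheme prefixes; classic DES hashes have no prefix and are 13 chars.
SCHEMES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512", "$y$": "yescrypt"}
WEAK = {"none", "des", "md5"}

def audit_shadow(text):
    """Return (user, scheme) for each account whose password login is enabled."""
    found = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or fields[1][:1] in ("!", "*"):
            continue  # malformed line or locked account
        h = fields[1]
        scheme = "none" if not h else next(  # empty field: no password needed
            (n for p, n in SCHEMES.items() if h.startswith(p)),
            "des" if len(h) == 13 else "unknown")
        found.append((fields[0], scheme))
    return found

def telnet_starters(root):
    """Return startup files (relative paths) with an uncommented telnetd call."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and (p.suffix == ".sh" or p.name in ("inittab", "rcS")):
            if re.search(r"^[^#\n]*\btelnetd\b", p.read_text(errors="replace"), re.M):
                hits.append(p.relative_to(root).as_posix())
    return hits

def audit(root):
    """A login baked into the image is shared by every unit; telnet exposes it."""
    shadow = Path(root, "etc", "shadow")
    accounts = audit_shadow(shadow.read_text()) if shadow.is_file() else []
    telnet = telnet_starters(root)
    return [{"user": u, "scheme": s, "weak_hash": s in WEAK,
             "telnet_started_by": telnet} for u, s in accounts]

def build_sample(root):
    """Constructed rootfs: placeholder hash, not taken from any real device."""
    (Path(root) / "etc").mkdir(parents=True)
    Path(root, "etc", "shadow").write_text(
        "root:ab0123456789A:0:0:99999:7:::\nbin:*:0:0:99999:7:::\n")
    Path(root, "start_ipcam.sh").write_text("#!/bin/sh\n# telnetd off\ntelnetd &\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(build_sample(tmp)))
```

Any enabled account in the image's own /etc/shadow is worth a finding regardless of scheme, because the same credential ships on every unit; the weak_hash flag only indicates how quickly it is likely to fall.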

By the way, later I found an article whose authors did more in-depth work on studying the holes in Brovotech cameras. Hmm, yes.

Based on the results of the examination, we wrote a conclusion to ELVIS-NeoTech with all the facts we had found. In response, we received a splendid answer from ELVIS-NeoTech: “The firmware for our cameras is based on the Linux SDK from the controller manufacturer HiSilicon, because these controllers are used in our cameras. At the same time, our own software was developed on top of this SDK, which is responsible for the interaction of the camera using data exchange protocols. It was difficult for the testers to figure this out, as we did not provide root access to the cameras.

And when assessing from the outside, an erroneous opinion could form. If necessary, we are ready to demonstrate to your specialists the entire process of manufacturing and flashing cameras in our production, including showing part of the firmware source code.”

Naturally, no one showed the source.

I decided not to work with them anymore. And now, two years later, Elvees' plans to produce cheap Chinese cameras with cheap Chinese firmware under the guise of Russian development have come to fruition.

Now I went to their site and found that they have updated their line of cameras, and it no longer looks like Brovotech. Wow, maybe the guys came to their senses and corrected themselves - did everything themselves, honestly this time, without leaky firmware.

But, alas, the simplest comparison of the operating instructions for the "Russian" camera with instructions found online gave a result.

So, meet the original: cameras from an unknown vendor, Milesight.



How is this Milesight better than Brovotech? From a security point of view, most likely in no way - it is simply a cheap solution to purchase.

Just look at the screenshots of the web interfaces of the Milesight and ELVIS-NeoTech cameras - there will be no doubt: the "Russian" VisorJet cameras are a clone of Milesight cameras. Not only do the pictures of the web interfaces match, but so do the default IP 192.168.5.190 and the drawings of the cameras. Even the default password is similar: ms1234 vs en123456 for the clone.

In conclusion, I can say that I am a father, my children go to school and I am against the use of Chinese cameras with leaky Chinese firmware, Trojans and backdoors in their education.

Source: habr.com