In this episode of the podcast, host Paul Roberts connects with Noam Moshe, a lead vulnerability researcher at the firm Claroty, about critical vulnerabilities he discovered in Axis IP cameras – a fixture of large corporations and sensitive government agencies. Discover how attackers could hijack entire fleets of cameras, manipulate video feeds, and pivot into sensitive networks – and what organizations must do to defend against these IoT and cyber-physical system threats.

[Video Podcast] | [MP3] | [Transcript]


One of the notable “cyber” trends we’ve seen the last decade is the broadening landscape of cyber attacks. Malicious campaigns these days target not just Windows workstations and conventional IT infrastructure like application servers and networking infrastructure – but a diverse and growing population of “Internet of Things” devices that are deployed in homes, businesses, critical infrastructure and more.

The incident that brought this change to light was, of course, the Mirai botnet back in 2016 (read SL’s coverage of that attack). That saw broadband routers and other devices enlisted in a massive botnet that helped take down DNS provider Dyn, resulting in massive outages. More recently, hacking crews such as the China-backed actor Volt Typhoon have aggressively targeted IoT devices like end-of-life broadband routers and IP cameras to build out attack platforms like the KV-Botnet, which have then been used to conduct both disruptive and espionage-focused campaigns against telecommunications networks and critical infrastructure.

A popular target in those Volt Typhoon campaigns: Axis IP cameras – commercial-grade devices manufactured by Sweden-based Axis Communications, a key supplier of IP cameras to Western governments and economies that have grown wary of buying hardware from Chinese firms.

Why Axis? In this podcast interview recorded at this year’s Black Hat Briefings in Las Vegas, Nevada, I speak with Noam Moshe, a lead vulnerability researcher at Claroty Inc and the lead for Claroty’s Team 82.

Noam Moshe, Claroty Team 82

In this conversation, Noam and I discuss findings from research he did on Axis IP cameras and that he presented at Black Hat. That included serious vulnerabilities discovered in a proprietary Axis communication protocol. Noam and I also discuss the implications of “black box” IoT devices and the security risks lurking in their software for organizations and the broader cybersecurity landscape.

Phish where the fish are

Noam told me his research into Axis IP cameras was inspired by their prevalence in sensitive environments and by the significant impact that exploited camera vulnerabilities have had in the past. Axis, a leading brand in IP cameras and video surveillance, sees extensive use in part because Western governments and institutions have restricted the purchase of Chinese-made devices. As a result, Axis’s dominance in the market makes it a vital subject for security research.

Noam’s approach involved examining heavily used Axis devices for vulnerabilities that malicious actors could exploit. As part of that research, Noam and his team uncovered significant vulnerabilities in the Axis .remoting protocol, a proprietary protocol used by the Axis servers that manage fleets of such cameras.

Dragons Be There! The Axis .Remoting Protocol

Specifically, the Axis .remoting protocol facilitates remote procedure calls, allowing clients to invoke functionality on servers. Noam explained that while handling basic primitives (strings, integers and the like) poses little security risk, complications arise when complex types and classes must be serialized and deserialized. Noam discovered that, by exploiting deserialization in the protocol, attackers could control which classes the Axis server instantiates, potentially leading to code execution. To demonstrate an attack, Noam employed “man-in-the-middle” strategies, allowing interception and decryption of communications and thereby revealing the data flows and vulnerabilities within the protocol. Despite the encryption, Axis’s use of custom, proprietary protocols and the lack of outside security scrutiny meant these vulnerabilities went undetected for years, Noam said.
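The deserialization problem Noam describes, as an added illustration written for this post (it is not Axis’s code and not the actual .remoting wire format): a hypothetical .NET RPC dispatcher that lets the client name the class to build, next to the same dispatcher with the argument type fixed per method. The envelope format, method names and request types are constructed for the example; the `LogOnAsync` name echoes the function Noam mentions in the interview.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;

// Request types the RPC layer legitimately accepts (constructed for this example).
public sealed class LogOnRequest { public string User { get; set; } = ""; }
public sealed class ListCamerasRequest { public int Page { get; set; } }

// Hypothetical wire envelope: the method to invoke, the type name the *sender*
// claims for the argument, and the argument body itself.
public sealed class Envelope
{
    public string Method { get; set; } = "";
    public string ArgType { get; set; } = "";
    public JsonElement Arg { get; set; }
}

public static class RpcDispatcher
{
    // VULNERABLE: the client names the type to instantiate. Any loadable type with a
    // parameterless constructor and settable properties gets materialised on the
    // server, which is the shape of bug the text describes (the client decides the class).
    public static object DeserializeArgUnsafe(Envelope env)
    {
        Type argType = Type.GetType(env.ArgType, throwOnError: true)!;
        return JsonSerializer.Deserialize(env.Arg.GetRawText(), argType)!;
    }

    // HARDENED: the server fixes which type each method takes. The wire's type name
    // is ignored, and an unknown method is rejected before any object is constructed.
    private static readonly Dictionary<string, Type> ArgTypeByMethod = new()
    {
        ["LogOnAsync"]  = typeof(LogOnRequest),
        ["ListCameras"] = typeof(ListCamerasRequest),
    };

    public static object DeserializeArgSafe(Envelope env)
    {
        if (!ArgTypeByMethod.TryGetValue(env.Method, out Type? argType))
            throw new InvalidOperationException($"unknown method: {env.Method}");
        return JsonSerializer.Deserialize(env.Arg.GetRawText(), argType)
            ?? throw new InvalidOperationException("argument must not be null");
    }

    public static void Main()
    {
        // Constructed request: a harmless mismatch between the claimed type and the
        // method, enough to show that the unsafe path honours the client's choice.
        const string wire =
            "{\"Method\":\"ListCameras\",\"ArgType\":\"System.Text.StringBuilder\",\"Arg\":{\"Page\":2}}";
        Envelope env = JsonSerializer.Deserialize<Envelope>(wire)!;

        Console.WriteLine("unsafe path built: " + DeserializeArgUnsafe(env).GetType().FullName);
        Console.WriteLine("safe path built:   " + DeserializeArgSafe(env).GetType().FullName);
    }
}
```

The defensive point is the second function: the set of types that can exist on the server is decided by server code, never by bytes on the wire, which is the property the vulnerable protocol lacked.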

Axis’s Response

Upon discovery, Noam’s team responsibly disclosed these vulnerabilities to Axis. The company responded in a timely manner, issuing patches for the discovered flaws.

In our talk, we discussed the growing security awareness among device makers like Axis, which has a formal disclosure process and easy-to-access resources for independent researchers like Noam. And we talked about the broader need for industry to embrace responsible disclosure and transparency in addressing vulnerabilities.

Security Measures for Organizations

And, while Axis’s response to the Claroty research checks all the boxes, Noam’s discoveries raise the age-old question of what follows: whether organizations using Axis products will actually apply the patches promptly. Even with Axis urging its customers to update their systems, many devices may remain exposed if users do not heed these warnings and apply the necessary updates. Finally, Noam and I talk about how organizations integrating IP cameras and other IoT devices into their IT infrastructure should respond to disclosures like those in his Black Hat presentation.

According to Noam, it is crucial that organizations understand and mitigate the cybersecurity risks these devices introduce. He suggests several layers of defense. Among them:

  1. Risk Assessment and Mitigation: Recognizing the inherent risks in internet-exposed servers and services enables organizations to devise ways to limit exposure, such as using VPNs or segmenting sensitive networks.
  2. Network Hygiene and Segmentation: Implementing least privilege access and ensuring robust network segmentation can help isolate compromised devices and contain potential breaches.
  3. Visibility and Traffic Analysis: Organizations should prioritize network traffic analysis, turning unknown threat vectors into known entities to mitigate vulnerabilities proactively.

Conclusion

Research like Noam’s is invaluable. Absent the (pro bono) work of researchers like him, it is likely that serious security flaws like those he discovered in the .remoting protocol would remain undiscovered – at least by the “good guys.” If nothing else, Noam’s work and his talk at Black Hat highlighted the critical need for continuous security assessment and proactive response to emerging vulnerabilities. As the Internet of Things (IoT) proliferates, understanding and addressing the risks inherent in these technologies will be critical to efforts to safeguard sensitive data and critical infrastructure globally. Through diligent research and awareness, the cybersecurity community can continue to push for more secure and resilient technological ecosystems.

Video

https://www.youtube.com/watch?v=81hOHTBgavk

Transcript

Noam Moshe, Claroty: So my name is Noam Moshe. I am the team lead for Claroty Team 82, and the lead vulnerability researcher.

Paul Roberts (Editor, Security Ledger): And Noam, thanks for taking the time to speak to me. We’re here at the Black Hat briefings in Las Vegas. How’s the show been for you?

Noam Moshe, Claroty: Ooh, it’s been busy. I’ve met a lot of cool people. I love attending Black Hat and speaking at Black Hat.

Paul Roberts (Editor, Security Ledger): Yeah.

Noam Moshe, Claroty: It’s an awesome community and I’m looking forward to Defcon, which is similar but with a twist.

Paul Roberts (Editor, Security Ledger): Are you doing a talk at Defcon?

Noam Moshe, Claroty: Yeah. Also on the Axis research.

Paul Roberts (Editor, Security Ledger): So really interesting research that you published into exploitable remotely exploitable vulnerabilities in Axis IP cameras…

Noam Moshe, Claroty: We do what we [00:01:00] call XIoT protection or CPS protection. Yeah. Essentially anything that is not a Windows computer… and we do see a lot of Windows. I can tell you, like when you’re talking about engineering workstations and stuff, you see a lot of Windows, especially in medical. But essentially we try and take a look at any sort of device that could be used by attackers to cause some physical damage and attack the CPS ecosystem.

And specifically in Axis, we have it in both ways. First of all, it’s an IoT device. We see it a lot in a lot of sensitive information. Of course, it can be used for espionage. We see it more and more in the Volt Typhoon, Salt Typhoon, IOCONTROL – attackers taking a look at IoT devices as a pivot point and to stay undetected in networks.

So it is very present in the world of CPS and critical infrastructure. In digital, it’s a classic IoT device, right? A machine and half black box that you are [00:02:00] unaware what’s going on in it, right? What’s sitting on it, and how it can be used to attack your networks.

Paul Roberts (Editor, Security Ledger): Historically, the InfoSec industry has been very focused on Windows software and Windows-dominated networks. But as you point out, there are more and more devices, non-traditional endpoints, that are showing up in these environments, and many of them are not running Windows. They’re running embedded Linux or what have you.

Noam Moshe, Claroty: Exactly. They’re the underbelly of our networks. They are hidden, unprotected, black boxes. We have no idea what’s going on. And many times attackers are using these devices to stay undetected in the networks and move laterally. And I believe it’s one of the more interesting attack surfaces that we see being exploited more and more today.

Paul Roberts (Editor, Security Ledger): Now with Axis, we know like the KV botnet was compromising Axis… or is? was? compromising Axis IP cameras. This was the one that was used [00:03:00] by Volt Typhoon or Salt Typhoon… can’t remember which one… for attacks on communications infrastructure and stuff like that. Is that just a reflection of the fact that Axis cameras are pretty common? There are a lot of ’em out there in sensitive environments?

Noam Moshe, Claroty: Exactly. Axis is a leading brand in the world of IP cameras and video surveillance. And we do see fewer and fewer players in that field. More countries, Western countries, began banning usage of Chinese devices, right?

In government, institution, medical, all of that sort. And this leaves the consumer with less options to pick from. And this is why we see such a big player, such as Axis being heavily used in various industries.

Paul Roberts (Editor, Security Ledger): So Swedish company. Solidly Western European and obviously make good hardware…

Noam Moshe, Claroty: A very, very big presence in the United States. Of the servers we saw on the internet for one installation type, 6,500 in total, 4,000 [00:04:00] were in the United States.

Paul Roberts (Editor, Security Ledger): Wow.

Noam Moshe, Claroty: So we can see them dominating the United States.

Paul Roberts (Editor, Security Ledger): So talk a little bit about how you, what got you digging into the Axis software and looking for vulnerabilities. What was it that prompted that?

Noam Moshe, Claroty: So in general, we try and take apart heavily used devices that could be exploited by attackers. And this was what led us down the Axis rabbit hole. More specifically, one of the things I love the most when researching and finding vulnerabilities in IoT devices is looking for centralized servers.

Essentially one server that controls a whole fleet of devices. Because by exploiting this one specific server, you are able to pivot, move laterally and basically take control over a huge fleet, which could be composed of thousands or tens of thousands of devices.

And this is exactly the example. We managed to uncover vulnerabilities in the Axis .remoting [00:05:00] proprietary protocol that is used by Axis servers. These servers manage Axis cameras and allow you to basically control your fleet, change configuration, modify framework settings, backups, and of course, the main use case is consuming video feeds.

And by uncovering the vulnerabilities in the centralized servers, an attacker is able to pivot to all managed IP cameras, which is such a huge impact.

Paul Roberts (Editor, Security Ledger): It gives you an eye into that company, right? That organization and a lot…

Noam Moshe, Claroty: An eye, and the ability to control it. You are not only able to espionage and leak data. You are also able to alter data. Think, one of the things I wanted to do in this research is like a James Bond hack: hacking an IP camera and replaying an old video.

Paul Roberts (Editor, Security Ledger): Send somebody in, but then cut out that video. Exactly. So that they’ve disappeared from…

Noam Moshe, Claroty: Yeah. Basically a secret agent.

Paul Roberts (Editor, Security Ledger): An Ocean’s 11 type of thing?

Noam Moshe, Claroty: Exactly. And I do believe, like this is completely doable by polling and [00:06:00] centralized servers.

Paul Roberts (Editor, Security Ledger): Yeah. So this custom protocol, how common is it that a hardware vendor will have their own protocol for their, client server interactions?

Noam Moshe, Claroty: In the world of industrial controls, this is super common. If you’re looking at the main vendors and essentially every vendor in that landscape, you see them implementing a proprietary protocol, undocumented and like super closed source, that is used to communicate between their products. So it is very common. We do see it a lot. And essentially this closed system enables researchers to try and dissect and understand and analyze the protocol and in the process uncover vulnerabilities that could affect a wide range of devices in that line of work that use this protocol.

Paul Roberts (Editor, Security Ledger): Is the use of custom proprietary protocols because of the demands of these deployments? Or do you [00:07:00] think it’s a “security through obscurity” type play where ‘if we have our own protocol and we don’t document it, then people aren’t gonna be able to hack it because they don’t know how it works’?

Noam Moshe, Claroty: So it’s a bit of both. And in addition to that, simply every vendor trying to build their own ecosystem essentially, not only locking you…

Paul Roberts (Editor, Security Ledger): A “walled garden.”

Noam Moshe, Claroty: Exactly, yeah. And you wanna be able to control everything that talks to your devices. The easiest way is to build your own protocol. And we do see a lot of these protocols being used, these proprietary protocols and personally like this is one of my favorite things to do is analyzing, uncovering and wrapping and having good understanding of these proprietary protocols.

Paul Roberts (Editor, Security Ledger): So literally for this protocol, there was no documentation? There’s nothing you could refer to, to help understand.

Noam Moshe, Claroty: Yeah. And in addition to that, the entire protocol was fully encrypted using mTLS. Meaning essentially you had no easy way of knowing what’s going on under the hood. Without [00:08:00] actually researching the protocol, you would never know what’s going on under the hood and what kind of messages are being sent between the client and the server.

And this was exactly the starting point of my research. I wanted to be able to sniff and see clear-text packets of the Axis .remoting protocol. At this point, I didn’t even know the name of the Axis protocol…

Paul Roberts (Editor, Security Ledger): As a security researcher, when you see them encrypting that protocol and, using a custom protocol in your mind, is that ” Ooh! I bet, there are some interesting things going on there.” Or does it like…

Noam Moshe, Claroty: So it’s obviously better than not encrypting anything at all. Especially because this protocol is supposed to be used over different networks, essentially bridging two networks. And because of that, it was essential to use encryption. But many times people hear “encryption” and see “security,” and this couldn’t be further from the truth, because encrypting a protocol does not make it secure. And…

Paul Roberts (Editor, Security Ledger): As you showed in your research.

Noam Moshe, Claroty: [00:09:00] Yeah, of course. And just because the protocol uses encryption does not mean it is secure. It might make researching the protocol a bit harder. And I do believe this is one of the reasons why these vulnerabilities went uncovered for so many years. Yeah. Because the Axis .remoting protocol is not new at all. It was used in Axis devices for years and years, and only now we were able, like the security community, were able to uncover it. And the reason for that was A: the protocol is fully encrypted, so no one was able to glimpse the protocol, and B: it was a lot of researching this proprietary protocol. And this was one of the reasons why it went unguarded.

Paul Roberts (Editor, Security Ledger): Talk about the vulnerabilities that you, so you were basically able, just for the listeners, you basically set up a man in the middle attack to intercept the communications between the server and the Axis cameras and decrypt them and analyze the [00:10:00] communications. Talk about what you found when you did that.

Noam Moshe, Claroty: Essentially, the Axis .remoting is an RPC (remote procedure call) protocol. It enables the client to invoke some kind of functionality on the server. Let’s say, for example, you want to log in, then you invoke the log on async function. Or if you wanna list cameras, you can invoke that specific function that handles it. The problem is when more complicated types are needed for different functionality. The entire application was written in native .NET, meaning it’s not browser based. And the entire RPC was using serialization to basically send serialized objects over the wire.

And when we’re talking about primitives, like strings, integers, stuff of that sort, that’s no problem at all. I can send you a string or an integer and nothing will happen, right? But sometimes more complicated types should be used, which are classes. And this introduces the process of [00:11:00] serialization and deserialization, essentially taking an in-memory class in the server or the client and transforming it to a byte representation on strings or objects.

And that way I’m able to pass along classes between different processes, different computers, over the wire, you name it. And in .NET this could be, and in general, even this is a serious security concern because, if it enables the client to decide what kind of classes will be created on the server’s backend, it could lead to unexpected results, side effects, and – many times – to code execution.

Paul Roberts (Editor, Security Ledger): Malware.

Noam Moshe, Claroty: Exactly. You essentially create your own class you control on the server, not something the server intended to actually have. And this was the first vulnerability we found, that deserialization vulnerability in the Axis .remoting protocol. Now this in .NET enables immediate code execution once you know how to communicate with the protocol.

And then [00:12:00] we developed two approaches to full exploitation. The first one is via “man in the middle,” which is limited because it requires user interaction. It requires the man-in-the-middle setup. And the second one is full pre-auth. No prior knowledge, no credentials. All you need to do is to be able to connect to a server and you are able to fully execute code on the server’s backend.

Paul Roberts (Editor, Security Ledger): And would these servers be publicly accessible generally?

Noam Moshe, Claroty: So when we’re talking about IP cameras for organizations, we’re not talking about 1, 2, 3 cameras. Big organizations have hundreds, thousands, or like many different physical sites, and somehow you need to connect them remotely. And you wanna be able to monitor, view, consume the feed. See that everything’s okay remotely.

And for that you need to have remote access. And because of that and because the Axis .remoting protocol is fully encrypted, fully authenticated, many users do expose it to the internet and even it’s stated by [00:13:00] Axis that if you want to have remote access…

Paul Roberts (Editor, Security Ledger): It’s like a VPN servers.

Noam Moshe, Claroty: Exactly right. A VPN server requires authentication. This is fully encrypted. That’s why we allow ourselves to expose it to the internet. And because of that we see many servers. And once again, this is like a server that manages thousands of cameras.

So it’s not only one device. It could basically compromise an entire company. And we see thousands and thousands of different servers exposed online, mostly in Western countries, mostly in the U.S.

Paul Roberts (Editor, Security Ledger): So you discovered these vulnerabilities, obviously you reported them to Axis. Axis has issued patches for them. How would an attack play out? What would…

Noam Moshe, Claroty: So the only thing that’s needed by an attacker is to be able to access the port – the communication port for the Axis .remoting, which should be forwarded in the firewall if you wanna expose this service.

So in order to exploit the attack, we discovered like you need to chain a few different vulnerabilities. The core one is [00:14:00] the deserialization vulnerability: once you are able to send Axis .remoting packets, you are able to cause deserialization and execute code on the server’s end. The issue was – for us as researchers – that in order to communicate in Axis .remoting, you need to pass an NTLMSSP challenge response. Essentially requiring full authentication to start communicating with a server. This meant that the vulnerability could not be exploited pre-auth, and instead you need to have valid credentials on the server’s host.

Now we managed to bypass this requirement by exploiting vulnerabilities in a fallback port. Essentially, if the main port is inaccessible to the client, they use a different port, which uses a little bit of a different protocol. This protocol is implemented not via mTLS, but instead over, once again, a very proprietary protocol over HTTP, which is…

Paul Roberts (Editor, Security Ledger): Axis protocol.

Noam Moshe, Claroty: Yeah. However, behind the scenes it uses the [00:15:00] same Axis .remoting primitives. And it is also susceptible to the same vulnerability. And in this fallback protocol, we managed to find like an alternate path that enabled us to bypass the authentication requirement, allowing us to start speaking in Axis .remoting and exploit the server.

So to answer your question on attack, what you need to do is to use this protocol, to know how to start talking with a server, use the alternate path, begin the entire handshake, which is a complicated process. You can read more about it in the blog or the slides. And then once you’re able to send Axis packets, Axis .remoting packets, you can send a malicious packet to the server.

Paul Roberts (Editor, Security Ledger): So you can, you would, you can take over the control server. And then also, as I understand it, the client software as well, which is used more for individual users to view Axis streams on the camera.

Noam Moshe, Claroty: So if we’re talking about the first attack scenario we proposed, of man in the middle, because both the client and the server use the same libraries for the Axis .remoting protocol [00:16:00] stack, they are both susceptible to the deserialization vulnerability, meaning if you’re in the middle of the connection, you are able to attack the server and you’re able to also attack the client, essentially attacking both ends.

And to make matters worse, once you control the server, you are able to use legitimate features in order to actually exploit the cameras it manages. Exactly right. At the end of the day, Axis supports something that’s called packages.

It enables administrators to modify the behavior of the cameras, and you are able to either get Axis-approved packages, community-built ones, or build your own using the Axis SDK. So once you control the server, the management server, you are able to infect all the cameras it manages with a malicious package, gaining full control over them as well.

So we are able to exploit the client, the server, and all the cameras.

Paul Roberts (Editor, Security Ledger): And in your experience, would organizations that have Axis cameras or something [00:17:00] like them deployed, are they looking for unusual… Are they monitoring traffic between the control servers and the cameras to look for, oh, hey, that’s a package. Like we don’t recognize that package.

Noam Moshe, Claroty: So it is legitimate traffic at the end of the day. The difference between adding a package and, let’s say, changing a configuration or even doing a backup is very minor. At the end of the day, the only difference is the API that you use in the HTTP web request to the camera.

Paul Roberts (Editor, Security Ledger): Hard to monitor for.

Noam Moshe, Claroty: Very hard to monitor. Yeah. You need to be very fine-grained, very knowledgeable of the Axis ecosystem, and I do not believe organizations monitor it. In addition to that, because Axis cameras are IP cameras, IoT devices, there’s obviously, in almost all cases, no antivirus or anything that enables you to actually log the camera itself.

Paul Roberts (Editor, Security Ledger): They’re resource constrained. Yeah.

Noam Moshe, Claroty: Low-level devices. Devices using Axis OS – Linux-based, but still very limited.

Paul Roberts (Editor, Security Ledger): We think about cameras, obviously, they allow surveillance of an [00:18:00] organization that’s very valuable for, let’s say, a state-sponsored actor. But with KV Botnet and others, we realized also that they could be used potentially for other types of password-spraying attacks or enrolled in botnets and so on.

Noam Moshe, Claroty: And also deploying ransomware – an attacker could use the camera as a pivot point into different networks and different segments of the network.

Paul Roberts (Editor, Security Ledger): What’s your take? Do most organizations have the IP cameras kind of air gap from the rest of their network or…

Noam Moshe, Claroty: So it really depends. Yeah. If you’re talking like a BMS device, yeah, like management, it might be in the entire BMS LAN. And that way it exposes additional resources for attackers to take over. It really goes like case by case.

Paul Roberts (Editor, Security Ledger): Reading your research and understanding the sort of, it’s, it seems like the Axis control server and infrastructure really is reliant on like active directory and kind of Windows infrastructure. Exactly.

Noam Moshe, Claroty: It is a Windows machine. It is a software-based server that is using a [00:19:00] Windows .NET application. At the end of the day, it’s a Windows server, right? That’s all it is. So it could be located in your servers’ VLAN. The cameras could be located in, yeah, in many VLANs, because at the end of the day, you have thousands of cameras. Different physical locations, different offices, layers, floors, you name it.

Paul Roberts (Editor, Security Ledger): Okay, here are the tough questions. What was the response of Axis when you contacted them about these and what do we, what should we under? So they’ve issued patches for these vulnerabilities but is for most of their customers, is it clear that they will have applied the patches or is it possible that many of these systems will continue to go unpatched?

Noam Moshe, Claroty: So let me start by talking about the disclosure process. We’ve contacted Axis directly. Yeah. And they were super responsive and it was a great responsible disclosure process. I’ve disclosed vulnerabilities to probably a hundred brands over the last five years, and Axis was [00:20:00] one of the better ones.

Paul Roberts (Editor, Security Ledger): Had a clear portal…

Noam Moshe, Claroty: Had a clear portal, had a clear endpoint, contact information, and more importantly, super responsive, super proactive, making sure their devices are protected. And I can tell you that after we gave them our report, it took between a few weeks and a few months.

It depends on the specific vulnerability because some were tougher to solve, but they made patches as soon as possible and pushed their clients to update it.

Paul Roberts (Editor, Security Ledger): Does Axis have a bug bounty program?

Noam Moshe, Claroty: They do. They do. They do.

Paul Roberts (Editor, Security Ledger): Did you get a bounty?

Noam Moshe, Claroty: We do not. We do it pro bono. This is not a service we sell. We do the entire vulnerability research as an open source, fully free of charge with the goal of helping improve security.

Paul Roberts (Editor, Security Ledger): Okay. So is there, like, auto-update type functionality?

Noam Moshe, Claroty: So it’s not auto-update, but it does pop up like, “Hey, there’s a major security update. Please update.” And because it’s a Windows server, and it’s not like an industrial environment, [00:21:00] it is easier for users to update. Kudos and credit where credit is due: super responsible. At the end of the day, there’s almost no device or software product that has no vulnerabilities.

The only question is how much time- which translates to money- you put in as a researcher. So I do believe that everything has vulnerabilities in it. And me personally, when I look for brands, I look for brands that researchers already took a look at. Because it means they, they cover their bases. So when it’s not black mark on their yard, and they were super professional into fixing them in regards to patching, then yeah. It is not like industrial low level device. It’s a Windows server that enables you to automatically update it. So we do believe that if all customers (should have) a few months to patch. We do not talk about the technical details before giving the customers enough time to patch. And we do urge them as [00:22:00] an Axis to patch and make sure they are more protected.

Paul Roberts (Editor, Security Ledger): Should we be concerned that it took you to find this vulnerability in their custom protocol that’s been in their product for many years? That they weren’t doing the type of research you are doing internally to find it themselves?

Noam Moshe, Claroty: So not necessarily, because at the end of the day, like I’ve said, everything has vulnerabilities.

And even after I’ve taken a look at it, I’m sure another researcher can put in the time and find more vulnerabilities. And when talking about security matureness. I believe the best practice is how companies actually handle responsible exposure from the community. Because no matter how much time, effort, money, like dedicated people they put in place to make sure that their devices are protected still the security research community, which I do believe are, is a great community, will have findings and the best [00:23:00] way, and we do see like in general, the entire industry adopting it is to have responsible disclosure policies, endpoints, portals, front door contacts. Yeah. And have a way for a security researcher to contact and responsibly disclose vulnerabilities. And I can tell you that if five years ago it was very rare and we almost saw none of the companies using it, we now see more and more companies using it. Having a dedicated team that handles these reports. And I do think this is the right direction. And we do see the community moving forward.

Paul Roberts (Editor, Security Ledger): When you read your research report, some of the things, some of the concerns are it seems like the infrastructure of these camera networks is a little bit loose, like self-signed certificates, and you, it was very easy for you to construct a man-in-the-middle attack that presumably a malicious actor could construct as well, and so on.

Do you think Axis and other IP camera makers need to take [00:24:00] a harder look at closing down some of those open doors for malicious actors? So maybe stop using self-signed certificates to make man-in-the-middle attacks harder to carry out.

Noam Moshe, Claroty: Exactly. So I think the community is moving in that direction and we see more and more companies implementing full on PKIs enabling users to stay fully protected.

And to actually be able to trust all the moving parts in the networks, and we see it even in industrial devices that are now beginning to implement full PKIs. And I do believe this is the correct way to be able to approach things. There is fallback, like from a usability point of view, it makes it harder for a user to easily jump in and configure a new camera. But I do believe it’s needed and worth the hassle for a user.

Paul Roberts (Editor, Security Ledger): Okay. Final question is for the many organizations that are using IP cameras to monitor their facilities and so on, they’re not gonna be able to [00:25:00] hire somebody like you to come in and pen test the system. What might they do to limit their exposure or the risk of a vulnerability like this?

Noam Moshe, Claroty: So I think it’s twofold. First, you need to understand the risk. If you expose a server, expose a service, expose anything to the internet, you put risk on yourself. And when you understand the risk, you’re able to take a secure assessment and be able to mitigate as much as possible.

If it means using a VPN or even saying, yeah, I do understand that I’m putting this specific Windows machine at risk and I’ll do my best to limit it in case it gets exploited. So the first thing is understanding the risk and working to mitigate and reduce it as much as possible. The second thing is having proper network hygiene and segmentation.

Meaning if a device, if a server device, IP camera [00:26:00] does get exploited and does get remote code execution by a threat actor, we need to be able to close it as much as possible, be able to know what kind of access it has in the network and have a “least privilege” kind of access. And of course have visibility in network traffic analysis and, to be able to understand what is happening in our networks, we need to essentially bring this undervalued blind spot into the spotlight and be able to understand what’s going on.

Paul Roberts (Editor, Security Ledger): Really good, really really interesting research.

Noam Moshe, Claroty: Thank you.

Paul Roberts (Editor, Security Ledger): Thank you so much for coming in and talking to us on Security Ledger Podcast.

Noam Moshe, Claroty: Thank you.
