Cyber Security Penetration Test Report

Hanwha Vision Network Camera

September, 2024

Background

Hanwha Vision has performed penetration tests on its products through trusted third-party white hackers. These hackers utilize professional diagnostic techniques and hacking tools. Hanwha Vision believes this activity enhances product security and expects that disclosing the processes and results will build customer trust.

Testing Purpose

Penetration testing is conducted for various reasons, including:

Preventing vulnerabilities that could lead to serious personal information leakage, particularly relevant for surveillance equipment.
Identifying vulnerabilities inadvertently introduced during development, such as from source code changes or platform upgrades.
Demonstrating a commitment to product security from a customer's perspective, fostering trust in the protection of private information and control systems.
Proactively assessing for emerging or newly discovered vulnerabilities that may not be widely published.

For more robust testing, Hanwha Vision collaborates with trusted third-party security agencies.

About STEALIEN

STEALIEN specializes in analyzing vulnerabilities across various service environments, including web, mobile, IoT, and cloud services. They create realistic threat scenarios and suggest appropriate countermeasures. STEALIEN has won international hacking competitions like CodeGate and DefCon and has experience identifying vulnerabilities in products from global vendors such as Windows Kernel, Google Chrome, Adobe, and VMware. STEALIEN has a strong relationship with Hanwha Vision and conducted this penetration test.

Testing Target and Scope

Penetration tests were conducted on network cameras in the X.XY.YY format from June 12, 2023, to August 4, 2023, by six vulnerability researchers. Further tests on cameras in the XX.XY.YY format were performed from September 18, 2023, to October 27, 2023, by five vulnerability researchers. Hanwha Vision network cameras utilize different software platforms depending on the version type, but cameras of the same type are guaranteed to operate consistently.

Target Network Camera #1

Version types: X.XY.YY
Targeting firmware: 2.XY.YY

Target Network Camera #2

Version types: XX.XY.YY
Targeting firmware: 23.XY.YY

The testing covered the camera's system and services, network, and security functions. This included:

Device System: OS, firmware, and root file system.
Device Built-In Service: http/s, rtp/rtsp, onvif, ntp, upnp, and running environment.
Security Features: secure boot, secure update, digital signature, authentication, secure communication, and secure storage of sensitive information.

Testing Methods

Testing was performed using STEALIEN's standard black box security assessment methodology and techniques, including:

System and Firmware Test: firmware forgery, memory corruption, memory leak, denial of service, reverse engineering of firmware.
Network Test: packet replay, sniffing, spoofing, and forgery.
Web Application Test: file download/upload, XSS/CSRF, directory listing/traversal, SQL injection, parameter injection.
Security Features Test: authentication bypass/forgery, privilege escalation, secure boot/update, cipher key cracking, decrypting cipher text, inferring hashed plain text.
Others: hardware debug port access, known open-source vulnerability attacks.

Summary of Findings

Target Network Camera #1 (X.XY.YY format, firmware 2.XY.YY)

User input validation and memory protection techniques are well-applied, effectively responding to memory-based attacks. Attack codes are filtered by data validation logic, neutralizing many attack techniques. Security functions like encryption are appropriately implemented in firmware, communication, authentication, and video transmission/reception. A misconfiguration in the boot stage allowed acquisition of a UART shell.

Vulnerability Category	CRITICAL	HIGH	MEDIUM	LOW
Insecure Authentication and Access Control
Insecure Network Interface
Insecure Privilege Management			1
Insufficient Privacy Protection
Insecure Data Transfer and Storage
Insecure Default Settings
Lack of Physical Hardening			1
Weak Guessable, or Hardcoded Passwords
Use of a Broken or Risky Cryptographic Algorithm
Exposure of sensitive information

Target Network Camera #2 (XX.XY.YY format, firmware 23.XY.YY)

Firmware file protection, including digital signature, secure boot, and firmware encryption, is excellent. Hardware debug physical ports are access-controlled. Input value validations are generally well-implemented, protecting against memory-based attacks like Buffer Overflow. However, some web UI input sections had incorrect validation logic, and access to the hardware debug physical port was not fully controlled at the time of the firmware update.

Vulnerability Category	MEDIUM	LOW
Insecure Authentication and Access Control
Insecure Network Interface	1
Insecure Privilege Management	2
Insufficient Privacy Protection
Insecure Data Transfer and Storage
Insecure Default Settings
Lack of Physical Hardening	1
Weak Guessable, or Hardcoded Passwords
Use of a Broken or Risky Cryptographic Algorithm
Exposure of sensitive information		1

Mitigation

Hanwha Vision has addressed all identified vulnerabilities by updating the firmware for network cameras. Cameras in the X.XY.YY format received firmware updates in October 2023, and cameras in the XX.XY.YY format received updates in November 2023. These firmware updates are available for download from the Hanwha Vision homepage. It is recommended to always use the latest available firmware version for your camera.

The model names of the enhanced cameras are listed below:

Model List	Model List	Model List	Model List
PNO-A9311R	TNO-L4040T	XNV-8030R	XNP-6400R
PNM-C7083RVD	TNO-L4050T	XNV-8040R	XNP-6400
PNM-C12083RVD	TNS-9050IBC	KND-5080RN	XNP-9300RW
PNM-C9022RV	TNV-C8011RW	XND-8080R	XNP-8300RW
PNM-7002VD	XNV-9083RZ	XND-8080RV	XNP-6400RW
PNM-8082VT	XNV-8083RZ	XND-8080RW	TNV-C7013RC
PNM-9000QB	XNV-8083Z	XNV-8080R	XNP-C6403
PNM-9002VQ	XNV-6083RZ	XNV-8080RS	XNP-C6403R
PNM-9022V	XNV-6083Z	XNV-8080RSA	XNP-C6403RW
PNM-9031RV	XNB-6002	XNV-8080RW	XNP-C8253
PNM-9084QZ	KNB-2000	XNV-9083R	XNP-C8253R
PNM-9084RQZ	XNB-6000	XNV-8093R	XNP-C8303RW
PNM-9085RQZ	KNO-2080RN	XNV-8083R	XNP-C9253
PNM-9084QZ1	XNO-6080R	XND-9083RV	XNP-C9253R
PNM-9084RQZ1	XNO-6080RA	XND-8093RV	XNP-C9303RW
PNM-9085RQZ1	XNO-6080RS	XND-8083RV	XNO-6123R
PNM-9322VQP	KNB-5000N	XNO-9083R	XNV-6123R
PND-A9081RV	KNO-5080RN	XNO-8083R	XNB-8002
PND-A9081RF	XNB-8000	XNB-9003	XNB-9002
PNO-A9081R	XNO-8080R	XNB-8003	XND-8082RF
PNV-A9081R	XNO-8080RW	XND-C6083RV	XND-8082RV
QNV-6012RG	XND-6080	XND-C7083RV	XND-9082RF
TNO-7180RLP	XND-K6080N	XNV-C6083R	XND-9082RV
XNB-6001	KND-2080RN	XNV-C7083R	XNO-8082R
XNP-9300RWG	XND-6080R	XNO-C6083R	XNO-9082R
XNP-8300RWG	XND-6080RW	XNO-C7083R	XNV-8082R
XNP-6400RWG	XND-6080RV	XNV-C6083	XNV-9082R
QNV-C9083R	XND-6080V	XND-C8083RV	PNO-A9311RLP
QNO-C9083R	XNV-6080	XND-C9083RV	QNE-C8013RL
QNV-C8083R	XNV-6080R	XNV-C8083R	QNE-C9013RL
QNO-C8083R	XNV-6080RW	XNV-C9083R	QNV-C8011RMG
QNV-C9011R	XNV-6080RS	XNO-C8083R	TNM-C3620TDR
QNV-C8011R	XNV-6080RSA	XNO-C9083R	TNM-C3622TDR
QNV-C8012	XND-6083RV	XNF-9010RV	TNM-C4940TDR
KNO-5020RG	XNV-6083R	XNF-9010RVM	TNM-C4942TDR
XNV-8020RG	XNO-6083R	XNF-9010RS	TNO-C3010TRA
PNM-C16013RVQ	XNB-6003	XNF-9013RV	TNO-C3012TRA
PNV-A6081RE	KND-5020RN	KNO-5020RN	TNV-C7013RCG
XNO-8080RG	XND-8020R	XNO-8020R	XNP-C9303RWG
PNM-7082RVD	XND-8020RW	XNO-8030R	XNP-C9310R
PNM-12082RVD	XND-8030R	XNO-8040R	XNP-L6322RG
TNF-9010	XND-8040R	XNP-9250R	PNM-C16083RVQ
TNO-L4030TR	XNV-8020R	XNP-8250R	PNM-C32083RVQ
TNO-L4040TR	XNV-8020RMN	XNP-9250	PNM-C34404RQPZ
TNO-L4030T	XNV-8020RMP	XNP-8250	PNM-C32084RQZ
QNO-C6083R	QNV-C6083R	PNB-A9001LP

	CB Test Certificate for Hanwha Vision AI IR Vandal Dome Camera (XNV-A9084R) Official CB Test Certificate issued under the IECEE CB Scheme for Hanwha Vision's 8MP AI IR Vandal Dome Camera (XNV-A9084R) and related product variants, confirming conformity with ETSI-EN-303-645:2020.
	Hanwha Vision Network Camera User Manual Comprehensive user manual for Hanwha Vision Network Cameras, detailing installation, setup, network configuration, and troubleshooting for Vandal Dome, Indoor Dome, Bullet, and Box camera models.
	Hanwha Vision NDAA Compliant Product List - 4K Cameras & Up Explore the Hanwha Vision NDAA Compliant Product List, featuring a comprehensive range of 4K cameras and advanced surveillance solutions. This catalog details high-resolution cameras, NVRs, and accessories designed to meet stringent security and compliance requirements.
	Hanwha Vision 2025 2H Product Portfolio: Advanced Video Surveillance Solutions Explore the comprehensive 2025 2H Product Portfolio from Hanwha Vision, featuring cutting-edge AI cameras, PTZ, thermal, and fisheye solutions, alongside NVRs and access control systems for advanced video security.
	Hanwha Vision Network Camera User Manual: XNP-C9303RW, XNP-C8303RW, XNP-C6403RW This user manual provides comprehensive guidance for Hanwha Vision network cameras, including installation, network setup, web viewer access, and troubleshooting for models XNP-C9303RW, XNP-C8303RW, and XNP-C6403RW.
	Hanwha Vision SBP-156WMW Wall & Pole Mount Installation Guide This document provides installation instructions for the Hanwha Vision SBP-156WMW Wall & Pole Mount, a versatile accessory for WN7 Wiper IR PTZ cameras. It details product features, package contents, essential installation precautions, and step-by-step guides for mounting on walls and round pillars. Includes product specifications and overview.
	Hanwha Vision AI Cameras, NVRs, and Video Security Solutions Product Portfolio Comprehensive product catalog from Hanwha Vision, detailing AI cameras, Network Video Recorders (NVRs), and video security peripherals. Features include advanced analytics, cybersecurity, and detailed technical specifications for various models.
	AI Video Surveillance Solutions for Luxury Retailers \| Hanwha Vision Discover how Hanwha Vision's AI-powered video surveillance solutions enhance security, operational efficiency, and customer experience for luxury retailers, addressing threats and providing key business insights.