Avtech devices multiple vulnerabilities
Updates to the original advisory
SEARCH-LAB published the following advisory about multiple vulnerabilities in Avtech devices on 11th October 2016.
Following the publication of the advisory, several actions have been taken to remediate the case:
- 2016.10.14: AVTECH made contact with SEARCH-LAB and asked for suggestions on how to mitigate the vulnerabilities found
- 2016.10.28: AVTECH and SEARCH-LAB signed a Non-Disclosure Agreement to clarify the conditions of further information disclosure
- 2016.10.28: SEARCH-LAB removed the proof-of-concept video in order to make it harder for adversaries to exploit the published vulnerabilities
- 2016.01.09: AVTECH released several firmware updates for the affected devices
- 2017.01.25: AVTECH asked SEARCH-LAB to double-check whether the fixes duly solved the reported issues
- 2017.03.03: SEARCH-LAB sent a detailed report to AVTECH
- 2017.03.21: Publication of this update. AVTECH and SEARCH-LAB are working together to improve the security of AVTECH devices.
- Every Avtech device (IP camera, NVR, DVR) and firmware version.  contains the list of confirmed firmware versions, which are affected.
- Product page: http://www.avtech.com.tw/
“AVTECH, founded in 1996, is one of the world’s leading CCTV manufacturers. With stably increasing revenue and practical business running philosophy, AVTECH has been ranked as the largest public-listed company among the Taiwan surveillance industry. AVTECH makes every effort on the innovation of technology, product and implementation. Based on years of research and industry experience, AVTECH has obtained a leading position on mobile platform support and provides a full range of surveillance products.”
- 2015.10.19: First attempt to contact Avtech, but we did not receive any response
- 2016.05.24: Second attempt to contact Avtech without any response
- 2016.05.27: Third attempt to contact Avtech by sending e-mail to public Avtech e-mail addresses. We did not receive any response.
- 2016.09.10: Fourth attempt to contact Avtech without any response
- 2016.10.11: Full disclosure
Please consult the AVTECH homepage for firmware updates. In the meantime, you should take the following steps to protect your device:
- Change the default admin password
- Operate your devices behind a firewall
These vulnerabilities were discovered and researched by Gergely Eberhardt from SEARCH-LAB Ltd. (www.search-lab.hu)