Most CCTV Systems Come With Trivial Exploits 89
An anonymous reader writes "The use of CCTV cameras for physical surveillance of all kinds of environments has become so pervasive that most of us don't give the devices a second thought anymore. But, those individuals and organizations who actually use and control them should be aware that most of them come with default settings that make them vulnerable to outside attacks. According to Gotham Digital Science researcher Justin Cacak, standalone CCTV video surveillance systems by MicroDigital, HIVISION, CTRing, and many other rebranded devices are not only shipped with remote access enabled by default, but also with preconfigured default accounts and passwords that are banal and easy to guess."
Are we surprised? (Score:2)
I mean, really? I guess when the designers think of Closed Circuit TV, they're thinking that extends to the management network too eh?
Re:Are we surprised? (Score:5, Insightful)
The professionals, with a legacy in CCTV-as-in-actual-closed-circuit-running-on-private-coax, probably have an attitude much as you describe. The classic CCTV systems were dumb as bricks(not that their designers necessarily were, making largely analog, reasonably high bandwidth systems actually work in practice isn't trivial); but that lack of sophistication served as a strong defense against anybody without a physical tap shoved right into the coax. You just don't develop a very strong culture of caring about remote exploits if your engineering history is almost entirely concerned with systems that are incapable of remote anything, whether you like it or not.
Then you have the upstarts(either new companies, or rebadged ODM crap sold by existing ones), who design CCTV systems on the premise that a CCTV camera is basically just an embedded linux board with a camera interface, and a record/playback system is basically just an x86 with some sort of h264 hardware and a lousy frontend. These assumptions are not false, and advances in silicon sensors and cheap embedded computers definitely mean that the price is right; but the standards of security excellence in low-cost embedded gear are absolutely fucking dire... These guys should know better, since their designs are 100% post-ubiquitous-networking in concept; but they just don't get paid enough, or enjoy long enough development cycles, to give a damn.
Re:Are we surprised? (Score:2)
Interesting perspective.
I guess that's why I've been installing IP cameras on physically separate networks for all these years.
Unnecessary (Score:1)
Interesting perspective.
I guess that's why I've been installing IP cameras on physically separate networks for all these years.
No need to physically separate any more. VLAN's, VRF's, MPLS & Remote Access with VPN's. Easy to maintain and scales nicely up to as many cameras, video-servers etc. you will ever need.
Re:Are we surprised? (Score:0)
Yep, nothing like having to install activex controls just to use a CCTV camera's web gui to change settings (not to record video or anything useful). Current "yum cha" IP cameras for example are pretty much excrement.
Er (Score:-1)
I for one welcome our new CCTV operative overlords
Re:Er (Score:2)
They're not new...
Re:Er (Score:2)
They're not new...
These days they're not even closed circuit.
so? (Score:5, Interesting)
preconfigured default accounts and passwords
Really? This is supposed to be an issue?
Most of the default user/pass settings are publicly available on manufacturers websites, documentation pamphlets, and 3rd party sites [routerpasswords.com] just for that purpose.
Buffer overflow or sql injection? Ok...
Default passwords are weak? So what?
Re:so? (Score:4, Insightful)
I wish I didn't knee-jerk my reply... Your point is exactly what I'm thinking.
Umm... Yea. I heard that corporate routers and switches come with really weak default protection! Your server will let anyone fire it up and login out of the box!
The horrors... This story is a non-story. If you go buy hardware for some purpose, make sure you configure it. If the story said most CCTV configurations have backdoors, or are easily exploitable even after prescribed lockdown, then we'd have something to work with.
Re:so? (Score:5, Interesting)
Actually, it's kind of sad that it's had to come to this, but most corporate routers and switches no longer have weak default protection. For example, new Cisco switches and routers now ship with a one time use password, so you have to create an account on them when configuring, or you'll never be able to log in again. This really shouldn't be necessary, but we live in a world where there are a lot of people implementing security who don't understand it. Even home routers now often force you to create your own password during setup and disable remote access by default. You could make a pretty convincing argument that the CCTV industry has fallen pretty far behind the times.
Minor side point, but there's a jewelry store below my apartment that uses wireless CCTV cameras... on a WEP protected network... with no logon required to view the stream. I feel bad when I do it, but it's hard not to look.
Re:so? (Score:3)
It isn't that they come configured that way it are never changed.
You can literally google model numbers and pull up camera feeds.
How much harder will it be to disable the cameras while you rob a place?
Re:so? (Score:2)
Re:so? (Score:0)
Except that Ethernet ports block DC, so the battery theory won't work so well. :)
Re:so? (Score:2)
Re:so? (Score:3)
On problem is all of those X10 cameras installed back in the day in God only knows where that have been long forgotten about. There is no security at all with some devices like this placed in illegal places like motel bathrooms and such.
But the corporate stuff at let's say Walmart, wouldn't have that problem if someone did access the data. What would they see exactly that is of any importance? I would be much more worried about identity theft through servers that have your life history on it like possibly Facebook's.
Security CCTV my not be run by the IT guy though and may be left to the security people, I dunno? Maybe someone could explain exactly what type of scenario could happen where this would be an actual problem as mentioned in the article?
Re:so? (Score:5, Interesting)
This is not only an issue on cameras, either. Access control systems, intrusion systems, fire systems, and building control systems all have the same issue. You asked for an example, and here's one that I used to convince our installers that we absolutely HAD to start paying attention to this.
Hospital X has a state-of-the-art security system installed, but default passwords on everything, running on the corporate backbone. Joe Psycho wants to steal his newborn baby from the maternity ward where his ex has just given birth. He can plug into an unattended network port, maybe in a conference room, exam room, or an unoccupied office somewhere on that floor, do a port scan and find everything running on Port 80, scan the ports that the two main infant abduction systems use, and any of the various ports that the major access control systems run on. He has now found every security camera on that subnet, the controller for the access control system, the PLC for the infant abduction system's annunciator, and the communication devices for that system's RFID monitors.
First he logs into the PLC and disables it. Next he can log into the IAS's comm devices and simply change their IP address and it drops offline. Unless the nursing staff just happens to be looking at that screen at that moment they won't know that everything is offline since the annunciator won't raise an alarm. Now to the access control system's ISC, changing the administrator password and the IP address, but not hitting Accept yet. Opening a tab in his browser he can access all of the cameras for that area, again changing the root/admin password and IP address. In a quick cascade of clicking OK he will take every camera and the access control system offline, and leave it in a state where each device has to be physically touched to reset back to the factory defaults. The guard staff will assume that this is probably a network issue, since it's a whole bunch of devices in the same area, and call IT, and by the time they figure out it's an actual attack the baby's in the next county.
Scary enough?
Re:so? (Score:0)
No. Not even remotely. I can't figure out I'd you're serious or trying to show off.
Problems with your argument.
Security though obscurity. We don't like it and it does fail. But you are using an extreme extreme.
Physical security and nurses in the ward.
The likely intelligence of a would-be kidnapper. not To mention the planning or knowledge level needed. For someone not INTIMATELY familiar With the network....
This IS a nightmare scenario. But the thing about nighrmares: they are dreams.
Re:so? (Score:2)
Nurses aren't security guards, and shouldn't be expected to serve as such. They're overworked as it is, and don't have time to examine the credentials of everyone on the floor. Even if they did the nurse who will stand up to someone armed with a knife or other weapon is very rare, in fact they're trained not to. If the system has been disabled there is nothing to stop the attacker from walking out with a kid under each arm, except perhaps other patients and their families.
Re:so? (Score:2)
Oh Lantronix, with firmware so fragile it seems like they had to sprinkle fairy dust on the flash chips just to make it not crumble under its own weight. Agreed.
Re:so? (Score:2)
Yes, and as I said before older security systems with a 4 digit pin code without authentication is still in wide use. Simple as heck for anyone to break. Also, cameras with now way to lock them down are everywhere.
Hospitals with all of the ER visits without insurance are strained too with much less security than let's say a WalMart which is wired up like a Vegas casino.
Re:so? (Score:4)
You are under a mistaken assumption that people who know their shit don't go apeshit. Reiser, anyone? So there you go. There's no security through obscurity in those systems. Nurses in the ward? Ha ha. If you look like you belong, you can do anything you please. Good old social engineering. Yeah, I know, nerds usually aren't born with it, but don't count on them never learning. Not if your kid's safety depends on it, yaknow.
Re:so? (Score:2)
No, it's not. I've made the exact same case--an exploit that is trivially discoverable is a big exploit.
I'm not saying people who aren't network administrator-turned developer or security guys would do it this way, but I am one, and there's a bunch of us out there. If I wanted to steal a baby, or do anything illegal in a place with computers, plugging into a network jack and running nmap would be the first thing I'd do. Run the scan with paranoid timings, fingerprint every service, pipe the software name + version number through google along with things like "exploit", "default password", "root", "escalation", etc. (5 minutes with sed + wget/curl), and unless your place has exceptional security or very few computers, I'm in. I have yet to see the network running without vulnerabilities, and I've seen what security audit companies miss (they miss practically everything).
Since people think security by obscurity is okay, they justify not fixing these problems. Since nobody fixes these problems, you can be nearly certain they'll exist in whatever you're trying to attack. The very ease of the attack guarantees that anyone in the know will go for it first. Unless there was an even easier way, I'd probably follow the exact path the GP posted.
Re:so? (Score:2)
The thing people seem to forget about security by obscurity is that we have computers.
Re:so? (Score:2)
Yep, that gives me some other scenarios, since of course they are not going to keep the corporate backbone separate from the cameras, so that convinces me too. I personally would want to keep that separate at least for a small business. In other words don't give all the power to one person as well as setting the passwords and of course even in a tiny business the boss is going to want to watch everything from the internet even if you have dvr's recording every single thing.
I guess most cameras are for theft prevention but OK it could be theft of more than what you might think like an employees user password while someone has hacked into the camera watching them. So whether connected or not, this could be serious.
Re:so? (Score:3)
Re:so? (Score:2)
Re:so? (Score:2)
What is wrong with just using wireless instead of dragging more cable? Of course you are talking to a small business person. I'm just wondering why an N-based wireless system couldn't be just as secure in a small place if configured properly or is this not yet possible? If jamming is an issue, I think there are products out there but I am not sure? I know the old ones are still around and not secure at all but it seems like they could be.
http://www.cisco.com/en/US/products/ps9948/index.html [cisco.com]
Just a dumb question I guess.
Re:so? (Score:1)
Also in the news (Score:4, Insightful)
Re:Also in the news (Score:0)
Re:Also in the news (Score:0)
I believe you're referring to the field of teledildonics...
Re:Also in the news (Score:2, Insightful)
Most routers/web tv boxes/digital photo frames/wifi dildos come with trivial exploits. People sell things configured to work "out of the box"
Not Wifi dildos...
What does CC mean? (Score:5, Insightful)
Re:What does CC mean? (Score:4, Interesting)
CCTV, like the rest of the electronic security biz, is going IP based in a big way now. Keep in mind most people involved with security are, pardon the expression, "hairy arsed" blue collar electrician types. They can do physical wiring ok, but do not have the aptitude for "IT" stuff, which they are positively phobic to.
As you can imagine, they can't even do the basics. Most of that stuff ends up on unfirewalled networks with the default passwords. They see it as 'if it works leave it alone', don't touch anything which might break it. If you're lucky it's a separate security network from the rest of the company, but not always.
I used to work for a company that made a particular PC-based security product (hence posting AC) and for pretty much every system we sold nobody bothered to change the default p/w. Our product was multi user, but they would only use the one default account (with the default p/w) which had engineer access rights for reconfiguring the entire system. The people who bought and installed our system just let the operators (who have no business changing settings) use that account.
Security is moving towards being more of an IT field now, but I wouldn't advise that the /. crowd look for a job there. They won't pay you an IT salary and the people you have to work with will drive you mad (ok, that last bit is true of IT in general!), which is why I no longer work there.
Re:What does CC mean? (Score:3)
Out of all the IP camera manufacturers only Axis seems to get the idea that a security camera should be at least minimally secure. They are the only ones that will force an installer to change the password at first login (although they do allow the "new" password to be the same as the original). Many of the other manufacturers only allow one user account (root or admin), some don't allow you to change the password on that account, and a couple don't even have passwords at all. More than one only allow a maximum 8 character lower case alpha-only password. There is one supposed IP "security" camera system that has one user, admin, and no password for the cameras, the recorder and the configuration tool. Amusingly enough they claim to be an "ENTERPRISE" system, and a national accounting firm has that atrocity installed in all their offices.
I'm pleased that my employer is the only one in the region that seems to actually understand that the days of the "hairy arsed" blue collar electrician types" is over. It means though that we can't compete on price with the likes of Convergint or Niscaya, but that's OK with me since it seems to attract a better quality of customer.
This again? (Score:3)
Re:This again? (Score:4, Informative)
http://pastebin.com/sSs79RTd [pastebin.com]
Hey look at that, I even made it easy for you...
Re:This again? (Score:1)
Re:This again? (Score:1)
Re:This again? (Score:3)
Re:This again? (Score:4, Insightful)
Re:This again? (Score:0)
Re:This again? (Score:1)
I disagree. It makes a good point. Your comment, however....
Re:This again? (Score:0)
Re:This again? (Score:0)
your response adds nothing to the discussion
You must be new here
Banal? (Score:1)
Re:Banal? (Score:0)
It's not that rare, I've used it and its other forms many times.
If you use wiktionary or any other online dictionary, it comes right up. Why would you look up the definition of a word in an encyclopedia?
Re:Banal? (Score:4, Interesting)
banal - with a small "b": lacking originality, freshness, or novelty
Using most generic search engines with "define:banal" with or without the colon shoulda pulled that up for you. I think I last used it in conversation a year or two ago. If you like banal, you should check out "jejune."
Re:Banal? (Score:0)
Most English speaking people. In England anyway it's a common enough word.
Re:Banal? (Score:2, Offtopic)
Out of curiosity, where are you? "Banal" is a common enough word in English.
I would also recommend that you look up words in Wiktionary instead of Wikipedia. Not even a small fraction of English words warrant a Wikipedia article, and if you limit your vocabulary to those words, it will be arrant uneath to converse you.
Re:Banal? (Score:2)
Out of curiosity, where are you?
I work in Toronto, live in the town of Ajax just east of there.
Re:Banal? (Score:2)
I just had to look up Ajax.
Apparently he is a Greek hero. Fancy pseudo-intellectual sprinkling Greek mythology into your conversations...
Re:Banal? (Score:2)
Out of curiosity, where are you?
I work in Toronto, live in the town of Ajax just east of there.
I used the word "banal" on numerous occasions (spoken and in email or documents) when I lived in Toronto, and the permanent residents seemed to understand it. Other people even used the word in my hearing, and used it correctly. Their vocabulary was not too bad for that side of the Atlantic. Of course, most of us lived in the Western and Northern suburbs rather than in Ajax...
Re:Banal? (Score:2)
Re:Banal? (Score:0)
It's not an uncommon word, and the Wikipedia redirect means nothing since Wikipedia is not a dictionary. There's also no Wikipedia entry for the words "uncommon" or "redirect", does that mean no one uses those words either?
Re:Banal? (Score:0)
Who uses this word?"
People who read.
Re:Banal? (Score:2)
>Who uses this word?
Plenty of people.
Look out for the anthropophage behind you.
--
BMO
Only a problem to dumb IT. (Score:4, Informative)
If your Security CCTV system is on the net or has the ports open to the net, then your IT guy is a moron and needs to be fired.
VPN in then connect to the Security cameras.. Yes it even works with the iPhone apps for the CCTV systems. Anything else is just proof of incompetence.
Re:Only a problem to dumb IT. (Score:0)
My company manufactures CCTV systems that are GNU/Linux based, with a focus on security. They are 100% web based, and work on any devices (including Android and iOS based phones and tablets) without any app. The web interface uses SSL. That's just as secure as a VPN.
Closing the doors to the world because you are using an inferior product or because your IT people is retarded is not a solution.
Re:Only a problem to dumb IT. (Score:3)
Closing the doors to the world because you are using an inferior product or because your IT people is retarded is not a solution.
It is a fact that disabling front-facing ports reduces attack surface. You ain't perfect, you could make a mistake. Clearly you knew what you were saying was nonsense, because you left your comment anonymously. I'd be afraid to have my name associated with that statement too, if I ever exercised any restraint on slashdot beyond not breaching NDAs.
Re:Only a problem to dumb IT. (Score:-1)
Clearly you knew what you were saying was nonsense, because you left your comment anonymously. I'd be afraid to have my name associated with that statement too
Ok then.... drinkypoo.
Well whaddya know, you might actually be Martin Espinoza as your email implies. I did seem to find your Facebook page easily with Google, and... oh my my my. You are quite a little Troll, aren't you? Guess who left his wall publicly visible. Not very wise of you Martin.
And you completely missed the point about vaccines. The answer to your little meme picture is "Because they are never 100% effective, dipshit, so your sick kid can still infect mine."
Re:Only a problem to dumb IT. (Score:1)
Guess who left his wall publicly visible. Not very wise of you Martin.
Actually, I post friends-only and then I go back through my activity log and publicize the things I intended to share. Guess what? I'm on Google+ too.
And you completely missed the point about vaccines. The answer to your little meme picture is "Because they are never 100% effective, dipshit, so your sick kid can still infect mine."
Indeed, many of them are pretty much utterly ineffective. I'm not anti-vaccine, I'm anti-not-asking-questions.
Re:Only a problem to dumb IT. (Score:3)
And a free software package, Zoneminder, is still 800% better than any product your company makes. Why? Because I can base it on a secure BSD or linux distro that will get updates for security holes on a regular basis. Your product, being china made will never have security releases to fix holes in the underlying Linux OS.
I have seen and dealt with the junk companies like yours make, Running incredibly old kernels and TCP stacks that have known exploits. The tip off that a CCTV recorder is junk? IT requires Active X to view the web view. That means its based on the old china OS image that has been floating around for well over 6 years now that is so full of holes it's not funny.
Re: Zoneminder (Score:2)
Pretty much spot on.
Also not that the china turnkey systems run Linux but do not allow you to view them on Linux.
However, why no audio support in Zoneminder?
Re: Zoneminder (Score:2)
There is audio support in zoneminder,. It is currently a early beta plug in. but very very few security installs use audio because of state wiretapping laws prohibit it so it was not a priority of the developers.
Re:Only a problem to dumb IT. (Score:0)
This.
However: If I had a nickle for every time I've been brought in to secure a network that a local "IT Person" had setup for the business they work at. The company just last week found it a relief that they didn't need a cable modem and separate internet account for EVERY COMPUTER AND DEVICE in a 6 person business.
Re:Only a problem to dumb IT. (Score:0)
If your Security CCTV system is on the net or has the ports open to the net, then your IT guy is a moron and needs to be fired.
If all the people who configured easily exploitable systems were to be fired, there would be a very large number of unemployed sys admins walking the streets.
The fact is that the majority of systems that I've been in contact with over the years have been poor quality in one way or another that made them exploitable. The common factor is generally not incompetence but inexperience, coupled with a lack of resources and motivation to put the problems right if/when they come to light.
Many systems aren't even set up by experts. If it's "easy to install out of the box", then the person doing the installation may not even be aware of the security implications of what he's doing, let alone know how to mitigate them.
Fixing things is expensive. You have to pay someone to spend time fixing the mistakes. If those mistakes are invisible to management, then it seems there's always a better use of that money and time. Even finding the problem in the first place takes time and money.
The only way to deal with these issues is to slap a very big financial/legal penalty on it: fine companies for not being secure, or even shut them down.
CCTV and other public facing platforms should be required to submit to a security audit, in much the same way that companies doing online credit card handling are.
Re:Only a problem to dumb IT. (Score:0)
You're half correct there: IT guys are not involved in installing physical security. Security people do that, and they know SFA about what they see as "IT stuff".
Re:Only a problem to dumb IT. (Score:0)
you wouldn't believe the people we (as installers) have to deal with. if the customer has to remember even their own chosen password, the system is too complicated.
so while i admit leaving things vulnerable is bad, what can you do for people that can't be bothered to deal with their own security basics?
so we tell them about the risks and let them decide if they want the remote access or not. usually they choose easy to use.
"give me convenience or give me death!"
Re:Only a problem to dumb IT. (Score:0)
Could not agree more!
I install physical security systems, customers want the systems to work by telepathy and have no interest in changing their procedures for security purposes.
However, the customer is always right and there is always a willing installer to screw things to the wall and disable/remove it in the software. Never any false alarms, their customers couldn't be happier.
Privacy Issues (Score:0)
You'd be amazed what some of these camera devices are setup to watch and capable of viewing, not to mention some of the associated PRIVACY issues... And most devices are not even capable of stopping brute force attacks
Re:Privacy Issues (Score:0)
Agree, privacy issue is huge here
Re:Privacy Issues (Score:0)
Gotham (Score:0)
Fortunately Batman is on the case.
Of course they do (Score:2)
How else could the IMF team snap a little doodad on the cable and magically get a high-def feed to the most sensitive parts of every building? Duh.
a lot of security installers are not IT techs (Score:2)
a lot of security installers are not IT techs
http://thedailywtf.com/Comments/Just-One-Port.aspx [thedailywtf.com]
CCCTV (Score:0)
In soviet Russia CCCTV watches you!
Micheal? (Score:0)
I feel like Micheal Weston from Burn Notice just told me this.
Just "Exploited" It Last Night (Score:5, Interesting)
I noticed this just last night.
I live in one of those large, over-priced "planned communities" with the town centre, the gym/tennis courts/water park area, etc. They offer free, open WiFi for people in the gym area, so I was checking some mail and decided to do a little network port scanning and saw a couple dozen systems, printers, routers and such on the network, which I thought was odd, as usually those kind of things aren't on the same network as all the free WiFi junk.
I'm just idly curious as to what is around, and came across some unusually named servers (ie: default out of the box) and was just connected via web and it brought up the entire security camera console.
Now there was no "exploiting" going on at all. I just connected to a publically accessible (and offerred) free WiFi point, and browsed a computer name using HTTP, and there I was looking at 4 streaming cameras through a web console, at the gym. Another server (just sitting on the network as well) had all the external cameras for the doors and walkways.
Now this wasn't just a monitoring console, but the full record/stop recording, pan, zoom, admin console. Sitting out completely available, for anyone to just ping and do whatever they wanted.
I've honestly never seen anything like it. There wasn't even a password or any security. Not even a "you shouldn't be here" pop up or anything.
Has anyone ever seen a situation like this? Where a security console wasn't at least locked down to a particular MAC address for monitoring or IP restricted or, God forbid, not on the same network as your customers to randomly browse to?
Re:Just "Exploited" It Last Night (Score:2)
After all those years (Score:0)
After years of Not believing movies where the CCTV was so easily manipulated, you are telling me I was ignoring a training course in burglary?
I just assumed that it was all fake -- after all Abbey on NCIS somehow can sequence DNA in less than 8 hrs, Probey can hack into the CIA, Pentagon, and NSA effortlessly in under 2 minutes, and they can match fingerprints in seconds. I tend to always ignore the miracles of technology in anything I watch. Especially since the algorithms I write never seem to be as effective, fast, or robust as those on tv
But the CCTV stuff -- that was actually all you need to do to fool the guard watching a screen -- eh.. who knew?
Prediction: netflix is going to be streaming movies that begin with the word "Ocean's ..." more in the near future ;-)
Re:After all those years (Score:2)
After years of Not believing movies where the CCTV was so easily manipulated, you are telling me I was ignoring a training course in burglary?
It's been this way for 10 years or more. Seriously, I forgot the first time I found a list of these. It's been this way ever since they put apache web servers on "CCTV" cameras and stuck them on the Internet. With PNP settings on your router turned on, you don't even have to open the port manually.
This is a non-story and is obvious to fucking everyone who has so much opened a quckstart guide to a CCTV camera.
--
BMO
Not Online? (Score:0)
We got a core i-3 machine that runs all of our CCTV equipment. It came pre-installed with vnc and some dns mapping software. Unfortunately for the company that sold it to us, there's no Ethernet near the box so it doesn't have an internet connection. Cant spy on us if it's not plugged in now can you? *trollface*
Exploits != Vulnerabilities (Score:1)
Re:Exploits != Vulnerabilities (Score:2)
My IP camera came with an undocument passwordless root login if you telnet to a particular port. Does that count as an exploit or a vulnerability?
Certainly someone must have pointed out it because it was removed in the firmware update.
Re:Exploits != Vulnerabilities (Score:1)
How else... (Score:2)
...are the heroes and villains in the movies supposed to keep an eye on each other?
Default Password List (Score:1)