Forgot your password?
typodupeerror
Privacy Security IT Your Rights Online

Most CCTV Systems Come With Trivial Exploits 89

Posted by timothy
from the peek-a-boo dept.
An anonymous reader writes "The use of CCTV cameras for physical surveillance of all kinds of environments has become so pervasive that most of us don't give the devices a second thought anymore. But, those individuals and organizations who actually use and control them should be aware that most of them come with default settings that make them vulnerable to outside attacks. According to Gotham Digital Science researcher Justin Cacak, standalone CCTV video surveillance systems by MicroDigital, HIVISION, CTRing, and many other rebranded devices are not only shipped with remote access enabled by default, but also with preconfigured default accounts and passwords that are banal and easy to guess."
This discussion has been archived. No new comments can be posted.

Most CCTV Systems Come With Trivial Exploits

Comments Filter:
  • I mean, really? I guess when the designers think of Closed Circuit TV, they're thinking that extends to the management network too eh?

    • by fuzzyfuzzyfungus (1223518) on Thursday May 17, 2012 @10:10AM (#40027423) Journal
      I suspect that there are (at least) two distinct schools of utter fail:

      The professionals, with a legacy in CCTV-as-in-actual-closed-circuit-running-on-private-coax, probably have an attitude much as you describe. The classic CCTV systems were dumb as bricks(not that their designers necessarily were, making largely analog, reasonably high bandwidth systems actually work in practice isn't trivial); but that lack of sophistication served as a strong defense against anybody without a physical tap shoved right into the coax. You just don't develop a very strong culture of caring about remote exploits if your engineering history is almost entirely concerned with systems that are incapable of remote anything, whether you like it or not.

      Then you have the upstarts(either new companies, or rebadged ODM crap sold by existing ones), who design CCTV systems on the premise that a CCTV camera is basically just an embedded linux board with a camera interface, and a record/playback system is basically just an x86 with some sort of h264 hardware and a lousy frontend. These assumptions are not false, and advances in silicon sensors and cheap embedded computers definitely mean that the price is right; but the standards of security excellence in low-cost embedded gear are absolutely fucking dire... These guys should know better, since their designs are 100% post-ubiquitous-networking in concept; but they just don't get paid enough, or enjoy long enough development cycles, to give a damn.
      • by adolf (21054)

        Interesting perspective.

        I guess that's why I've been installing IP cameras on physically separate networks for all these years.

        • by Anonymous Coward

          Interesting perspective.

          I guess that's why I've been installing IP cameras on physically separate networks for all these years.

          No need to physically separate any more. VLAN's, VRF's, MPLS & Remote Access with VPN's. Easy to maintain and scales nicely up to as many cameras, video-servers etc. you will ever need.

  • so? (Score:5, Interesting)

    by gandhi_2 (1108023) on Thursday May 17, 2012 @09:31AM (#40027121) Homepage

    preconfigured default accounts and passwords

    Really? This is supposed to be an issue?

    Most of the default user/pass settings are publicly available on manufacturers websites, documentation pamphlets, and 3rd party sites [routerpasswords.com] just for that purpose.

    Buffer overflow or sql injection? Ok...
    Default passwords are weak? So what?

    • Re:so? (Score:4, Insightful)

      by lorenlal (164133) on Thursday May 17, 2012 @09:36AM (#40027159)

      I wish I didn't knee-jerk my reply... Your point is exactly what I'm thinking.

      Umm... Yea. I heard that corporate routers and switches come with really weak default protection! Your server will let anyone fire it up and login out of the box!

      The horrors... This story is a non-story. If you go buy hardware for some purpose, make sure you configure it. If the story said most CCTV configurations have backdoors, or are easily exploitable even after prescribed lockdown, then we'd have something to work with.

      • Re:so? (Score:5, Interesting)

        by Anonymous Coward on Thursday May 17, 2012 @09:52AM (#40027265)

        Actually, it's kind of sad that it's had to come to this, but most corporate routers and switches no longer have weak default protection. For example, new Cisco switches and routers now ship with a one time use password, so you have to create an account on them when configuring, or you'll never be able to log in again. This really shouldn't be necessary, but we live in a world where there are a lot of people implementing security who don't understand it. Even home routers now often force you to create your own password during setup and disable remote access by default. You could make a pretty convincing argument that the CCTV industry has fallen pretty far behind the times.

        Minor side point, but there's a jewelry store below my apartment that uses wireless CCTV cameras... on a WEP protected network... with no logon required to view the stream. I feel bad when I do it, but it's hard not to look.

      • by peragrin (659227)

        It isn't that they come configured that way it are never changed.

        You can literally google model numbers and pull up camera feeds.

        How much harder will it be to disable the cameras while you rob a place?

        • Just hit the first one in the lense with a paintball gun (or slingshot for the hardcore guys), then take a 10-pack of AA's in series and hook that to the ethernet port connected to the back, that ought to take care of the rest of them (or at the VERY least the switch they all connect to.
    • On problem is all of those X10 cameras installed back in the day in God only knows where that have been long forgotten about. There is no security at all with some devices like this placed in illegal places like motel bathrooms and such.

      But the corporate stuff at let's say Walmart, wouldn't have that problem if someone did access the data. What would they see exactly that is of any importance? I would be much more worried about identity theft through servers that have your life history on it like possibly F

      • Re:so? (Score:5, Interesting)

        by cusco (717999) <brian.bixby@gmai l . c om> on Thursday May 17, 2012 @11:37AM (#40028409)
        I do this for a living, and have been screaming about this to anyone who would listen ever since I got into the physical security field six years ago. I've convinced my company that ALL default passwords on ALL security devices have to be changed if at all possible (on some, like Trango wireless relays, they cant be changed). We are the only company in the Pacific Northwest that does this consistently. I know this for a fact, since I often have to work on systems installed by our competitors.

        This is not only an issue on cameras, either. Access control systems, intrusion systems, fire systems, and building control systems all have the same issue. You asked for an example, and here's one that I used to convince our installers that we absolutely HAD to start paying attention to this.

        Hospital X has a state-of-the-art security system installed, but default passwords on everything, running on the corporate backbone. Joe Psycho wants to steal his newborn baby from the maternity ward where his ex has just given birth. He can plug into an unattended network port, maybe in a conference room, exam room, or an unoccupied office somewhere on that floor, do a port scan and find everything running on Port 80, scan the ports that the two main infant abduction systems use, and any of the various ports that the major access control systems run on. He has now found every security camera on that subnet, the controller for the access control system, the PLC for the infant abduction system's annunciator, and the communication devices for that system's RFID monitors.

        First he logs into the PLC and disables it. Next he can log into the IAS's comm devices and simply change their IP address and it drops offline. Unless the nursing staff just happens to be looking at that screen at that moment they won't know that everything is offline since the annunciator won't raise an alarm. Now to the access control system's ISC, changing the administrator password and the IP address, but not hitting Accept yet. Opening a tab in his browser he can access all of the cameras for that area, again changing the root/admin password and IP address. In a quick cascade of clicking OK he will take every camera and the access control system offline, and leave it in a state where each device has to be physically touched to reset back to the factory defaults. The guard staff will assume that this is probably a network issue, since it's a whole bunch of devices in the same area, and call IT, and by the time they figure out it's an actual attack the baby's in the next county.

        Scary enough?
        • Yep, that gives me some other scenarios, since of course they are not going to keep the corporate backbone separate from the cameras, so that convinces me too. I personally would want to keep that separate at least for a small business. In other words don't give all the power to one person as well as setting the passwords and of course even in a tiny business the boss is going to want to watch everything from the internet even if you have dvr's recording every single thing.

          I guess most cameras are for theft

          • by cusco (717999)
            Prevention? No, security video is for forensics. When a simple grocery store might have 20-50 cameras no human being is going to be able to watch any appreciable percentage of them. I forget the exact numbers, but a single human being can actually pay attention to something like 12 cameras for 15 minutes before their brain turns to mush and they need a 5 minute break. Even in a grocery store the security video is more for insurance purposes than anything else, catching the slip/fall con artists, the wor
          • by cusco (717999)
            Oh, and no, it's not normally a seperate network unless it's a really large installation. At best the cameras might be on their own VLAN, but that's to segregate the traffic rather than as a security measure. It's too damn expensive to pull CAT6/fiber and install and configure a switch just for the three cameras that you might have in one area. Even when it is a seperate network the switches are almost never configured securely, with every open port unlocked and available for anyone to plug into and snif
            • What is wrong with just using wireless instead of dragging more cable? Of course you are talking to a small business person. I'm just wondering why an N-based wireless system couldn't be just as secure in a small place if configured properly or is this not yet possible? If jamming is an issue, I think there are products out there but I am not sure? I know the old ones are still around and not secure at all but it seems like they could be.

              http://www.cisco.com/en/US/products/ps9948/index.html [cisco.com]

              Just a dumb quest

        • While I agree changing the passwords is the first step in deployment, but (as to your example) why would you install your security devices on the same network as the rest of the building? A little network isolation goes a long way, restrict access to that network to your security personnel. Running an entire hospital on a flat network topology would seem to me to be fairly retarded on the part of whoever is engineering your deployments.
  • Also in the news (Score:4, Insightful)

    by Chrisq (894406) on Thursday May 17, 2012 @09:34AM (#40027137)
    Most routers/web tv boxes/digital photo frames/wifi dildos come with trivial exploits. People sell things configured to work "out of the box", allowing you to configure them securely if needed. If they didn't they would get a lot of returns and support calls from people who didn't read the manual.
    • Re: (Score:2, Insightful)

      by RawsonDR (1029682)

      Most routers/web tv boxes/digital photo frames/wifi dildos come with trivial exploits. People sell things configured to work "out of the box"

      Not Wifi dildos...

  • What does CC mean? (Score:5, Insightful)

    by Infiniti2000 (1720222) on Thursday May 17, 2012 @09:37AM (#40027163)
    Are they taking the CC out of CCTV? What am I not understanding about this term? I guess it may have evolved to not be closed circuit any more, but then it should be called something else. Regardless, a "default" with gaping vulnerabilities should not surprise anyone.
    • by Anonymous Coward on Thursday May 17, 2012 @10:01AM (#40027351)

      CCTV, like the rest of the electronic security biz, is going IP based in a big way now. Keep in mind most people involved with security are, pardon the expression, "hairy arsed" blue collar electrician types. They can do physical wiring ok, but do not have the aptitude for "IT" stuff, which they are positively phobic to.

      As you can imagine, they can't even do the basics. Most of that stuff ends up on unfirewalled networks with the default passwords. They see it as 'if it works leave it alone', don't touch anything which might break it. If you're lucky it's a separate security network from the rest of the company, but not always.

      I used to work for a company that made a particular PC-based security product (hence posting AC) and for pretty much every system we sold nobody bothered to change the default p/w. Our product was multi user, but they would only use the one default account (with the default p/w) which had engineer access rights for reconfiguring the entire system. The people who bought and installed our system just let the operators (who have no business changing settings) use that account.

      Security is moving towards being more of an IT field now, but I wouldn't advise that the /. crowd look for a job there. They won't pay you an IT salary and the people you have to work with will drive you mad (ok, that last bit is true of IT in general!), which is why I no longer work there.

      • by cusco (717999)
        I came to the physical security field after ten years of server/desktop administration, and can completely confirm what the AC just posted. Our company makes a point of changing default logins for all devices, **IF** we can get the customer to agree. It's distressing to see how many of them will take that password and changed it BACK to the factory default.

        Out of all the IP camera manufacturers only Axis seems to get the idea that a security camera should be at least minimally secure. They are the o
  • by Dunbal (464142) * on Thursday May 17, 2012 @09:37AM (#40027171)
    Did someone else just learn how to google for CCTV feeds? Best one I ever found was at a dog shelter or animal hospital. Cute little doggies 24/7, and none of the smell. Of course I have more fun with my own dog, but it was a good find.
  • Who uses this word? I had to look it up and even Wikipedia re-directs it: http://en.wikipedia.org/wiki/Banal [wikipedia.org] - Goes to the page on "Predictability" with the note "(Redirected from Banal)"
    • Re:Banal? (Score:4, Interesting)

      by kermidge (2221646) on Thursday May 17, 2012 @09:53AM (#40027279) Journal

      banal - with a small "b": lacking originality, freshness, or novelty

      Using most generic search engines with "define:banal" with or without the colon shoulda pulled that up for you. I think I last used it in conversation a year or two ago. If you like banal, you should check out "jejune."

    • Re: (Score:2, Offtopic)

      by arth1 (260657)

      Out of curiosity, where are you? "Banal" is a common enough word in English.
      I would also recommend that you look up words in Wiktionary instead of Wikipedia. Not even a small fraction of English words warrant a Wikipedia article, and if you limit your vocabulary to those words, it will be arrant uneath to converse you.

      • by alphax45 (675119)

        Out of curiosity, where are you?

        I work in Toronto, live in the town of Ajax just east of there.

        • by hoggoth (414195)

          I just had to look up Ajax.
          Apparently he is a Greek hero. Fancy pseudo-intellectual sprinkling Greek mythology into your conversations...

        • Out of curiosity, where are you?

          I work in Toronto, live in the town of Ajax just east of there.

          I used the word "banal" on numerous occasions (spoken and in email or documents) when I lived in Toronto, and the permanent residents seemed to understand it. Other people even used the word in my hearing, and used it correctly. Their vocabulary was not too bad for that side of the Atlantic. Of course, most of us lived in the Western and Northern suburbs rather than in Ajax...

        • Hi fellow GTA-ian. I live out by the zoo: Meadowvale and Sheppard area.
    • by bmo (77928)

      >Who uses this word?

      Plenty of people.

      Look out for the anthropophage behind you.

      --
      BMO

  • by Lumpy (12016) on Thursday May 17, 2012 @09:41AM (#40027199) Homepage

    If your Security CCTV system is on the net or has the ports open to the net, then your IT guy is a moron and needs to be fired.

    VPN in then connect to the Security cameras.. Yes it even works with the iPhone apps for the CCTV systems. Anything else is just proof of incompetence.

  • How else could the IMF team snap a little doodad on the cable and magically get a high-def feed to the most sensitive parts of every building? Duh.

  • a lot of security installers are not IT techs
    http://thedailywtf.com/Comments/Just-One-Port.aspx [thedailywtf.com]

  • by clam666 (1178429) on Thursday May 17, 2012 @10:47AM (#40027823)

    I noticed this just last night.

    I live in one of those large, over-priced "planned communities" with the town centre, the gym/tennis courts/water park area, etc. They offer free, open WiFi for people in the gym area, so I was checking some mail and decided to do a little network port scanning and saw a couple dozen systems, printers, routers and such on the network, which I thought was odd, as usually those kind of things aren't on the same network as all the free WiFi junk.

    I'm just idly curious as to what is around, and came across some unusually named servers (ie: default out of the box) and was just connected via web and it brought up the entire security camera console.

    Now there was no "exploiting" going on at all. I just connected to a publically accessible (and offerred) free WiFi point, and browsed a computer name using HTTP, and there I was looking at 4 streaming cameras through a web console, at the gym. Another server (just sitting on the network as well) had all the external cameras for the doors and walkways.

    Now this wasn't just a monitoring console, but the full record/stop recording, pan, zoom, admin console. Sitting out completely available, for anyone to just ping and do whatever they wanted.

    I've honestly never seen anything like it. There wasn't even a password or any security. Not even a "you shouldn't be here" pop up or anything.

    Has anyone ever seen a situation like this? Where a security console wasn't at least locked down to a particular MAC address for monitoring or IP restricted or, God forbid, not on the same network as your customers to randomly browse to?

    • by cusco (717999)
      I may well be able to guess what the manufacturer's name is, we were forced to install one of those abortions at a customer site. We complained every step of the way, but they said that this was their nationwide corporate standard. It's very likely that the property managment company your community uses installs the exact same system the exact same way at every site they manage. Property management companies tend to be really cheap (the majority, not all of course). They probably have some underpaid kid
  • These systems come with vulnerabilities, not exploits. Exploits are the things you throw at a vulnerability to make the device bend to the your will.
    • by 0123456 (636235)

      My IP camera came with an undocument passwordless root login if you telnet to a particular port. Does that count as an exploit or a vulnerability?

      Certainly someone must have pointed out it because it was removed in the firmware update.

      • That's still a vulnerability. In that case, the exploit is merely your keyboard where you log in to that paswordless root account through that particular port. The exploit is the way that you leverage an existing vulnerability (the vulnerability, in your case, being the manufacturer-provided backdoor).
  • ...are the heroes and villains in the movies supposed to keep an eye on each other?

  • Yes,you are right! Many ip cameras [ipcamerasupplier.com] all have default passwords.If consumers didn't change the passwords,that's very dangerous! Here is a default password list [ipcamerasupplier.com] of some kinds of ip cameras.

We don't know one millionth of one percent about anything.

Working...