Slashdot Mirror

← Back to Stories (view on slashdot.org)

Most CCTV Systems Come With Trivial Exploits

Posted by timothy on from the peek-a-boo dept.

An anonymous reader writes "The use of CCTV cameras for physical surveillance of all kinds of environments has become so pervasive that most of us don't give the devices a second thought anymore. But, those individuals and organizations who actually use and control them should be aware that most of them come with default settings that make them vulnerable to outside attacks. According to Gotham Digital Science researcher Justin Cacak, standalone CCTV video surveillance systems by MicroDigital, HIVISION, CTRing, and many other rebranded devices are not only shipped with remote access enabled by default, but also with preconfigured default accounts and passwords that are banal and easy to guess."

23 of 89 comments (clear)

  1. so? by gandhi_2 · · Score: 4, Interesting

    preconfigured default accounts and passwords

    Really? This is supposed to be an issue?

    Most of the default user/pass settings are publicly available on manufacturers websites, documentation pamphlets, and 3rd party sites just for that purpose.

    Buffer overflow or sql injection? Ok...
    Default passwords are weak? So what?

    --
    THL phish sticks
    1. Re:so? by lorenlal · · Score: 3, Insightful

      I wish I didn't knee-jerk my reply... Your point is exactly what I'm thinking.

      Umm... Yea. I heard that corporate routers and switches come with really weak default protection! Your server will let anyone fire it up and login out of the box!

      The horrors... This story is a non-story. If you go buy hardware for some purpose, make sure you configure it. If the story said most CCTV configurations have backdoors, or are easily exploitable even after prescribed lockdown, then we'd have something to work with.

    2. Re:so? by Anonymous Coward · · Score: 5, Interesting

      Actually, it's kind of sad that it's had to come to this, but most corporate routers and switches no longer have weak default protection. For example, new Cisco switches and routers now ship with a one time use password, so you have to create an account on them when configuring, or you'll never be able to log in again. This really shouldn't be necessary, but we live in a world where there are a lot of people implementing security who don't understand it. Even home routers now often force you to create your own password during setup and disable remote access by default. You could make a pretty convincing argument that the CCTV industry has fallen pretty far behind the times.

      Minor side point, but there's a jewelry store below my apartment that uses wireless CCTV cameras... on a WEP protected network... with no logon required to view the stream. I feel bad when I do it, but it's hard not to look.

    3. Re:so? by EvilBudMan · · Score: 2

      On problem is all of those X10 cameras installed back in the day in God only knows where that have been long forgotten about. There is no security at all with some devices like this placed in illegal places like motel bathrooms and such.

      But the corporate stuff at let's say Walmart, wouldn't have that problem if someone did access the data. What would they see exactly that is of any importance? I would be much more worried about identity theft through servers that have your life history on it like possibly Facebook's.

      Security CCTV my not be run by the IT guy though and may be left to the security people, I dunno? Maybe someone could explain exactly what type of scenario could happen where this would be an actual problem as mentioned in the article?

    4. Re:so? by peragrin · · Score: 2

      It isn't that they come configured that way it are never changed.

      You can literally google model numbers and pull up camera feeds.

      How much harder will it be to disable the cameras while you rob a place?

      --
      i thought once I was found, but it was only a dream.
    5. Re:so? by cusco · · Score: 4, Interesting

      I do this for a living, and have been screaming about this to anyone who would listen ever since I got into the physical security field six years ago. I've convinced my company that ALL default passwords on ALL security devices have to be changed if at all possible (on some, like Trango wireless relays, they cant be changed). We are the only company in the Pacific Northwest that does this consistently. I know this for a fact, since I often have to work on systems installed by our competitors.

      This is not only an issue on cameras, either. Access control systems, intrusion systems, fire systems, and building control systems all have the same issue. You asked for an example, and here's one that I used to convince our installers that we absolutely HAD to start paying attention to this.

      Hospital X has a state-of-the-art security system installed, but default passwords on everything, running on the corporate backbone. Joe Psycho wants to steal his newborn baby from the maternity ward where his ex has just given birth. He can plug into an unattended network port, maybe in a conference room, exam room, or an unoccupied office somewhere on that floor, do a port scan and find everything running on Port 80, scan the ports that the two main infant abduction systems use, and any of the various ports that the major access control systems run on. He has now found every security camera on that subnet, the controller for the access control system, the PLC for the infant abduction system's annunciator, and the communication devices for that system's RFID monitors.

      First he logs into the PLC and disables it. Next he can log into the IAS's comm devices and simply change their IP address and it drops offline. Unless the nursing staff just happens to be looking at that screen at that moment they won't know that everything is offline since the annunciator won't raise an alarm. Now to the access control system's ISC, changing the administrator password and the IP address, but not hitting Accept yet. Opening a tab in his browser he can access all of the cameras for that area, again changing the root/admin password and IP address. In a quick cascade of clicking OK he will take every camera and the access control system offline, and leave it in a state where each device has to be physically touched to reset back to the factory defaults. The guard staff will assume that this is probably a network issue, since it's a whole bunch of devices in the same area, and call IT, and by the time they figure out it's an actual attack the baby's in the next county.

      Scary enough?

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    6. Re:so? by tibit · · Score: 3

      You are under a mistaken assumption that people who know their shit don't go apeshit. Reiser, anyone? So there you go. There's no security through obscurity in those systems. Nurses in the ward? Ha ha. If you look like you belong, you can do anything you please. Good old social engineering. Yeah, I know, nerds usually aren't born with it, but don't count on them never learning. Not if your kid's safety depends on it, yaknow.

      --
      A successful API design takes a mixture of software design and pedagogy.
    7. Re:so? by cusco · · Score: 2

      Prevention? No, security video is for forensics. When a simple grocery store might have 20-50 cameras no human being is going to be able to watch any appreciable percentage of them. I forget the exact numbers, but a single human being can actually pay attention to something like 12 cameras for 15 minutes before their brain turns to mush and they need a 5 minute break. Even in a grocery store the security video is more for insurance purposes than anything else, catching the slip/fall con artists, the workers comp scammers, and the like.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  2. Also in the news by Chrisq · · Score: 3, Insightful

    Most routers/web tv boxes/digital photo frames/wifi dildos come with trivial exploits. People sell things configured to work "out of the box", allowing you to configure them securely if needed. If they didn't they would get a lot of returns and support calls from people who didn't read the manual.

    1. Re:Also in the news by RawsonDR · · Score: 2, Insightful

      Most routers/web tv boxes/digital photo frames/wifi dildos come with trivial exploits. People sell things configured to work "out of the box"

      Not Wifi dildos...

  3. What does CC mean? by Infiniti2000 · · Score: 4, Insightful

    Are they taking the CC out of CCTV? What am I not understanding about this term? I guess it may have evolved to not be closed circuit any more, but then it should be called something else. Regardless, a "default" with gaping vulnerabilities should not surprise anyone.

    1. Re:What does CC mean? by Anonymous Coward · · Score: 4, Interesting

      CCTV, like the rest of the electronic security biz, is going IP based in a big way now. Keep in mind most people involved with security are, pardon the expression, "hairy arsed" blue collar electrician types. They can do physical wiring ok, but do not have the aptitude for "IT" stuff, which they are positively phobic to.

      As you can imagine, they can't even do the basics. Most of that stuff ends up on unfirewalled networks with the default passwords. They see it as 'if it works leave it alone', don't touch anything which might break it. If you're lucky it's a separate security network from the rest of the company, but not always.

      I used to work for a company that made a particular PC-based security product (hence posting AC) and for pretty much every system we sold nobody bothered to change the default p/w. Our product was multi user, but they would only use the one default account (with the default p/w) which had engineer access rights for reconfiguring the entire system. The people who bought and installed our system just let the operators (who have no business changing settings) use that account.

      Security is moving towards being more of an IT field now, but I wouldn't advise that the /. crowd look for a job there. They won't pay you an IT salary and the people you have to work with will drive you mad (ok, that last bit is true of IT in general!), which is why I no longer work there.

    2. Re:What does CC mean? by cusco · · Score: 2

      I came to the physical security field after ten years of server/desktop administration, and can completely confirm what the AC just posted. Our company makes a point of changing default logins for all devices, **IF** we can get the customer to agree. It's distressing to see how many of them will take that password and changed it BACK to the factory default.

      Out of all the IP camera manufacturers only Axis seems to get the idea that a security camera should be at least minimally secure. They are the only ones that will force an installer to change the password at first login (although they do allow the "new" password to be the same as the original). Many of the other manufacturers only allow one user account (root or admin), some don't allow you to change the password on that account, and a couple don't even have passwords at all. More than one only allow a maximum 8 character lower case alpha-only password. There is one supposed IP "security" camera system that has one user, admin, and no password for the cameras, the recorder and the configuration tool. Amusingly enough they claim to be an "ENTERPRISE" system, and a national accounting firm has that atrocity installed in all their offices.

      I'm pleased that my employer is the only one in the region that seems to actually understand that the days of the "hairy arsed" blue collar electrician types" is over. It means though that we can't compete on price with the likes of Convergint or Niscaya, but that's OK with me since it seems to attract a better quality of customer.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  4. This again? by Dunbal · · Score: 2

    Did someone else just learn how to google for CCTV feeds? Best one I ever found was at a dog shelter or animal hospital. Cute little doggies 24/7, and none of the smell. Of course I have more fun with my own dog, but it was a good find.

    --
    Seven puppies were harmed during the making of this post.
    1. Re:This again? by metalgamer84 · · Score: 3, Informative

      Just wait till someone stumbles onto the many webpages hosting hundreds of Trendnet CCTV IP addresses.

      http://pastebin.com/sSs79RTd

      Hey look at that, I even made it easy for you...

    2. Re:This again? by YouWantFriesWithThat · · Score: 2

      i once found a harbor in some asian city, wooden fishing skiffs intermingled with heavy cargo ships. they were using an off-the-shelf camera to monitor traffic from a bridge, no passwords, and pan/tilt/zoom were enabled. i moved the camera over to watch people on the bridge, and the actual operator kept moving it back. he/she must have thought the thing was possessed.

    3. Re:This again? by Baloroth · · Score: 3, Insightful

      Or he knew what was going on because it happened all the time and didn't give a shit because he wasn't paid to care (quite likely).

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  5. Only a problem to dumb IT. by Lumpy · · Score: 3, Informative

    If your Security CCTV system is on the net or has the ports open to the net, then your IT guy is a moron and needs to be fired.

    VPN in then connect to the Security cameras.. Yes it even works with the iPhone apps for the CCTV systems. Anything else is just proof of incompetence.

    --
    Do not look at laser with remaining good eye.
    1. Re:Only a problem to dumb IT. by drinkypoo · · Score: 2

      Closing the doors to the world because you are using an inferior product or because your IT people is retarded is not a solution.

      It is a fact that disabling front-facing ports reduces attack surface. You ain't perfect, you could make a mistake. Clearly you knew what you were saying was nonsense, because you left your comment anonymously. I'd be afraid to have my name associated with that statement too, if I ever exercised any restraint on slashdot beyond not breaching NDAs.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Only a problem to dumb IT. by Lumpy · · Score: 2

      And a free software package, Zoneminder, is still 800% better than any product your company makes. Why? Because I can base it on a secure BSD or linux distro that will get updates for security holes on a regular basis. Your product, being china made will never have security releases to fix holes in the underlying Linux OS.

      I have seen and dealt with the junk companies like yours make, Running incredibly old kernels and TCP stacks that have known exploits. The tip off that a CCTV recorder is junk? IT requires Active X to view the web view. That means its based on the old china OS image that has been floating around for well over 6 years now that is so full of holes it's not funny.

      --
      Do not look at laser with remaining good eye.
  6. Re:Banal? by kermidge · · Score: 3, Interesting

    banal - with a small "b": lacking originality, freshness, or novelty

    Using most generic search engines with "define:banal" with or without the colon shoulda pulled that up for you. I think I last used it in conversation a year or two ago. If you like banal, you should check out "jejune."

  7. Re:Are we surprised? by fuzzyfuzzyfungus · · Score: 4, Insightful

    I suspect that there are (at least) two distinct schools of utter fail:

    The professionals, with a legacy in CCTV-as-in-actual-closed-circuit-running-on-private-coax, probably have an attitude much as you describe. The classic CCTV systems were dumb as bricks(not that their designers necessarily were, making largely analog, reasonably high bandwidth systems actually work in practice isn't trivial); but that lack of sophistication served as a strong defense against anybody without a physical tap shoved right into the coax. You just don't develop a very strong culture of caring about remote exploits if your engineering history is almost entirely concerned with systems that are incapable of remote anything, whether you like it or not.

    Then you have the upstarts(either new companies, or rebadged ODM crap sold by existing ones), who design CCTV systems on the premise that a CCTV camera is basically just an embedded linux board with a camera interface, and a record/playback system is basically just an x86 with some sort of h264 hardware and a lousy frontend. These assumptions are not false, and advances in silicon sensors and cheap embedded computers definitely mean that the price is right; but the standards of security excellence in low-cost embedded gear are absolutely fucking dire... These guys should know better, since their designs are 100% post-ubiquitous-networking in concept; but they just don't get paid enough, or enjoy long enough development cycles, to give a damn.

  8. Just "Exploited" It Last Night by clam666 · · Score: 5, Interesting

    I noticed this just last night.

    I live in one of those large, over-priced "planned communities" with the town centre, the gym/tennis courts/water park area, etc. They offer free, open WiFi for people in the gym area, so I was checking some mail and decided to do a little network port scanning and saw a couple dozen systems, printers, routers and such on the network, which I thought was odd, as usually those kind of things aren't on the same network as all the free WiFi junk.

    I'm just idly curious as to what is around, and came across some unusually named servers (ie: default out of the box) and was just connected via web and it brought up the entire security camera console.

    Now there was no "exploiting" going on at all. I just connected to a publically accessible (and offerred) free WiFi point, and browsed a computer name using HTTP, and there I was looking at 4 streaming cameras through a web console, at the gym. Another server (just sitting on the network as well) had all the external cameras for the doors and walkways.

    Now this wasn't just a monitoring console, but the full record/stop recording, pan, zoom, admin console. Sitting out completely available, for anyone to just ping and do whatever they wanted.

    I've honestly never seen anything like it. There wasn't even a password or any security. Not even a "you shouldn't be here" pop up or anything.

    Has anyone ever seen a situation like this? Where a security console wasn't at least locked down to a particular MAC address for monitoring or IP restricted or, God forbid, not on the same network as your customers to randomly browse to?

    --
    I'm a satanic clam.