With the camera in place, he launched an exploit that tweaked the administrator's view to show the bottle, safe and sound while he "stole" the bottle. "What can I do to the camera itself? I can modify the video stream, the classic Hollywood hack." He finished up with a real-world demonstration, setting up a camera to protect a bottle of beer on the speaker's table. "But let's take a step back," Heffner continued. "Not a bad position! I have root-level control of a Linux-based machine inside your network." "I'm in your network, I can see you, and I'm root," he said. Heffner pointed out that most security cameras are connected to the office network. And because firmware so rarely gets updated, vulnerabilities from several years ago are still subject to exploit. He pointed out that there's a huge re-use of code between a company's own models and also between companies, so these vulnerabilities cover a lot of cameras. In the end, Heffner gained access at the root level to every camera. "The problem with secret hard-coded passwords and secret backdoors," said Heffner, "is that they don't stay secret." "It just runs anything you give it, and it will send you a response." In several cases he found administrator login credentials hard-coded in the firmware. "I dubbed this the Ron Burgundy exploit," quipped Heffner. Without going into the gory low-level details, in every case he found a way to run arbitrary commands remotely. Heffner evaluated cameras from D-Link, Linksys, Cisco, IQInvision, and 3SVision. That resulted in some interesting calls from my former employer." Heffner clarified that all of the research going into this presentation was performed for his current employer, not the NSA. "Some claimed that this presentation is based on work I did for the NSA. "The news stories talked a lot about the fact that I used to work for a three-letter agency," said Heffner. Presenter Craig Heffner is a Vulnerability Researcher with Tactical Network Solutions, but he's had other jobs. Hey, weren't they supposed to give you better security? A hacker could well get full access to the network through your cameras. In truth, if you've got security cameras in your office or business, this hack is the least of your worries. A Black Hat conference presentation demonstrated how incredibly simple that hack can be on a modern Internet-connected security camera. The crime team needs to get through an area that's covered by security cameras, so they hack into the security system to make the camera show an empty hallway. It's a standard scene in most heist movies. How to Set Up Two-Factor Authentication.How to Record the Screen on Your Windows PC or Mac.How to Convert YouTube Videos to MP3 Files.How to Save Money on Your Cell Phone Bill.How to Free Up Space on Your iPhone or iPad.How to Block Robotexts and Spam Messages.“If not taken care of, the weak state of IoT security increases the number of vulnerabilities and attack vectors which could soon massively affect users’ privacy and personal life,” the report warned. “Paired with the fact that the bug affects the authentication mechanism and the massive pool of affected devices, we can only imagine the impact a harvested botnet of devices might have,” the report’s authors said. The report said that the proof of concept attack confirms once again that most Internet of Things devices are trivial to exploit because of improper quality assurance at the firmware level. “A bug in the authentication mechanism allows a remote attacker to completely take control and run commands on the vulnerable devices and turn them into a zombie army ready to trigger the next Mirai or to become tools of mass surveillance in users’ homes,” said Bogdan Botezatu, senior e-threat analyst at BitDefender. Read more: Cyber-savvy consumers support IoT security by design Vulnerable cameras indicative of fragile IoT security We estimate that the real number of unique devices is around 175,000,” the report said. “These are not necessarily the same devices, as some have only one service forwarded. The company said that it had found between 100,000 and 140,000 devices when searching for the HTTP web server, and a similar number when searching for the RTSP server (both vulnerable). This type of vulnerabilities is also present on the gateway which controls the sensors and alarms. Researchers said that the two cameras, the iDoorbell model and NIP-22 model, contain several buffer overflow vulnerabilities that could allow, under certain conditions, remote code execution on the device. Nearly 200,000 security cameras connected to the internet sport a security vulnerability that can allow hackers to control them remotely.Īccording to a report published by IT security company BitDefender, two flaws have been discovered in two cameras in Chinese manufacturer Shenzhen Neo Electronics’ NeoCoolCam range.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |