The IZON surveillance camera sold in Apple Stores and Best Buy outlets is filled with security holes that enable a hacker to easily commandeer the device, a security researcher said.
In this case, the cameras reportedly shipped with a hard-coded default username and password for the administrator account. According to the researcher, logging in with these credentials gave full access to view video and change settings. It’s bad enough when brute force or unknown vulnerabilities are exploited on a camera, but a hard-coded default login? If accurate, that’s inexcusable.
Read the full article here.
Details are sketchy, but the video below purports to show a hacker gaining root access to a WeMo WiFi-controlled switch. The module is part of a family of basic home control products that enable control, triggering, and scheduling of connected devices. Since most applications involve lighting control and other relatively mundane things, the severity of such a vulnerability is low – but in cases where sensitive or potentially dangerous equipment is connected (e.g. computers, amplifiers, space heaters, motors), the risks are much greater. In the demonstration, the hacker causes the WeMo to cycle power to a lamp very rapidly – fine for a traditional light bulb, but potentially damaging to other types of equipment.
A key feature of the WeMo devices is the ability to control them via the Internet using a mobile app, so if the vulnerability can be exploited remotely (as has been reported), the problem is that much worse.
No commentary needed for this one. A great summary of the most notorious and newsworthy data security events of the year…
CIO.com Worst Security Snafus of 2012
As mentioned in a previous post about importing cameras from China, there are some amazingly low-cost recording devices available today. How well do they perform and what can you expect if you decide to order one? In this post, I will share some background and information about one model I brought in to satisfy my own curiosity.
In need of a replacement for my aging GE StoreSafe DVR, I scoured several online resellers in search of a unit that had – at a minimum – D1 recording with H.264 compression, network viewing via a mobile app, and at least four analog inputs. Since the DVR would only be used for a simple home viewing system, my process and criteria were quite a bit different than those used for evaluating commercial products. After identifying several candidates, I settled on this one from AliExpress, due to the large number of positive reviews and the price:features ratio (based on published specs).
The price was an unbelievable $65USD, which included shipping! I placed my order on November 5th, and the unit arrived on December 14th – about average for orders like these.
You can view the most current information online, but here are the specs at the time I ordered:
And here are pictures of what I received:
The heatsink appears to be installed at an odd angle in relation to the chip. I don’t see any reason for it – so I’m calling this a manufacturing defect for now. Other than that, the board layout is nice and clean, with no signs of reworking that I can detect.
The DVR is supplied without a hard drive. I added a spare 320GB SATA drive I had sitting around, but the unit is spec’d to support up to 2TB. Here is a picture of the system with the drive installed:
So far, so good…
Next came the configuration and software installation. More on that in another post…
Following up on my post about industrial controller vulnerabilities, it is now being reported that such hacking has been seen “in the wild” – underscoring the importance of securing these systems as quickly as possible.
From the article: (emphasis added) “Hackers illegally accessed the Internet-connected controls of a New Jersey-based company’s internal heating and air-conditioning system by exploiting a backdoor in a widely used piece of software, according to a recently published memo issued by the FBI.
The backdoor was contained in older versions of the Niagara AX Framework, which is used to remotely control boiler, heating, fire detection, and surveillance systems for the Pentagon, the FBI, the US Attorney’s Office, and the Internal Revenue Service, among many others. The exploit gave hackers using multiple unauthorized US and international IP addresses access to a Graphical User Interface (GUI), which provided a floor plan layout of the office, with control fields and feedback for each office and shop area, according to the memo, which was issued in July. All areas of the office were clearly labeled with employee names or area names.”
The controller was reportedly connected to the internet without a firewall.
FBI Memo: Vulnerabilities in Tridium Niagara Framework Result in Unauthorized Access to a New Jersey Company’s Industrial Control System
It is without the slightest bit of surprise that I share information about a vulnerability discovered in a line of Samsung’s “Smart TVs” that could potentially allow an attacker to view video from a connected camera over the Internet. Additionally, social media credentials may be compromised, and files like pictures and other media residing on attached storage can be accessed or deleted.
The weakness was discovered by ReVuln, the same group that published information about zero-day holes in SCADA equipment just months ago. Here is a link to an article with more information.
With the proliferation of microphones and cameras in all types of consumer electronics, we have only begun to imagine the impact that vulnerabilities like this could have. From industrial espionage to invasions of privacy in the living room, there is no doubt that these devices will be attractive hacking targets for years to come…
As of today, Samsung does not have an update or patch available to address the issues.
I received an email from a reader of my post on IP camera vulnerabilities who reported that a popular brand of DVR was susceptible to a simple authentication bypass attack. He provided proof of concept code and information about the products affected – including an easy method of locating systems connected to the Internet. After reviewing the information, it does appear that sending a specially crafted request to the device via a browser bypasses the remote access login screen, and results in the DVR serving current images from all connected cameras.
I have inquired about whether the company involved is aware of the problem, and will update this post with specifics once I feel it is appropriate to do so.
UPDATE 12-28-2012: Inquiries to the company whose products appear to be affected, Rifatron, were not acknowledged, so I am posting the manufacturer name for the benefit of those who may have purchased these systems. Note that the units may have been sold under other brand names as well.
Without manufacturer assistance – or a large sample to test – I cannot state which specific products/versions are affected. The safest course of action, if you have one of these DVRs exposed on the internet, would be to disconnect it (or move it behind a good firewall) until the manufacturer responds. The hack, which I have chosen not to post, involves a simple URL string, so even a novice can exploit it. Additionally, by searching for the existence of a specific path/file on Google or your favorite search engine, it is possible to identify and differentiate these devices – making it trivially simple to home in on active units.
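The bypass described above follows a pattern that shows up repeatedly in embedded web interfaces: the “login screen” is just one page, and the pages that actually serve images or settings never check for a session themselves, so requesting them directly walks past the login. The following is an added example, not Rifatron’s firmware or the reader’s proof-of-concept code, and the paths, session token, and handler names in it are constructed for illustration. It contrasts that vulnerable design with a dispatcher that denies by default and only exempts explicitly public paths.

```python
# Added illustration of a login-page authentication bypass and its fix.
# Not vendor code; every path, token and handler below is constructed.
import hmac
from typing import Callable, Dict, Tuple

Response = Tuple[int, str]                       # (HTTP status, body)
Handler = Callable[[Dict[str, str]], Response]   # request headers -> response

VALID_SESSION = "session-token-abc"              # constructed sample session cookie


def snapshot(_headers: Dict[str, str]) -> Response:
    return 200, "JPEG bytes of all connected cameras"


def settings(_headers: Dict[str, str]) -> Response:
    return 200, "DVR settings page"


def login_page(headers: Dict[str, str]) -> Response:
    if headers.get("Cookie") == VALID_SESSION:
        return 302, "redirect to /index.html"
    return 200, "login form"


# Constructed route table shared by both dispatchers below.
ROUTES: Dict[str, Handler] = {
    "/login.html": login_page,
    "/snapshot.cgi": snapshot,
    "/settings.html": settings,
}


# --- Vulnerable design -------------------------------------------------
# Only the login page "knows" about authentication.  Every other route is
# served as soon as its path is requested, so anyone who knows or guesses
# the image path never sees the login form at all.
def vulnerable_dispatch(path: str, headers: Dict[str, str]) -> Response:
    handler = ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    return handler(headers)


# --- Hardened design ---------------------------------------------------
# Authorization is a property of the dispatcher, not of individual pages:
# every path is private unless it is explicitly listed as public.
PUBLIC_PATHS = {"/login.html"}


def is_authenticated(headers: Dict[str, str]) -> bool:
    # compare_digest avoids leaking the token length/prefix via timing.
    return hmac.compare_digest(headers.get("Cookie", ""), VALID_SESSION)


def hardened_dispatch(path: str, headers: Dict[str, str]) -> Response:
    handler = ROUTES.get(path)          # same handlers, different gate
    if handler is None:
        return 404, "not found"
    if path not in PUBLIC_PATHS and not is_authenticated(headers):
        return 401, "authentication required"
    return handler(headers)


if __name__ == "__main__":
    # An unauthenticated request for the camera image against each design.
    print("vulnerable:", vulnerable_dispatch("/snapshot.cgi", {}))
    print("hardened:  ", hardened_dispatch("/snapshot.cgi", {}))
    print("hardened+cookie:",
          hardened_dispatch("/snapshot.cgi", {"Cookie": VALID_SESSION}))
```

The point of the hardened version is that adding a new page cannot accidentally create a new bypass: a forgotten check in one handler is the whole bug in the first design, while in the second the only way to expose a path is to add it to the public list on purpose. When auditing a DVR or camera that you cannot patch, the same logic applies from the outside: request each known resource without a session and confirm it returns 401/redirect rather than content.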