Hacking Security Cameras

Clever:

If you've seen a Hollywood caper movie in the last 20 years you know the old video-camera-spoofing trick. That's where the criminal mastermind taps into a surveillance camera system and substitutes his own video stream, leaving hapless security guards watching an endless loop of absolutely-nothing-happening while the bank robber empties the vault.

Now white-hat hackers have demonstrated a technique that neatly replicates that old standby.

Amir Azam and Adrian Pastor, researchers at London-based security firm ProCheckUp, discovered that they can redirect what video file is played back by an AXIS 2100 surveillance camera, a common industrial security camera that boasts a web interface, allowing guards to monitor a building from anywhere in the world.

Posted on October 8, 2007 at 6:39 AM • 27 Comments

Comments

Voyeur • October 8, 2007 7:00 AM

"Fredrik Nilsson, Axis's general manager in the U.S., stressed that the Axis 2100 was phased out three years ago and that newer cameras include more advanced security features, such as IP filtering that prevents outside access to cameras."

I hope the latest cameras have more security than IP filtering.

I suspect that lots of cameras have been hooked up on the net because the owner doesn't care whether somebody looks or not. Perhaps that will have to change now.

Woo • October 8, 2007 7:57 AM

So, reality finally catches up with fiction..
Considering the number of IP cameras hanging around on the web (googling for axis network camera turns up quite some hits after the first few sales pages) I wonder why it took so long.

Old Bob • October 8, 2007 8:55 AM

So maybe the solution is to program little robots to move around in view of the camera, according to a varying schedule that the camera watchers know.

DBH • October 8, 2007 8:59 AM

How about a clock in front of each calendar? Maybe with date?

Or maybe a 'camera check' light that flashes when the guard pushes a button...

Of course, those might be spoofed too, but now getting more difficult, more hacking involved.

janantha • October 8, 2007 9:00 AM

IP filtering isn't enough.. you can easily spoof and get into the network.. A simple google keyword search can bring up a lot of AXIS cams that are online..

I think the main thing to point out is the term "Security Audit" which is normally included in the NSP. You got to audit the security implemented otherwise it won't be effective. In an audit you can find the holes and open threats for which solutions can be developed.

Probably the best way is to have IP filtering plus another mechanism to authenticate the remote user.. An authenticator?

As Bruce says we need a changing part which is totally unique and random..

Adrian Pastor • October 8, 2007 9:15 AM

Just wanted to mention that IP filtering won't mitigate the attack completely as CSRF attacks actually make the *victim* do something that would benefit the attacker.

So if the admin can connect to the camera's IP all you do in your CSRF exploit is disable the IP filtering functionality :-)

jdege • October 8, 2007 9:35 AM

Why, exactly, would viewing the log file result in executing javascript that was written to the log file?

Nyhm • October 8, 2007 10:08 AM

This is an off-topic rant, but who else is sick of Web-based "software" products? No company should ever _boast_ that their product has a Web interface, especially when security is a prime factor.

The Web is great for many things (such as this blog!), but I'd rather have a real application to do anything serious. Then again, Web applications are automatically distributed and essentially platform independent. On second thought, please disregard this rant.

Bob • October 8, 2007 10:25 AM

@jdege
I imagine the log file is HTML, and the software writes to it without escaping tags.

jdege • October 8, 2007 11:26 AM

The problem isn't that the log file is HTML, or that the software is writing to the log file without escaping tags, but that the logfile viewer is executing arbitrary code. A logfile viewer should display the contents of the log file, period.
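The exchange between Bob and jdege above, as an added example that is not part of the original thread and is not the camera's own code: a web log viewer that pastes request-derived log text into its page versus one that encodes it as data. The log format and all function names are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample log; the format is an assumption. The second entry
# carries markup in a request-derived field (the requested path).
SAMPLE_LOG = [
    "Oct  8 06:39:01 httpd: GET /view/index.shtml 200",
    "Oct  8 06:39:07 httpd: GET /<script>alert(1)</script> 404",
    "Oct  8 06:40:12 httpd: GET /admin/log.shtml 200",
]

def render_log_unsafe(lines):
    """Log text pasted into the admin page as-is (the behaviour Bob guesses at)."""
    return "<pre>" + "\n".join(lines) + "</pre>"

def render_log_escaped(lines):
    """Log text encoded as data, so the page can only display it."""
    return "<pre>" + "\n".join(html.escape(line) for line in lines) + "</pre>"

class PageInspector(HTMLParser):
    """Collects what an HTML parser makes of a page: elements and visible text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.elements, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.elements.append(tag)

    def handle_data(self, data):
        self.text.append(data)

def inspect_page(page):
    """Return (element names, visible text) for a rendered log page."""
    inspector = PageInspector()
    inspector.feed(page)
    inspector.close()
    return inspector.elements, "".join(inspector.text)

if __name__ == "__main__":
    for render in (render_log_unsafe, render_log_escaped):
        elements, text = inspect_page(render(SAMPLE_LOG))
        print(render.__name__, elements, text == "\n".join(SAMPLE_LOG))
```

In the unescaped page the parser finds a `script` element that came from the log; in the escaped page it finds only the viewer's own `pre`, and the visible text is byte-for-byte the log.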

Chris • October 8, 2007 1:05 PM

For those that wish to implement IPVS cameras, they should be secured using IT security standard best-practices. IPSEC/SSL VPNs, VLANs, and strong authentication should be implemented in front of the IPVS solution just like almost any other remotely accessed resource.

I don't feel that it's an IPVS issue. It's more of a best-practices issue. ANY device (such as a web server, file server etc.) that one would consider attaching directly to the web is asking for trouble. An IPVS camera should not be treated any differently.

Chris • October 8, 2007 1:15 PM

An addendum to my above comment: Inherent security within the code itself is an issue across the board with most IPVS vendors. The primary security issue is that many of these cameras are posted wide open on networks without basic practices ever considered to secure it.

Hope this clears it up a bit.

Andrew • October 8, 2007 1:47 PM

There's a reason why control rooms have the time and date showing above the screen in big letters . . . it's a time stamp for the covert camera.

Just saying.

Zytheran • October 8, 2007 6:20 PM

Wait a sec..it's a digital camera!? How are these things meant to stand up in court? I would have thought there is at least a unique time stamped running cipher putting some sort of digital signature on the image just so you can actually prove *when* it was taken? And that the image came from a certain camera?
I would have thought establishing the validity of a video stream from a date/time point of view had long been sorted out in court when this stuff is used as evidence?
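A sketch of the kind of time-stamped, chained authentication Zytheran describes, added here as an example; it is not from the original thread and is not something the page says any Axis camera does. It uses a shared-key HMAC as a stand-in for a digital signature (a third party such as a court would need an asymmetric signature instead), and the key, camera name, frame bytes and one-frame-per-second rate are all constructed assumptions.

```python
import hashlib
import hmac
import struct

GENESIS = b"\x00" * 32  # chain start value (assumption)

def tag_frame(key, camera_id, seq, ts, frame, prev_tag):
    """MAC binding a frame to its camera, sequence number, time and predecessor."""
    cid = camera_id.encode()
    header = struct.pack(">H", len(cid)) + cid + struct.pack(">QQ", seq, ts)
    body = header + prev_tag + hashlib.sha256(frame).digest()
    return hmac.new(key, body, hashlib.sha256).digest()

def sign_stream(key, camera_id, frames, start_ts):
    """Camera side: tag each frame; one frame per second is assumed."""
    records, prev = [], GENESIS
    for seq, frame in enumerate(frames):
        prev = tag_frame(key, camera_id, seq, start_ts + seq, frame, prev)
        records.append({"seq": seq, "ts": start_ts + seq, "frame": frame, "tag": prev})
    return records

def verify_stream(key, camera_id, records, max_gap=2):
    """Recorder side: return (index, reason) for every record that fails."""
    problems, prev, last_ts = [], GENESIS, None
    for i, r in enumerate(records):
        want = tag_frame(key, camera_id, r["seq"], r["ts"], r["frame"], prev)
        if r["seq"] != i:
            problems.append((i, "sequence"))
        elif not hmac.compare_digest(want, r["tag"]):
            problems.append((i, "bad tag"))
        elif last_ts is not None and not 0 < r["ts"] - last_ts <= max_gap:
            problems.append((i, "timestamp"))
        prev, last_ts = r["tag"], r["ts"]
    return problems

def looped_copy(records, loop_len):
    """Constructed tampering: the tail is replaced by renumbered early frames."""
    out = [dict(r) for r in records[:loop_len]]
    for i in range(loop_len, len(records)):
        old = records[i % loop_len]
        out.append({"seq": i, "ts": records[i]["ts"],
                    "frame": old["frame"], "tag": old["tag"]})
    return out

KEY = b"constructed-demo-key-not-a-real-secret"
FRAMES = [b"frame-%d" % n for n in range(6)]  # stand-ins for JPEG bytes
GOOD = sign_stream(KEY, "lobby-cam", FRAMES, 1191825540)
LOOPED = looped_copy(GOOD, 3)
```

The check only helps if the key is held somewhere the camera's web interface cannot reach and the recorder or viewer actually verifies the tags before displaying or storing the frames.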

Matt from CT • October 8, 2007 6:59 PM

@Zytheran

It's a corollary of the 17 hour rule.

Most police agencies / corporate security do not have time to investigate relatively minor offenses or breaches for more than 16 hours (2 working days). If you can frustrate the investigators that long, they'll move on to something else -- and figure you'll trip up later and they'll pinch you on that offense and connect you back to unsolved cases.

Similarly, Defense resources are not unlimited either and for minor stuff unless you have really deep pockets you're not going to be able to spend the money on experts to deeply challenge the integrity of the evidence. Yes, your attorney and his investigators should make sure ordinary care was exercised in the handling of the evidence...but they're not going to be spending money to raise doubt whether a movie-worthy scenario like this could've possibly occurred.

Martin • October 9, 2007 1:27 AM

"If you've seen a Hollywood caper movie in the last 20 years..."

Actually the trick is much older than that. I believe it was used in "The Italian Job", released in 1969. And I wouldn't be surprised if there were earlier examples.

Terry Cloth • October 9, 2007 12:17 PM

You don't need a hack to do this. There are a number of cases of wrong accusations because an ATM's video timestamp was wrong.

It's easy---the crime was at 10:03:22 (that's the time of the ATM transaction). Just look up that timestamp on the video tape and Hey, presto! Undeniable evidence that the wrong person did it. Except 10:03:22 wasn't when you thought it was.

This example shows a three-minute delta:

http://archives.neohapsis.com/archives/risks/2003/0029.html

That's the only one I can put my hands on at the (which?) minute, but there are others where the time was off an hour or more. The one above concerns a murder, but more frequently the crime is ATM fraud (surprise!).

MTS • October 9, 2007 1:00 PM

This is quite interesting, but a malicious hacker would have to prepare a video file to use in place of the live feed. In order to make the pre-recorded video look like the live feed the general time of day (assuming it was an outdoor camera) in the video file would have to coincide with the actual time that the feed was being viewed.

Since this hack relies on the administrator checking the logs... I'd say that matching up the times would be pretty difficult.

Kee Hinckley • October 10, 2007 9:51 AM

At least one generation of Axis cameras shipped with the "email-a-photo-every-n-minutes" turned off, but with a default email address set to my domain (somewhere.com). Needless to say, dozens of customers accidentally turned the feature on, but neglected to change the email address. No opportunities for me to change the feeds, but I did get to monitor the inside of at least one jewelry store. :-)

Chris • October 10, 2007 9:55 AM

Good point. It goes back to the proper use and setup of the IP video surveillance solution. IPVS cameras can record in several formats depending on the vendor and management software that is used. If the management software records to avi, mpeg, or other highly editable format it will likely only be admissible as circumstantial evidence if at all.

To address this IPVS management software vendors will record to a proprietary format that can only be viewed from their solution and cannot be edited.

In many scenarios the IT staff is assigned to install and configure the cameras. While they can certainly handle the network infrastructure they're not usually the right people to determine the configuration from a security perspective. Hence simple things like time synchronization get missed.

Any organization that wishes to have a surveillance solution installed should have a qualified and experienced consultant who understands IT and physical security as well as the business need.

windu8888 • October 12, 2007 10:37 PM

Yup, I guess you're right, I try and I always fail. Maybe security cameras now have better protection than 5 years ago. The most people find is how to hack the webcam in the chat rooms. Maybe you have a better idea.....
Thanks

handsome • December 17, 2010 6:00 PM

Hi friends,
I find the security cameras thousands IP address, a little time spent on the Internet. But some of them are encrypted. For example 92.112.80.36 is there anybody can hack this security camera password? If someone can crack this password then I will give to him thousands camera IP address. Good deal? :))


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.