[ISN] Sneaky White Hats Pull Surveillance Cam Switcheroo

From: InfoSec News (alerts@private)
Date: Mon Oct 01 2007 - 23:00:10 PDT


http://www.wired.com/politics/security/news/2007/10/camera_hack

By Ryan Singel
Wired.com  
10.01.07

If you've seen a Hollywood caper movie in the last 20 years you know the 
old video-camera-spoofing trick. That's where the criminal mastermind 
taps into a surveillance camera system and substitutes his own video 
stream, leaving hapless security guards watching an endless loop of 
absolutely-nothing-happening while the bank robber empties the vault.

Now white-hat hackers have demonstrated a technique that neatly 
replicates that old standby.

Amir Azam and Adrian Pastor, researchers at London-based security firm 
ProCheckUp [1], discovered that they can redirect what video file is 
played back by an AXIS 2100 surveillance camera, a common industrial 
security camera that boasts a web interface, allowing guards to monitor 
a building from anywhere in the world.

Internet voyeurs have already discovered how to use search engines to 
find and view [2] video of surveillance cameras that are ostensibly 
private, but this attack seems to be the first that actually lets an 
outsider control a camera's playback.

This hack (.pdf) [3] works by combining a few vulnerabilities in how the 
camera's accompanying software accepts input -- a type of security hole 
known as cross-site scripting, or XSS.

In this case, the attacker first sends some malformed information -- 
which is actually JavaScript -- to the camera's web server, which then 
writes that information to the log files. When the camera's 
administrator checks the logs, the JavaScript executes, creating a new 
user account and e-mailing the attacker that the new account has been 
created.
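
The step above works only because the log viewer inserts attacker-supplied 
request text into an admin page as HTML. The following is an added example, 
not code from the article or from ProCheckUp's research: a log viewer that 
encodes log content before display and flags entries carrying markup. The 
log format, function names and sample lines are constructed assumptions.

```javascript
// Added example: an admin log viewer that treats log content as untrusted.
// Log format and sample lines are constructed for illustration.
const SAMPLE_LOG = [
  "[01/Oct/2007:10:00:01] 192.0.2.10 GET /view/index.shtml 200",
  "[01/Oct/2007:10:00:07] 192.0.2.66 GET /<script>alert(1)</script> 404",
  "[01/Oct/2007:10:00:09] 192.0.2.66 GET /%3Cimg%20src=x%20onerror=alert(1)%3E 404",
];

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can open a tag, an attribute value or an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak pattern: raw log text becomes part of the page markup, so any tag
// stored in the log is interpreted by the administrator's browser.
function renderLogUnsafe(lines) {
  return "<pre>" + lines.join("\n") + "</pre>";
}

// Corrected pattern: the same lines, output-encoded, display as inert text.
function renderLogSafe(lines) {
  return "<pre>" + lines.map(escapeHtml).join("\n") + "</pre>";
}

// Percent-decode for inspection only; malformed sequences fall back to raw text.
function decodeForInspection(line) {
  try { return decodeURIComponent(line); } catch (e) { return line; }
}

// Tags, javascript: URLs and inline event handlers have no place in a request log.
const MARKUP = /<\s*\/?\s*[a-z!][^>]*>|javascript:|\bon[a-z]+\s*=/i;

// Return the entries (1-based line numbers) worth a closer look before
// anyone opens the log in a browser.
function flagSuspicious(lines) {
  return lines
    .map((text, i) => ({ line: i + 1, text }))
    .filter((e) => MARKUP.test(e.text) || MARKUP.test(decodeForInspection(e.text)));
}

console.log(renderLogSafe(SAMPLE_LOG));
console.log(flagSuspicious(SAMPLE_LOG).map((e) => e.line));
```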

From there the attacker can simply change the HTML on the camera viewing 
page to secretly point the playback screen to another video file -- one 
that can even be hosted on another web site.

The snag in this scenario is getting the person who administers the 
camera to check the log files, but Azam and Pastor suggest that could be 
done by first targeting the camera with a flood of traffic to briefly 
impede its service. The camera's administrator would then likely check 
the logs to look for error codes, thus inadvertently triggering the 
exploit.

The sophisticated switcheroo can be seen in this video [4], where an 
Axis 2100 camera's playback is replaced by a small spinning globe (you 
must watch closely to see the change).

Web-enabled cameras, such as those sold by Axis, are increasingly 
popular for security applications since they can be accessed by the 
administrator from any internet connection, which distinguishes them 
from more traditional, analog cameras which operate on their own wires 
and have fewer features.

The AXIS 2100 is an older model that is no longer supported by the 
maker. But Azam and Pastor say the vulnerability points to the kind of 
flaws that can show up on any device attached to a computer network, and 
that holes in older software may find their way into newer software 
since companies routinely reuse code.

A spokesperson for Axis [5] was not immediately available for comment.

[1] http://procheckup.com/
[2] http://www.mydigitallife.info/2006/11/27/hack-to-search-and-view-free-live-webcam-with-google-search/
[3] http://www.procheckup.com/Vulnerability_Axis_2100_research.pdf
[4] http://www.youtube.com/watch?v=Hd3YzxQTQ1U
[5] http://www.axis.com/


This archive was generated by hypermail 2.1.3 : Mon Oct 01 2007 - 23:21:53 PDT