http://www.wired.com/politics/security/news/2007/10/camera_hack By Ryan Singel Wired.com 10.01.07 If you've seen a Hollywood caper movie in the last 20 years you know the old video-camera-spoofing trick. That's where the criminal mastermind taps into a surveillance camera system and substitutes his own video stream, leaving hapless security guards watching an endless loop of absolutely-nothing-happening while the bank robber empties the vault. Now white-hat hackers have demonstrated a technique that neatly replicates that old standby. Amir Azam and Adrian Pastor, researchers at London-based security firm ProCheckUp [1], discovered that they can redirect what video file is played back by an AXIS 2100 surveillance camera, a common industrial security camera that boasts a web interface, allowing guards to monitor a building from anywhere in the world. Internet voyeurs have already discovered how to use search engines to find and view [2] video of surveillance cameras that are ostensibly private, but this attack seems to be the first that actually lets an outsider control a camera's playback. This hack (.pdf) [3] works by combining a few vulnerabilities in how the camera's accompanying software accepts input -- a type of security hole known as cross site scripting, or XSS. In this case, the attacker first sends some malformed information -- which is actually JavaScript -- to the camera's web server, which then writes that information to the log files. When the camera's administrator checks the logs, the JavaScript executes, creating a new user account and e-mailing the attacker that the new account has been created. >From there the attacker can simply change the HTML on the camera viewing page to secretly point the playback screen to another video file -- one that can even be hosted on another web site. The snag in this scenario is getting the person who administers the camera to check the log files, but Azam and Pastor suggest that could be done by first targeting the camera with a flood of traffic to briefly impede its service. The camera's administrator would then likely check the logs to look for error codes, thus inadvertently triggering the exploit. The sophisticated switcheroo can be seen in this video [4], where an Axis 2100 camera's playback is replaced by a small spinning globe (you must watch closely to see the change). Web-enabled cameras, such as those sold by Axis, are increasingly popular for security applications since they can be accessed by the administrator from any internet connection, which distinguishes them from more traditional, analog cameras which operate on their own wires and have fewer features. The AXIS 2100 is an older model that is no longer supported by the maker. But Azam and Pastor say the vulnerability points to the kind of flaws that can show up on any device attached to a computer network, and that holes in older software may find their way into newer software since companies routinely reuse code. A spokesperson for Axis [5] was not immediately available for comment. [1] http://procheckup.com/ [2] http://www.mydigitallife.info/2006/11/27/hack-to-search-and-view-free-live-webcam-with-google-search/ [3] http://www.procheckup.com/Vulnerability_Axis_2100_research.pdf [4] http://www.youtube.com/watch?v=Hd3YzxQTQ1U [5] http://www.axis.com/ __________________________________________________________________ CSI 2007 is the only conference that delivers a business-focused overview of enterprise security. It will convene 1,500+ delegates, 80 exhibitors and features 100+ sessions/seminars providing a roadmap for integrating policies and procedures with new tools and techniques. Register now for savings on conference fees and/or free exhibits admission. - www.csiannual.com
This archive was generated by hypermail 2.1.3 : Mon Oct 01 2007 - 23:21:53 PDT