Police surveillance cameras and equipment easy to hack into
May 4, 2011
As an Internet security penetration tester hired to legally hack into the digital fortresses of Fortune 1000 casinos, banks and energy companies, Kevin Finisterre has hacked electronic cash boxes, geologic-survey equipment and a few utility stations.
But one of his most unusual hacking attempts came during a recent assignment, testing the security of a US-based municipal police department. After scanning several IP addresses used by the city, he soon discovered they connected directly into a Linux device carried in police cruisers.
Using little more than FTP and telnet commands, he then tapped into a digital video recorder used to record and stream audio and video captured from gear mounted on the police cruiser's dashboard.
He was shocked by the resulting live feed that eventually appeared on his computer screen. “There was a police officer in his vehicle heading somewhere in traffic in the middle of the day,” said Finisterre, who is principal of security consultancy Digital Munition. “He was clearly trying to respond to an incident or go where he was told to go, in a hurry, and I was able to see this in real time.”
The account underscores the overlooked risks that come with technology designed to give authorities minute-by-minute situational awareness about the emergencies to which their officers are responding on any given day.
And while real-time audio and video feeds from cars often provide senior police officials with crucial and relevant information about what's happening during traffic inquiries, the devices often make that intelligence available to anyone with a standard Internet connection, and that's where all the issues begin. Shouldn't that information be kept confidential at all times?
In Finisterre's observations, he was able not only to tap the live feeds coming from the two separate cameras mounted on the police cruiser, but also to control the hard drive of the DVR. Using default passwords that were hardcoded into the DVR's FTP server and disclosed in support manuals, he was able to upload, download, and even delete files that stored months' worth of video and audio feeds.
The ability for civilians to secretly spy on police officers responding to emergency and 911 calls could have serious consequences for the officers' own safety and the safety of the public at large. Worse, allowing unauthorized people to view and alter video stored on cruisers could also seriously compromise court cases that rely on the DVRs for legal evidence of a crime, such as a bank robbery or drug trafficking.
“We had very adequately proved the point that we could access the hard drive on the DVR unit and clearly see through the eyes of the camera and hear through the microphones in the car, which was more than enough to let them know that there are things we need to look at on their end to get this stuff cleaned up,” Finisterre said.
The police cruiser that Finisterre successfully penetrated, from a city he declined to name, was equipped with a real-time communications appliance known as the Rocket, provided by Georgia-based Utility Inc. The police department was using the appliance to connect laptops, DVRs and other mobile devices carried in vehicles to the city's computer systems.
But unbeknownst to anyone at the city, the Rocket was making those internal resources available over public IP addresses that anyone could tap into.
Indeed, when Finisterre first came upon those IP addresses, he had no idea what was behind them. An Nmap scan revealed the devices were running what appeared to be an outdated version of Linux that left open ports used for several services, including FTP and Telnet utilities.
He added that IT and system admins had no idea the Rocket, which used mobile connections provided by Verizon Wireless, exposed their internal assets to the world at large.
“If you're making use of a cell phone connection to provide services for what you consider to be a closed operation, you need to make sure you're on a closed network,” Finisterre said. “I don't know that everybody is aware that your services are wide open when you're making use of this Verizon service.”
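The exposure described above is something a department can check for on its own address space. The following is an added example, not code from the article or from either vendor: it reads Nmap grepable output (nmap -oG) from an authorized scan of the fleet's own addresses and reports hosts that answer on FTP or Telnet from a publicly routable IP. The sample scan output, the addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Cleartext services the article names as reachable on the cruiser devices.
CLEARTEXT_SERVICES = {21: "ftp", 23: "telnet"}

# RFC 1918 ranges; an address outside them is treated as publicly routable.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of `nmap -oG` output. The addresses are documentation
# ranges standing in for a fleet's cellular-assigned IPs (assumption).
SAMPLE_GREPABLE = """\
# Nmap scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///
Host: 203.0.113.11 ()\tPorts: 21/filtered/tcp//ftp///, 443/open/tcp//https///
Host: 10.20.0.5 ()\tPorts: 23/open/tcp//telnet///
Host: 198.51.100.7 ()\tPorts: 22/open/tcp//ssh///, 23/closed/tcp//telnet///\tIgnored State: filtered (998)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*)$")

def is_public(addr):
    """True when addr lies outside the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in PRIVATE_NETS)

def exposed_cleartext(grepable):
    """Map each public host to its open FTP/Telnet TCP ports."""
    findings = {}
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment, status-only or malformed line
        host, ports_field = m.groups()
        ports_field = ports_field.split("\t")[0]  # drop "Ignored State" etc.
        open_ports = []
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(parts) < 3 or parts[1] != "open" or parts[2] != "tcp":
                continue  # filtered and closed ports are not reachable services
            if int(parts[0]) in CLEARTEXT_SERVICES:
                open_ports.append(int(parts[0]))
        if open_ports and is_public(host):
            findings[host] = sorted(open_ports)
    return findings

if __name__ == "__main__":
    for host, ports in exposed_cleartext(SAMPLE_GREPABLE).items():
        print(host, [CLEARTEXT_SERVICES[p] for p in ports])
```

Any host this reports is offering a password-in-the-clear login service to the Internet at large; the fix is on the network side (private APN or VPN, no port forwarding to the DVR) as well as on the device.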
Making a bad situation even worse was the cruisers' use of the MDVR.3xx protocol, which is marketed by a variety of websites, including Safetyvision.com, Americanbusvideo.com and Eagleeyetech.com.
A support manual for the device, which Finisterre found through a Google search, told him the password for the DVR's FTP server was “pass.” Even more surprising, there appeared to be a bug in the device's telnet server that allowed him to log into that service with no password at all!
Finisterre said he contacted someone on Utility's support team and told him that the Rocket was exposing the DVR and possibly other devices. The support-team member told Finisterre such exposure was impossible, so the penetration tester said he abandoned all future attempts to bring the insecurity to the company's attention.
Utility CEO and cofounder Robert McKeeman issued the following statement: "What the paper refers to is not a security breach of the Rocket. Our appliance, like any router whether manufactured by Cisco, Juniper Networks or any other, will do port forwarding if configured to do so. In contrast to what the paper says, our client has total control over the Rocket configuration. There is no internal bridging between the cellular and LAN interfaces."
He added: "The ports listed were likely port forwarded to an unsecured DVR. While we agree the DVR should have been better secured, this does not represent a security vulnerability in the Rocket."
Finisterre disagreed with all of that. With the DVR marketed by seven or eight websites, all with different names, Finisterre said he never found the right person to contact about the login bypass vulnerabilities in the DVR device, further compounding the security issues.
A representative at Safetyvision.com said company officials are now looking closely into the report but did not have an immediate comment. "We will update this article if the company provides comment after publication," one official said.
In Finisterre's mind, the whole exercise was proof that neither company is doing enough to help police departments safely lock down their surveillance devices.
“And if you look at the exact wording on Utility's website, or even the DVR website, there's a big disconnect between marketing and what the user actually got,” said Finisterre, who pointed to the companies' promises praising the security of the devices.
"I'm pretty sure my ability as a random user to telnet into your DVR solution and use a default password-- or worse-- no password at all, and potentially delete or remove legal and court evidence is certainly a very big issue in and by itself, and one that needs to be addressed urgently."
Source: Kevin Finisterre.