So this is how on those cop shows they can hack into any camera anywhere.
Not so private eye: Got an Axis network cam? You'll need to patch it, unless you like hackers
Researchers have detailed a string of vulnerabilities that, when exploited in combination, would allow for hundreds of models of internet-linked surveillance cameras to be remotely hijacked. Security biz VDOO said today it privately alerted cam-maker Axis Communications to the seven bugs it found in its gizmos, leading to the …
COMMENTS
-
Tuesday 19th June 2018 12:16 GMT Anonymous Coward
Attack Vector
"To perform the attack, a hacker would first run an exploit for CVE-2018-10661, an authorization bypass that allows the attacker to access /bin/ssid, which runs as root, via unauthenticated HTTP requests."
Being a CCTV installer (Thankfully not one that uses Axis, although I believe their kit is far from the low-level stuff like Dahua and whatnot) - I can't envisage one of our cameras' interfaces ever being exposed to the internet for someone to perform this attack. I'm *NOT* saying this means it's acceptable to have such a vulnerability, but the chances of a camera sitting on an open port-80 even without any known exploits is asking for serious trouble!
-
Tuesday 19th June 2018 13:14 GMT GarethWright.com
Re: Attack Vector
I won't say where (though it's trivial to establish with a little Google foo), but a large number of Axis cams were installed in a new build and linked to the B.M.S.
The cameras were all added to a CCTV module which was compiled with hard-coded credentials...which of course were default. To make matters worse the BMS company (Massive "professional" outfit) installed the cameras and BMS on the same VLAN as the standard traffic. Anyone on the WiFi or plugging into an ethernet port (oh btw they fitted active ones in the loos) can simply load up the Axis camera management tools and discover and access every camera on the network without needing any CVEs at all.
So yeah....plenty of places with Attack Vectors, some places are worse and have them on the internet
https://www.shodan.io/search?query=AXIS
-
Wednesday 20th June 2018 07:54 GMT Adam JC
Re: Attack Vector
Genuine question, what possible need would you have to expose an IP camera to the internet other than in standalone configuration? I also install CCTV and the IP cameras themselves are usually on an entirely different VLAN & Subnet, with zero outbound access to anything via ACL other than a few manufacturer IPs for firmware updates. (And certainly not accessible in-bound via the internet!) The NVR would be the only device exposed directly to the internet.
-
Tuesday 19th June 2018 12:26 GMT Robert Helpmann??
Security...
... I don't think that word means what you think it means.
Another story about an IoT security device that isn't secure. Good to get the word out. What about those IoT devices that have been verified to be secure? At this point, they would be newsworthy if only for the novelty. What does Google have to say on the matter? A search of "verified secure iot devices" yields 4 ads followed by a page full of academic proposals for methods to secure the world of IoT and various companies trying to sell the same. From what I can see, these devices should be considered inherently insecure and managed as such.
IoT: Insecure at any time
-
Tuesday 19th June 2018 13:52 GMT GnuTzu
Creepy Voyeurs are Getting In
From NPR: S.C. Mom Says Baby Monitor Was Hacked; Experts Say Many Devices Are Vulnerable
https://www.npr.org/sections/thetwo-way/2018/06/05/617196788/s-c-mom-says-baby-monitor-was-hacked-experts-say-many-devices-are-vulnerable
I should say: "be careful what you do around these things", but the consumers that are being preyed upon aren't listening.
-
Tuesday 19th June 2018 22:43 GMT MasterofDisaster
Automated patch management
Have to give some credit to Axis that was not pointed out in the article - they are one of the leaders (along with Viakoo) for developing automated ways of updating firmware on cameras. The reality of surveillance cameras is they have been "set it and forget it" for a long time, and the idea of updating firmware is genuinely new to the industry. Without an automated firmware update mechanism camera vendors may as well not bother; it's unrealistic to have the facilities guy on a ladder with a USB updating the hundreds/thousands of cameras across a large enterprise.