
Zero-Day Bug Allows Hackers to Access CCTV Surveillance Cameras - arayh
https://threatpost.com/zero-day-bug-allows-hackers-to-access-cctv-surveillance-cameras/137499/
======
ianlevesque
Calling the second one a bug is ridiculous. “If the file /tmp/moses/ exists on
the file system then an unauthenticated remote attacker can list all of the
non-admin users and change their passwords“. That functionality is way too
intentional.

~~~
bonestamp2
Not to mention the name "moses". Definitely intentional.

------
dralley
Ah, security cameras. Never-updated linux boxes, frequently with homegrown
http servers, often with secret hardcoded credentials in clear text laying
around in the firmware blob.

[https://www.youtube.com/watch?v=B8DjTcANBx0](https://www.youtube.com/watch?v=B8DjTcANBx0)

------
yongjik
Somewhat off-topic:

Recently I watched a news segment in Korea about CCTVs connected to the
internet without proper security: so many were wide open, and some could even
record sound and play it real-time, and their lists were plainly accessible on
some websites. The reporter said that the government had responded by
_blocking these websites from the Korean internet_ but people still found ways
to access them via VPN.

As if that's the crux of the problem.

The mind boggles.

~~~
jimmaswell
There is or was a subreddit for linking to such potentially unintentionally
accessible live feeds. One way to find them was to google certain
terms/directory structures/page names that the viewing pages contained.
Sometimes they even had panels that let you control the camera's direction.

~~~
uremog
That is also what shodan is about.

> Shodan is the world's first search engine for Internet-connected devices

------
pmlnr
Doesn't CCTV stand for close circuit television? It shouldn't be applied when
these are rather obviously not closed at all.

~~~
justtopost
Agreed, but it has become a holdover catch-all term roughly meaning
'permanantly affixed, security camera' no matter the actual tech. I suspect
many built for the purpose still use ccd detectors, but I lack domain
knowledge in this case.

------
classichasclass
My house security and automation systems are all behind a firewall and access
to them is proxied, including the video feed concentrator for the security
cameras. I've had folks call this overkill but I won't directly expose any
IoT-like thing to the Internet these days.

~~~
pmlnr
Unless you left upnp enabled, in which case all precations are useless.

~~~
Piskvorrr
Tell me, Mr. Anderson: what good is UPnP, if the firewall blocks it?

------
moftz
“It’s unfortunate, but each camera will need to be updated manually by users,”

So most people aren't going to bother unless they get an alarming email from
the manufacturer (assuming they even have a list of customer email addresses).
Although these appear to be DVR systems for commercial use so it's more likely
that a business would have a service contract with someone to manage these
things. The service vendor would probably be more inclined to patch the thing
than the business owner would.

------
teddyh
Any Internet-connected device is, in fact, a server, and must be seen and
managed as one. This means strict control of installed services and, first and
foremost, regular _updates_ of all its software components (including
firmware). If you acquire and install such a server which either can’t be
updated or one which you know, realistically, won’t get any updates six months
after installation, that’s asking to lose.

~~~
SpaceManiac
In my experience, keeping software and firmware aggressively up to date is far
more likely to randomly break functionality and workflow and require my time
and effort to fix than doing nothing and crossing my fingers I'm not subject
to a zero-day. I can't even imagine how annoying this would be for someone
without technical know-how. I think manufacturers who seem desperate to trick
users into installing updates could go a long way by reducing the associated
dread.

~~~
teddyh
If you don’t update, you _will_ be subject to an exploit, and you and your
devices will then possibly be unwitting members of (possibly multiple)
botnets.

Not updating for X days just increases the risk from only zero-day exploits to
the risks of X-or-less-days exploits.

------
exikyut
I look at mainstream security devices.

I look at cheap camera modules and Linux boards.

I look some more at the mainstream security devices.

I look again at the cheap cameras and Linux boards.

Sadly, security cameras are among the most hackable targets on the Internet,
because You™ haven't released that competitive solution you've been thinking
about that prioritizes security over unnecessary bells and whistles. When you
do, you'll corner that vocal fraction of the community you've always been
wanting to meet.

It doesn't have to be a bureaucratic, incoherent, legacy-burdened headache
built from clipboard-remixed vendor samples. Linux, no blobs, a couple
lightweight services; and you're done. Remote access in the palm of your hand?
Too easy. Anything is possible when you design without agendas.

\--

Your plaintext passwords (which were also using in two other places - argh)
just leaked from a vendor's stolen cloud database.

A HTTP URL hack that dumps the root password into the browser window surfaced
seven months ago.

------
janci
Having a CCTV on public IPs is calling for trouble.

------
m-p-3
Seriously folks... put all those cameras behind firewalls, and only grant
access to them over a VPN.

~~~
xoa
It’s not a bad idea to stick them on their own VLAN as well, with access
exclusively to the NVR and/or specific management devices. Their only purpose
is to feed video back to specific systems, why let anything else touch them at
all?

~~~
bonestamp2
Agreed, all my IoT stuff has its own separate network with its own access
point.

~~~
xoa
If you've got more mid-range network gear you might consider setting up a
simple RADIUS system and switching to 802.1x auth (with just a basic guest
portal or something for visitors) and per-port VLAN control as necessary.
Makes it very convenient to segment out and isolate IoT, video, and VoIP into
their own independent segments, best practice not just for security but
performance and functionality as well. While it takes a bit more setting up
it's also interesting and adds safety and versatility over time, plus you
don't need any extra gear or cable. Worth a bit of consideration anyway if you
have time and/or enjoy that sort of thing, along with a decent local VPN
setup. The latter should also become even better over the next few years as
WireGuard support spreads.

------
fixermark
As opposed to all other days, where simple misconfiguration allows hackers to
access CCTV surveillance cameras.

(obligatory [https://www.shodan.io/](https://www.shodan.io/) link ;) )

------
qrbLPHiKpiux
They were all open via Shodan years ago.

------
mavhc
Is there anyone selling CCTV cameras with good software?

~~~
Rjevski
Ubquiti Unifi is one.

------
kakarot
Come on, who hasn't penetrated a poorly-guarded CCTV system in their time?
That's like hacker 101

