Perhaps you’ve seen the videos late at night: through a rain swept windshield, a grainy camera image shows a state patrol officer on a lonely road approaching a stopped vehicle, its license plate obscured. The sound is muted, but shouting ensues, and then the driver first attacks the law officer then is on the ground. In a court of law, these videos provide a much needed third-party view of the incident, assuming the chain of custody is well documented. Now all that may be in question because the integrity of the image maybe compromised from a remote connection.
New research this week from Kevin Finisterre of DigitalMunition demonstrates that common Digital Video Recorders (DVR) installed in police cruisers, municipal buses, school buses, and even taxis are open for compromise by anyone with the means to observe the video and audio streams. Finisterre, who was performing a penetration test into municipal resources in an unnamed city, said he gained the ability to see and hear what was happening live inside and outside a police vehicle “because the FTP service had a default password that is located in the user manual.”
And the signals weren’t encrypted. “We were able to use a standard ftp client and download a normal .AVI file. No special codecs were needed it simply played in Quicktime,” Finisterre wrote.
Like any responsible researcher, Finisterre attempted to contact the vendor, however, the same product is sold under a variety of names including: Safety Vision, Eagleye, Fleet Management Inc, School Bus Safety, Costar, Police Video Cameras, American Bus Video, Mobile Video Systems, Vehicle Video Cameras, School Bus Camera and Digital Bus Camera. He suspects that one vendor is ultimately responsible, but Finisterre said he could not confirm that. This left him with only the public disclosure option.
Unfortunately, access to private audio and video streams is becoming common, especially when the system uses unprotected IP addresses.
In my book, When Gadgets Betray Us, I talk about Video over IP systems. Jason Ostrom, director of Sipera Viper Lab, has connected remotely to building surveillance systems. And Adrian Pastor, of GNUCitizen, has done similar research on street-corner surveillance systems in the UK. Together these two researchers demonstrate how a criminal might mask with a static video his or her approach to a building, and their subsequent activities once inside. To anyone monitoring the situation, say a security company or government agency, the street corner and the building would appear to be quiet.
Ostrom has also demonstrated a way to eavesdrop on Voice over IP from the lobby of a corporate campus Here an attacker would need to gain access to a physical phone jack on the network, say the lobby telephone. Using a program that Ostrom developed, VoIP Hopper, an attacker can then emulate a phone handset’s MAC address, leading the VoIP network to think it sees a phone when in reality it is a laptop. Thus, the attacker’s laptop (sitting in the lobby, no less) can engage in Man-in-the-Middle attack, recording voice packets from specific extensions for later reconstruction–unless the VoIP is locked down.
These attacks are not that surprising when you consider they all start with unprotected access. The DVR manufacturer probably wanted to prevent technical support phone calls and e-mail so they printed the FTP password within the manual. Video and Voice over IP systems are designed to integrate with a verity of different systems. From the vendor’s—and the attacker’s—perspective these are easy business decisions: fewer tech support calls. Unfortunately, these decisions may also compromise public safety.
Not all cities have the budget to perform penetration testing, so perhaps systems designed and marketed to protect municipal law enforcement vehicles, buses, and even street corners should be regulated—either by the industry or by the government—to meet certain minimum-security standards. This is one area where “letting the market decide” is not a wise policy.