A row has broken out between a supplier of secure CCTV products and a whistle blower who discovered a vulnerability with the company's products that allowed world+dog to view static images from any camera connected to its servers. The flaw affects The LookC 4x4 server and Pro IX server, some of which are installed in primary and …
"Stephens could not be reached for comment in response to LookC's threats at the time of going to press on Friday afternoon (19 September)."
Probably best all round whenever Golightly loses the plot and turns heavy.
Turn off your LookC camera or be liable for its flaws
Turn off your LookC camera, because they apparently have a security hole in them and you are exposing yourself to legal liability by using it now that you've been told they have the vulnerability.
You don't know if they're secure now, or if LookC are just threatening researchers to conceal the insecurities. All you know is they *had* or *have* a security hole and tried to cover it up with threats and false accusations made to the police.
Their statement to the police is clearly false, publishing info on a vulnerability on a website clearly does NOT show criminal intent. Ergo if they lie to the police, they can lie to you.
Also since they don't let you know what that security hole is, you have no way of testing to see if it's been closed yourself. You can neither trust their word, nor test it yourself.
So I'd turn off your LookC camera and avoid buying LookC products until their products can stand up to independent public security testing.
Where's the news angle?
Security researcher reports serious flaw to company
Company ignores it
Researcher publicises the flaw
Company finally takes action - they try to have the researcher arrested
This is about as unusual as the government losing personal data, or politicians lying.
The company's lack of security
can only be the result of criminal intent. The CEO MUST be a paedo and wanted "plausible deniability" for his perversions if caught.
After all, why would someone put cameras in all the private places of a school if not to view the antics of innocent children at play?!?
How can 3 days be enough time for something like this to be acted upon?
I'm not surprised they are a bit hostile about it.
Kill the messenger
Kill the messenger - it's the only language they understand.
looks as if the person had a brain
If you find something rotten in your company, you can 'go through channels' and lose your job, be sidelined, be fobbed off and strangely find yourself redundant in six months, or be bought off.
If you want something to change, you have to put it out there in enough places that the sun will shine on it.
Not 'criminal intent' but serious intent.
I'll see your criminal intent...
...and raise you criminal negligence via breach of contract, whereby the CCTV company are vicariously liable for paedos logging on to their networks and watching kiddies due to a failure to perform duty of care.
Ok, we're embarrassed
And more so since you have now pointed out to the public that we're a bunch of wankers and our kit is rubbish. Now we're gonna have to sue you into silence.
Paris, because she takes the good publicity with the bad.
4 days to expect them to isolate, patch, test, and distribute?
I strongly believe that in the cases where exploits are in the wild, or vendors refuse to cooperate, that public disclosure of vulnerabilities is in the best interests of users. There's no evidence of either of these here. It's very possible that the company wouldn't have given a toss without public disclosure, but we'll never know, will we? This guy has given this company enough rope to hang HIM by, all for want of a bit of patience and probably the desire for kudos. Posting an exploit is a lot sexier than pointing to a patch and saying "I found that issue"
Think of the children
People who think that bugs should be exposed are yoghurt drinking hippie tree hugging leftie liberal wankers. Security by obscurity is the way forward. If these cameras are in schools then hacking them should result in being neutered. He's a paedophile! Hang him etc
Stephens could not be reached for comment in response to LookC's threats at the time of going to press on Friday afternoon (19 September).
Hmm, can't be reached. Is that a black heli...
How is this a hack? The cameras, if not configured with security details, publish themselves on the public internet, saying "Cooo-ee boys! Look at me!" This guy merely said "Hey - here's how you can find them with a simple Google search."
It's like, say I had this car, and the..... Oh buggerit - no bad analogies needed - it's just simply not a hack.
Naughty to give public instructions on how to exploit insecurity
The informer shouldn't have made the precise "hack" public. It's one thing to warn people about an insecurity but it's a different matter when you tell people how to take advantage of it.
If the CCTV company had failed to act quickly then perhaps upping the ante by posting screenshots (with mosaic fuzz where necessary) of the hack in action would be justified to cause the panic and bad PR necessary to get it fixed.
"There's no evidence of either of these here."
Maybe they didn't respond, or told him to piss off, or said the new version is not affected so people should upgrade (I've received that one)... we don't know.
Google has the flaw disclosure cached:
PS: he apparently REALLY tried to tell them
The post explains it.
Here is the (short) part about the flaw (that's a criminally obvious security hole, too):
"The vulnerability is so simple, I bet LookC kicked themselves when they found out they missed something as obvious as this.
Find a LookC server. This can be accomplished very easily by typing either of the following into Google.com: “LookC 4x4” or “LookC Pro IX”.
In this example, we will use a made up server with the IP address of 123.456.789.10
Using your web browser navigate to this address.
Simply by adding the following after the last slash, we can open a backdoor and view a static image of the requested camera. Note the two queries in the URL: "&card" and "&camera". As the names suggest, "&card" is which card in the server we are accessing, and "&camera" is the CCTV camera we are accessing. There are 4 cameras to each card, so once we have reached camera 4 we would change the card value to “2” and the camera value back to “1”. This would display the 5th camera on the server.
The URL should read,
If you hit Refresh on your browser you can easily produce an almost streaming image of the CCTV Camera."
I seem to remember that you can find tens of similar "google hacks" where they belong, but in that case the cams are marketed as secure (!).
Thanks to google cache and a quick web search I can confirm that this "exploit" is so easy as to be labeled stupid. I really couldn't call this an exploit or hack as you simply have to put the correct URL into your browser and you have images. There is no security whatsoever, as far as I could tell.
where is the ROFLMAO icon.
I found this...
-4 days to expect them to...
He has no duty to them, if he didn't report it to them, so what, their tough luck for releasing a buggy product. Even if it's -4 days, or NEVER.
They do have a duty to make their products secure, perhaps they would consider that, rather than silence researchers?
If they don't make crap products then people will not discover they are crap. The fix here is for LookC to make less crap products.
Man I love Google and its cache. And to think, if they hadn't kicked up a fuss I would never know about it! Is that a black helicopter on the CCTV????
Oh no! No More Pirate CCTV Images?!?!?
So that's how El Reg gets their hands on all that wonderful CCTV footage of major stories. Is this the end of the quality insider reporting on such important issues? And I was really hoping to see some of that famous CCTV footage of pirates today on International Talk Like a Pirate Day, with Optimus Prime making an appearance of course.
Please, Please, Please dedicate your top Hacker-Reporter-Boffins to finding us a new source for these quality images.
So another reason why CCTV is bad
Seems CCTV needs pulling out of schools. If anybody puts a CCTV camera that's filming a school on the public networks, they should be taken out back and shot.
I personally never liked the fact that I am watched without my consent almost everywhere these days. CCTV in public should require a licence!!
I don't get it!
Following the instructions:
Find a LookC server. This can be accomplished very easily by typing either of the following into Google.com: “LookC 4x4” or “LookC Pro IX”
produces barely a handful of LookC servers, so the problem is hardly widespread!!
There will be a nice audit trail - e.g. telephone bills showing he phoned the company, emails being sent, a late lamentable reply. etc.
However, the threat of a company with finance to hire the best lawyers against one individual is enough to make the individual want to back off and go into hiding.
I personally would have emailed the Information Commissioner via this form:
Now, if he didn't respond to this risk to children within a week then I'd be forced to do exactly what this chap has done and include my correspondence in the posting.
I wonder if anyone has told the Information Commissioner that many educational institutions are in breach because of a lack of due-diligence on their part ?
The (cheaper) LookC 4x1 is wide open too. Same URL construction. Same lack of security. Same sort of boring images (useful for a break-in or a robbery though).
1. If there's an (e.g.) anti-war demonstration nearby, CCTV cameras seem to stop working by themselves for some reason ...
2. He should have told Carol "Ocean Finance" Vorderman first anyway.
Its called the Streisand Effect
Unbelievable - the supplier appears oblivious to similar recent disclosures (xref transport system payment cards) and how not to respond:
Let alone how to stop digging when in a hole:
The internet gets what the internet wants...
I wondered what LookC had to say themselves, in the name of impartiality...
Not seeing anything on this <surely> critical update I thought I'd try News and Support. Nope nothing there...
Then I tried myLookC link... ha ha ha (For impartiality I tried it on Chrome, Firefox, and Exploder)
Nothing much I can add to that, a security firm who doesn't know their security...
Paris, cos she possibly has better security from CCTV.
Now that's a name some security "professionals" should know better.
AC, of course Stephens had a duty -- not to LookC, perhaps, but to their customers. It's not a duty born of law or contract, but of ethics. He was right to disclose the fact that there was a flaw, and he was right to disclose the existence of that flaw to both LookC and the general public. Where he failed is in publishing not just the flaw, but (a) how to exploit the flaw, and (b) further information on how to use Google to find flawed systems to exploit. If you wish, you may be able to justify (a) as giving customers the info needed to test their systems, but (b) does nothing but ensure that anyone can exploit any of the flawed systems. It doesn't help fix the problem in any way, and by releasing that information without giving LookC or its customers time to respond to the discovery of the flaw, he did nothing but make the problem worse.
Shame its Saturday though.
Not wanting to sound too much like a Daily Mail reader with a up tw@t-o-tron set to kill but....
what the fuck are schools doing connecting their CCTV system to the internet. Just a small detail I know, but how did anyone with even a minimum of intelligence not see a slight flaw in that plan?
Whatever next? Banks trusting estate agents to sell mortgages....oh yeah right the whole crunch thing.....mines the one with a pair of wire snips in the pocket.
I recall another incident a couple years back, where certain consumer webcams put themselves on the web and could be found with a google search.
Security flaw found in whistle blowing
It would appear that if you publish without covering your tracks they can attempt to sue you :)
Hmm, what could work well is linking into a dark net, there is no law about reporting on something and hey aren't we all journalists now.
If I were him I would have written a quick letter to the Daily Mail explaining CCTV cameras in schools were wide open to public viewing. Bingo, front page news and no nasty comeback.
it's a serious crime that
criminal intent meaning....................looking at the CCTV images and killing them with your death ray vision from 5000 miles away (through a monitor too. Impressive.) ?
Who cares if they supposedly 'exploited' it by giving the information out. Why should that be a crime? Oh, we must sweep this under the rug and try to stop this kind of information getting out. Umm.. why??? The last time I heard, it was not illegal to refuse to cover someone else's ass.
The problem should've been fixed or MAYBE...you know.. not insecure in the first place.
Pls, have a look at http://www.wiretrip.net/rfp/policy.html
Have a look at: http://www.wiretrip.net/rfp/policy.html
As you can see, the vendor has 5 days to reply to the first email (5 days is a reasonable time to avoid problems with holidays, time zones and so on...). Even if I don't like the vendor's reply, this is not ethical full disclosure indeed.
It's a problem with the vendor?
Maybe. It's dumb to put backdoors in like this, but.... if you put a video camera on the internet instead of behind a firewall, it's a little like leaving the keys in your car and the doors wide open. Sure it's illegal to steal it, but who would be surprised if it went?
If it's sophisticated enough to have a built-in webserver, doesn't it have IP address connection filters to protect it at the network layer?
Skull icon - he's rolled his eyes back so far they fell out.
The implications are obvious to me...
Here is a company in the security business that prefers to threaten the person that told the world about a hole in their product that threatens the security of their customers instead of fixing the problem and keeping their customers safe. "It's OK. If they don't know about it then it doesn't matter."
I'm not sure which is more frightening from a security company; That they might think it's OK for a flaw to exist as long as the customer doesn't find out or that they might be living in fairyland and believe that there aren't people on the net that would exploit it. The other possibility is that their understanding of computer security is so poor they've made such a mess and made this exploitable code so essential to their software that they can't fix it without having to throw the whole thing away and start again.
Continued selling a product that they knew had a flaw of this severity *strike 1*
Didn't fix it as a matter of urgency *strike 2*
Tried to muzzle the messenger to stop customers finding out *strike 3*
Clearly not a company I could ever trust. They've been added to my mental Rolodex of companies that will never find their way through the door at any of my customers if I have anything to do with it.
I beg to differ. By publishing the details, the company was forced to fix its buggy product.
A software company who, no doubt, hides behind a EULA that states something to the effect of "we are not liable if this software screws up your PC or your life".
Even companies like Microsoft can take an age to fix security bugs if they are not under pressure.
re: Naughty to give public instructions on how to exploit insecurity
Even naughtier is to put cameras in schools without putting some form of security in place. This "hack" is no such thing, any more than I can "hack" your computer by sitting next to you and watching what you type...
This exploit should have been absolutely impossible. It should never have been IN the product. Releasing this information on how there IS NO SECURITY is the only thing that can be done.
Google camera surfing is ooooold news.
There's loads of cameras out there with this "vulnerability" and quite a few owners who know about it.
Kinda hard to miss when some of the cameras are controllable via the web. This was news in 2005 :(
Points for anyone that can find a link to the German(?) guy that offers you cake when you play with the camera.
sufficient time to respond
For those who have been complaining that 3--4 days isn't enough to close the hole, let me put on my imagination cap and help you (and LookC) find a quick solution. 1) The leak was shown to be via a URL. 2) Either the URL was to a static page, in which case 3a) you lock down that directory and all is well, or it was to a dynamic script, in which case 3b) you remove that script from the web site. Since the primary function of the web side of the system seems to be to provide a live feed rather than static (albeit "live") snapshots. Notwithstanding the suggestion of hitting refresh repeatedly to get a "live feed" this "feature" seems to be surplus to requirements and shutting it down should hardly cause any knock-on effects to the core functionality of the system. Of course, all of this assumes a certain degree of care in designing and coding the system in the first place. Oh, right... Sorry, I just seem to have shot my argument in the foot there...
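The check an administrator would actually run against the URL shape quoted earlier in the thread (the card/camera query string), together with the kind of lockdown this comment describes, as an added example that is not LookC's code or anything from the original page. The page does not reproduce the real LookC URL, so the "/image" path, the credentials and the allowlist are hypothetical; only the "card" and "camera" parameter names and the four-cameras-per-card rule come from the quoted advisory. The vulnerable handler hands a frame to anyone who knows the URL; the hardened one puts the same endpoint behind an IP allowlist (the network-layer filter another commenter asks about) and HTTP Basic auth, which is only acceptable over TLS.

```python
"""Probe a CCTV snapshot endpoint for anonymous access, with a hardened
counterpart. Example code; the "/image" path and credentials are made up,
only the card/camera parameters come from the quoted advisory."""
import base64
import ipaddress
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a JPEG frame: only the SOI marker (FF D8) matters.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + bytes(16)
CAMERAS_PER_CARD = 4  # as stated in the advisory


def build_image_url(base_url, card, camera):
    """Advisory URL shape: &card selects the capture card, &camera one of
    its four inputs (hypothetical "/image" path)."""
    query = urllib.parse.urlencode({"card": card, "camera": camera})
    return f"{base_url.rstrip('/')}/image?{query}"


def card_and_camera(nth):
    """Map the n-th camera on a server (1-based) to (card, camera):
    camera 5 is card 2, camera 1, exactly as the advisory describes."""
    return (nth - 1) // CAMERAS_PER_CARD + 1, (nth - 1) % CAMERAS_PER_CARD + 1


def fetch_image(base_url, card=1, camera=1, credentials=None, timeout=3):
    """GET the snapshot URL; return the body on 200, None on any HTTP error."""
    req = urllib.request.Request(build_image_url(base_url, card, camera))
    if credentials:
        token = base64.b64encode(":".join(credentials).encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read()
    except urllib.error.HTTPError:
        return None


def image_exposed(base_url, card=1, camera=1):
    """Does an anonymous request come back with an image? True means
    anyone who can reach the server can watch the camera."""
    body = fetch_image(base_url, card, camera)
    return body is not None and body.startswith(b"\xff\xd8")


class VulnerableHandler(BaseHTTPRequestHandler):
    """Whoever knows the URL gets the frame: no session, no credentials."""

    def serve_frame(self):
        parsed = urllib.parse.urlparse(self.path)
        qs = urllib.parse.parse_qs(parsed.query)
        if parsed.path != "/image" or "card" not in qs or "camera" not in qs:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "image/jpeg")
        self.end_headers()
        self.wfile.write(FAKE_JPEG)

    def do_GET(self):
        self.serve_frame()

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardenedHandler(VulnerableHandler):
    """Same endpoint behind an IP allowlist and Basic auth (made-up credentials)."""
    ALLOWED_NETS = [ipaddress.ip_network("127.0.0.0/8")]
    CREDENTIALS = ("operator", "s3cret")

    def do_GET(self):
        client = ipaddress.ip_address(self.client_address[0])
        if not any(client in net for net in self.ALLOWED_NETS):
            self.send_error(403)  # network-layer filter: wrong source, no answer
            return
        token = base64.b64encode(":".join(self.CREDENTIALS).encode()).decode()
        if self.headers.get("Authorization") != f"Basic {token}":
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="cctv"')
            self.end_headers()
            return
        self.serve_frame()


def start_server(handler):
    """Run a handler on an ephemeral loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    for name, handler in (("vulnerable", VulnerableHandler), ("hardened", HardenedHandler)):
        server, url = start_server(handler)
        print(f"{name}: anonymous image exposed = {image_exposed(url)}")
        server.shutdown()
```

Point `image_exposed` at a real server's base URL to find out whether its snapshot endpoint answers anonymously; iterating `card_and_camera(n)` walks every input on the box the way the advisory describes. Note that removing the script entirely, as the comment suggests, is the stronger fix; the hardened handler is the fallback when the snapshot function has to stay.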
Some interesting links...
Seems like a bar. This is the front of house.
This is the kitchen.
Just had fun watching the two waitresses having fun...
Behind the bar...
"Stephens said he informed LookC about the flaw on 9 September and went public with the vulnerability on 12 September, via a security advisory on his website"
"A problem concerning the live image acquisition by unauthorised internet users was reported to us on 12 September 2008"
a) Stephens lied about when he informed LookC,
b) LookC lied about when Stephens informed them, or
c) LookC didn't care, ignored the email and hoped Stephens would leave it at that.
And as for:
"The person who highlighted the vulnerability to us also saw fit to publicise the means of hacking the LookC servers on the internet and then to log on to other blogs to point other internet users and hackers to the article. We can only guess at the motivation behind this action but have not ruled out criminal intent"
Assuming (a) above is not true, did LookC immediately check their servers, and warn their customers? Not so far as I know. So Stephens did it for them. Now admins can implement some form of temporary fix to protect themselves (most likely for legal reasons), while LookC play the blame game and try to have Stephens arrested.
Thing is, especially with such a simple "hack", if an honest person has found an exploit and reported it, it is likely that a DISHONEST person has already discovered it and started using it to their advantage. So Stephens has done you a favour guys, stop bitching and fix your damned product!!