As a penetration tester hired to pierce the digital fortresses of Fortune 1000 casinos, banks and energy companies, Kevin Finisterre has hacked electronic cash boxes, geologic-survey equipment, and on more than one occasion, a client's heating, ventilation, and air-conditioning system. But one of his most unusual hacks came …
Not enough data - investigation required
There's not enough data to call this one. It could be a shitty, insecure piece of hardware. It could just as easily be incompetent IT workers failing to reconfigure a piece of hardware, or failing to configure it correctly. If the city purchased the product, presumably they had the same documentation the tester was able to find readily on the internet, so they were either aware of the default password and settings, or failed to fully read the documentation to learn of these things. My bet's on shared blame, fuck-ups abound.
"My bet's on shared blame, fuck-ups abound."
Absolutely. The Rocket system claimed port-forwarded addresses to the unsecured DVR. Which means they likely had VPN capability. They likely had static IPs, since they would have no need to port-forward if they didn't know the IP to connect to. The simple solution was to set up VPN to the station and eliminate the need for port-forwarding from the internet at large. At the very least, they should have only allowed connections from the police station's IP range (yes, spoofing is a possibility, but it's still more secure than what was set up).
Not changing a default password on the DVR is simply crap pre-testing and validation/configuration. FAIL for that.
I've seen this before
> It could just as easily be incompetent IT workers
I've seen this before and it's called Nephew-ware.
I agree with Nephew-ware. I hardly see how it is the vendor's problem if the user doesn't even bother to set a password.
Government is incompetent. We know this. They should not be handling anything important. Police officers are by and large "gym class all-stars" who weren't good enough for college sports, it is no surprise that neither they, nor their IT staff can handle configuring a router.
According to the article, the password was hard-coded into the software. You can blame "government" (whatever that is in this case, I don't see any difference between this and any other corporation) for buying equipment with unchangeable passwords, but the basic fault still lies with the company that made this.
My telco tried to sell me a wifi box as part of the DSL package. Guess why I didn't buy it? Same reason.
"penetration tester" or junior hacker?
It's rather a pity that his "report" looks more like a comic strip, and perhaps significant that it does admit that "The one we penetrated was actually a firmware beta version or pre-release in testing."
A problem perhaps more with the police department's IT staff management of their test environment, than with the installed equipment itself?
This is not a copy of the report given to the City authorities. It is clear that this is a piece of advertising material to be handed out at things like exhibitions and marketing events, written up in a populist style to attract attention. I've seen such things before, and it really does not indicate that the person carrying out the work is a junior anything.
The home page may tell a different picture, however. Looks like he might be a one-man-band (American equivalent of a single person service company - IT contractor) who can't be bothered to finish his company's home page on his Mac server.
It would be interesting to see what the US equivalent of Companies House lists about digitalmunitions
Sounds like another case of a designed-in back door
so that the video of a controversial incident could be "lost" (the loss naturally ascribed to a fault in the equipment) by the time anything came to trial.
Has already happened...
...Boston area I think.
So why the downvote?
Well that's the end of ...
Police Camera Action and Cops with Cameras.
What will Alistair Stewart do now?
If only we could turn off the siren when police cars regularly go past our house, siren full on, dead of night, AND NOT A DAMN THING ON THE ROAD!
He'll console himself with a Chinese takeaway...
...and let's hope he avoids any telegraph poles on his journey to collect it.
Annoyed of Tunbridge Wells
"If only we could turn off the siren when police cars regularly go past our house, siren full on, dead of night, AND NOT A DAMN THING ON THE ROAD!"
Speaking to our local police inspector two years ago at a community meeting, I asked him why three police cars went past in convoy all with sirens blaring. He told me it couldn't be from the local nick as we "don't have that many vehicles".
I'm a simple home user, but I port scan every piece of kit that gets connected to my home network.
If I find ports that are open that shouldn't be, I either find out how to close them or (if possible) send the equipment back. On a couple of occasions I've even been told by the manufacturer's support that they intend to close the port(s) in an upcoming firmware release.
It constantly surprises me how large organisations seem to be quite happy to connect anything to their network without any form of testing.
"..simple home user"
I suspect that the fact that you know how to port-scan all your devices, and bother to do it proves your statement is not completely correct.
A "simple" home user will get someone in to get everything working, and not understand enough to even know what a port scan is.
I would suspect that you fall into the "talented amateur who gives a damn" category. A fairly rare person.
Just an appliance
"It constantly surprises me how large organisations seem to be quite happy to connect anything to their network without any form of testing."
It doesn't surprise me any more but I am old and cynical. In a few places where I have worked, the choice of words used to describe a device would determine what procedures would be required to gain connectivity in the corporate network: call something a "system" and there would be procedures, forms, etc. Call something "a device" or "an appliance" and nobody cares...
True. I used to work in a company which had a large internal library. We couldn't buy "books", they had to be acquired on internal loan from the library (which was at the other end of the country). We could buy all the "manuals" we liked with just a simple purchase order, though...
Exactly why the devices built by Digital Equipment were called PDP's, Programmable Data Processors. Had there been the word 'Computer' in their name somehow, any attempted purchase would have triggered the beancounters to block it, because computers require large cooled halls, lots of power and lots of staff, not to mention vast piles of money for the actual purchase, and are therefore unacceptable to the balance sheet. A Programmable Data Processor on the other hand was something that could be placed in a lab, next to an assembly line or wherever, without costly infrastructure requirements, and, being comparatively cheap themselves as well, would way less often incur the Accountant's Anger.
"Large organisations" like the local PD?
A three men + dog police station is not really a large organisation. Especially as their daily task is stopping robbers and apprehending littering teenagers; IT management just creeps in.
You not having a life and spending your time off from WoW by portscanning and feelin' leet doesn't really hold much water.
"seeing this in large organisations" doesn't mean that the author equates your hypothetical 3 man + dog plod station as being "large". Just that it happens in any organisation, even those (and probably especially those) presumably large enough to have adequate staff for matters like these.
You really should get away from your Angry Birds to try and gain some reading comprehension before trying to pass off another commentard as a no-life.
Apart from that, even the police organisations have discovered the advantage of "economies of scale" a.k.a. "cheaper by the dozen". All those 3m+d stations have joined together to buy cars, radios, guns, tasers, gatso's, computer gear and donuts by the umpteen dozen instead of separately, which also means that the station next door is using by and large the same stuff as you. And that makes them a large(ish) organisation, with dedicated staff for deploying technical stuff.
When I'm bored I often port scan my local subnet on the other side of my net connect router. You come across quite a few interesting items, open routers, business webservers ( running IIS ) with ports wide open. However the oddest thing is the quite large number of people who seem to have connected printers directly to their internet connections! Very odd.
A Linux box?
They should have been running embedded Windows. Far more secure.
In this case it probably would have been, as the native firewall ships locked down and needs to be opened for even native FTP services.
Sounds to me like the problem lies with the admin. The fact that they were using the default password screams that the admin was incompetent. With that kind of incompetence it doesn't really matter what OS you have.
...in the sense that it wouldn't have worked, it would have been more secure, yes. I doubt the FTP server was running by accident; it was running to be used for something, and in that case, having it running with the port closed would have been pretty bloody useless.
The device should never have been on the public internet in the first place if possible (it should have been configured to connect directly to an internal police department network). If that was not possible, it should at least have been on a police department VPN and the server should have been configured to run the server only on the VPN. If all else fails, it should at least not have had the password set at the manual default frickin' value.
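The checklist this post and the "shared blame" reply above spell out (non-default password, no port-forward from the open internet, VPN or at least a source-address allowlist, no cleartext services exposed) written up as a pre-deployment configuration audit. This is an added example, not code from the article, the tester or the DVR vendor; the config fields, the documented-default credential list and the address ranges are constructed placeholders.

```python
"""Pre-deployment audit for a network-attached DVR config (constructed example)."""
import ipaddress

# Constructed placeholder: the factory credentials a vendor manual would
# list for this (hypothetical) appliance. Not the real product's values.
DOCUMENTED_DEFAULTS = {("admin", "admin"), ("admin", ""), ("root", "changeme")}

# Protocols that carry credentials or video in cleartext.
CLEARTEXT_SERVICES = {"ftp", "telnet", "http"}


def audit_dvr(cfg: dict) -> list[str]:
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    creds = (cfg.get("username", ""), cfg.get("password", ""))
    if creds in DOCUMENTED_DEFAULTS:
        findings.append("credentials match the documented factory default")
    elif not creds[1]:
        findings.append("empty password")

    # Management should only be reachable over the department VPN / internal net.
    on_vpn = cfg.get("management_interface") == "vpn"
    for svc in cfg.get("services", []):
        name, port = svc["name"], svc["port"]
        exposed = svc.get("wan_port_forward", False)
        sources = svc.get("allowed_sources", [])
        if not exposed:
            continue  # internal-only services need no further checks here
        if not on_vpn:
            findings.append(f"{name}/{port} port-forwarded from the internet instead of reached over VPN")
        # No allowlist, or an allowlist containing 0.0.0.0/0, means "anyone".
        if not sources or any(ipaddress.ip_network(s, strict=False).prefixlen == 0 for s in sources):
            findings.append(f"{name}/{port} accepts connections from any source address")
        if name in CLEARTEXT_SERVICES:
            findings.append(f"{name}/{port} is a cleartext protocol exposed to the internet")
    return findings


# Constructed sample: the kind of setup the thread complains about.
INSECURE_DVR = {
    "username": "admin", "password": "admin", "management_interface": "wan",
    "services": [
        {"name": "ftp", "port": 21, "wan_port_forward": True, "allowed_sources": []},
        {"name": "rtsp", "port": 554, "wan_port_forward": True, "allowed_sources": ["0.0.0.0/0"]},
    ],
}

# Constructed sample: same device, reached only over VPN from the station's range
# (203.0.113.0/24 is a documentation range standing in for the real one).
HARDENED_DVR = {
    "username": "dvr-ops", "password": "constructed-long-passphrase", "management_interface": "vpn",
    "services": [
        {"name": "rtsp", "port": 554, "wan_port_forward": False, "allowed_sources": ["203.0.113.0/24"]},
    ],
}

if __name__ == "__main__":
    for label, cfg in (("insecure", INSECURE_DVR), ("hardened", HARDENED_DVR)):
        print(label, "->", audit_dvr(cfg) or ["PASS"])
```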
Any general-purpose Linux distro is not going to be running an FTP server with this configuration by default, but that's kinda beside the point - this clearly wasn't a general-purpose Linux distro but some sort of embedded device. When you get into that territory, what's a sensible default configuration depends rather strongly on what your appliance is meant to do.
I see lots of places up and down the chain where there's potential fail here, but none of it has much to do with the great operating system debate.
"Sounds to me like the problem lies with the admin. The fact that they were using the default password screams that the admin was incompetent."
And I'm sure as a government employee he is part of the union, cannot be fired, and will continue to get raises year after year.
Sell the product, design it later
Collect revenue $$
Think about the security aspects later.
Now how many *other* PD's have this hardware this badly configured?
TBF we will have to see if they behave like a *responsible* company (issue advisory notices/upgrades) or play CMA and go "It's all in your mind. I can't hear you. Lalalalalalalal"
But so far....
Tampering with the contents of the device - not so good, but being able to stream the feeds from anywhere - brilliant (although for the safety of the officers a delay should probably be introduced, something on the order of 10-30 minutes)
That way if you have an "encounter" where you think you might later need evidence (or just want to post it to failblog), just note the number of the patrol car, and phone a mate to record its feed for you
Kevin Finisterre is a star, I want to see a movie about him!
Someone's going to get their arse FIRED.
Don't they carry out Pen Testing? I have to arrange pen testing if I put up a flat web server in a pre-secured DMZ... They didn't pen test a new Police Video system that would be used for evidence?
Sigh - another one..
OK, here we go again.
A PEN test proves that a SPECIFIC person with SPECIFIC skills and SPECIFIC tools was able or unable to access a SPECIFIC network or set of devices with a SPECIFIC loadset/firmware and configuration. Any instance of the word "SPECIFIC" introduces a variable that can invalidate your PEN test result.
What you need first is a policy: what do I want to protect and why, then you go to secure design, and then you use a PEN test as a confirmation or double check. A PEN test should be an audit, a last stage confirmation, not the beginning of your approach.
You should be required to submit design/build docs before you are allowed anywhere near the DMZ, with a PEN test just to confirm you did as required..
This _was_ the Pen testing, from what I read...
Funny that as I've commissioned dozens of Pen tests, and you are correct that you have to specify what you want them to test.
In this case it would have been...
"We've installed this video system in this test police car using this technology, which is accessed using a 3G modem over this network - These are the IP addresses - Please attempt: Unauthorised access to data, Unauthorised Access to configuration, remote manipulation of data, DoS vulnerabilities, attempt to break encryption, brute force passwords, list open ports etc etc etc"
Any Decent Pen test company will carry out an entire glut of tests on their own too. You don't have to specify everything down to the most minute detail of what they should test, otherwise what the hell is the point of paying an external company to do it for you?
A Pen test should have been carried out on this setup in a test environment BEFORE being deployed into real police Cars...
No one suggested that the PEN test would be the first step, or that the normal project flow not be followed... what have you been drinking?
Also, this can't possibly have been the real Pen test, as information gathered by Pen Testers is confidential - he would have been in breach of his contract to release the information in such a manner. Either that, or the contract written up for him will have been like Swiss cheese.
Yes, sure - let them roam wild..
I hope I never have to pay the bill for your liability insurance if you do not contain the test parameters..
I was responding to a post, not to the article. The article lacks detail - you indeed allude to some spectacular omissions like how it was possible that this data ended up on the Net. Anonymised or not, there is no excuse for that.
A major UK bank I worked at had some very good people (since made redundant) designing and building a customer facing environment in accordance with their quite rigorous security standards. One of the steps to getting it approved for use was a PEN test that was tasked to one of the organizations who are regarded as good at such things (if you think of the first name to spring to mind you've probably guessed who they are).
Halfway through the morning, a message got back to the admins from the PEN testers that went along the lines of "Could you please open up some of the firewalls and server ports to allow us to actually see some of the systems. We're having difficulty getting anything to respond to our probes".
You can guess what the answer to that was!
I did notice..
when I was dicking around with Kismet years ago (long enough ago that there weren't just dozens of networks on every block) that in our local PD, every squad car had at least one device continually searching for some fixed SSID (it had "PD" in it so that made it easy to spot). I was rather curious how secure they were against a machine with HostAP, a DHCP server, and nmap.
Honestly, my guess was "not very", that it was probably designed with the assumption that the only network with that SSID would be its home network.
By the time wifi came out, I was well past the age for youthful indiscretions, so I have not tried to find out.
You Sunk my Battleship
Cruisers? Have you been watching a bit too much Sky? Just nipping off out in my SUV.
Did you miss the bit that says
"By Dan Goodin in San Francisco"?
I am impressed that Verizon's network can support live streaming from a PVR. Would be nice to get that kind of HSUPA bandwidth in London.
Funny, that's exactly what I first thought!
"allowing unauthorized people to view and alter video stored on cruisers could torpedo court cases that rely on the DVRs for evidence"
You mean that some people _are_ authorised to alter DVR evidence?
Another case of lazy app developers
How many times have I worked at companies (inc. some big ones where you'd think SECURE would be more than a vague "oh yeah" concept?!) who purchase 'off-the-shelf' apps, only to find come install time that it needs root, or sa, or full admin access, and uses hard-coded default passwords, or stores the system login credentials in an xml file, or some such crap?!!
Too many of these are developed as quickly as possible, as cheaply as possible, using green coders with seemingly little idea of even the basics of secure application design. Sadly it seems that many of these companies spend far more on their marketing departments flogging the stuff, than on the people who create it in the first place...
Not sure this is all bad
Letting anyone and everyone tamper with the evidence is certainly going to cause some problems.
But if anyone and everyone can simply tune into the video feeds, surely that's a good thing? Total surveillance of citizens is evil. Total surveillance of public officials entrusted with vast amounts of easily-abused power - and it takes little Googling to reveal an apparent unacceptably statistically high inclination to abuse it - cannot possibly be bad.
A police officer who knows that someone on the internet might be watching him RIGHT NOW is an awful lot more likely at least to keep abuses technically legal. (Of course, you'd have to be able to monitor the inside of the car, too...)
Business as usual.
Can anyone point to an example of mixing 'pooters with the Peaked Cap Tendency not ending in either disaster or farce?
I, for one, can't wait until all squaddies everywhere are festooned with overpriced, gimcrack PDAs that handle all their battlefield 'needs'.
It could be the end of warfare - Both sides losing, instead of just the USA.
Those Police "admins" should be sacked.
Without any compensation. And disallowed to work anywhere in IT ever.
No. Those people may yet be trainable. Yell at them loudly but keep them around to spread the word.
Sack the boss of the boss of these admins. Loudly and Publicly. That would work better to set the proper tone for the future.
Why settle for just pwning the camera
Why settle for just pwning the camera in the police cruiser when you could pwn the entire cruiser, as one miscreant did locally. He called in a report of a fight at a local bar. The police sent an officer, who skidded his cruiser to a stop out front of the bar and ran inside to subdue the fight. Upon entering the bar, he asked the bartender where the fight was. The bored bartender replied that there was no fight, heck, there weren't even any patrons in the bar. So, when the police officer left the bar, realizing that it was a false report, he discovered that his cruiser, which he'd left idling out front, with the door open, and with the lights going, was gone. They discovered it about 15 outside of town, out of gas, sitting on the side of the road with the lights still going, and no one anywhere close to it. I don't think they ever did solve that case.
P.S. I'll get my coat, because my ride is here, complete with the flashing lights and siren.
It's CSI becoming real....
If I was watching a Hollywood film from the 90's which featured a hypothetical scene where a hacker was streaming live video from a cop car dash camera to their desktop, I would have waved my fist and muttered something about bandwidth.
Now it's *actually* happening....
This time there isn't a big alert box popping up before the video starts streaming saying
"HACKING PATROL CAR ELECTRONIC BRAIN"
"STREAMING VIDEO FEED FROM CAR ..."
But then I wasn't there so maybe that did happen.
Having public IPs on 3G boxes/SIMs is not only much more vulnerable to internet-based entry hacks than private IPs reachable only via tunneling. If they're on anything other than an unlimited data plan, it would be fairly easy to run up their bill for bandwidth. Even if the device is firewalled properly and drops every inbound packet, the traffic is still being sent to it from the local tower and thus billed.
Nobody else understands that this is serious?
Imagine what would happen if bankrobbers would know exactly where all the police cars are?
This is serious shit and those assholes who made that possible should be punished. Too many incompetent assholes are getting jobs. And after those assholes, people like me must rebuild and repair everything.
P.S. I have "hacked", yes. Now I face criminal charges, just because I WARNED about incompetence and possible industrial espionage. What a great world we live in. I should have copied the data and sold it to competing companies, not saying anything.