Talk revealing p0wnable surveillance cams pulled after legal threat

Swiss researcher Gianni Gnesa says the most popular network surveillance cameras currently sold on Amazon contain easy remote exploitable vulnerabilities that allow hackers to gain admin access and quietly peer through lenses. The consultant for Zurich-based Ptrace Security found holes in pricey IP cameras sold on the shopping …

  1. Anonymous Coward

    Yawn.

    When not trying to extricate themselves from the inside of Duffle bags in the bath, the Perverts at the FLA can already watch your kiddies through that camera built into their laptops.

  2. Anonymous Coward

    Crucial facts of obvious and significant public interest missing!

    How does one determine "the most popular network surveillance cameras currently sold on Amazon"? The only vaguely appropriate looking sorting option that site offers seems to be "average customer review", which doesn't sound quite right and throws up a mess of brands.

    Couldn't Vulture South perform a spot of journalistic diligence and make an educated guess? Clearly peddling *any* shoddy product while using menaces to suppress *the* *truth* would be unacceptable. When that product is *trusted* to provide "security" that perpetrator's actions are wilfully fraudulent, negligent and reckless.

    I think Ms Streisand *needs* to *know* the identity of the blackmailer ;)

    1. Anonymous Coward

      "I think Ms Streisand *needs* to *know* the identity of the blackmailer"

      Or failing that, a list of the webcams sold on Amazon that are not problematic would do the trick. Anything 'popular' and not on the list would be one to avoid.

      1. Anonymous Coward

        Re: "I think Ms Streisand *needs* to *know* the identity of the blackmailer"

        That's a problem though: It sounded like *all* the shit on Amazon is defective but only one of the racketeers has put the frighteners on the boff... how do we know which self-serving avaricious scum is the blackmailer?

  3. frank ly

    I've said it before ....

    "An unnamed vendor caught up in the research hit Gnesa with a legal threat after he prepared to present his work at the Hack in the Box conference in Singapore next week.

    The hacker then canceled his talk."

    Publish the results on pastebin, or somewhere like that. If the vendors want to respond with a public rebuttal then they are free to do so.

  4. Grease Monkey Silver badge

    There are a couple of reasons not to be scared of legal action like this.

    Firstly, accepted practice is to inform the vendor, give them reasonable time to fix the vulnerability and then disclose; so long as you give the vendor sufficient notice, I doubt that a court would side with the vendor. Secondly, the publicity of the case would alert customers to their having bought dodgy kit, triggering legal action from customers against the vendor, even possibly a class action.

    In this case I think the researcher should have responded, "sure and be damned".

    1. Anonymous Coward

      It's all very well for US to pontificate here but of course it's a TOTALLY different thing when it's YOUR entire future being THREATENED.

      Something needs to be done about this.

      It sounds like most of the companies were professional, or at least co-operative, in their responses. Just one choosing pseudo-legal threats to frighten the researcher out of disclosing the truth about their crap.. and after he'd given the fuckers THREE MONTHS forewarning to get their shit together!

      "Gnesa pulled his talk despite the fact that he’d privately disclosed to the three affected vendors of IP-enabled surveillance cameras three months before the talk. Two of the vendors acknowledged Gnesa’s bug reports (one said they were working on a fix, and the other said they had no idea what to do with the information Gnesa had provided), while the third has yet to do so, he said.

      Once Gnesa shared with the vendors that he was planning to do a talk at HITB Singapore about the vulnerabilities, the tone of the conversation changed, Gnesa said."

      1. LucreLout

        @AC

        It's all very well for US to pontificate here but of course it's a TOTALLY different thing when it's YOUR entire future being THREATENED.

        Yes, quite. It's very easy for even small companies to file suit on enough grounds, and run up such large legal bills doing so, that should they win just one point of their case, your financial future may be ruined. They know that too, which is why they trade on it.

        They'll continue behaving appallingly until the InfoSec community realises that they may have to forgo the career/revenue enhancing aspects of publishing their research in their own name. Anonymous submissions to pastebin et al would keep the dogs of law in their kennels as they'd have nobody's shoes on which to piss.

        1. Anonymous Coward

          @LL

          True ..but I'm not sure that's really a solution. Surrendering any prospect of any recompense for your hard work does not sound like a career which would attract the brightest and best minds. It's pretty much what they're trying to achieve with these threats. We mustn't give in to the terrorists. Yet we can't expect anyone to stick their neck out and see if it gets blown off... even though we all probably think it probably wouldn't. It's a tricky problem - as I'm sure they're well aware.

          I wonder if some sort of boffin escrow might work: Submit copies of your research into it as you work - before you're blackmailed. Then, if some shyster starts sending you threatening opinions thinly veiled as "law" you dutifully forward copies on to the other holders of the information, who promptly publish the lot. It could even offer some sort of canary/dead-man's-handle mechanism for the truly paranoid/heroic.

          Obviously it would have to be located in a country that isn't pwned by the RIAA. Perhaps someone like Kaspersky might do it?

          1. Anonymous Coward

            Just realised I'm probably not the first to think of that escrowy thing :-(

            It very neatly explains why they're suddenly so desperately puffing about perverting the Wassenaar arrangement from being an arms control treaty to criminalising information about defective products... still, perhaps few countries outside the US would be so daft, so that threat might never amount to more than a sick Yank pipe-dream... and until then... ?

        2. Anonymous Coward

          It's all very well for US to pontificate here but of course it's a TOTALLY different thing when it's YOUR entire future being THREATENED.

          This is one of the few cases where legislation would help. Any company with a few £100k to spend can hush any criticism of their products by white hat hackers without even having to risk the money, simply because an average individual can't hope to match them financially (and emotionally) in the game of poker that is played in the courts.

          The law needs to be crystal clear so this chilling is impossible. I don't hold up much hope in the UK or the US because their governments are owned by big business, but maybe there is some country somewhere where this might happen and any results can be published there. Tonga, Malta? What are they like?

          1. Grease Monkey Silver badge

            "Any company with a few £100k to spend can hush any criticism of their products by white hat hackers without even having to risk the money, simply because an average individual can't hope to match them financially (and emotionally) in the game of poker that is played in the courts."

            Here's the thing though. In most countries when you file suit the whole thing becomes public. So as soon as a company sues it becomes public knowledge that not only is their kit dodgy, but that they have no intention of doing anything about it and sales go through the floor.

          2. Anonymous Coward

            "This is one of the few cases where legislation would help"

            Could help but sadly there seems to be vanishingly little prospect of any helpful legislation from the corporations' governments. Quite the opposite in fact.

  5. Mark Fenton

    Or just put it behind a firewall?

    Surely no-one puts a device directly onto the internet?

    Put everything behind a firewall, open only the ports that *need* to be opened.

    In the case of these cams - I think that I have a few of them, but they are secure behind my firewall and allow *no* ports to the outside world. I can access them via a .aspx page that in turn collates snapshots from the private network and turns that into a stream.

    Yes, if someone gets access to my private network then all bets are off - but that is pretty much the case with everything.

    1. VinceH

      Re: Or just put it behind a firewall?

      The problem is that while you and many others would be happy with that set up, there are people who would want to access their new security toy over the internet - so for those people the ports that need to be opened are the very ones that will leave them vulnerable.

      1. Mark Fenton

        Re: Or just put it behind a firewall?

        I agree and I guess that's the problem - "security toy". Security isn't taken seriously enough by people that know little about it.

        1. VinceH

          Re: Or just put it behind a firewall?

          I know. That's why I used those words.

          1. Anonymous Coward

            Re: Or just put it behind a firewall?

            "Security toys" should be illegal or at the very least clearly identified as "toys" but instead the manufacturers are blackmailing people while they wait for the politicians to make identifying them as toys illegal.

            It's INSANE

            Everyone shouldn't be forced to spend their time learning how to spend their time decompiling "security updates" to see if they're really programs to dump all their most private data to the NSA, and fuzzing all the available "security" devices to determine which of them are misrepresented toys. I'd like my doctor to have a little time for doctoring... etc... Shouldn't experts be doing what they're good at and sharing their knowledge without being threatened with fines and imprisonment?

            Still, the Wassenaar perversion hasn't happened yet and I'm starting to think it's nothing more than another frightener which will never really happen. Either way, there's no reason to let the threat of monsters in the future influence us now.

            Sorry for the ranting. This is really fucked up and really bothering me.

    2. Anonymous Coward

      Re: Or just put it behind a firewall?

      WiFi?

      1. Anonymous Coward

        Re: Or just put it behind a firewall?

        BecauseFi.

      2. Anonymous Coward

        Re: Or just put it behind a firewall?

        The "WiFi?" comment was intended to be shorthand for: "How does one securely 'just put it behind a firewall' if it's a WiFi insecurity camera with hard-coded root credentials and/or "backdoor" - without knowing how that "backdoor" might work because all the honest people who tried to warn you about it rather than quietly prey on you have been terrorised into silence?"

    3. druck Silver badge

      Re: Or just put it behind a firewall?

      If you do put it behind a firewall, be very careful to set it up correctly. If you have UPnP enabled, the cameras will use that to open up multiple ports through the firewall. They need to be placed on a network segment that is completely locked down, to an extent most cheap home routers (and all ISP provided ones) are incapable of.
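      The check that warning calls for, as an added example that is not from the article or from any commenter: ask the router's UPnP Internet Gateway Device service for its port-mapping table and flag any enabled entry that forwards WAN traffic into the camera segment. The camera subnet (192.168.50.0/24), the addresses and the three SOAP responses below are all constructed for illustration; the response shape is the standard WANIPConnection GetGenericPortMappingEntry reply, so the same parser works on a real router's answers.

```python
"""
Audit UPnP IGD port mappings for entries that expose a camera segment.

Added example, not from the article or any commenter. Everything below the
import block (subnet, client addresses, SOAP bodies) is constructed sample
data; only the M-SEARCH request and the SOAP element names are the real
UPnP IGD conventions.
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Hypothetical VLAN/subnet where the cameras live.
CAMERA_SEGMENT = ipaddress.ip_network("192.168.50.0/24")

# Elements of a GetGenericPortMappingEntryResponse that the audit needs.
FIELDS = ("NewExternalPort", "NewProtocol", "NewInternalClient",
          "NewInternalPort", "NewPortMappingDescription", "NewEnabled")


@dataclass
class PortMapping:
    external_port: int
    protocol: str
    internal_client: str
    internal_port: int
    description: str
    enabled: bool


def build_msearch() -> bytes:
    """SSDP M-SEARCH that discovers a WANIPConnection service (send to
    239.255.255.250:1900 over UDP; not sent here so the example runs offline)."""
    return (b"M-SEARCH * HTTP/1.1\r\n"
            b"HOST: 239.255.255.250:1900\r\n"
            b'MAN: "ssdp:discover"\r\n'
            b"MX: 2\r\n"
            b"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n\r\n")


def parse_mapping_entry(soap_xml: str) -> PortMapping:
    """Parse one GetGenericPortMappingEntry SOAP response body."""
    root = ET.fromstring(soap_xml)
    values = {}
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]          # drop any namespace prefix
        if tag in FIELDS:
            values[tag] = (elem.text or "").strip()
    missing = [f for f in FIELDS if f not in values]
    if missing:
        raise ValueError(f"response lacks {missing}")
    return PortMapping(
        external_port=int(values["NewExternalPort"]),
        protocol=values["NewProtocol"].upper(),
        internal_client=values["NewInternalClient"],
        internal_port=int(values["NewInternalPort"]),
        description=values["NewPortMappingDescription"],
        enabled=values["NewEnabled"] == "1",
    )


def exposes_camera_segment(m: PortMapping, segment=CAMERA_SEGMENT) -> bool:
    """True when an enabled mapping forwards WAN traffic to a camera address."""
    try:
        client = ipaddress.ip_address(m.internal_client)
    except ValueError:                          # hostname or junk, not an IP
        return False
    return m.enabled and client in segment


def audit(responses) -> list:
    """Return the mappings that punch a hole from the WAN into the cameras."""
    return [m for m in map(parse_mapping_entry, responses)
            if exposes_camera_segment(m)]


def _response(ext, proto, int_port, client, enabled, desc) -> str:
    """Build a constructed response in the standard IGD shape."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        '<s:Body><u:GetGenericPortMappingEntryResponse '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>'
        f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
    )


# Constructed port-mapping table: a camera's web UI opened by UPnP, an
# unrelated LAN host, and a camera RTSP mapping that is present but disabled.
SAMPLE_RESPONSES = [
    _response(8080, "TCP", 80, "192.168.50.12", 1, "IPCam web"),
    _response(51413, "UDP", 51413, "192.168.1.20", 1, "torrent"),
    _response(554, "TCP", 554, "192.168.50.13", 0, "IPCam rtsp"),
]

if __name__ == "__main__":
    for m in audit(SAMPLE_RESPONSES):
        print(f"EXPOSED: WAN {m.protocol}/{m.external_port} -> "
              f"{m.internal_client}:{m.internal_port} ({m.description})")
```

      On a real router the loop over the table is driven by the NewPortMappingIndex argument, incremented until the service returns an error; a non-empty audit result means the firewall is not doing what the owner thinks it is, and the fix is to disable UPnP on the gateway and keep the cameras on a segment with no route out, rather than to delete the one mapping found.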

    4. Anonymous Coward

      Re: Or just put it behind a firewall?

      I can access them via a .aspx page that in turn collates snapshots from the private network and turns that into a stream.

      The problem is that someone who buys one as a baby monitor or whatever wants a camera, and not all the other things that seem to be needed - Windows 2012 server, new firewall, degree in Computer Science etc. They just want a camera and it doesn't seem unreasonable that it should do what it says on the tin.

  6. Pascal Monett Silver badge

    Congratulations, security camera makers

    Thanks to the threatening actions of one, I now consider all makers to be suspect and will not be buying any security camera at all until you guys come forward with objectively-assessed proof that your equipment is secure.

    Given that one of them doesn't even know what to do, I won't hold my breath.

    1. Anonymous Coward

      Re: Congratulations, security camera makers

      Yeah, that is the scary part.

      1. Anonymous Coward

        Re: Congratulations, security camera makers

        "Yeah, that is the scary part."

        I disagree. I think admitting you don't know what to do upon discovering that something you've been selling for god knows how long to god knows whom is unfit for purpose is understandable, refreshingly candid. It's the one answering "fuck off or we'll burn down your house and eat your babies" (or whatever equivalent it was) that I find troubling. Assuming that those two responses weren't both from the same outfit...

  7. Doctor Syntax Silver badge

    We need new terminology

    Insecurity cameras.

  8. Zog_but_not_the_first

    For example...

    From the instructions for such a camera (Tenvis):

    Go to our "easy setup web site"

    Enter your WAN address (details given on how to obtain this).

    Enter your router admin name and password

    Job done.

  9. Sir Alien

    Just reveal the manufacturer behind the threat...

    I assume simply naming the accuser does not allow the accuser to take any legal action against him. Even if they did, it would not be libel since he has evidence of the insecurities and he would win. A side effect of this is that the public may (depending on the case) be able to see the evidence of the court case or they can decide not to take it to court and keep the exploits unknown.

    By just naming the company, their clients would already start taking precautions about the hardware or checking it themselves.

    - SA

    1. phuzz Silver badge

      Re: Just reveal the manufacturer behind the threat...

      I'm also assuming that it must be legal to reveal that someone is taking legal action against you, right?

      1. Anonymous Coward

        Re: Just reveal the manufacturer behind the threat...

        >I'm also assuming that it must be legal to reveal that someone is taking legal action against you, right?

        Not necessarily. The courts can impose an injunction to stop it entering the public domain. Anyway this is probably a threatogram from their attack lawyers, threatening to sue for punitive damages if the presentation goes ahead, rather than a court summons. I guess the alternative is to give a glowing talk about the products of the manufacturers who haven't written a snotty letter and let the audience work out who's missing.

  10. PassiveSmoking

    Security by obscurity

    Dear vendors:

    In spite of being repeatedly told, you still don't seem to grasp the concept, so I'll repeat it for you.

    SECURITY BY OBSCURITY DOES NOT EFFING WORK!

    Maybe you can shut up some security researcher with legal threats, but if he uncovered holes in your product, you can be assured that it's a safe bet that black-hats have found the same flaw and are probably exploiting it right now. Even if they're not, just knowing that some cameras might have certain flaws is enough to encourage them to begin their own research programme to find them, and as they're operating outside the law anyway I don't think they're going to care about any cease and desist letters your lawyers might want to send out.

    If you're selling a broken product then it's your duty to fix it, or withdraw it from sale if you can't. Sticking your fingers in your ears and going LA LA LA I'M NOT LISTENING accomplishes precisely dick.

    And quite frankly, it's alarming that your first instinct is to not fix your product but threaten legal action against someone for pointing out it's broken.

    Get your act together. As for me, I intend to not buy any network connected camera from any manufacturer because you clearly can't be trusted to have your customers' best interests at heart.

    1. Anonymous Coward

      Re: Security by obscurity

      "Sticking your fingers in your ears and going LA LA LA I'M NOT LISTENING accomplishes CRIMINAL CULPABILITY."

      TFTFY

      Not that they'll hear us though - they've had their fingers in their ears going LA LA LA I'M NOT LISTENING ever since some researcher chap told them their "security" products are defective THREE MONTHS AGO

  11. Henry Wertz 1 Gold badge

    So name and shame?

    So name and shame? Anybody? I want to know which vendor or vendors to avoid. I'm disinterested in using vendors who use legal threats to bully security researchers instead of taking their lumps and fixing the products.

  12. Kevin McMurtrie Silver badge

    Not so many, really

    There really aren't very many cameras sold on Amazon. Most of them are the same handful of cameras rebranded over and over. Even companies that you'd expect to actually make cameras are sticking their label on something else.

    This turned out to be extremely frustrating when I was looking for a security camera. Those few cameras have completely garbage firmware running under a patchwork of open source Linux software that somebody likely found on a sketchy FTP site 10 years ago. I'd open the box of a brand new camera and realize it was the same as the old camera. Default login won't stay off, pages not checking authentication, and much easier to crash than to keep running. I eventually started asking companies to send me sample videos so I could compare headers.

    I'm guessing that TRENDnet was the vendor that said they have no idea what to do. Their TV-IP310PI is a defective Hikvision camera that they can't support. Other models may be similar.

    1. Anonymous Coward

      Re: Not so many, really

      Any idea which manufacturer the "most popular" one with thousands of positive reviews is?
