back to article Conficker is back – and it's infecting police body cams

A US IT security company says it found copies of the Conficker malware infecting police body cameras. Florida-based iPower reports that body cameras it received from supplier Martel Electronics were loaded with 2009's baddest botware. Researchers Jarrett Pavao and Charles Auchinleck found that when plugged into a PC, the …

  1. LaeMing Silver badge
    FAIL

    Your equipment is supplied by the lowest bidder.

    Will they never learn? No, the act of learning requires a level of sentience above what what the bulk of humanity have evolved at this point in time.

    1. Ole Juul Silver badge

      Re: Your equipment is supplied by the lowest bidder.

      I agree that it's probably better to always choose the second lowest, just to keep it honest. But I suspect the problem is lack of completeness in the specification. They probably forgot to specify that the cameras not have malware on them.

      1. Anonymous Coward
        Anonymous Coward

        Re: Your equipment is supplied by the lowest bidder.

        They probably forgot to specify that the cameras not have malware on them.

        By your reasoning, it would be acceptable to package a USB mass storage stick with a USBKiller board built-in and sell it to in response to a tender for mass USB storage devices because the tender document forgot to include the sentence: "Must not cause damage to USB host"

        No, I think the people purchasing these cameras have a reasonable expectation that the devices are not carriers of malware out-of-the-box.

        They put trust in the supplier to provide fit-for-purpose equipment: the equipment in this case has been found to cause damage to the software on the computers they are plugged into making the machine they are plugged into, unfit for purpose. Such damage means the cameras may not safely be used and therefore makes them unfit for purpose.

        Australian Consumer Law is very clear about this, pretty sure the US and UK have equivalents.

        1. Fraggle850

          Re: Your equipment is supplied by the lowest bidder.

          I think the OP omitted the <sarcasm> tag.

        2. Anonymous Coward
          Anonymous Coward

          Re: Your equipment is supplied by the lowest bidder.

          "pretty sure the US and UK have equivalents."

          There's something about goods being "fit for purpose" and "of merchantable quality" (or similar) in UK consumer law.

          NB *consumer* law.

          Business to business transactions are not included. Businesses making purchases are expected to have more sense than consumers in general (or to pay someone who has more sense).

          1. Andrew Taylor 1

            Re: Your equipment is supplied by the lowest bidder.

            Hmmmmmmm, not a Talk Talk customer then

            1. This post has been deleted by its author

        3. Primus Secundus Tertius Silver badge

          Re: Your equipment is supplied by the lowest bidder.

          @Stuart Longland

          You are correct thet UK consumer law requires sold goods to be fit for purpose. But that does not necessarily cover purchass between businesses.

          So you end up with contract clauses like: "The equipment shall be fit for purpose, including but not limited to being free from viruses...". It is impossible to explicitly mention everything.

        4. I. Aproveofitspendingonspecificprojects

          Re: Your equipment is supplied by the lowest bidder.

          What sort of specs do the ones supplied to the cops that like to shoot negroes have?

          1. Fatman Silver badge
            Joke

            Re: Your equipment is supplied by the lowest bidder.

            <quote>What sort of specs do the ones supplied to the cops that like to shoot negroes have?</quote>

            <sarcasm mode="devious"> <racist overtones="on">It has a 'light/dark' sensor. </racist overtones> </sarcasm>

          2. Tom 13

            Re: Your equipment is supplied by the lowest bidder.

            The same one #BlackLivesMatters types who want to shoot white cops do, just with inversed parameters.

        5. Charles Manning

          Australian Consumer Law??

          WTF has that to do with police purchases? Consumer law only applies to purchases for private use.

          The real fail here has been in the BOFHs who did not screen and check products before hooking them up to the corporate network....

          Or maybe by your logic BOFHs should just sit back with their feet on their desks and wave the consumer law in the bosses face when the system gets a virus or something breaks.

          Not my fault the system is infected: the computer company should have supplied computers with no malware on them.

          Not my fault the backup is useless: the tape company should have supplied good tape.

        6. PNGuinn
          FAIL

          Re: Your equipment is supplied by the lowest bidder. @ Stuart.

          The operative word is "trust".

          I'm sorry - you just can't. It's a real pain in the a**e / a** but that's digital life today.

      2. Mephistro Silver badge
        Angel

        Re: Your equipment is supplied by the lowest bidder. (@Ole Juul)

        They should also remember to specify that the device shouldn't burst in flames spontaneously, leak high radiation levels or cause contact poisoning.

        1. Ole Juul Silver badge

          Re: Your equipment is supplied by the lowest bidder. (@Ole Juul)

          I honestly don't think those are likely possibilities do you? Besides, you do know I was kidding. Right?

          1. Mephistro Silver badge
            Happy

            Re: Your equipment is supplied by the lowest bidder. (@Ole Juul)

            you do know I was kidding. Right?

            Of course, and I was kidding too.

            I honestly don't think those are likely possibilities...

            And this year's Optimism Nobel prize goes to Mr. Ole Juul!!!

            ;-)

    2. Charles Manning

      Re: Your equipment is supplied by the lowest bidder.

      Sorry, no. It's not just the lowest bidder. Blaming external factors is just the lazy way out.

      Equipment can get infected somewhere along the manufacturing process, be that PCs from Dell, cameras, printers, ....

      Any BOFH worth anything would be highly sceptical of new equipment. Don't trust anything. Even when a new type of equipment has been checked, do an audit on devices new and old once in a while.

      For infected cameras to get deployed requires that far more than just the manufacturer has failed in their job.

      1. Anonymous Coward
        Anonymous Coward

        Re: Your equipment is supplied by the lowest bidder.

        Sorry, no. It's not just the lowest bidder.

        I agree - it is much more of a systemic issue.Lots of the higher bidders will be cutting the same costs but just taking more profit out of the contract.

        The problem (If you want to see it as one) is that the obligation to maximise shareholder profit will always ensure as many corners get cut as they can get away with. Lots of people even see this as the right thing to do and call it "efficiency."

        Where it creates an issue is where the customer is unable to use market forces in retaliation (such as when the supplier has an effective monopoly or the customer doesnt have the ability to detect problems).

        If they really cared, the police forces who had bought these crappy cameras would be terminating contracts and suing the suppliers for delivery of defective goods. Other forces would also join in and drop all their contracts and with a bit of luck they would go out of business because an exec decided that doing things properly was "too expensive."

        However, in practicality, what tends to happen is the customer (in this case the police) use their own funds (in this case public funds) to fix the problem so the supplier can continue to drive nice profits.

        1. DavCrav Silver badge

          Re: Your equipment is supplied by the lowest bidder.

          "The problem (If you want to see it as one) is that the obligation to maximise shareholder profit will always ensure as many corners get cut as they can get away with. Lots of people even see this as the right thing to do and call it "efficiency.""

          Can we please stop repeating this myth. There is no obligation to maximize profit, and even if there were, not cutting corners would be justifiable as profit exists in short and long terms. There might be a desire to maximize short-term profit, either on the management or shareholders' parts, but there is no such obligation.

          1. allthecoolshortnamesweretaken Silver badge

            @ DavCrav

            "There is no obligation to maximize profit, ..."

            [citation needed]

            1. Warm Braw Silver badge

              Re: @ DavCrav

              Citation.

              1. Mark 85 Silver badge

                Re: @ DavCrav

                That is all fine and well.. but for a board to say "we don't have to maximize shareholder profits" will not work as that board would be replaced quickly. And if you have on the "activist investors" scum sucking bottom feeders as a stockholder, that board is in deeper shit.

                1. druck Silver badge

                  Re: @ Mark85

                  A business can maximise shareholder value by either:-

                  a) cutting every corner, producing a crap product, look for a new sucker to buy each time

                  or

                  b) spending slightly more on the product, getting steady stream of repeat business from satisfied customers

                  While there are plenty of (a)s, there are quite a few (b)s too.

              2. Gene Cash Silver badge

                Re: @ DavCrav

                Your "citation" simply says I must log in. Not much of an argument.

                1. Mephistro Silver badge

                  Re: @ DavCrav

                  It let me read the article without asking for anything. Perhaps you have accessed recently other articles in the NYT and reached some limit.

              3. Tom 13

                Re: @ DavCrav

                Partisan progtards at the New York Slimes are NOT a citation.

            2. DavCrav Silver badge

              Re: @ DavCrav

              "@ DavCrav

              "There is no obligation to maximize profit, ..."

              [citation needed]"

              Traditionally, the onus to provide evidence falls on the person claiming existence, not absence, as it would be difficult for me to prove the lack of a law, except for quoting all law and saying look through it and you will see. Although someone else has helpfully provided a link.

          2. Anonymous Coward
            Anonymous Coward

            Re: Your equipment is supplied by the lowest bidder.

            There is no obligation to maximize profit, and even if there were, not cutting corners would be justifiable as profit exists in short and long terms. There might be a desire to maximize short-term profit, either on the management or shareholders' parts, but there is no such obligation.

            This is just pointless semantics.

            There may well be no legal obligation to maximise profits which can be defended in court as justification for action, but any company with publicly traded shares which says they are going to increase costs and reduce shareholder dividends will suffer.

            The management responsible to the shareholders will feel an obligation even where one does not exist in law.

            The shareholders, if they see profits dwindling away, will pretty soon take measures to change the management.

            The overall effect is that as long as cutting corners gives MORE profits to the shareholders, and the repercussions are felt elsewhere (i.e. the public bail them out, pay to fix it or whatever), then the shareholders and management will be happy. Until the shareholders feel the pain of cutting corners, it wont ever be a problem for the management.

            Arguing that the obligation is not written in corporate law seems a bit pointless.

            1. DavCrav Silver badge

              Re: Your equipment is supplied by the lowest bidder.

              "This is just pointless semantics."

              I think the question of whether a particular behaviour is unlawful or not is far from pointless semantics, and anyone in the dock would agree with me.

        2. I. Aproveofitspendingonspecificprojects

          Re: Your equipment is supplied by the lowest bidder.

          > If they really cared, the police forces who had bought these crappy cameras would

          give them to the firemen

          FTFY. BNFT.

    3. Voland's right hand Silver badge
      Mushroom

      Re: Your equipment is supplied by the lowest bidder.

      Close but no cigar. Realtime Embedditis. Your equipment is built by an embedded engineer. Being lowest bidder has nothing to do with it.

      1. OS is used with base build. No updates

      2. No means to update it without breaking everything

      3. Security means "PASSword" as password - no measures in terms of network security or threat mitigation.

      4. You cannot add any extra protection as an afterthought because the app built by the person suffering from Realtime Embedditis takes on the CPU in single handed combat and owns it. It is proudly realtime though.

      This is the type of people who build SCADA, smart metering and industrial automation today. These will be the people who will build the brave new world of connected everything and IOT tomorrow.

      As you could have guessed I have worked with this type of individuals more than once. Every fecking time I wanted to embed the keyboard in their skull. They never learn. This is just one more example of that.

      1. tojb
        Angel

        Re: don't blame the camera OS for serving up an MSC

        Sounds like its a windows-based worm, nothing to do with the camera firmware: when you plug the device in it serves up a mass-storage-class to allow transfer of files, that is the only reasonable thing to do. If the computer you plugged it into (at some point in the setup or testing process, presumably) is infected and chooses to save an infected file, then the device becomes a passive carrier of the worm.

        It is even possible that the cameras became infected at the same time as their OS and app were installed: how can you blame the firmware in this case?

    4. Suburban Inmate

      Infected development gear?

      Just takes one developer to grab one shady warez or 3rd party hosted copy of the dev suite and...

  2. Fraggle850

    Jolly good, welcome to the future

    Assuming that the current hype that is IoT becomes a thing we can expect much more of this. This seems a bit old school but once there are enough poorly secured home and personal 'smart' devices out there they will be targeted.

    1. allthecoolshortnamesweretaken Silver badge

      Re: Jolly good, welcome to the future

      Yep, can't wait for the IoT to spread. Life will be sooo much simpler and safer, won't it? Won't it? Yeah, right.

      On an unrelated note: "El Reg similarly tried to contact Martel, and though we were unable to get comment we can confirm the company's on-hold music to be relatively pleasant and inoffensive."

      This is the sort of thing why I'm reading El Reg.

      1. PNGuinn
        Joke

        This is the sort of thing why I'm reading El Reg

        So noone got infected with a earworm then?

        Enquiring minds etc, etc ...

    2. Lusty Silver badge

      Re: Jolly good, welcome to the future

      "Assuming that the current hype that is IoT becomes a thing"

      IoT is already a thing and is already in widespread use. What's new is that marketing has made people like you partially aware of it. IoT is all around you in sensors on the Tube, automated electronic bus stop signs, smart thermostats, smart meters, cameras, pro sport recording/monitoring devices and many, many more. It's certainly set to grow as skills improve and more people are aware of the technology but it's most definitely already a thing.

      1. Fraggle850

        @Lusty Re: Jolly good, welcome to the future

        > What's new is that marketing has made people like you partially aware of it. IoT is all around you in sensors on the Tube, automated electronic bus stop signs, smart thermostats, smart meters, cameras, pro sport recording/monitoring devices and many, many more.

        I am fully aware of the myriad connected systems already in existence but thank you for the lecture. I am also aware of the fact that some of these have already been compromised. The point I intended to make was that the hype-driven push to get significantly more of these systems out and into ever more parts of our lives will provide ever wider and richer attack-vectors. This will attract more attention from professional miscreants looking to make money and will raise the level of malware innovation because a market will emerge.

        My apologies if my original post led you to assume that I'm a numpty.

        1. Anonymous Coward
          Anonymous Coward

          Re: @Lusty Jolly good, welcome to the future

          It won't be richer attack vectors, it'll be the army of "professional developers" employed to create new IoT solutions who'll use sample code rather than understanding. These will lead to the same old attack vectors like SQL injection where obvious security holes are copied and pasted to ever increasing numbers of devices. Unfortunately the people who know how to do this stuff securely are too few in number as is always the case in IT.

          1. Fraggle850

            Re: @Lusty Jolly good, welcome to the future

            > '...lead to the same old attack vectors like SQL injection where obvious security holes are copied and pasted...'

            Indubitably so but I suspect they'll also open up new ones too

            > 'Unfortunately the people who know how to do this stuff securely are too few in number'

            Well said and too true, and I suspect under resourced in the majority of organisations.

            I'd also hazard a guess that many of these things will have on-board resources pared down to the minimum to keep costs down, making any overheads imposed by decent security a non-starter (imagine going to the bean counters and saying 'We need to double the cost of the boards to allow for extra processing for encyption' for example).

            1. Mephistro Silver badge
              Trollface

              Re: @Lusty Jolly good, welcome to the future

              "imagine going to the bean counters and saying 'We need to double the cost of the boards to allow for extra processing for encryption'

              Don't EVER "go" to the bean counters - or the managers - with something like this!. Send them an email, and keep a copy. They'll probably fire you all the same, but you could then take revenge or even make some bucks by blackmailing them afterwards. ;-)

    3. ecofeco Silver badge

      Re: Jolly good, welcome to the future

      Some of us have been saying this for years. Welcome aboard!

      Combine this with the cloud and it is not going to end well.

      1. Fraggle850

        Re: Jolly good, welcome to the future

        Indeed, have had vague concerns since the first reports of state-sponsored SCADA hacks a few years back but now this stuff is being pushed into the consumer mainstream to the extent that early adopters feel the need to have a connected iKettle (really? Why?) I suspect this will become an increasingly entertaining field to watch (assuming that you haven't filled your life with random IoT tat, in which case replace 'entertaining' with 'scary').

        Given the push for connected vehicles and recent issues with hacks accessing some critical vehicle systems over an unsecured canbus I think we're in for quite a ride (excuse the pun).

    4. Tom 13

      Re: Jolly good, welcome to the future

      Back in the dark ages before the Internet, I was a tech writer at a company that was attempting to develop a smart house for consumer distribution (they eventually went bust because back then $500K houses were even less common than they are today, and at $15K just for a fully populated control box it probably wasn't making the upgrade list on anything cheaper than that). There are real problems trying to build a system that responds in real-time and remains price point competitive. IIRC our controller was going to use Intel 186 chips and had a specialized tiny os. The folks writing the design specifications manufacturers would be expected to use were writing for 4-bit and 8-bit processers with the expectation that in some instance no more than 4K or RAM would be available. At the time our PCs were running Windows 3.1.11 on I believe DOS 5.0. As the DTP specialist and CAD backup guy I had the pleasure of working on a 386 with maxed out RAM and dual monitor display (one was paper white for CAD). While I expect the names of the common components will have changed, I don't expect the disparity of capabilities between the PC and the embedded components have.

      So I have a fair bit of sympathy for the engineers working on the embedded controllers. The people for whom I have no sympathy are snake oil salesman promoting them as the wave of the future.

  3. TRT Silver badge

    " we can confirm the company's on-hold music to be relatively pleasant and inoffensive."

    Their telecommunication equipment was infected with Ear Worm malware.

  4. Anonymous Coward
    Anonymous Coward

    Plausable deniability

    "We don't have that video, it got wiped when we removed the computer virus." a police department spokes droid ....

    Has that excuse been used yet or is it there for 'the big one'?

    1. Destroy All Monsters Silver badge
      Pint

      Re: Plausable deniability

      One yet but it's only a matter of time.

    2. allthecoolshortnamesweretaken Silver badge

      Re: Plausable deniability

      Or better yet: unplug the camera...

      http://boingboing.net/2015/11/13/cop-who-unplugged-his-cam-befo.html

      1. Mephistro Silver badge

        Re: Plausable deniability

        Holy mother of God! Another proof that been a cop in the USA is like having a license to kill anybody you don't like!

  5. Anonymous Coward
    Anonymous Coward

    Still better than adware

    Cops would be inundated with special offers for guns, personal protection, announcements from the police union and ambulance-chasing lawyers.

  6. Anonymous Coward
    Anonymous Coward

    Might cause video evidence to be excluded from prosecutions

    Defense attorneys can use this to exclude such video evidence. Judges likely to agree.

    Such a decision wouldn't make much sense from a technical point of view, but legal minds could easily decide to impose a minimum level of IT security standards on the evidence chain. Viruses in the body cam clearly fails to meet any such standard, so toss the video out of court.

    This news item could have major implications.

    Small careless, non-certified manufactures may be squeezed by bigger corporations that can deal with telephone book sized specifications, and certifications to endless standards.

    How long until some well-funded agency actually does manufacture video evidence to frame up their selected target? It's so "unlikely" that it would work every single time.

    1. PNGuinn
      Black Helicopters

      How long until some well-funded agency ...

      Had you anyone in particular in mind?

  7. Suburban Inmate
    Boffin

    Just like the Elephone P8000

    I foresee quite a wave of this sort of thing as budget chinese makers encroach on the big brands.

    My Elephone P8000 came with a custom launcher that b0rked it within 24 hours, but 48 hours later I'd managed to coax a reboot out of it and did a factory restore, replacing the launcher immediately. Fingers crossed the update I'm about to install won't restore the nasty.

    More info here.

    1. Fraggle850

      Re: Just like the Elephone P8000

      An interesting insight and the link to the support forum made good reading: I assume the guy with no shift or punctuation keys on his keyboard is a company shill given his defensive proclamation: 'where are you getting your information from most of the virus protectors give false readings and so does other virus protectors for pc'?

      Particularly ridiculous given that one of the complainers gave explicit evidence of skulduggery! (Hey, was that you? Well done! Give 'em hell!)

      Perhaps the company needs a marketing tagline: 'The Elephone never forgets (to call home and get the latest malware)'

      1. Suburban Inmate

        Re: Just like the Elephone P8000

        Well it wasn't me on the elephone forums but following the post I installed an update, still got Nova launcher on there after (quick fix, was rated good on a search, no time to play with a selection) and it seems its still there and stable after the update. Except I'm not sure the update actually applied, looking at the version number now its rebooted. Too tired and want to get drunk so I'm leaving that for now.

        tl;dr Get a wileyfox Storm, save the hassles!

        1. Fraggle850
          Pint

          Re: Just like the Elephone P8000

          Yeah, for a tenner extra for the cheaper of the two Wiley Fox phones. Or maybe just whack Cyanogen on the Elephone? Enjoy your drinkings, beer o'clock hereabouts too, chin chin, what what.

        2. dc_m

          Re: Just like the Elephone P8000

          I did exactly that when the usb fell out of my elephone P8.

          The Wileyfox has so much better build quality!

          1. Suburban Inmate
            Mushroom

            Re: Just like the Elephone P8000

            Aaaand the screen just died to a few grey/white dancing horizontal lines. Thankfully GearWorst have a UK warehouse so I'll get a refund or revenge, their call.

            Yes, Wilefox Storm on order from Clove, stock expected this week.

  8. Stevie Silver badge

    Bah!

    It should be against federal law to supply equipment pre-loaded with viruses, worms and trojans.

    It should incur double penalties to do so to the armed forces, police, fire services or EMTs.

  9. GarethJ
    Joke

    Doh!

    Damn my Dyslexia, I first read Martel as Mattel, and thought "Are they buying toy Cameras", in the light of what's happened, perhaps it's not too far from the truth.

  10. BarryRGreene

    Source of "Up to Date" Conficker Data

    Here is one public source of Conficker data:

    http://www.shadowserver.org/wiki/pmwiki.php/Stats/Conficker

    In includes the volume of invected machines.

  11. Tom 13

    Re: the company's on-hold music to be relatively pleasant and inoffensive.

    Nothing rankles me more than relatively pleasant and inoffensive hold music. There's nothing that's a surer sign there are devil spawn waiting for me on the other end.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019