Comments on: Hacking Video Surveillance Networks

By: pdp

pdp — Thu, 20 Nov 2008 18:56:27 +0000

yep, updated the post to outline the correct location of the scripts.

By: axis.hat0r

axis.hat0r — Mon, 15 Sep 2008 23:57:45 +0000

very inspiring text, thank you. would be also very great to have a glimpse over the python scripts, anyone still got them?

By: pdp

pdp — Thu, 05 Jun 2008 10:18:08 +0000

interesting… :) never say impossible! most of the hacks happen because of human mistakes.

By: Vasile Bujor

Vasile Bujor — Wed, 04 Jun 2008 13:32:13 +0000

Hi,

I am the IT Manager at a division of BMCO Romania - not Barton Marlow Company - . This article it is interesting, congruatulations. I am a surveillance solutions integrator and I use wireless cameras only for amateur use, and budget limited where the costs of mounting cameras exceed budget. For professional installation I only use FTP and patch cord FTP, and one ideea of using shielded cord is that no startreck technology can be used to interferate with the system and hack it. The only way is to phisically cut the wire or the exterior shield and connect. BUT to have acces at this technology it is expensive and the only way to succed is that the instalaltion could be made by some moron that has no knowledge of cable routing.

By: srcasm

srcasm — Mon, 18 Feb 2008 00:44:20 +0000

@marchiner,
You are absolutely right. It’s a scary thought but deauths and broadcast deauths are available to anyone to use. One of the only ways of protecting from is it to contain your radio signals but this seems like a far-fetched idea for most people/companies. Maybe one day we’ll have a system that is a bit more secure.

By: Holes in Embedded Devices: Authentication bypass (pt 2) | GNUCITIZEN

Holes in Embedded Devices: Authentication bypass (pt 2) | GNUCITIZEN — Fri, 15 Feb 2008 17:18:35 +0000

[...] http://www.gnucitizen.org/blog.....-networks/ [...]

By: marchiner

marchiner — Wed, 06 Feb 2008 19:48:45 +0000

Hi citizens…

Since i saw i IP based cam using wireless i started to think about deathentication atacks and please correct if i am wrong but.. its something extremaly easy to be made in wireless word… if you spoof the target MAC andress and got signal force to send the correct packages.
So… theres any kind of protection against this deauthentication? And what about Broadcast Deauthentication pckts?
If i am right.. and i hope so that iÂ´m wrong.. its easy to confuse any Ip cam video system based on wireless.

Nice post pdp… keep going! :D

By: pdp

pdp — Tue, 05 Feb 2008 09:31:44 +0000

well the easiest way is to try to spot the camera model and check it on the Web. Also observing any network-type infrastructure around it could also lead to the conclusion that it is IP-based. On the other hand, if you have access to the network but you are not sure whether there are some IP-based cameras, simply query for mDNS and UPnP.

By: hackathology

hackathology — Tue, 05 Feb 2008 08:53:54 +0000

pdp, this is a very good post. I would like to know how can i be sure if a video cam network is using the IP network when in the first place i don’t even have access to the network. I can see the video cam, but there is no way i can guess if it is using the IP network

By: Jason Macpherson

Jason Macpherson — Sat, 02 Feb 2008 04:53:12 +0000

Yep Axis cameras run linux alright. These things are very Geek/Hacker friendly. You can even enable telnet by editing “/etc/inittab “. and uncommenting the following line: “tnet:35:once:/usr/sbin/telnetd”

By: pang

pang — Fri, 01 Feb 2008 15:23:51 +0000

I believe AXIS cameras has support for 802.1x and even if they didn’t I would configure the switch to notice if the camera was unplugged.

AXIS cameras can also be configured to larm if the picture is changed a lot like if you would spraypaint it or something.

By: Ix

Ix — Thu, 31 Jan 2008 19:56:03 +0000

Interesting post. This looks like it’s almost easier than it is in movieland, which is amusing considering their idea of hacking a Gibson (yeah, that’s a reference to the “Hackers” movie for all it’s horrible hacking portrayal). Heh, anyways it was interesting to see proof that this is more than do-able in the real world. I know a few family friends have had these types of things set up to watch their small family business while they were on a vacation but one has to wonder if any of the more technical employees set up something like this and held parties in the break room.

By: pdp

pdp — Thu, 31 Jan 2008 09:44:06 +0000

I guess the 802.1x authentication based mechanism makes a lot more sense, since the port on the switch will be marked as unauthorized, and therefore will be blocked, unless you send the right EIP credentials. However, as far as I am aware, 802.1x is vulnerable to man in the middle attacks (MITM). Please correct me if I am wrong. On another note, if the attacker has a physical access to a camera they might be able to read the creds from the device. But definitely, it is a lot better then what AXIS currently has.

The truth is that, like everything else, you have to find the golden balance between security and accessibility and layer the security models in a way that they make sense for the setup you have.

By: agent0x0

agent0x0 — Wed, 30 Jan 2008 20:26:25 +0000

Very good post pdp. Do you know if using another camera that supports something like 802.1x authentication might help mitigate this risk perhaps? I think I read somewhere that Cisco IP cameras support this and can be configured more secure then your AXIS types (Cisco will cost you $$$ though..).

By: pdp

pdp — Wed, 30 Jan 2008 17:19:38 +0000

Hugo, that was very constructive comment. Thank you. How can u trust in crypto when most of the infrastructure we relay on is not encrypted at all? On another note, if you don’t understand the consequences of abusing either DNS or DHCP, then you should better get informed.

By: Hugo

Hugo — Wed, 30 Jan 2008 17:09:51 +0000

Well, pdp, do you trust what your eyes are showing you? Maybe I put static picture in front of your head. Stop this “omfg there is no one to trust” bullshit. I don’t trust in your dhcp or dns shitty, I trust in crypto. And so should everyone do.

By: pdp

pdp — Wed, 30 Jan 2008 15:03:47 +0000

pang, yes AXIS is linux based. In fact, if you have the credentials (often obtained by bruteforce), you can FTP in and look at the file structure.

By: pang

pang — Wed, 30 Jan 2008 13:26:25 +0000

Don’t you mean Ocean’s Eleven? We got lots of AXIS cameras in the subway here in Sweden. Really nice cameras. I think they run some kind of linux. You can get telnet running on them anyway. They got a nice API via the web also. Now that I think about it I think AXIS headquarters are located here in Sweden.