Hackers Break into Security Cameras, Exposing Tesla, Jails, Hospitals

bloomberg.com

102 points by opaque 5 years ago · 20 comments

judge2020 5 years ago

> ever wondered what a maintenance backdoor root shell inside the Cloudflare or Tesla HQs would look like?

https://twitter.com/nyancrimew/status/1369390591700828170?s=...

Threadreaderapp: https://threadreaderapp.com/thread/1369373713121083395.html#...

Raw images: https://pbs.twimg.com/media/EwENVr4XIAQWMDp.jpg and https://pbs.twimg.com/media/EwENcRwWYAgxyAi.jpg

  • tmikaeld 5 years ago

    Like others pointed out, this is probably the root shell of the cameras and not any system. See the partition names and ramdisk, typical for cameras.

  • 1f60c 5 years ago

    Was this all disclosed responsibly? All of that should have been worth millions in bug bounties, at least.

    • bellyfullofbac 5 years ago

      If they wanted to end "surveillance capitalism", helping the company that supplies these systems secure them better would not help their goal.

      Or maybe they can collect the millions, and publish the compromising material anyway? Although if they had given you money, they'd have your law-enforcement compatible personal information.

      Edit: ah I thought he was^W^W they were being anonymous, his^W their twitter points to his^W their website...

      • busrf 5 years ago

        Just use “they” without any of that nonsense. Show some basic respect to the hacker who popped root shells inside Cloudflare and Tesla networks, without leveraging it to enrich themselves in any way.

cxcorp 5 years ago

> The hackers’ methods were unsophisticated: they gained access to Verkada through a “Super Admin” account, allowing them to peer into the cameras of all of its customers. Kottmann says they found a user name and password for an administrator account publicly exposed on the internet.

So you're telling me that the interface that grants you access to ALL of your customers' (including hospitals and schools) data and shells to the cameras doesn't even require 2FA? W...w-what?

  • Snawoot 5 years ago

    A year ago I published a full disclosure on a similar case with Chinese IP cameras, DVRs and NVRs: https://habr.com/en/post/486856/

    The interesting thing is that the super-user account was discovered earlier, but the vendor swept it under the rug a few times, adding trivial obstacles on each occasion. My article describes the latest case, breaking an encrypted challenge based on a hard-coded secret key and a homegrown 3DES variant.
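The failure mode Snawoot describes, a device challenge-response keyed by a secret baked into every unit's firmware, is worth seeing in code. The block below is an added example, not code from the linked article or from any camera vendor: it uses HMAC-SHA256 in place of the article's homegrown 3DES variant, and the camera class, serial format and key sizes are assumptions. It shows that once the key is pulled from one device, the attacker answers every other device's challenge, and that deriving a unique key per serial from a master that never leaves the vendor's provisioning system limits a firmware dump to the one device it came from.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Added illustration of a hard-coded-key challenge-response (stand-in for the
# article's scheme); Camera, serial format and key derivation are assumptions.


def respond(key: bytes, challenge: bytes) -> bytes:
    """Client side of the challenge-response: prove possession of `key`."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Camera:
    """Device side. `key` is whatever the firmware stores: identical in every
    unit in the weak design, unique per serial in the hardened one."""

    def __init__(self, serial: str, key: bytes) -> None:
        self.serial = serial
        self._key = key
        self._pending: Optional[bytes] = None

    def challenge(self) -> bytes:
        """Issue a fresh random nonce; only one may be outstanding at a time."""
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response: bytes) -> bool:
        """Accept the response if it matches HMAC(key, nonce); nonce is single use."""
        if self._pending is None:
            return False
        expected = respond(self._key, self._pending)
        self._pending = None
        return hmac.compare_digest(expected, response)

    def dump_firmware(self) -> bytes:
        """What an attacker recovers from one pulled flash chip or firmware image."""
        return self._key


def derive_device_key(master: bytes, serial: str) -> bytes:
    """Per-device key = HMAC(master, serial). The master stays at the vendor."""
    return hmac.new(master, serial.encode(), hashlib.sha256).digest()


def fleet_shared_key(n: int = 3) -> List[Camera]:
    """Weak design: the same secret is compiled into every unit's firmware."""
    shared = secrets.token_bytes(32)
    return [Camera(f"CAM-{i:04d}", shared) for i in range(n)]


def fleet_per_device_key(n: int = 3) -> Tuple[bytes, List[Camera]]:
    """Hardened design: each unit gets its own key at provisioning time."""
    master = secrets.token_bytes(32)
    serials = [f"CAM-{i:04d}" for i in range(n)]
    return master, [Camera(s, derive_device_key(master, s)) for s in serials]


def attacker_can_open(fleet: List[Camera], dumped: int, target: int) -> bool:
    """Attacker dumped fleet[dumped]; can they pass fleet[target]'s challenge?"""
    stolen_key = fleet[dumped].dump_firmware()
    cam = fleet[target]
    return cam.verify(respond(stolen_key, cam.challenge()))


def vendor_can_open(master: bytes, cam: Camera) -> bool:
    """Legitimate support path: re-derive the device key from master + serial."""
    return cam.verify(respond(derive_device_key(master, cam.serial), cam.challenge()))


if __name__ == "__main__":
    print("shared key, dump cam 0, open cam 2:", attacker_can_open(fleet_shared_key(), 0, 2))
    master, fleet = fleet_per_device_key()
    print("per-device key, dump cam 0, open cam 2:", attacker_can_open(fleet, 0, 2))
    print("per-device key, vendor opens cam 2:", vendor_can_open(master, fleet[2]))
```

Per-device keys do not make the challenge-response strong in any absolute sense (an attacker with physical access to a given unit still owns that unit), but they turn "one firmware dump unlocks the whole installed base" into "one firmware dump unlocks one camera", which is the difference between a product-wide backdoor and a local compromise. The obstacles Snawoot mentions the vendor adding (obfuscation, a home-made cipher) do nothing against this threat because the key material is still present on every device.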

  • wrs 5 years ago

    Why does an account with that capability even exist in the first place? And if it does exist, how does unexpected use of it not set off alarms?

    • Psychlist 5 years ago

      Often it's more that it is hard to avoid having that account. And management don't see the point in making it so that they need to get two underlings working together to jump through hoops to trace through the whole stack and work out why the camera monitoring the Very Important Customer's executive liquor cabinet was offline when persons unknown emptied it.

      For small companies often "devops" is one person, sometimes even one person who also does other stuff. I like to think I've made it difficult for that specific person to get complete control of any specific device that we've sold, but I'm also aware that it takes one bug in one of those devices to undo anything I can do on the server side. All they need to do is get the public IP from my system (which is needed right down to customer service level), knowledge of a bug and bingo... they have control. Especially if the bug is "customer chose an obvious password".
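cxcorp's point (a Super Admin that reaches every customer's cameras with no 2FA) and wrs's question (why does unexpected use of such an account not set off alarms) together describe the detection a vendor should have had. The block below is an added example, not Verkada's logging or any real product's: the audit-log format, field names, the support egress range and the ticket field are all constructed for the illustration. It runs three rules over sample log lines: a super_admin login without MFA, a super_admin login from outside the support team's egress range, and a super_admin touching a customer org without a support ticket on record.

```python
import ipaddress
import json
from typing import Dict, Iterable, List

# Added example; log format, field names and the ranges below are assumptions.

# Hypothetical egress range the vendor's support staff are expected to use.
SUPPORT_EGRESS = ipaddress.ip_network("192.0.2.0/24")
# Events that read customer data; a super_admin must cite a ticket for these.
CUSTOMER_DATA_EVENTS = {"view_stream", "download_clip", "device_shell"}

NO_MFA = "super_admin login without MFA"
BAD_SOURCE = "super_admin login from outside the support egress range"
NO_TICKET = "super_admin accessed a customer org with no support ticket"

# Constructed audit-log lines, one JSON object per line (not real vendor logs).
SAMPLE_LOG = """
{"id": 1, "ts": "2021-03-09T10:02:11Z", "event": "login", "user": "support-superadmin", "role": "super_admin", "mfa": false, "src_ip": "198.51.100.7"}
{"id": 2, "ts": "2021-03-09T10:02:30Z", "event": "view_stream", "user": "support-superadmin", "role": "super_admin", "org": "hospital-42", "ticket": null}
{"id": 3, "ts": "2021-03-09T10:05:02Z", "event": "login", "user": "alice", "role": "org_admin", "mfa": true, "src_ip": "203.0.113.5"}
{"id": 4, "ts": "2021-03-09T10:06:40Z", "event": "view_stream", "user": "alice", "role": "org_admin", "org": "hospital-42", "ticket": null}
{"id": 5, "ts": "2021-03-09T11:00:00Z", "event": "login", "user": "oncall-bob", "role": "super_admin", "mfa": true, "src_ip": "192.0.2.10"}
{"id": 6, "ts": "2021-03-09T11:01:00Z", "event": "view_stream", "user": "oncall-bob", "role": "super_admin", "org": "school-7", "ticket": "SUP-1234"}
{"id": 7, "ts": "2021-03-09T11:03:00Z", "event": "device_shell", "user": "oncall-bob", "role": "super_admin", "org": "school-7", "ticket": "SUP-1234"}
"""


def detect(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one alert per rule hit, in log order. Only super_admin activity
    is in scope here; ordinary tenant admins are covered by per-org rules."""
    alerts: List[Dict[str, object]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("role") != "super_admin":
            continue
        if ev.get("event") == "login":
            # Rule 1: the most privileged role must always present a second factor.
            if not ev.get("mfa"):
                alerts.append({"id": ev["id"], "user": ev["user"], "reason": NO_MFA})
            # Rule 2: support staff log in from a known range; anything else is suspect.
            if ipaddress.ip_address(ev["src_ip"]) not in SUPPORT_EGRESS:
                alerts.append({"id": ev["id"], "user": ev["user"], "reason": BAD_SOURCE})
        elif ev.get("event") in CUSTOMER_DATA_EVENTS and not ev.get("ticket"):
            # Rule 3: cross-tenant reads need a reason on record, or they page someone.
            alerts.append({"id": ev["id"], "user": ev["user"], "org": ev.get("org"), "reason": NO_TICKET})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample above, events 1 and 2 (the leaked-credential style login and the ticketless stream view that follows it) raise alerts, while oncall-bob's MFA login from the support range with a ticket reference passes all three rules. The point is not that these rules are hard, but that a role which can reach every tenant is exactly the one whose every action should be cheap to justify and expensive to hide; the better fix, as wrs implies, is to not have a standing account of that power at all.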

  • mylons 5 years ago

    Everyone underestimates how lazy people really are

ObsoleteNerd 5 years ago

As someone who spends a fair few weeks a year in hospital, the idea of internal hospital security cameras being connected to the internet at all is absolutely fucking horrifying. It's people at their most vulnerable, and FTA it says it was even cameras aimed at the beds, not just hallways and public areas.

The fact that ANY internet-connected camera system can be considered HIPAA compliant is ridiculous. Anyone who's had any exposure to the internet in the last 20 years has seen dozens of stories of cloud-connected cameras being exposed online... baby cameras, security cameras, etc. Combine that with the number of big hacks increasing, and the idea of any internet-connected camera being "secure/private" should basically be laughed at.

What will happen? Nothing. The hackers will be blamed, not the managers/executives who thought this was a good idea in the first place, or the multiple tiers of people who are responsible for security in these companies.

  • unsrsly 5 years ago

    IANAL but HIPAA compliance comes from following certain policies and procedures (e.g. for encryption and account provisioning). These rules are necessary but not sufficient to guarantee security. As for cameras in hospitals, I have only seen these pointed at beds in specific scenarios (e.g. epilepsy monitoring) but obviously it is important to keep these video feeds secure.

jtchang 5 years ago

Cloud enabled cameras that I don't fully control are concerning to me. My guess is we will be seeing more of these types of breaches in the future.

bsder 5 years ago

This is why you don't have cameras unless you've got a specific reason to.

However, nobody important in those companies is going to jail for a breach like this, so nothing will change.

lights0123 5 years ago

https://archive.is/RxopA

notsuoh 5 years ago

This is neat, but the whole "End Surveillance Capitalism" seems like a pretty big stretch. I'm not sure it's reasonable to think that showing a bunch of security camera footage will do anything of the sort, regardless of how damning.

pcdoodle 5 years ago

This is why you use Blue Iris and dedicate a NIC to isolate all your cameras from your LAN.

  • Psychlist 5 years ago

    I prefer non-IP cameras so they can't be plugged into the internet. Yes, it's annoying to get a feed other than locally... but that is the whole point.

    If you need nurses to remotely monitor patients that's fine, there's a monitor in the nurse station. If those "nurses" are on the other side of the world... then anyone, anywhere, can see those feeds and there's nothing you can do to stop it. We've all seen leaked video from "secure" military systems... how much more secure is your hospital IT system than that?

  • coding123 5 years ago

    Back in the day I set up Zoneminder... pretty good. I was able to write a custom perl script to run a loud wave file in my house to tell me a zone was activated :)

ihsw 5 years ago

> Verkada Inc.

I bet some people are catching flak for going with Verkada instead of Ubiquiti because Ubiquiti charges more.

https://www.verkada.com/docs/cybersecurity-guide-cctv.pdf