Black Hat 2013 - Exploiting Network Surveillance Cameras Like a Hollywood Hacker

Craig Heffner
Comments

Makes D-Link joke.
*laughs*
*nervously realize I also have D-Link products*

FarazMazhar

The speakers should always repeat the questions asked.

DeeWeext

Some of these are so blatant, you have to wonder if they're on purpose. Oops, the one script we forgot to password-protect happens to have a trivial root command injection exploit...

renakunisaki

is that podium comically large or is he comically small

killslay

I barely know how to script, but I actually understood a good amount of that. This guy is great :D

freedfighter

Very good presentation. The presenter is also very good with public speaking, and knew this subject very well. Also was experienced with good audience eye contact, and body language. As a former instructor/trainer myself, public speaking is not for everyone. Interesting subject, I didn't understand a lot about the coding and software values, but nonetheless it was fun/scary to listen to what can be done. Job well done.

aeonlong

Every single time that I worry that technology is moving too fast for us security types, there's a million dollar company to prove me wrong. Every, single, goddamn time. I love it.

katrinal

He failed to guard his corona now there’s an outbreak.

pgibsonorg

Simplicity is key: Want to be safe? Just get a camera physically connected to a hard drive. Almost 10x cheaper and definitely more secure.

YaBoiiiNikki

Six years later, and this shit is still happening... CVE-2019-15498

thefudderation

For anybody wondering whether or not the byte code is x86, it is ARM. (now things make sense lol)

HtSpeaks

This is why I drop all traffic to and from my IP cameras at my edge firewall. If I want to view them remotely I will VPN into my network. It's old school but I don't trust any hardware running embedded Linux on my network. Too many companies have no idea what they are doing code wise and these cameras are essentially computers to be abused.

hgbugalou

Moral of the story: don't put your surveillance system on the Internet. And if that is impossible for you, put it behind a firewall that has been beefed up to eliminate such exploits (I'm not sure this is even realistically possible, but I'm just suggesting a possible way to deal with insecure devices of which we have no shortage).

paulx

This guy hacks into security cameras for fun. It looks simple, but it took some brain power to figure out. Although some of these exploits are patched by now, hardly anybody updates their firmware, and someone could conceivably download new firmware and find more of these exploits in a debugger, without even having to buy the camera.

themanyone

13:28 Well, they use "high security" as one of their marketing points. Additionally, their main business focus is networking infrastructure hardware. So this networked camera insecurity fiasco is pretty relevant and pretty embarrassing for them even when "they are not a camera company".

mandisaplaylist

Isn't this the same guy that developed Reaver, the tool built into Kali Linux/Parrot Sec used for recovering WPS PIN Registrars?

aqueouscomputing

This is great! Scary but great. I've read about several companies doing half-assed jobs doing these kinds of things. This man just showed how easy it is (for the people with the technical skill).

JasonSpiffy

I used to work for a CCTV software company and the vast majority of cameras had default passwords still in use (I still have a list, and a map of all the camera clones)
We always stood by the "we don't have a default/backdoor password" when people called us after getting locked out.

DeannaEarley

Even though this was miles above my nerd level, it was still interesting to watch.

mitchblackmore

Why in the world would someone possibly do JavaScript Authentication?
They write firmware for cameras but they don't know how to write PHP?

Dorngela