Search the Community
Showing results for tags 'Exploit'.
-
Time To Revolt Against The 'default'?...
Joe Harris posted a blog entry in Electronic Security & Technology
Ghost in the machine... With around three quarters of remotely accessible CCTV systems allowing intruders free access to invade privacy and compromise entire corporate computer networks, is it time to say 'enough is enough' to manufacturers and insist upon firmware changes to improve security control? This is not isolated to consumer level CCTV platforms only. Many 'professional' DVRs & NVRs are installed with default administrator accounts unchanged or additional accounts created and system owners given control over the default account (which they then fail to change). This means that anyone who is able to connect to the unit remotely can simply enter the default username & password (which can be found within seconds through a simple google search in almost all cases) and then have access to the system as completely as if they were standing in front of the unit. To compound matters further CCTV systems are rarely secured to only allow specific IP addresses to connect to them and at the same time they broadcast their presence through banner information given out to any device that queries the unit (This means it is easy to find such devices in the wild). In ~80% of installations the default passwords remain in place for the first three months. This drops to an average of ~70% after three months as some systems are made more secure by their removal. This still leaves vast numbers of units out there which can be listed by country / ISP / city, or date of installation and more which are openly accessible to any IP address. Some examples: AVTech - Over 420,000 units exposed - (14,000 in Great Britain / 12,000 in America) Hikvision - Over 710,000 units broadcasting - (10,000 in Great Britain / 16,000 in America) Dedicated Micros - Over 18,000 units detected - (8,000 in Great Britain / 7,000 in America) You might be thinking, so what, it's just CCTV - what's the worst that can happen? It should be remembered at all times that modern DVRs are in effect computers in most cases. Usually based on linux these machines are carrying out a specific task but can be put to use for other non DVR activity with ease. Each compromised DVR is in effect an open computer allowing anyone and everyone access to a corporate network potentially. If security of the DVR is poor then it is possible that network security within a corporation is equally lax. Last year a CCTV module was added to a tool called Metasploit, widely used in the blackhat community this tool allows users to attack a DVR, testing default access and brute forcing passwords. The fact that CCTV systems are often the weakest point of entry on a network is not lost on attackers and those who seek to maliciously access systems. Whose fault is it really?... It can sometimes be difficult to pin down exactly where the fault lies as there is a blurring of responsibilities in some contractual agreements. A professional installer may fit a DVR and put in place a secure username and password combination for remote management or viewing by a remote RVRC or ARC. They may also advise the system owner to put in place ACL (Access control lists) so that only authorised IP addresses are allowed to connect to the device as well as giving advice on blocking netbios responses and port forwarding. However, if a user insists on being able to access the device remotely and chooses to keep the simple to remember default account and not to implement such measures then the machine can remain vulnerable. Often the company responsible for installing, maintaining or monitoring the system does not have control over the network used by the device for transmission. Even if the password is changed there exist a large number of exploits on known DVRs and in many cases these and similar exploits can be applied to other DVRs as the programming code is sometimes not as secure as it ought to be. The CCTV hardware sector has been under intense price pressure in recent years and with a downward spiralling price index it has been common to see a reduction in the number of developers and code writers employed by some companies which could potentially increase the risk of security holes remaining in a product. In the event that a breach receives widespread mainstream media coverage it does not just reflect badly upon an end user themselves as the security industry on the whole would receive bad press even if not at fault. How do we fix it?... In part this may require some contract review to ensure that clear definitions are in place by all businesses as to the responsibility that both they and the client hold. Clear understanding must be given as to the potential risks and good practise should be recommended in securing the unit. Perhaps a move towards mobile broadband and IPv6 will mean that we can take back control of securing the communication channel? We must however tackle the issue of default user accounts existing in the first place. There is no need to have such accounts any more. Even if such accounts could be made unique to each device it would be an improvement, but in an ideal world the units would prompt for a unique username and password combination on first powering up with an option to default the unit only by an physical action on the unit itself in some secure manner. Dedicated Micros units for example come configured with up to five seperate default accounts of which three have admin level access and allow full control over a unit. Are your engineering teams ensuring that all of these accounts are removed? I recently asked the technical support staff at several DVR manufacturers why they still use default accounts despite the huge risks involved when they are regularly left in place? I was repeatedly advised that it made their job much easier when providing remote support to users and engineers. Newer Axis cameras feature the technique of forcing a password change on first access and it is much more secure as a result. We should be hammering the doors of manufacturers to ask them to indtroduce this approach in their new firmware revisions (no hardware change should be required in most cases). We should also be encouraging the standards to push towards a more robust approach to handling default accounts. Manufacturers often boast of how much value is protected by their devices (it's a safe boast that does not reveal how many units they sold) - It is this same value that is potentially at risk. The next time you are presented with new CCTV equipment or a new manufacturer, ensure that you ask them how they ensure that their products remain secure as it is your reputation at stake. Action to be taken: Installers Check contractual agreements Ensure engineers trained in best practise Audit existing installations Verify guidance given to end users Ensure firmware is updated regularly Manufacturers Remove generic default accounts Deploy an effective mechanism for security Check existing exploits to ensure none affect your units Keep up to date with new exploits Notify your clients when you discover older firmware is at risk Maintain a 'risk register' of some kind for trade members to be aware of potential risks End Users Protect their own networks by blocking Netbios Allow access only to specific IP addresses Change / Remove default accounts!! Use secure passwords (6 Characters or more / Alphanumeric / Mixed case) Ensure that internal communications to and from the device are restricted -
Leave Security To The Experts?...
Joe Harris posted a blog entry in Electronic Security & Technology
Security Flaw Some of you may be aware that last year there was some exposure given to a vulnerability in Trendnet camera firmware allowing access to their consumer webcam devices despite password protection being enabled. They claimed to have released a patch within a month to solve the issue and to have contacted every customer to advise them to update their devices. This is (despite the assurances of Trendnet) still a common issue, to help highlight it a real time map was produced showing where such devices were located and allowing you to connect directly to them. The website has now been taken down thankfully as the goal of highlighting the issue in mainstream media again was achieved. Professional Security This is a pretty good demonstration though of just how prolific an issue this can be when Joe Public gets his hands into the pot but it also reminds me of the many poorly secured 'professional' installations I have come across in my time (I'm sure you have too) and it is hopefully a wake up call to some businesses to improve their security practices. How would you feel if 'XYZ Security - Live CCTV feeds' was the next google map mashup launched showing devices which you are maintaining or monitoring? Also take note that despite the publicity around the Trendnet devices, they are not the only ones affected. There was a website called Shodan HQ launched some time ago which gives the ability to search devices which are 'web facing' (in other words can be connected to over the internet) and list those matching specific url strings or other flags. This offers much more capability than Google searches for example in highlighting potential 'target devices'. It is already possible now to list unsecured access points on some very well known 'professional' DVRs and NVRs. Ease of connectivity is very much a double edged blade. We must remember that many of the devices we use are now starting to utilise built in web servers and connectivity. Considerations How are you ensuring that you are aware when exploits are announced on devices you utilise? What are your plans to identify, notify affected users and upgrade potentially affected devices quickly and effeciently? Are you considering these issues when investigating new web facing technology? How do you measure for and protect against potential built in backdoor access to foreign equipment? As well as looking outwards at your clients are your own systems secured and protected? Is technology advancing too quickly to ensure adequate security is deployed? As always I welcome your thoughts, questions, answers and debate.....