Feeds

Hacker pwns police cruiser and lives to tell tale

The dark side of 'situational awareness'

Next gen security for virtualised datacentres

As a penetration tester hired to pierce the digital fortresses of Fortune 1000 casinos, banks and energy companies, Kevin Finisterre has hacked electronic cash boxes, geologic-survey equipment, and on more than one occasion, a client's heating, ventilation, and air-conditioning system.

But one of his most unusual hacks came during a recent assignment testing the security of a US-based municipal government. After scanning several IP addresses used by the city's police department, he soon discovered they connected directly into a Linux device carried in police cruisers. Using little more than FTP and telnet commands, he then tapped into a digital video recorder used to record and stream audio and video captured from gear mounted on the vehicle's dashboard.

He was shocked by the resulting live feed that eventually appeared on his computer screen

“There was an officer in his vehicle heading somewhere in traffic in the middle of the day,” said Finisterre, who is principal of security consultancy Digital Munition. “He was clearly trying to respond to an incident or go where he was told to go, and I was able to see this in real time.”

The account (PDF), which Finisterre published on Tuesday, underscores the overlooked risks that come with technology designed to give authorities minute-by-minute “situational awareness” about the emergencies to which their officers are responding. While real-time audio and video from cars often provides police brass with crucial information about what's happening during traffic stops, the devices often make that intelligence available to anyone with an internet connection.

In Finisterre's probe, he was able not only to tap the live feeds coming from the two separate cameras mounted on the cruiser, but also to control the hard drive of the DVR. Using default passwords that were hardcoded into the DVR's FTP server and disclosed in support manuals, he was able to upload, download, and delete files that stored months' worth of video feeds.

The ability for civilians to secretly spy on officers responding to calls could have serious consequences for their safety. What's more, allowing unauthorized people to view and alter video stored on cruisers could torpedo court cases that rely on the DVRs for evidence.

Screen capture of image lifted from police cruiser DVR

Finisterre was able to access this image from a police cruiser by hacking in to its DVR unit

“We had very adequately proved the point that we could access the hard drive on the DVR unit and clearly see through the eyes of the camera and hear through the microphones in the car, which was more than enough to let them know that, hey, there are things we need to look at on their end to get this stuff cleaned up,” Finisterre told The Reg.

The cruiser Finisterre penetrated, from a city he declined to name, was equipped with a communications appliance known as the Rocket and provided by Georgia-based Utility Inc.. The police department was using the appliance to connect laptops, DVRs, and other devices carried in vehicles, to the city's computer systems. But unbeknownst to anyone from the city, the Rocket was making those internal resources available over IP addresses that anyone could tap into.

Indeed, when Finisterre first came upon the addresses, he had no idea what was behind them. An Nmap scan showed the device was running what appeared to be an outdated version of Linux that left open ports used for several services, including FTP and Telnet utilities. Finisterre said IT admins had no idea the Rocket, which used cellular connections provided by Verizon Wireless, exposed their internal assets to the world at large.

“If you're making use of a cellular connection to provide services for what you consider to be a closed operation, you need to make sure you're on a closed network,” Finisterre said. “I don't know that everybody is aware that your services are wide open when you're making use of this Verizon service.”

Compounding the insecurity was the cruisers' use of the MDVR.3xx (PDF brochure here) which is marketed by a variety of websites, including Safetyvision.com, Americanbusvideo.com, and Eagleeyetech.com.

A support manual for the device, which Finisterre found through a Google search, told him the password for the DVR's FTP server was “pass.” Even more surprising, there appeared to be a bug in the device's telnet server that allowed him to log into that service with no password at all.

Finisterre said he contacted someone on Utility's support team and told him that the Rocket was exposing the DVR and possibly other devices. The support-team member told Finisterre such exposure was impossible, so the penetration tester said he abandoned all future attempts to bring the insecurity to the company's attention.

Utility CEO and cofounder Robert McKeeman issued the following statement:

What the paper refers to is not a security breach of the Rocket. Our Rocket, like any router, whether manufactured by Cisco, Juniper Networks or any others, will do port forwarding if configured to do so. In contrast to what the paper says, our client has total control over the Rocket configuration. There is no internal bridging between the cellular and LAN interfaces. The ports listed were likely port forwarded to an unsecured DVR. While we agree the DVR should have been better secured, this does not represent a security vulnerability in the Rocket.

With the DVR marketed by at least half a dozen websites with different names, Finisterre said he never found the right person to contact about the login bypass vulnerabilities in the DVR device.

A representative at Safetyvision.com said company officials are looking into the report, but didn't have an immediate comment. We will update this article if the company provides comment after publication.

In Finisterre's mind, the episode was proof that neither company is doing enough to help customers to safely lock down their devices.

“If you look at the wording on Utility's website or the DVR website, there's a huge disconnect between marketing and what the user actually got,” said Finisterre who pointed to promises such as those from the companies praising the security of the devices. “In reality, I'm pretty sure my ability as a random user to telnet into your DVR solution and use a default password and potentially delete or remove evidence is probably not a good thing.” ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New twist as rogue antivirus enters death throes
That's not the website you're looking for
prev story

Whitepapers

Best practices for enterprise data
Discussing how technology providers have innovated in order to solve new challenges, creating a new framework for enterprise data.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?