RSI Videofied is a 101 in how to build IP CCTV and alarms with zero security, zero encryption

Authentication based on serial number sent in plaintext

The Videofied wireless video surveillance cameras and alarm systems can be easily hijacked and spied on – thanks to practically nonexistent security.

According to London-based infosec biz Cybergibbons, the Videofied W panel is hopelessly insecure. It gathers live video from cameras, and data from security sensors, and feeds that information to software running on the customer's server.

That information is sent over wired, wireless or mobile IP networks unencrypted. The panel and the server also authenticate using a crypto key derived from the panel's serial number that's sent in plaintext at the start of transmissions.

It all means any network eavesdroppers can intercept and spy on video feeds and sensor readings, and tamper with the data in transit to disable alarms or destroy evidence.

A US CERT advisory issued today details the cockups blighting the Videofied system:

  • The authentication protocol uses a pre-shared key that is entirely derived from the serial number of the device. This serial number is transmitted in the plain in messages, allowing an attacker to determine the key. (CVE-2015-8252)
  • Messages and videos are sent unencrypted after the AES authentication handshake. The messages are sent in plain text, and the videos are sent as MJPEG video. (CVE-2015-8253)
  • Messages are sent without any integrity protection of the data. Messages may be spoofed to, for example, send false alarm signals or deactivate alarms. (CVE-2015-8254)
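
The first and third flaws in the advisory, set beside a corrected design, as an added example that is not code from RSI, Cybergibbons or the advisory. The derivation in `weak_key`, the frame layout and all names and values are assumptions, since the article does not give the real ones. HMAC-SHA256 from the Python standard library stands in for the authentication primitive, and it covers key derivation and integrity only, not encryption of the traffic.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output size


def weak_key(serial: bytes) -> bytes:
    # Hypothetical stand-in: the key depends only on the serial, which is sent in clear.
    return hashlib.sha256(b"panel-key" + serial).digest()[:16]


def provisioned_key(serial: bytes, device_secret: bytes) -> bytes:
    # Hardened: mixes in a random per-device secret that never goes on the wire.
    return hmac.new(device_secret, b"panel-key" + serial, hashlib.sha256).digest()


def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    # Frame = 8-byte counter || payload || HMAC over both (integrity + freshness).
    body = struct.pack(">Q", counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key: bytes, last_counter: int, frame: bytes) -> tuple[int, bytes]:
    if len(frame) < 8 + TAG_LEN:
        raise ValueError("short frame")
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("bad tag")  # modified or forged message
    counter = struct.unpack(">Q", body[:8])[0]
    if counter <= last_counter:
        raise ValueError("replay")  # stale message re-sent
    return counter, body[8:]


def rejected(key: bytes, last_counter: int, frame: bytes) -> bool:
    try:
        unseal(key, last_counter, frame)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    serial = b"SN-0000-CONSTRUCTED"  # constructed sample value
    key = provisioned_key(serial, os.urandom(32))
    frame = seal(key, 1, b"ALARM zone=3")
    print(unseal(key, 0, frame))
    print(rejected(key, 0, frame[:10] + b"X" + frame[11:]), rejected(key, 1, frame))
```

A receiver holding only the serial-derived key cannot validate or produce these frames, which is the property the Videofied handshake lacks.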

"In summary, the protocol is so broken that it provides no security, allowing an attacker to easily spoof or intercept alarms," Cybergibbons explained.

"It looks like they tried something and used a common algorithm – AES – but messed it up so badly that they may as well have stuck with plaintext."

The penetration-testing biz said it privately disclosed details of the security weaknesses to Videofied's maker – France-based RSI Video Technologies – but received no response, apparently.

According to the US Department of Homeland Security's CERT, RSI Video Technologies is in the process of rolling out a software update to address the blunders. The company did not respond to a Reg request for comment on the report. ®
