Monday, June 15, 2009

Security Cameras - To See Or Not To See?!

These days, security is going digital.

From live and automatic event log analysis up to personal "on-key" tokens and remotely controlled security cameras.

These technologies should be used carefully. For example if the token generates 6 digits and there is no password complexity enforcement, users can set their password to "1" and then we'll get a 7 character length password. If the data from the log will not be filtered and will be in html format, it may execute code. Even worse, if it is viewed at the command line console, it may execute code using the console color control characters.

When talking about security cameras, a security flaw in the camera's simple application server may cause the entire video stream to be accessible to an intruder.



While consulting to a big financial customer, I discovered the security cameras installed are easily accessible to anyone thanks to a very simple logical flaw. Not to mention default user accounts, empty password sets, the ability to brute force, directory traversal and some classic authorization bypass vulnerabilities.

Most of the security cameras in my country are bought from Korea, some of the software is written by the vendor and some by the distributer. Both of them should pay much more attention to security so we won't have the same classic vulnerabilities over and over again.

Attached are a few screen captures:

another white night at work

another white night at work

Clothing Shop

Clothing Shop

Coffee Shop

Coffee Shop

Eyes on the ball!!!

Eyes on the ball!!!

How's that shirt?

How's that shirt?"

Anyone knows a Safe-Cracker?!

Anyone knows a Safe-Cracker?!