Hacker pwns police cruiser and lives to tell tale

The dark side of 'situational awareness'


As a penetration tester hired to pierce the digital fortresses of Fortune 1000 casinos, banks and energy companies, Kevin Finisterre has hacked electronic cash boxes, geologic-survey equipment, and on more than one occasion, a client's heating, ventilation, and air-conditioning system.

But one of his most unusual hacks came during a recent assignment testing the security of a US-based municipal government. After scanning several IP addresses used by the city's police department, he soon discovered they connected directly into a Linux device carried in police cruisers. Using little more than FTP and telnet commands, he then tapped into a digital video recorder used to record and stream audio and video captured from gear mounted on the vehicle's dashboard.

He was shocked by the resulting live feed that eventually appeared on his computer screen.

“There was an officer in his vehicle heading somewhere in traffic in the middle of the day,” said Finisterre, who is principal of security consultancy Digital Munition. “He was clearly trying to respond to an incident or go where he was told to go, and I was able to see this in real time.”

The account (PDF), which Finisterre published on Tuesday, underscores the overlooked risks that come with technology designed to give authorities minute-by-minute “situational awareness” about the emergencies to which their officers are responding. While real-time audio and video from cars often provides police brass with crucial information about what's happening during traffic stops, the devices often make that intelligence available to anyone with an internet connection.

In Finisterre's probe, he was able not only to tap the live feeds coming from the two separate cameras mounted on the cruiser, but also to control the hard drive of the DVR. Using default passwords that were hardcoded into the DVR's FTP server and disclosed in support manuals, he was able to upload, download, and delete files that stored months' worth of video feeds.

The ability for civilians to secretly spy on officers responding to calls could have serious consequences for their safety. What's more, allowing unauthorized people to view and alter video stored on cruisers could torpedo court cases that rely on the DVRs for evidence.

[Image: screen capture of a frame lifted from the police cruiser DVR. Caption: Finisterre was able to access this image from a police cruiser by hacking into its DVR unit.]

“We had very adequately proved the point that we could access the hard drive on the DVR unit and clearly see through the eyes of the camera and hear through the microphones in the car, which was more than enough to let them know that, hey, there are things we need to look at on their end to get this stuff cleaned up,” Finisterre told The Reg.

The cruiser Finisterre penetrated, from a city he declined to name, was equipped with a communications appliance known as the Rocket and provided by Georgia-based Utility Inc. The police department was using the appliance to connect laptops, DVRs, and other devices carried in vehicles to the city's computer systems. But unbeknownst to anyone from the city, the Rocket was making those internal resources available over IP addresses that anyone could tap into.

Indeed, when Finisterre first came upon the addresses, he had no idea what was behind them. An Nmap scan showed the device was running what appeared to be an outdated version of Linux that left open ports used for several services, including FTP and Telnet utilities. Finisterre said IT admins had no idea the Rocket, which used cellular connections provided by Verizon Wireless, exposed their internal assets to the world at large.

“If you're making use of a cellular connection to provide services for what you consider to be a closed operation, you need to make sure you're on a closed network,” Finisterre said. “I don't know that everybody is aware that your services are wide open when you're making use of this Verizon service.”
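As an added example (not code from Finisterre's report, Digital Munition, or either vendor), the following script parses Nmap grepable (-oG) output from a scan of a fleet's own carrier-assigned addresses and flags open cleartext or management services of the kind the Rocket was forwarding to the DVR. The sample scan output, IP addresses and version strings are constructed.

```python
import re

# Services that should never answer on a carrier-facing WAN address of a
# vehicle gateway; FTP and Telnet are the two the article's Rocket exposed.
RISKY_SERVICES = {
    "ftp": "cleartext login, vendor default credentials often documented",
    "telnet": "cleartext login",
    "http": "unencrypted management interface",
}

# Nmap -oG host line: "Host: <ip> (<name>)\tPorts: <entries>\tIgnored State: ..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_grepable(text):
    """Yield (ip, [(port, state, proto, service, version), ...]) per host line."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:  # comment lines and "Status: Up" lines carry no port data
            continue
        ip, _name, ports_field = m.groups()
        ports = []
        for entry in ports_field.split(", "):
            # Each entry is port/state/proto/owner/service/rpcinfo/version/
            fields = entry.split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            ports.append((int(port), state, proto, service, version))
        yield ip, ports


def find_exposures(text):
    """Return one finding dict per open risky service seen in the scan."""
    findings = []
    for ip, ports in parse_grepable(text):
        for port, state, proto, service, version in ports:
            reason = RISKY_SERVICES.get(service)
            if state == "open" and reason:
                findings.append({"host": ip, "port": port, "proto": proto,
                                 "service": service, "version": version,
                                 "reason": reason})
    return findings


# Constructed sample: one gateway forwarding FTP and Telnet, one clean host.
SAMPLE_SCAN = """# Nmap 7.93 scan initiated (constructed sample)
Host: 198.51.100.20 ()\tStatus: Up
Host: 198.51.100.20 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.0.5/, 23/open/tcp//telnet//Linux telnetd/, 80/closed/tcp//http///\tIgnored State: filtered (997)
Host: 198.51.100.21 ()\tPorts: 443/open/tcp//https//nginx/\tIgnored State: closed (999)
"""

if __name__ == "__main__":
    for f in find_exposures(SAMPLE_SCAN):
        print(f"EXPOSED {f['host']}:{f['port']}/{f['proto']} {f['service']} "
              f"({f['version'] or 'unknown version'}): {f['reason']}")
```

Run it against `nmap -oG` output of the addresses your carrier assigns to fleet gateways on a schedule, and alert on any new finding rather than relying on the vendor's assurance that nothing is bridged.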

Compounding the insecurity was the cruisers' use of the MDVR.3xx DVR (PDF brochure), which is marketed by a variety of websites, including Safetyvision.com, Americanbusvideo.com, and Eagleeyetech.com.

A support manual for the device, which Finisterre found through a Google search, told him the password for the DVR's FTP server was “pass.” Even more surprising, there appeared to be a bug in the device's telnet server that allowed him to log into that service with no password at all.

Finisterre said he contacted someone on Utility's support team and told him that the Rocket was exposing the DVR and possibly other devices. The support-team member told Finisterre such exposure was impossible, so the penetration tester said he abandoned all future attempts to bring the insecurity to the company's attention.

Utility CEO and cofounder Robert McKeeman issued the following statement:

What the paper refers to is not a security breach of the Rocket. Our Rocket, like any router, whether manufactured by Cisco, Juniper Networks or any others, will do port forwarding if configured to do so. In contrast to what the paper says, our client has total control over the Rocket configuration. There is no internal bridging between the cellular and LAN interfaces. The ports listed were likely port forwarded to an unsecured DVR. While we agree the DVR should have been better secured, this does not represent a security vulnerability in the Rocket.

With the DVR marketed by at least half a dozen websites with different names, Finisterre said he never found the right person to contact about the login bypass vulnerabilities in the DVR device.

A representative at Safetyvision.com said company officials are looking into the report, but didn't have an immediate comment. We will update this article if the company provides comment after publication.

In Finisterre's mind, the episode was proof that neither company is doing enough to help customers to safely lock down their devices.

“If you look at the wording on Utility's website or the DVR website, there's a huge disconnect between marketing and what the user actually got,” said Finisterre, who pointed to promises such as those from the companies praising the security of the devices. “In reality, I'm pretty sure my ability as a random user to telnet into your DVR solution and use a default password and potentially delete or remove evidence is probably not a good thing.” ®

