As a penetration tester hired to pierce the digital fortresses of Fortune 1000 casinos, banks and energy companies, Kevin Finisterre has hacked electronic cash boxes, geologic-survey equipment, and on more than one occasion, a client's heating, ventilation, and air-conditioning system.
But one of his most unusual hacks came during a recent assignment testing the security of a US-based municipal government. After scanning several IP addresses used by the city's police department, he soon discovered they connected directly into a Linux device carried in police cruisers. Using little more than FTP and telnet commands, he then tapped into a digital video recorder used to record and stream audio and video captured from gear mounted on the vehicle's dashboard.
He was shocked by the resulting live feed that eventually appeared on his computer screen
“There was an officer in his vehicle heading somewhere in traffic in the middle of the day,” said Finisterre, who is principal of security consultancy Digital Munition. “He was clearly trying to respond to an incident or go where he was told to go, and I was able to see this in real time.”
The account (PDF), which Finisterre published on Tuesday, underscores the overlooked risks that come with technology designed to give authorities minute-by-minute “situational awareness” about the emergencies to which their officers are responding. While real-time audio and video from cars often provides police brass with crucial information about what's happening during traffic stops, the devices often make that intelligence available to anyone with an internet connection.
In Finisterre's probe, he was able not only to tap the live feeds coming from the two separate cameras mounted on the cruiser, but also to control the hard drive of the DVR. Using default passwords that were hardcoded into the DVR's FTP server and disclosed in support manuals, he was able to upload, download, and delete files that stored months' worth of video feeds.
The ability for civilians to secretly spy on officers responding to calls could have serious consequences for their safety. What's more, allowing unauthorized people to view and alter video stored on cruisers could torpedo court cases that rely on the DVRs for evidence.
Finisterre was able to access this image from a police cruiser by hacking in to its DVR unit
“We had very adequately proved the point that we could access the hard drive on the DVR unit and clearly see through the eyes of the camera and hear through the microphones in the car, which was more than enough to let them know that, hey, there are things we need to look at on their end to get this stuff cleaned up,” Finisterre told The Reg.
The cruiser Finisterre penetrated, from a city he declined to name, was equipped with a communications appliance known as the Rocket and provided by Georgia-based Utility Inc.. The police department was using the appliance to connect laptops, DVRs, and other devices carried in vehicles, to the city's computer systems. But unbeknownst to anyone from the city, the Rocket was making those internal resources available over IP addresses that anyone could tap into.
Indeed, when Finisterre first came upon the addresses, he had no idea what was behind them. An Nmap scan showed the device was running what appeared to be an outdated version of Linux that left open ports used for several services, including FTP and Telnet utilities. Finisterre said IT admins had no idea the Rocket, which used cellular connections provided by Verizon Wireless, exposed their internal assets to the world at large.
“If you're making use of a cellular connection to provide services for what you consider to be a closed operation, you need to make sure you're on a closed network,” Finisterre said. “I don't know that everybody is aware that your services are wide open when you're making use of this Verizon service.”
Compounding the insecurity was the cruisers' use of the MDVR.3xx (PDF brochure here) which is marketed by a variety of websites, including Safetyvision.com, Americanbusvideo.com, and Eagleeyetech.com.
A support manual for the device, which Finisterre found through a Google search, told him the password for the DVR's FTP server was “pass.” Even more surprising, there appeared to be a bug in the device's telnet server that allowed him to log into that service with no password at all.
Finisterre said he contacted someone on Utility's support team and told him that the Rocket was exposing the DVR and possibly other devices. The support-team member told Finisterre such exposure was impossible, so the penetration tester said he abandoned all future attempts to bring the insecurity to the company's attention.
Utility CEO and cofounder Robert McKeeman issued the following statement:
What the paper refers to is not a security breach of the Rocket. Our Rocket, like any router, whether manufactured by Cisco, Juniper Networks or any others, will do port forwarding if configured to do so. In contrast to what the paper says, our client has total control over the Rocket configuration. There is no internal bridging between the cellular and LAN interfaces. The ports listed were likely port forwarded to an unsecured DVR. While we agree the DVR should have been better secured, this does not represent a security vulnerability in the Rocket.
With the DVR marketed by at least half a dozen websites with different names, Finisterre said he never found the right person to contact about the login bypass vulnerabilities in the DVR device.
A representative at Safetyvision.com said company officials are looking into the report, but didn't have an immediate comment. We will update this article if the company provides comment after publication.
In Finisterre's mind, the episode was proof that neither company is doing enough to help customers to safely lock down their devices.
“If you look at the wording on Utility's website or the DVR website, there's a huge disconnect between marketing and what the user actually got,” said Finisterre who pointed to promises such as those from the companies praising the security of the devices. “In reality, I'm pretty sure my ability as a random user to telnet into your DVR solution and use a default password and potentially delete or remove evidence is probably not a good thing.” ®