A cautionary tale about the dangers posed by affordable Internet of Things devices turned into a much more sinister story after a company threatened an infosec bod with a police report (since retracted) unless he deleted a Twitter thread highlighting shortcomings in one of its products.
The device at the heart of the controversy was essentially a Raspberry Pi in a fancy enclosure, as Laurens Leemans of SignIPS, who analysed a sample Footfallcam 3D Plus product, told The Register.
SignIPS sells digital signage and other B2B goods. Leemans, who tweets as @OversoftNL, said he was privately reviewing the Footfallcam to assess whether to add it to SignIPS's range. The device is intended to be installed in shops to count the number of people passing through a doorway.
Based on his examination of the sample device, Leemans said it had an onboard Wi-Fi network with an admin password of 123456 which couldn't be changed – though Melissa Kao, director of international sales at Footfallcam told us the password could have been changed if the device was registered with the company's web services. SSH was also available through the Wi-Fi network, as Leemans discovered. There were other flaws too.
After notifying Footfallcam in January of these security shortcomings and waiting for five weeks with no substantive response, Leemans tweeted his findings.
The first thing that caught our eye, is that it sets up a network, with a broadcasted SSID and a default password. Bit strange, since it's also connected over Ethernet, but fine. Whatever.— OverSoft (@OverSoftNL) February 4, 2021
Except: you can't change the SSID or the password!
Footfallcam responded to this by setting up a bunch of Twitter accounts to hurl accusations of extortion at him and SignIPS. Kao later acknowledged these accounts originated from the company and blamed them on "one of our employees," adding: "It's not upon our management. It's definitely not me nor Edward [Wong, her fellow director]. It is an immature behaviour by an immature person. You know, I couldn't tell you names, but it's one of the engineers."
Nonetheless, Footfallcam reported SignIPS to police – and then tried to use that report as leverage to get Leemans' Twitter thread deleted.
Twitter accounts including ones named @cyber_secure_uk and @SayExtortion began hurling abuse at Leemans' OversoftNL Twitter account, and posting selective snippets of emails sent by him to Footfallcam (most of these have since been deleted). Leemans, so they said, was part of an extortion campaign; having drawn public attention to false reports of flaws in Footfallcam's product, Leemans' employer SignIPS was – so they claimed – trying to charge money for fixing them. The Register has neither seen nor heard anything to suggest any truth in these allegations.
Delete your tweets and we'll drop the police report
Emails sent by Footfallcam director Edward Wong and shown to The Register revealed the extent of the company's demands.
One said: "The main source of contention is the fact, despite my numerous requests made to you, you had repeatedly refused to remove or update the @OverSoftNL Tweet Deck on 4th Feb, given the fact that it contained a lot of outdated, misunderstood and non-existent issues; such as 'Music files in a home project', 'Cannot change WiFi password' etc. And it is contained a lot of racist and subjective quality comments that are unrelated to the purpose of IT security."
The thread can be viewed in full by clicking above where readers can judge for themselves. Within the thread, @OversoftNL provides screenshots of relevant code snippets found within the Footfallcam 3D Plus device's firmware.
Further, Wong's fellow director, Kao, confirmed the presence of a Bruno Mars MP3 file on the device to The Register, saying the company had informed the copyright holder. She also confirmed that there were security problems on the device and said her company would be working to fix those.
Wong's email to SignIPS continued:
If one of our servers are hacked during these times, you guys would be one of the suspects for 'revenge attacks'. This would lead us to think about the act of revenge after the police filing. What other logical deduction you expect me to have? If you action on the above two points, you may help us to remove the suspicion, and may lead us to believe this is a misunderstanding. With this in mind, we may report to the police as a misunderstanding, and request it to be closed.
When El Reg asked questions about this, Footfallcam appeared to have a change of heart.
Wong later emailed SignIPS to say: "But we will close the police filing by tomorrow unconditionally. From your genuine disappointment, I could see I did something wrong and there is a misunderstanding. At the time I GENUINELY [thought] you are a fraud with a ring of accomplices. I unconditionally apologise for the emtional [sic] overdrive which must have blinded my judgement."
Grey hat infosec consultancy extortion ring
During phone interviews with The Register this week, Kao repeatedly suggested that SignIPS had attempted to extort money from Footfallcam to fix the vulnerabilities it highlighted. When asked if she could prove this, she referred to an email quotation Leemans sent to the company.
Leemans told El Reg that Footfallcam had broken off ongoing email correspondence with a phone call asking for a consultancy quote. SignIPS sent them a quote as requested, he said, and the email containing that can be read here.
When asked if Leemans was lying, Kao at first told El Reg: "Yes... That is exactly what it is." She insisted that the quotation was unsolicited and formed part of an extortion attempt. Later, she forwarded us screenshots of emails sent by Wong walking back on this position and offering to "unconditionally" withdraw the Action Fraud report.
As for the security of her company's Footfallcam 3D Plus product, Kao commented: "So we wouldn't expect someone installing our devices [to] not [be] running their own pen test on all their devices in their company anyway."
She did not appear to recognise that this was precisely what SignIPS did.
Comment: A case study in how not to receive a vuln disclosure
On the face of it, Footfallcam's astonishing reaction to being told of vulns in their product is a he-said-she-said spat. But it runs far deeper than that: Footfallcam reported SignIPS to Action Fraud, the UK police operation, and then stated it would not withdraw that report unless the Twitter thread exposing its product was deleted.
This is a nightmare scenario for a responsible infosec bod, or indeed anyone discovering vulns in an internet-connected product. Leemans followed industry norms: indeed, he waited slightly more than 30 days before disclosing the vulnerabilities publicly after concluding the vendor wasn't taking action on his bug report.
Rather than responsibly engage with SignIPS to identify and patch the vulns, Footfallcam behaved badly, and its position on the police report only changed when The Register began asking questions. Kao even told El Reg that Footfallcam would start playing nicely with infosec people – seemingly at the same time as Wong was sending threats to SignIPS.
The situation has some similarities to the Bitfi kerfuffle, where an "unhackable" device's makers were forced to eat their words after it proved to be quite hackable.
It is to be hoped that other small vendors read this article. Having a bunch of infosec people descend on your operation can be scary. They might use inaccessible technical language or ask about a bounty or some other payment. Also, Twitter mobs can be intimidating. But if someone comes to you and says "your product is very insecure", it makes sense to engage with a calm head and ask for more information so you can address and fix those problems.
As for the wider infosec community: accessing web infrastructure without the owner's permission is a criminal offence under section 1(1) of the Computer Misuse Act 1990. Whatever bad things a person or company might have done, that doesn't excuse probing their systems without their permission. Go ask first. ®