
Poor Man's Panopticon: Mass CCTV Surveillance for the masses - Andrei Costin - PowerPoint PPT Presentation



  1. Poor Man's Panopticon: Mass CCTV Surveillance for the masses
     Andrei Costin, @costinandrei, FIRMWARE.RE

  2. andrei# whoami
     - SW/HW/Embedded security researcher, PhD student
     - Mifare Classic hacking, MFPs + MFCUK
     - PostScript
     - Avionics + ADS-B

  3. DISCLAIMER
     - This presentation is for informational purposes only. Do not apply the material if not explicitly authorized to do so.
     - The reader takes full responsibility whatsoever for applying or experimenting with the presented material.
     - The authors are fully waived of any claims of direct or indirect damages that might arise from applying the material.
     - The information herein represents the author's own views on the matter and does not represent any official position of an affiliated body.
     - tl;dr: DO NOT TRY THIS AT HOME! USE AT YOUR OWN RISK!

  4. Intro – Panopticon
     - The concept of the design is to allow a watchman to observe (-opticon) all (pan-) inmates of an institution without them being able to tell whether they are being watched or not.
     - Synonym for "Big Brother".

  5. Intro – CCTV
     - CCTV as in "Closed Circuit TV", not as in "CNTV CCTV9 China Central Television".
     - Meaning: BNC cameras, RF cameras, IP cameras, DVR/NVR systems, and all HW + SW + analytics + integration + interfacing systems.

  6. Intro – CCTV
     - Simplified schematic of most CCTV systems today (diagram in the original slide).

  7. Timeline – Existing Work
     - Early "IP cameras google dorks"
     - 2005, 22C3: Hacking CCTV. A private investigation.
     - 2007, ProCheckup: Owning Big Brother: Multiple vulnerabilities on Axis 2100 IP cameras
     - 2010, BH10DC, Joshua Marpet: Physical Security in a Networked World: Video Analytics, Video Surveillance, and You

  8. Timeline – Existing Work
     - 2011, DigitalMunition: Owning a Cop Car
     - 2012, DefCon, Robert Portvliet and Brad Antoniewicz: The Safety Dance: Wardriving the Public Safety Band
     - 2013, HITB AMS, Sergey Shekyan and Artem Harutyunyan: To Watch Or To Be Watched. Turning your surveillance camera against you.
     - 2013, BH13US, Craig Heffner: Exploiting Surveillance Cameras. Like a Hollywood Hacker.

  9. Timeline – In the recent news
     - 28 Oct 2013: "Israeli Road Control System hacked ... seems that the attackers used a malware to hit the security camera apparatus in the Carmel Tunnel toll road in Sept. 8 and to gain its control"
     - 4 Sep 2013: "FTC settles with Trendnet after 'hundreds' of home security cameras were hacked... FTC Forcing TRENDnet to Suffer 20 Years of Auditing."
     - How about... hundreds of thousands?!

  10. Reality Check – The state of security of CCTV products?
      - A few roots of most evils: "Default credentials, design f@$k-ups and dumb users"
      - Kafkaesque notes in the documentation

  11. Reality Check – The state of security of CCTV products?
      - A few roots of most evils: "Default credentials, design f@$k-ups and dumb users"
      - Insane design and even more insane users
      - Some users leave these on indefinitely...

  12. CCTV Device Population – Search & Results
      - Goal: estimate publicly accessible IPcam/DVR/NVR/CCTV systems. So, how much can someone theoretically own?
      - Sources: Shodan, Internet Census 2012, (optional) Google dorks
      - Results: statistics and queries should be released soon

  13. CCTV Device Population – Search & Results
      Results – Internet Census 2012 (top matches), TOTAL ~450,000:

        Banner / match                                 Count     Vendor
        Avtech AVN801 network camera                   137,066   AvTech
        GeoVision GeoHttpServer for webcams            121,907   GeoVision
        Netwave IP camera http config                   53,813   Foscam
        DVR Systems webcam http interface               18,775   ?
        Netwave webcam http config                      15,785   Foscam
        Swann DVR8-2600 security camera system httpd    15,458   Swann

  14. CCTV Device Population – Search & Results
      Results – Shodan (top matches, Jun 2013; today the numbers are ~10-20% up), TOTAL >> 1,200,000:

        Query                          Count     Vendor
        q=netwave+camera               332,342   Foscam
        q=port%3A80+Avtech             309,801   AvTech
        q=GeoHttpServer                278,148   GeoVision
        q=Server%3A+alphapd             89,831   ?
        q=realm%3D"DVR"                 87,095   Hunt/Svat/Defender
        q=Server%3A+Network+Camera      51,378   Mixed
        q=dcs-lig-httpd                 50,547   D-Link

  15. CCTV Device Population – Fun Facts
      - Let's map the "surveillance" coverage of the publicly accessible CCTV device population over a geographical area, as if all exposed devices were located in a given area.
      - Assumptions:
        - between 450k and 1.2M devices; let's take 500k devices
        - each found "device" covers 100 m² (10 x 10 m): a stretched assumption, but reasonable on average, since many DVRs have 2 to 32 cameras each and many cameras are good-resolution HD
        - all devices cover a continuous flat surface/space

  16. CCTV Device Population – Fun Facts
      - Math: 500,000 x 100 m² = 50,000,000 m² = 50 km²
      - City of Luxembourg ~51.46 km²: we could survey the City of Luxembourg entirely (orange spot)
      - Monaco ~2.02 km²: if Monaco were covered totally by a 25-floor state-wide building, we could survey that state-wide building entirely

  17. CCTV Online Live Demo Systems
      - What? IPcam/DVR/CCTV systems put intentionally on the internet by the vendor or by security/surveillance online shops.
      - Why? Usual audience: intended for marketing and sales boost. Geek audience: think differently.
      - How? Google for: "demo dvr", "demo nvr", "cctv demo", "live cctv demo", "live dvr"

  18. CCTV Online Live Demo Systems
      - Google dork stopped working? Let's create our own brand new one!

  19. Targets and Motivations
      - Attackers by motivation: voyeurs, stalkers, criminals, government organizations, hacktivism groups
      - Targets: persons, cars, property; embedded devices; PCs of operators (secondary); other integrated interfaces (see the Israeli road control system)

  20. Targets and Motivations
      - Motivations:
        - Money (e.g. blackmailers, bounty hunters for fugitives/missing persons/stolen cars)
        - Covering a crime (e.g. robbery: tap in before, DoS during, restore after)
        - Uncovering censorship (e.g. hacktivism: checking what is really going on during demonstrations)
        - Botnets of embedded devices

  21. Attacks – Types by Location
      - Remote: may come as a remote scan & exploit (classical)
      - Local (software): may come as a local-network exploit (classical), or as a physical attack over USB
      - Local physical proximity: may come as a physical attack over infra-red, a physical attack over USB, or a software attack over the "visual layer"

  22. Attacks – Unconventional – Invisible layer
      - Infra-red channel: DoS, command injection

  23. Attacks – Unconventional – Visual layer
      - Visual layer backdoors (more wicked than the Google Glass hack)
      - Visually encoded information: QR codes, or any other visual (custom) code that can convey info & commands
      - Can be as custom as a
      - The trick is a highly reliable trigger: accurate visual-mark detection and accurate decoding of the visually encoded info & commands

  24. Attacks – Unconventional – Visual layer
      - Example of visually encoded information and commands: "Disable recording", "Update malware", "Contact C&C server", "Blur face"

  25. Attacks – Unconventional – Visual layer – How?
      - Software (video I/O kernel modules, streaming application video filters): easy to hard to detect or reverse
      - Hardware (integrated video/audio codecs and chipsets): hard to impossible to detect or reverse, even if I/O to the chip is possible
      - The range of video imagery pixels that can create a "semantic" image is huge, so "visual information decoding" is hard to trigger and therefore hard to detect after all

  26. Attacks – Most Common Vulnerabilities
      - Backdoor credentials/access

  27. Attacks – Most Common Vulnerabilities
      - Clear-text credential storage + insufficient access controls

  28. Attacks – Most Common Vulnerabilities
      - Old software (kernel, web server, interpreter)

  29. Attacks – Most Common Vulnerabilities
      - Denial of Service: DoS on CCTV is critical, not a nuisance. The weakest points seem to be /cgi-bin/*, causing coredumps & reboots. (Short demo)
      - Rogue/modified firmware (short demo)
      - Command injection, e.g. via ping "127.0.0.1; evil_command_here;"
      - Insufficient access controls on webroot and filesystem
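The ping command-injection pattern from slide 29, as an added example that is not part of the talk: the vulnerable construction that splices the host parameter into a shell string, a hardened version that accepts only an IP literal and never goes through a shell, and a small detector that flags /cgi-bin/ requests carrying shell metacharacters in constructed sample access-log lines (the ping.cgi path and the log lines are assumptions, not values from the talk).

```python
import ipaddress
import re
import subprocess
from urllib.parse import unquote

# Vulnerable pattern found on many CCTV web UIs: the user-controlled host is spliced
# into a shell command string, so a host of "127.0.0.1; evil_command_here;" makes the
# shell run the second command after ping (the injection the slide describes).
def build_ping_command_vulnerable(host: str) -> str:
    return "ping -c 1 " + host  # on the device this string goes to os.system()/popen()

class InvalidHost(ValueError):
    """Raised when the host parameter is not a plain IP literal."""

# Hardened pattern: accept only an IP literal and pass it as its own argv element,
# so no shell is involved and ';', '|', '`' or '$' carry no meaning.
def build_ping_argv_safe(host: str) -> list:
    try:
        addr = ipaddress.ip_address(host.strip())
    except ValueError:
        raise InvalidHost(f"rejected host parameter: {host!r}") from None
    return ["ping", "-c", "1", str(addr)]

def run_ping(host: str) -> int:
    """Run the hardened ping; returns the process exit status."""
    return subprocess.run(build_ping_argv_safe(host), capture_output=True, timeout=10).returncode

# Detection side: flag /cgi-bin/ requests whose (URL-decoded) query carries shell metacharacters.
SHELL_META = re.compile(r"[;|&`$<>\n]")
REQUEST_RE = re.compile(r'^(\S+) .*"GET (/cgi-bin/\S*?)\?(\S*) HTTP')

def suspicious_cgi_requests(log_lines):
    """Return (client_ip, decoded_query) for each matching log line."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = unquote(m.group(3))
        if SHELL_META.search(query):
            hits.append((m.group(1), query))
    return hits

# Constructed sample access-log lines, not captured from a real device.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Oct/2013:10:00:01 +0000] "GET /cgi-bin/ping.cgi?host=127.0.0.1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [28/Oct/2013:10:00:02 +0000] "GET /cgi-bin/ping.cgi?host=127.0.0.1%3B%20evil_command_here%3B HTTP/1.1" 200 512',
    '192.0.2.9 - - [28/Oct/2013:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
```

Validating the parameter against ipaddress and using an argv list closes the injection regardless of which metacharacters the shell would honour; the log check is a cheap first-pass signal for the same class of attempt.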

  30. I pwn device(s). Now what?
      - Determining geo-location can be useful (e.g. for finding missing persons or a stolen car) or dangerous (e.g. for tracking people)
      - Getting the video stream is really useful, but how? iSpyConnect: APIs and software. Detect the camera vendor, grab the API and off you go.
      - What about faces? Face detection and recognition is easy these days; OpenCV is our friend.

  31. I pwn the device. Now what?
      - Demo

  32. Closing thoughts
      - Hitachi Hokusai Electric CCTV camera can scan 36 million faces/second
      - LG Roboking VR680VMNC is equipped with wi-fi and 3 cameras at once to capture the surrounding areas
      - What's next?

  33. Summary
      - Around 1,000,000 publicly exposed DVRs/IPCAMs/CCTVs
      - Demonstrated multiple attacks
      - Demonstrated new vulnerabilities
      - Introduced novel attack ideas
      - DVR/IPCAM/CCTV vendors must secure their systems better

  34. Thank you! Questions, ideas, corrections?
      zveriu@gmail.com
      http://andreicostin.com/papers/
      http://andreicostin.com/secadv/
