Tampering with surveillance cameras is a common activity for Hollywood heroes and criminals alike. Now, researchers have shown how they can do it in real life.
Remember Speed, the 1994 movie where Keanu Reeves and Sandra Bullock had to keep a bus moving above a certain speed to stop Dennis Hopper blowing it up? Hopper’s character, Howard Payne, watches them with a hidden video camera. Any funny business, and he presses the button. To fool him, they persuade a local news crew to record the camera footage and then broadcast it in a loop, enabling everyone to escape while convincing Payne that they were still there.
Back then, cameras were analogue, but researchers at security company Forescout have demonstrated how to do the same thing with digital cameras over a network.
They conducted the project, which they described in a technical paper, to see how easy it would be to attack internet-connected smart building environments rather than save speeding buses. They set up a test network incorporating smart lighting, IP surveillance cameras, and an IoT device that connected energy consumption and space consumption sensors.
Technology may make things more functional, but it also makes them more hackable. Many IP cameras come with weak protocols such as Telnet and FTP enabled by default, they pointed out – even when their users don’t need them. This needlessly increases the attack surface of the devices. They also stream video using unencrypted real-time transport (RTP), along with the real-time streaming protocol (RTSP).
There are secure versions of RTP and RTSP, but Forescout’s report said that it rarely sees them used in real-world deployments. You could tunnel the RTSP stream through an encrypted protocol such as a Transport Layer Security (TLS) stream, but again, vendors typically don’t bother.
Forescout’s team verified that they could gain access to the network by compromising an existing device. Given the reliance on default login credentials, this is all too common. Hackers can then use a compromised device to attack other devices on the network.
In this case, they mounted a man in the middle (MiTM) attack by using ARP (address resolution protocol) poisoning to convince devices on the network that their hacked device was actually at a different IP address. They used this to impersonate the camera when talking to the network video recorder, and vice versa.
Inserting themselves in the communication stream between the two devices enabled them to mount two kinds of attack. The first, a denial of service, interfered with the connection between the network video recorder and the surveillance camera. The researchers dropped command requests from the recorder, and did the same with responses from the camera. They could also tamper with the recorder’s requests, forcing it to listen on a different network port, meaning that it wouldn’t see the camera’s video.
They applied some of these techniques in the other attack, which will appeal a bit more to fans of Hollywood movies. They forced the recorder to replay fake footage instead of showing the real live footage from the camera. To do this, they captured video traffic sent from the camera to the recorder. They’d only need a small sample because the images in most surveilled rooms move even less than the inside of a speeding bus.
Then, they forced the camera to end its current session by tampering with a periodic RTSP command that the recorder sends to check that the camera is still there. This causes the camera to stop streaming immediately and makes the recorder establish a new session. At this point, the researchers intercept the session setup command and change the communications port specified by the recorder. The camera begins streaming live video to that incorrect port. Meanwhile, the researchers sent the fake, prerecorded video traffic to the recorder on its original port.
A lot of theoretical attacks are just that, but this one has real potential. You could see how someone might use it to cover up a burglary in a secure facility. Of course, they’d also have to neutralise the other physical protections like burglar alarms and door locking systems first.
The Forescout team also succeeded in hacking smart light bulbs and the IoT gateway. They’ll be presenting their findings at DEF CON next week.
Tombert3
“This needlessly increases the devices’ attack *service.” -surface
Why Telnet is still a thing in Internet-facing consumer electronics is beyond me. Most users don’t know or could care less about a command line, and the protocol was never meant to be secure. And the checkbox to “always use HTTPS” is never checked either. The procedure behind the MiTM attack above seems quite amazing (even though it’s an old technique), and you describe it well. Devices should start with all but one protocol disabled, though manufactures don’t really care.
John Lord
Have your connected camera pointing to an area that has a battery powered analog clock in view. That would make the video loop a lot trickier to hack convincingly.
martin
“the devices’ attack service” – do you mean “attack surface”?
Paul Ducklin
Fixed, thanks!