Poor Man's Panopticon: Mass CCTV Surveillance for the masses - Andrei Costin - PowerPoint PPT Presentation

1. Poor Man's Panopticon – Mass CCTV Surveillance for the masses
   Andrei Costin, @costinandrei, FIRMWARE.RE

2. andrei# whoami
   - SW/HW/Embedded security researcher, PhD student
   - Mifare Classic hacking + MFCUK
   - MFPs + PostScript
   - Avionics + ADS-B

3. DISCLAIMER
   - This presentation is for informational purposes only. Do not apply the material if not explicitly authorized to do so
   - The reader takes full responsibility for applying or experimenting with the presented material
   - The authors are fully waived of any claims of direct or indirect damages that might arise from applying the material
   - The information herein represents the author's own views on the matter and does not represent any official position of an affiliated body
   - tl;dr: DO NOT TRY THIS AT HOME! USE AT YOUR OWN RISK!

4. Intro – Panopticon
   - The concept of the design is to allow a watchman to observe (-opticon) all (pan-) inmates of an institution without them being able to tell whether they are being watched or not
   - Synonym for "Big Brother"

5. Intro – CCTV
   - CCTV as in "Closed Circuit TV"
   - Not as in "CNTV CCTV9 China Central Television"
   - Meaning:
     - BNC cameras
     - RF cameras
     - IP cameras
     - DVR/NVR systems
     - And all HW + SW + Analytics + Integration + Interfacing systems

6. Intro – CCTV
   - Simplified schematic of most CCTV systems today (diagram)

7. Timeline – Existing Work
   - Early "IP cameras" Google dorks
   - 2005, 22C3 – Hacking CCTV. A private investigation.
   - 2007, ProCheckup – Owning Big Brother: Multiple vulnerabilities on Axis 2100 IP cameras
   - 2010, BH10DC – Joshua Marpet – Physical Security in a Networked World: Video Analytics, Video Surveillance, and You

8. Timeline – Existing Work
   - 2011, DigitalMunition – Owning a Cop Car
   - 2012, DefCon – Robert Portvliet and Brad Antoniewicz – The Safety Dance: Wardriving the Public Safety Band
   - 2013, HITB AMS – Sergey Shekyan and Artem Harutyunyan – To Watch Or To Be Watched. Turning your surveillance camera against you
   - 2013, BH13US – Craig Heffner – Exploiting Surveillance Cameras. Like a Hollywood Hacker

9. Timeline – In the recent news
   - 28 Oct 2013: "Israeli Road Control System hacked ... seems that the attackers used a malware to hit the security camera apparatus in the Carmel Tunnel toll road in Sept. 8 and to gain its control"
   - 4 Sep 2013: "FTC settles with Trendnet after 'hundreds' of home security cameras were hacked... FTC Forcing TRENDnet to Suffer 20 Years of Auditing."
   - How about... hundreds of thousands?!

10. Reality Check – The state of security of CCTV products?
   - A few roots of most evils: "Default credentials, design f@$k-ups and dumb users"
   - Kafkaesque notes in the documentation

11. Reality Check – The state of security of CCTV products?
   - A few roots of most evils: "Default credentials, design f@$k-ups and dumb users"
   - Insane design and even more insane users
   - Some users leave these on indefinitely...

12. CCTV Device Population – Search & Results
   - Goal:
     - Estimate publicly accessible IPcam/DVR/NVR/CCTV systems
     - So, how much can someone theoretically own?
   - Sources:
     - Shodan
     - Internet Census 2012
     - (optional) Google dorks
   - Results:
     - Statistics and queries should be released soon

13. CCTV Device Population – Search & Results
   - Results – Internet Census 2012 (top matches), TOTAL ~ 450,000 ("?" = vendor not identified)

     Banner / fingerprint                              Hosts    Vendor
     Avtech AVN801 network camera                    137,066    AvTech
     GeoVision GeoHttpServer for webcams             121,907    GeoVision
     Netwave IP camera http config                    53,813    Foscam
     DVR Systems webcam http interface                18,775    ?
     Netwave webcam http config                       15,785    Foscam
     Swann DVR8-2600 security camera system httpd     15,458    Swann

14. CCTV Device Population – Search & Results
   - Results – Shodan (top matches, Jun 2013); today the numbers are ~10-20% up; TOTAL >> 1,200,000 ("?" = vendor not identified)

     Shodan query                        Hosts    Vendor
     q=netwave+camera                  332,342    Foscam
     q=port%3A80+Avtech                309,801    AvTech
     q=GeoHttpServer                   278,148    GeoVision
     q=Server%3A+alphapd                89,831    ?
     q=realm%3D"DVR"                    87,095    Hunt/Svat/Defender
     q=Server%3A+Network+Camera         51,378    Mixed
     q=dcs-lig-httpd                    50,547    D-Link

15. CCTV Device Population – Fun Facts
   - Let's map the "surveillance" coverage of the publicly accessible CCTV device population over a geographical area
     - As if all exposed devices were located in a given area
   - Assumptions:
     - between 450k and 1.2M devices; let's take 500k devices
     - each found "device" covers 100 m² (10 x 10 m)
       - a stretched assumption, but reasonable on average
       - many DVRs have 2 to 32 cameras each
       - many cameras are good-resolution HD
     - all devices cover a continuous flat surface/space

16. CCTV Device Population – Fun Facts
   - Math: 500,000 x 100 m² = 50,000,000 m² = 50 km²
   - City of Luxembourg ~ 51.46 km²
     - We could survey nearly the whole City of Luxembourg (orange spot on the map)
   - Monaco ~ 2.02 km²
     - If Monaco were covered totally by a 25-floor state-wide building (2.02 km² x 25 ≈ 50.5 km²), we could survey that state-wide building entirely

17. CCTV Online Live Demo Systems
   - What? IPcam/DVR/CCTV systems put intentionally on the internet by the vendor or by security/surveillance online shops
   - Why?
     - Usual audience – intended for marketing and sales boost
     - Geek audience – think differently :)
   - How? Google for:
     - "demo dvr", "demo nvr", "cctv demo"
     - "live cctv demo", "live dvr"

18. CCTV Online Live Demo Systems
   - Google dork stopped working? Let's create our own brand new one!

19. Targets and Motivations
   - Attackers by motivation: voyeurs, stalkers, criminals, government organizations, hacktivist groups
   - Targets:
     - Persons, cars, property
     - Embedded devices
     - PCs of operators (secondary)
     - Other integrated interfaces (see the Israeli road control system)

20. Targets and Motivations
   - Motivations:
     - Money (e.g. blackmailers, bounty hunters for fugitives/missing persons/stolen cars)
     - Covering a crime (e.g. robbery: tap in before, DoS during, restore after)
     - Uncovering censorship (e.g. hacktivism: checking what is really going on during demonstrations)
     - Botnets of embedded devices

21. Attacks – Types by Location
   - Remote
     - may come as a remote scan & exploit (classical)
   - Local (software)
     - may come as a local-network exploit (classical)
     - may come as a physical attack over USB
   - Local physical proximity
     - may come as a physical attack over infra-red
     - may come as a physical attack over USB
     - may come as a software attack over the "visual layer"

22. Attacks – Unconventional – Invisible layer
   - Infra-red channel – DoS, command injection

23. Attacks – Unconventional – Visual layer
   - Visual layer backdoors (more wicked than the Google Glass hack)
   - Visually encoded information
     - QR codes
     - Any other visual (custom) code that can convey info & commands
     - Can be as custom as a
   - The trick is a highly reliable trigger
     - accurate visual mark detection
     - accurate decoding of visually-encoded info & commands

24. Attacks – Unconventional – Visual layer
   - Visually encoded information and commands, example (figure): "Disable recording", "Update malware", "Contact C&C server", "Blur face"

25. Attacks – Unconventional – Visual layer – How?
   - Software (video I/O kernel modules, streaming application video filters)
     - easy to hard to detect or reverse
   - Hardware (integrated video/audio codecs and chipsets)
     - hard to impossible to detect or reverse, even if I/O to the chip is possible
   - The range of video imagery pixels that can form a "semantic" image is huge
     - hard to trigger, and thus to detect, the "visual information decoding" after all

26. Attacks – Most Common Vulnerabilities
   - Backdoor credentials/access

27. Attacks – Most Common Vulnerabilities
   - Clear-text credential storage + insufficient access controls

28. Attacks – Most Common Vulnerabilities
   - Old software (kernel, web server, interpreter)

29. Attacks – Most Common Vulnerabilities
   - Denial of Service
     - DoS on CCTV is critical, not a nuisance
     - Weakest points seem to be /cgi-bin/*
     - Causing coredumps & reboots
     - Short demo
   - Rogue/modified firmware
     - Short demo
   - Command injection
     - e.g. via ping: "127.0.0.1; evil_command_here;"
   - Insufficient access controls on webroot and filesystem
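The ping-style command injection above is worth seeing side by side with its fix. The following is an added example, not code from the talk or from any vendor's firmware: the handler names, the "host" query parameter and the request strings are assumptions. Nothing is executed; each handler returns the command it would run, so the injected payload can be inspected safely.

```python
"""Command injection through a CCTV 'ping' diagnostic CGI: weak vs. hardened.

Added example; not code from the talk or from any vendor firmware. The
handler names, the 'host' query parameter and the request strings are
assumptions. Nothing is executed here: each handler returns the command it
would run, so the injected payload can be inspected safely.
"""
import ipaddress
import re
import subprocess
from typing import List
from urllib.parse import parse_qs

# RFC 1123-style hostname: dot-separated labels of letters, digits and
# hyphens, no leading/trailing hyphen. Assumed to be all the diagnostic
# page legitimately needs to accept.
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def _host_param(query_string: str) -> str:
    """Pull ?host=... out of the CGI query string (first value, or '')."""
    return parse_qs(query_string).get("host", [""])[0]


def vulnerable_ping_command(query_string: str) -> str:
    """The weak pattern: user input pasted into a shell command line.

    On the device this string goes to system()/popen(); a ';' in the value
    ends the ping and starts the attacker's command.
    """
    return "ping -c 3 " + _host_param(query_string)


def is_valid_target(host: str) -> bool:
    """Allow-list: an IPv4/IPv6 literal or a plain hostname, nothing else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return len(host) <= 253 and _HOSTNAME_RE.match(host) is not None


def hardened_ping_command(query_string: str) -> List[str]:
    """Validated input passed as an argv list (no shell to inject into)."""
    host = _host_param(query_string)
    if not is_valid_target(host):
        raise ValueError("rejected target: %r" % host)
    # The regex forbids a leading '-', so the host cannot become a ping flag.
    return ["ping", "-c", "3", host]


def run_hardened_ping(query_string: str, timeout: float = 10.0) -> int:
    """Execute the hardened command without a shell; returns ping's exit code."""
    argv = hardened_ping_command(query_string)
    return subprocess.run(argv, shell=False, timeout=timeout,
                          stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode


if __name__ == "__main__":
    # '%3B' is ';' URL-encoded and '+' is a space: the slide's example payload.
    evil = "host=127.0.0.1%3B+evil_command_here%3B"
    print("weak handler would run :", vulnerable_ping_command(evil))
    try:
        hardened_ping_command(evil)
    except ValueError as exc:
        print("hardened handler       :", exc)
    print("hardened handler argv  :", hardened_ping_command("host=127.0.0.1"))
```

The two changes that matter are the allow-list on the value (an IP literal or a hostname, so `;`, `|`, `$(` and a leading `-` never get through) and passing the command as an argv list with `shell=False`, so that even a validation bug cannot reach a shell. Blocklisting metacharacters alone is the usual failed fix on these devices.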

30. I pwn device(s). Now what?
   - Determining geo-location can be
     - Useful, e.g. for finding missing persons or stolen cars
     - Dangerous, e.g. for tracking people
   - Getting the video stream is really useful, but how?
     - iSpyConnect – APIs and software
     - Detect the camera vendor, grab the API and off you go
   - What about faces?
     - Face detection and recognition is easy these days
     - OpenCV is our friend
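"Detect the camera vendor" on slide 30 is the same banner matching that produced the Shodan and Internet Census tables on slides 13-14. The following is an added example, not code from the talk, from iSpyConnect or from any vendor: the rule table is built from the banner strings and Shodan queries those slides list, and every sample response is constructed for the demo, not captured traffic (the realm values and the "thttpd" banner are assumptions).

```python
"""Vendor fingerprinting of CCTV/DVR HTTP banners.

Added example; not code from the talk, iSpyConnect or any vendor. The rule
table is built from the banner strings and Shodan queries on slides 13-14,
and every sample response below is constructed for the demo, not captured
traffic (the realm values and the "thttpd" banner are assumptions).
"""
import re
from typing import Dict, List, Optional, Tuple

# (vendor label, header to inspect, regex). First match wins, so the more
# specific vendor banners come before the generic "Network Camera" rule.
# Attributions follow the slides; "unknown" mirrors their "?" entries.
RULES: List[Tuple[str, str, str]] = [
    ("Foscam (Netwave)", "server", r"netwave"),
    ("AvTech", "server", r"avtech"),
    ("GeoVision", "server", r"geohttpserver"),
    ("D-Link", "server", r"dcs-lig-httpd"),
    ("Swann", "server", r"dvr8-2600"),
    ("unknown (alphapd)", "server", r"alphapd"),
    ("Hunt/Svat/Defender (DVR realm)", "www-authenticate", r'realm="dvr"'),
    ("generic network camera", "server", r"network camera"),
]

# Constructed responses for the demo (CRLF line endings as on the wire).
SAMPLES: List[str] = [
    'HTTP/1.1 401 Unauthorized\r\nServer: Netwave IP Camera\r\n'
    'WWW-Authenticate: Basic realm="ipcam"\r\nContent-Length: 0\r\n\r\n',
    'HTTP/1.0 200 OK\r\nServer: GeoHttpServer\r\nContent-Type: text/html\r\n\r\n<html>...',
    'HTTP/1.1 401 Unauthorized\r\nServer: thttpd/2.25b\r\n'
    'WWW-Authenticate: Basic realm="DVR"\r\n\r\n',
    'HTTP/1.1 200 OK\r\nServer: dcs-lig-httpd\r\n\r\n',
    'HTTP/1.1 401 Unauthorized\r\nServer: alphapd\r\n'
    'WWW-Authenticate: Basic realm="camera"\r\n\r\n',
    'HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\n\r\n',
]


def parse_response_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header map) from a raw HTTP response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def fingerprint(raw: str) -> Dict[str, object]:
    """Classify one response: vendor guess, whether auth is demanded, realm."""
    status, headers = parse_response_head(raw)
    vendor: Optional[str] = None
    for label, header, pattern in RULES:
        if re.search(pattern, headers.get(header, ""), re.IGNORECASE):
            vendor = label
            break
    realm = re.search(r'realm="([^"]*)"', headers.get("www-authenticate", ""),
                      re.IGNORECASE)
    return {
        "vendor": vendor,
        "server": headers.get("server"),
        "auth_required": status == 401 and "www-authenticate" in headers,
        "realm": realm.group(1) if realm else None,
    }


def count_by_vendor(responses: List[str]) -> Dict[str, int]:
    """Tally a batch of banners per vendor, the way the slides' tables do."""
    counts: Dict[str, int] = {}
    for raw in responses:
        label = fingerprint(raw)["vendor"] or "unidentified"
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLES:
        print(fingerprint(raw))
    print(count_by_vendor(SAMPLES))
```

Rule order is the whole trick: vendor-specific banners first, the catch-all `Network Camera` last, and the `realm="DVR"` rule on `WWW-Authenticate` rather than `Server`, because the DVR families on slide 14 are identified by their auth realm, not by a distinctive server string. A `401` with a realm also tells you, before any exploit, whether the device is at least asking for credentials.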

31. I pwn the device. Now what?
   - Demo

32. Closing thoughts
   - Hitachi Hokusai Electric CCTV camera: can scan 36 million faces/second
   - LG Roboking VR680VMNC: equipped with Wi-Fi and 3 cameras at once to capture the surrounding areas
   - What's next?

33. Summary
   - Around 1,000,000 publicly exposed DVRs/IPCAMs/CCTVs
   - Demonstrated multiple attacks
   - Demonstrated new vulnerabilities
   - Introduced novel attack ideas
   - DVR/IPCAM/CCTV vendors must secure their systems better

34. Thank you! Questions, ideas, corrections?
   zveriu@gmail.com
   http://andreicostin.com/papers/
   http://andreicostin.com/secadv/
