First Axis, now NUUO. Full disclosure.
OrwellLabs just released a POC on how to hack certain Axis cameras and video servers (h.t. Gavin Millard). This is just a few days after I received a marketing email from Axis (the July 2016 Axis ADP eNewsletter), containing this verbiage:
Service release for critical security vulnerability
Recently, a critical security vulnerability was discovered in some of Axis’ products that are accessible from the Internet. We have now published firmware service releases for the majority of our products; see http://www.axis.com/support/product-security. Axis recommends users to update the affected products’ firmware as soon as possible, especially if the products are accessible from the Internet.
The very same email contains this message:
Taking responsibility
CEO Ray Mauritsson comments on privacy, business ethics, the Axis code of conduct, and how we – together with our partners – are working to create a smarter, safer world
Axis did put out a press release on the 6th of July 2016 about the vulnerability on their security page (about 9 months after Axis was notified by OrwellLabs). But honestly, how many owners of the affected devices will go there? How many owners of the affected devices will get an email about this sort of thing? Even if they do, they have to visit a link to determine the severity. I don’t know if issuing a press release, 9 months later, saying that your company’s cameras may become part of a botnet army is “taking responsibility”. I know it is not uncommon for companies to behave this way, but that doesn’t make it right.
For all intents and purposes, the impact of this bug is not that big. The vast majority of sensible users will not expose their CCTV system directly to the internet. Your camera may access the internet – outbound – to send notifications etc. but that will not make you vulnerable. To be vulnerable, you need to map a port on your firewall to your camera, so that you can see the camera web-interface from a public IP address.
But there are a minority of users who will, and who do this sort of thing. And even if it is the minority, they can do a lot of damage to others (by participating in botnets), and obviously to themselves too (paying $$$ for a useless/dangerous device).
It’s depressing because Axis does a lot of things to improve security: no default passwords is a pain in the ass, but it does make things a little more secure (only just a little, because people will put in 12346, pass, or something similar).
A while ago I read a piece about a guy who stopped reading industry news. Reading industry news can be a massive distraction to a long term strategy. Every time your competitors (real or imagined) launch something, there’s a line of pundits ready to hail praise to the “innovation”. You start wondering why you aren’t doing gait-recognition in your app. Then a few months later, it’s psychoacoustic categorization and so on.
The default assumption is that “oh, they got that working?”, and then I remember that people have wildly different opinions on what “works” means. I usually have the opposite point of view; until I have seen the thing, I don’t believe that it works.
I saw some Kinect footage before it was released, and I was pretty suspicious – once I tried it, I wasn’t disappointed. It was shit. There was, maybe, once in a while, if I was willing to suspend my disbelief, a few times where raising my arm would make something happen on the screen. You’ll probably find a bunch of people who would tell you that bundling Kinect with Xbox One was a stroke of genius. If selling half the number of devices of your competitor is “genius”, then I wonder what “stupid” is. In any case, they removed the crap completely from Xbox One S (although you can get an adaptor if you are a masochist).
I decided not to get an Oculus Rift either. The dev kits we had were just too shitty for my taste. Sure, it was very odd/cool to watch myself from somewhere else. But nothing I would pay a large sum of money for, and I predict that there will be a lot of unused VR kits lying around in boxes 12 months from now (Google Cardboard is good enough for me, but I am told the HTC Vive is pretty good). The AR “demos” also seem too fake. Tango seems fine, but HoloLens and Magic Leap will surely disappoint me.
And the same thing goes for some of the services we’ve tested in the office. A lot of them are just not reliable. There’s a large chasm between “what a cool idea, and it sorta, kinda works, if you hold it juuuust right” and “it just works”. A while ago I did a trial on an ALPR system, and the results were terrible. Sure, from time to time it would get it right, but too often it would fail. I am not going to buy into a system that promises plug and play, but then, when I test it, I am led down the maze of infinite tweaks and caveats. If you require special lighting, special positioning, external sensors and so on, then I might as well write the damn thing myself. We also tried another product that made marketing and sales people drool; even potential customers were excited. But I could not get anyone to set this stuff up to work the way people imagined that it worked. They were so thrilled about the idea that they lost sight of the implementation and result.
I have a pet theory that a lot of products are really turds. To mask the smell, the turd is doused in condiments, and the more condiments the better, even if the condiments are tasteless/bitter themselves.
I suggest that the first company to offer real cake will take the prize. I bet that a large number of people would rather eat a donut with NO condiments than a turd, regardless of the amount of great stuff piled on top of it.
For kicks I downloaded Milestone Xprotect GO this morning.
My handiwork is still in there!
In the Milestone/Milestone Surveillance folder, you’ll find a file called “mask.exe”. Don’t try executing the file, just copy the file and rename the extension to .jpeg. So you get
mask.exe -> mask.jpeg
Then open the file in your favorite JPEG viewer, and behold, a wonderful image I made in 3DSMax about 10 years ago.
This was used for demo-mode purposes. If you had not entered a valid license code, we’d embed this frame into the video (a costly process). To ensure that you didn’t just replace the demo image with a 1×1 pixel image, we validated a hash of the file content.
LinkedIn’s user database was leaked online a while ago, now usernames and passwords are for sale in the dark net. LinkedIn were not the first, nor the last to have their user database stolen, and published online.
Companies go to great lengths to protect their databases from outside intrusion; but what about the disgruntled employee? Your best friend had root access to the system, but when things went sour, he had already made a copy of the database (just in case), and so when he was finally let go, he decided to post the database snapshot online.
In the terrible old days, the database would contain the username and password in plaintext, so you’d see something like this:
User    | Pass
--------+--------
Morten  | 123456
Then someone thought to encrypt the passwords, but the disgruntled employee has access to the key and the algo used, so he could just post that information online as well. A tell-tale sign of such a (horrific) implementation is that the system sends your password to your email address if you forget it, instead of the usual reset password email that you get today.
These days we do salted hashes to make it hard to determine the passwords if the database is compromised. The basic idea is that you no longer store the password, but instead store the result of a hash function. When the user provides their password, the system combines the password with another value (the salt) and computes the resulting hash value. This value is then compared to the value stored in the database; if they match, the user gets access. Since the user database contains the RESULT of a computation, there is “no way” to deduce the original password from the hash value stored in the database.
Here is a very simple example:
Say we only allow 4 digits as our password, and our hash is simply to add the numbers together (this is a TERRIBLE hashing function!), but this will serve as an example.
So the user has a pin of 1234, and for this user we have made a salt value of 3333.
So the user enters 1234, we then append the salt, so we get 12343333, then hash that value (1+2+3+4+3+3+3+3 = 22), so we store 22 in the database.
User    | Salt | Hash
--------+------+-----
Morten  | 3333 | 22
Now, say someone tries to use my account and attempts to gain access. He then enters 1111 as the PIN. The system then computes the hash (1+1+1+1+3+3+3+3 = 16). The hash computed (16) is then compared to the value in the database (22); since they don’t match, the user is denied access.
The observant reader will have realized that if I know the salt, it will be simple to find a PIN that gives the desired result (22). 4321 would work and grant access, so even if I don’t have exactly the same PIN, I get access just the same.
This is primarily because the hash function is so terrible; so you do not use idiotic hash functions, but pick some that are generally accepted as being “good”, for example MD5 is widely used. So when you use good hash functions, the likelihood of two PINs giving the same hash is very small. This means that you have to try a lot of combinations to find one where function( guess, known_salt ) == hash. But computers are happy to try a lot of combinations, and the number of combinations can be greatly reduced by using “rainbow tables”. These are tables of known, often-used passwords, usually retrieved from other hacks, and while this doesn’t give us all the passwords, it usually breaks enough accounts for whatever purpose is needed. We might also want to target just one account in the DB, and try a much wider range of passwords.
Someone might argue that since I don’t have the hashing algo used I will be unable to set up my little script to run through the rainbow table, but this could have been leaked as well. Even if it wasn’t there might be known accounts in the database, where I will be able to try different hashes with a known username, password and salt.
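To make the two halves of this concrete, here is an added example (my own code, not from the original post) that implements the post’s toy scheme exactly as described (PIN 1234, salt 3333, hash = sum of digits = 22) so you can see how many 4-digit PINs collide with the stored value, and then beside it a realistic version: a random per-user salt, a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from Python’s standard library, chosen here instead of a plain fast hash as a design choice, not something the post prescribes), and a constant-time comparison. The final function shows why the slow function matters: it is the same “try every candidate through function( guess, known_salt )” loop the post describes, and every guess costs the attacker the full iteration count. The iteration count and the wordlist are constructed values for the example.

```python
"""Salted-hash storage: the post's toy scheme beside a realistic one.

Added example, not code from the original post.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# ---------------------------------------------------------------------------
# The post's toy scheme: append the salt, add the digits (a terrible hash)
# ---------------------------------------------------------------------------

def toy_hash(pin: str, salt: str) -> int:
    """Hash from the post: digit sum of pin + salt. toy_hash("1234", "3333") == 22."""
    return sum(int(d) for d in pin + salt)


def toy_verify(stored_hash: int, attempt: str, salt: str) -> bool:
    """What the toy login check does with a stored (salt, hash) pair."""
    return toy_hash(attempt, salt) == stored_hash


def toy_collisions(stored_hash: int, salt: str) -> List[str]:
    """Every 4-digit PIN the toy scheme would accept for one stored hash.

    For hash 22 and salt 3333 that is every PIN whose digits sum to 10,
    which is why knowing the salt makes the toy scheme worthless.
    """
    return [f"{n:04d}" for n in range(10_000)
            if toy_hash(f"{n:04d}", salt) == stored_hash]


# ---------------------------------------------------------------------------
# A realistic scheme: random per-user salt + slow key-derivation function
# ---------------------------------------------------------------------------

DEFAULT_ITERATIONS = 100_000  # constructed value for the example; tune upward for production


def make_record(password: str, iterations: int = DEFAULT_ITERATIONS) -> Dict[str, object]:
    """Build the row that goes in the user table: salt, derived key, and the cost used."""
    salt = os.urandom(16)  # fresh random salt per user, never reused
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "hash": key.hex(), "iterations": iterations}


def verify(record: Dict[str, object], attempt: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    salt = bytes.fromhex(str(record["salt"]))
    expected = bytes.fromhex(str(record["hash"]))
    key = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, int(record["iterations"]))
    return hmac.compare_digest(key, expected)


def try_wordlist(record: Dict[str, object], wordlist: List[str]) -> Optional[str]:
    """The offline check the post describes, run over a leaked record.

    Each candidate costs a full PBKDF2 run, so the iteration count is exactly
    the multiplier that slows down anyone working through a leaked table.
    """
    for candidate in wordlist:
        if verify(record, candidate):
            return candidate
    return None


if __name__ == "__main__":
    print("toy hash of 1234 with salt 3333:", toy_hash("1234", "3333"))
    print("toy hash of 1111 with salt 3333:", toy_hash("1111", "3333"))
    print("4-digit PINs accepted for stored hash 22:", len(toy_collisions(22, "3333")))
    row = make_record("correct horse")                      # constructed sample password
    print("right password accepted:", verify(row, "correct horse"))
    print("wrong password accepted:", verify(row, "wrong"))
    print("found via constructed wordlist:", try_wordlist(row, ["123456", "password", "correct horse"]))
```

Storing the iteration count with the record is what lets you raise the cost later without breaking existing logins: old rows keep verifying at their recorded cost and can be re-hashed on the user’s next successful login.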
If you are in the “same password everywhere” camp, then you are SOL. Even if the blog comes clean and discloses that they have been compromised, it is too late. Changing the password on the blog does not remove the password in the leaked database.
I had forgotten the smell of an electronics store. I am not talking about Best Buy, or Radioshack, but one where you can get LEDs, resistors, wires and breadboards, where the guy behind the counter tells you that a 220 ohm resistor is suitable for the LED.
The computers I am playing with these days are very low cost (down to $5), but they have digital IOs readily available, and I must say that I am amazed at the kinds of things that are available. RFID readers, 433MHz transceivers, PIR detectors, touch screens, cameras etc. And did I mention that you can play Minecraft on these things?
So today I got myself a breadboard, some LEDs and resistors, and set up my little script so that when motion is detected by a camera, the LED turns on for 5 seconds. It feels almost magical to see the little LED light up when I move in front of the cameras. Strange how this little addition somehow makes it all seem more “real”.
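The one piece of logic in that little script that is easy to get wrong is the hold time: if motion keeps arriving while the LED is already on, the 5 seconds should restart from the latest event rather than the first one. Here is an added example (my own code, not the script from the post) that isolates that behaviour in a small class, drives it from a fake clock so it runs anywhere, and shows how the same class would be wired to a real pin with RPi.GPIO. How the motion events reach the script is not described in the post, so the example simply takes them as calls to on_motion(); the event timestamps in simulate() are constructed.

```python
"""Hold an LED on for N seconds after the most recent motion event.

Added example, not the post's own script.
"""
import time
from typing import Callable, List, Optional, Tuple


class MotionLed:
    """Turns the LED on at the first motion event and off HOLD seconds after the last one.

    set_led is called with True/False only on actual transitions, so a real
    GPIO pin is not hammered on every tick.  The clock is injectable so the
    logic can be replayed offline.
    """

    def __init__(self, set_led: Callable[[bool], None], hold_seconds: float = 5.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._set_led = set_led
        self._hold = hold_seconds
        self._clock = clock
        self._off_at: Optional[float] = None
        self.lit = False

    def on_motion(self) -> None:
        """Called by whatever delivers the camera's motion events (assumed, not from the post)."""
        self._off_at = self._clock() + self._hold  # restart the countdown on every event
        if not self.lit:
            self.lit = True
            self._set_led(True)

    def tick(self) -> bool:
        """Call from the main loop; switches the LED off once the hold expires."""
        if self.lit and self._off_at is not None and self._clock() >= self._off_at:
            self.lit = False
            self._off_at = None
            self._set_led(False)
        return self.lit


def simulate(event_times: List[float], hold_seconds: float = 5.0,
             step: float = 0.5) -> List[Tuple[float, bool]]:
    """Replay constructed motion timestamps through MotionLed with a fake clock.

    Returns the (time, state) transitions, e.g. events at 0 and 3 with a 5 s
    hold give [(0.0, True), (8.0, False)]: the second event extends the hold.
    """
    now = [0.0]
    transitions: List[Tuple[float, bool]] = []
    led = MotionLed(lambda on: transitions.append((now[0], on)), hold_seconds,
                    clock=lambda: now[0])
    pending = sorted(event_times)
    end = (max(event_times) if event_times else 0.0) + hold_seconds + step
    while now[0] <= end:
        while pending and pending[0] <= now[0]:
            pending.pop(0)
            led.on_motion()
        led.tick()
        now[0] += step
    return transitions


def gpio_led_writer(pin: int) -> Callable[[bool], None]:
    """Return a set_led callback bound to a real Raspberry Pi output pin.

    Imported lazily so the rest of the module runs on machines without RPi.GPIO.
    The pin number is whatever you wired the LED (through its resistor) to.
    """
    import RPi.GPIO as GPIO  # type: ignore  # only available on the Pi
    GPIO.setmode(GPIO.BCM)
    GPIO.setup(pin, GPIO.OUT)
    return lambda on: GPIO.output(pin, GPIO.HIGH if on else GPIO.LOW)


if __name__ == "__main__":
    # Offline demo with constructed timestamps: motion at 0 s and again at 3 s.
    for t, state in simulate([0.0, 3.0]):
        print(f"t={t:4.1f}s  LED {'on' if state else 'off'}")
```

On the Pi itself you would construct `MotionLed(gpio_led_writer(18))`, call `on_motion()` from your camera’s motion callback, and call `tick()` each pass of the main loop; the offline simulate() path exists so the timing logic can be checked without hardware.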
Google and Amazon would like to place a sort of Peeping Tom on your house. You’ll pay for it, and in return it will turn your light on (when WiFi works), play music and order crap you don’t need when you yell at it. But most likely, it will hear when you tell your wife that your sphincter has been giving you grief lately, and the next thing you know, every page will pop ads for Preparation H (now it just pops ads for skin cleansers!?!?!).
I hardly go to the movies any more, and if I do, I sure as shit wouldn’t trust the Google Peeper to book the tix for me (there are several screens, not all are good, and in Denmark we have numbered seating and so there’s a lot of things that can go wrong).
The general direction seems to be to allow you to be completely passive except for the occasional yelling at your golem, but then – the next thing Google shows is a watch with a fitness tracker. So, you get this device that listens to everything you say, and does trivial things for you, and then you put on this other device that tracks where you are, and tries to motivate you to burn off those excess calories, that you’ve accumulated from sitting on your ass all day.
Some of the tech is designed to let you connect with friends and family, but the demo then shows an automated response to a picture of a bowl of spaghetti (they say it can tell the type of pasta being served, which is probably a lie). I’m sure that the system, in time, will know that you are cooking linguini and autonomously send a picture of some linguini to your wife, whose phone will then create an automated reply “yummy”.. awesome… I feel connected already.
The caveat is that it can only do still shots at 4K, while it can do 1080p30 video.
A video breakdown of the changes to the new PI Zero and a demo of the camera can be found here.
A friend of mine dropped off a HikVision camera a while ago, and I had added it to my DIY NVR. Setting up the motion detection was a breeze, and so I was optimistic when I added a second camera. An older Axis Canon camera.
This camera wanted to use Java, which was problematic. In fact, none of my 3 browsers would allow running Java – regardless of how many “I am aware of the risks, just let me do my thing” boxes I checked.
In the end, I had to ask a friend, and surprisingly I had to use IE and add the camera to the list of “compatible” sites.
So suddenly, the motivation to do server side motion detection is clear to me – it is not about using the resources optimally (most people probably realize this already, and I’ve heard that Pelco is not recommending this either), but it’s just such a massive pain in the ass to do it.
Maybe ONVIF will make a protocol for setting up motion detection (but since there is no notion of “motion detection”, and no fixed node to poll for such an event, I am not holding my breath). I’ll just recommend using a camera with a sensible configuration interface.
Vigilant is offering, what I can only assume is a rebranded low cost DVR, with POE and 4 cameras for $250. That is pretty cheap even if it’s without storage (max seems to be 2 TB).
Happe contends that consumers have been “getting ripped off.” During the conference call he cited research by Security Sales & Integration, which found the cost to install an eight-camera system on average is $15,000. (See 2016 Gold Book installation statistics.) Compare that, he said, to an eight-camera system by Vigilant installed by a certified U.S. Install contractor for about $2,000.
“The industry is going to hate us but consumers obviously will love us. I’m not going to miss lost sleep worrying about Tyco ripping off fewer consumers as we take more and more market share. We are going to change the game,” he said.
So I was wondering if I could match that with my $100 DIY kit. First of all, I can strip out storage, but I will need to add a POE switch and 4 cameras.
Newegg has a Netgear 8 port switch with 4 POE at $50, so we’ll grab one of those.
So, all in all, “NVR box” + POE + cameras come in at $220 bucks (you’ll need to add the cables though).
While I am not intimately familiar with the Vigilant NVR, I am guessing that it is similar to the embedded systems that I’ve seen on YouTube, which are pretty impressive. However, the DIY solution has some advantages over the Vigilant offering: you can replace the POE switch if (when?) it dies, without replacing the entire NVR. You get a “real” computer that runs real Linux instead of a closed down embedded Linux of unknown origin. You can pick a different set of cameras (maybe you don’t need/want 4 terrible cameras).
Is it a race to the bottom? Trunk-slammers galore?
Even the best integrators want to get rid of needless complexity, and the low-cost NVRs surely do that, but they go a little too far in my opinion. Surely there’s a place for these boxes, but that place is not large scale installations with centralized management and monitoring etc. And at $250 I am wondering what sort of customer support you will be getting.