August 24, 2018 | By Caleb Purcell
A demonstration at DEFCON 2018 this month as well as Georgia Tech analysis of five, police body-camera models from different vendors revealed that a broad sector of these devices fail to maintain the integrity of evidence they were designed to produce. From devices themselves to the software ecosystems that support them, all of the surveyed camera models contained vulnerabilities that would allow attackers to track their locations or manipulate the software.
IISP Analyst Caleb Purcell: "When I first received an article about this from colleague and fellow Source Port contributor, Chris M. Roberts, my immediate reaction was a simple thought, 'Finally!' For me, this article brings finality and confirmation to some of my earliest security research. In 2015, our group performed a similar vulnerability survey on Internet of Things (IoT) wearable devices, with my focus being police body cameras. Even a few of the same cameras we analyzed were included in this article’s list. The results of the survey were alarming. I’m no proponent of cyber fear-mongering, but the relative ease of compromise genuinely shocked me.
At a high level, we came to many of the same conclusions: default WiFi passwords with no change requirements, lack of software signing, and lack of media digital signatures – all of which represent a fundamental breakdown in security – seem consistent across the spectrum of police body cameras. Together, these vulnerabilities provide an avenue for attackers to deliver malware and tamper with evidence. The details that led to these discoveries, however, are really astonishing.
One camera we analyzed had no password requirement to connect via USB, which would allow any attacker with physical access to update the device’s firmware and WiFi password. Connection via WiFi required a password, but each camera had a default password (‘1234567890’) that wasn’t required to be changed before use. Using this default password, we were able to hack into the camera’s live video feed from a laptop. In addition, the camera’s processor hosted an anonymous FTP server rooted in the main drive, granting any user with a wireless connection total control over device files and data. Connecting to the camera’s internal debug port revealed that, on reboot, the processor always checked that FTP accessible drive for specific filenames to trigger firmware and WiFi password updates. With a default WiFi password, an anonymous FTP server, and automatically triggered firmware updates – remote malware delivery shifts from possible to probable. We successfully pushed firmware modifications to the body camera without any interruption to normal operations. A well-designed malware could reach back and infect any PC that connects to that camera.
Another camera from our survey came with bolder security claims (i.e., FIPS 140-2 compliant digital signatures for media, etc.) and required a combination of vendor-specific software/cables to interface with it. These claims provided the framework for our testing. Using the vendor-specific cable, we devised two methods to bypass the vendor software requirement and obtain full access to all of the camera’s files and data. We then uploaded, downloaded, altered, and deleted video evidence without restriction and without detection. As for the digital signatures, we came to the conclusion that the signatures were applied only after importing videos from the camera into the vendor database. Any modifications or deletions prior to importing the evidence were effectively undetectable.
I’ll end with an anecdote that is less technical, more humorous. The last camera we analyzed seemed to have the most effective security implementation, including a password that, if forgotten, could only be reset by the vendor. Given that our time to complete the survey was quickly running out, I decided to go on a hunch that the vendor had built-in a master password. I reached out to the vendor’s engineering team explaining that I had forgotten my password and didn’t have time to return it. No dice. I then reached out to the sales team with the same story. They responded with a master password – one that could not be changed and worked on every single camera. Amazing. In the end, I suppose humans will always be the weakest link in security.
The world of IoT is held in constant tension between the drive for rapid, low-cost development and the need for better security. There is always a place for the ‘you get what you pay for’ mentality, but the vulnerabilities displayed here are unacceptable. Malware, poor digital signing, and master passwords – all on devices intended to provide integrity. If you can’t trust the cameras or the evidence they produce, then why even have the cameras in the first place? Before investing in IoT, organizations should take the time to properly vet products with security in mind. Especially when those products are intended to support an environment of integrity."
For further reading
- Engadget: https://www.engadget.com/2018/08/13/security-flaw-body-cameras-hacks/
- Wired: https://www.wired.com/story/police-body-camera-vulnerabilities/