Security Cameras – To See Or Not To See?!
From live and automatic event log analysis up to personal “on-key” tokens and remotely controlled security cameras.
These technologies should be used carefully. For example if the token generates 6 digits and there is no password complexity enforcement, users can set their password to “1″ and then we’ll get a 7 character length password. If the data from the log will not be filtered and will be in html format, it may execute code. Even worse, if it is viewed at the command line console, it may execute code using the console color control characters.
When talking about security cameras, a security flaw in the camera’s simple application server may cause the entire video stream to be accessible to an intruder.
While consulting to a big financial customer, I discovered the security cameras installed are easily accessible to anyone thanks to a very simple logical flaw. Not to mention default user accounts, empty password sets, the ability to brute force, directory traversal and some classic authorization bypass vulnerabilities.
Attached are a few screen captures: