Who's Watching? Hacked Security Cams Spoof Images, Attack Network

It's a standard scene in most heist movies. The crime team needs to get through an area that's covered by security cameras, so they hack into the security system to make the camera show an empty hallway. A Black Hat conference presentation demonstrated how incredibly simple that hack can be on a modern Internet-connected security camera. In truth, if you've got security cameras in your office or business, this hack is the least of your worries. A hacker could well get full access to the network through your cameras. Hey, weren't they supposed to give you better security?
I See You
Presenter Craig Heffner is a Vulnerability Researcher with Tactical Network Solutions, but he's had other jobs. "The news stories talked a lot about the fact that I used to work for a three-letter agency," said Heffner. "Some claimed that this presentation is based on work I did for the NSA. That resulted in some interesting calls from my former employer." Heffner clarified that all of the research going into this presentation was performed for his current employer, not the NSA.
Heffner evaluated cameras from D-Link, Linksys, Cisco, IQInvision, and 3SVision. Without going into the gory low-level details, in every case he found a way to run arbitrary commands remotely. "I dubbed this the Ron Burgundy exploit," quipped Heffner. "It just runs anything you give it, and it will send you a response." In several cases he found administrator login credentials hard-coded in the firmware. "The problem with secret hard-coded passwords and secret backdoors," said Heffner, "is that they don't stay secret."

In the end, Heffner gained access at the root level to every camera. He pointed out that there's a huge re-use of code between a company's own models and also between companies, so these vulnerabilities cover a lot of cameras. And because firmware so rarely gets updated, vulnerabilities from several years ago are still subject to exploit.
It Gets Worse
Heffner pointed out that most security cameras are connected to the office network. "I'm in your network, I can see you, and I'm root," he said. "Not a bad position! I have root-level control of a Linux-based machine inside your network."
"But let's take a step back," Heffner continued. "What can I do to the camera itself? I can modify the video stream, the classic Hollywood hack." He finished up with a real-world demonstration, setting up a camera to protect a bottle of beer on the speaker's table. With the camera in place, he launched an exploit that tweaked the administrator's view to show the bottle, safe and sound while he "stole" the bottle. The attendees loved it.
Insecurity Camera?
"Most of these bugs are epically trivial," concluded Heffner. "Most cameras will tell you the model number even if you're not authenticated. I can Google the model, download the firmware, and start analyzing it without ever buying a device." In fact, Heffner developed all of these attacks strictly by firmware analysis, before ever testing on an actually camera.
Asked if he'd found any security cameras that he couldn't hack, Heffner said no. "There are so many more, but I would have needed a two-hour talk, at least."
The Shodan website makes it easy to search for cameras that are visible online. If you have security cameras in your office or factory, your video feeds may already be wide open. Even if they're not, it's very likely that a hacker could take control of the video feed. In particular if you're using cameras from any of the vendors mentioned, you'll want to carefully review Heffner's presentation, as it contains full details that would allow anyone to hack the affected cameras. There's more at stake here than worrying about Danny Ocean blanking your cameras for a heist.