Dear all,
last month I was visiting New York and I found this group of cameras at 96 St Subway station. Could not determine which brand they were.
Anybody here can provide info on this matter?
Excuse the blurry picture, I tried to not look suspicious ...
Thanks in advance for helping me out.
It looks like a battery of fixed domes, I'm guessing that look at aisles or entry point queue lines, and then two PTZs near the ends that are likely operator controlled?
Yes, right. They were monitoring entry/exit turnstiles. They had the same battery at the other side of the turnstiles, which seems overkill for me. That is one of the reasons I would like to know the brand of the cameras.
Looks like Panasonic outdoor domes mounted in the pendant kit:
The second one from the left is some indoor PTZ mounted in an outdoor housing, so not sure what that is. Probably also Panasonic. They have a pretty strong presence in city projects.
Thanks, Ethan.
Judging the commercial pictures of the camera, there was no way to see the brand without getting arrested or looking extremely stupid ...
Don't be shy. I take pictures all the time to add to my " What not to do" folder.
One time I was boarding a plane, and just standing there and there was an Avigilon camera with the plastic film still on it. It was clearly a finished install. People looked at me and kept looking at the camera, as to why I was taking the pictures.
They look like Panasonic Vandal dome, such as WV-SW355 or WV-SW559 or WV-NW502 or similar and the PTZ is WV-SC385 or WV-NS202 in an housing. Models will vary depending on age... The PTZ is definately an IP one. The dome could be IP or analog. The one Ethan shows is a much newer model, so I doubt that is the actual one.
Not sure why they mounted them in such an ungodly way. The fixed domes are vandal resistant. Not sure why they are dropped down. The PTZ could have been recessed...
Thanks, my friend. I also agree that the final installation is weird, but I would assume that those metal panels can be opened (there is something like hinges on the sides of them), therefore it is not a very good idea to install the cameras over there.
I would figure facial recognition is why they have them dropped down on the pendants..
Somebody should do a study and see if crime is eradicated in the area directly underneath the line of cameras :)
I can't recognize the brand, all I can see is the reason NYC $ubway fare$ keep ri$ing.
...all I can see is the reason NYC $ubway fare$ keep ri$ing.
Yet turnstile height has remained remarkably consistent over the years, keeping the barriers of entry low for those in the most need :)
Funny picture. I assume one of the functions of these cameras is for people counting. If the camera counting doesn't match the turnstile counting, they know how many "jumpers" they have in a month. :-)
Funny how we all talk about security loop holes (recent IPVM reports etc.), but someone 'undisclosed' can still easily post an image on IPVM and ask IPVM members about the camera brand. What if that someone 'undisclosed' is a hacker trying to know the brand first so he can go crack the code? Just saying...did not mean to attack anyone :) Cheers. Sorry IPVM and 'Undisclosed 1'
Parvinder, are you being serious here? Please clarify so I can respond appropriately.
Yes Sir, being serious here. Looking forward to know more about your views on it.
What if that someone 'undisclosed' is a hacker trying to know the brand first so he can go crack the code?
Any legitimate hacker is not going to be blocked by finding out what the model is. The bigger issue will be getting network access to the devices. Once they get network access, they can they start analyzing the transmission of the camera and probe the camera to see what ports are open and how it responds to various requests. For example, if they somehow get on the NYC subway's internal network (which is far harder than finding a camera brand, which is often marked on the exterior of the camera in public), http requests will often disclose the brand in the html markup (e.g., how we found the 80+ OEMs Verified Vulnerable To Hikvision Backdoor). Various other techniques can be used to exploit the device, etc.
So figuring out the camera brand of a camera in a public place is no material obstacle to actually hacking systems.
Sir, think of it from a hacker's point of view. As you would agree, any smart hacker would create a list of tasks first to develop his overall 'hacking' plan/strategy.
Here is an example strategy: Obviously, knowing a camera brand is much simpler than getting access to the network. So, he starts off by checking what the camera brand is (task 1 completed) before attempting to get on someones network (task 3). Once he know the brand he simply go buy it, and start exploiting it in his lab (task 2 completed). Once he has a good understanding of camera protocols and how the camera responds to his commands in his lab environment, he is now in a better position to proceed to task 3 (get access to someone's network) and quickly exploit the camera by using all the tools/commands he learnt in his lab environment (what a time saver!). [Obviously, he is not going to hack a network first and then start analyzing how to hack the camera]
So, the point is, in above scenario, task 1 is still pending as the camera manufacturer or installer did not explicitly printed the camera model/brand for public viewing. Thus Mr. Hacker is looking for other ways to know what the camera model is so he can prepare himself before actually executing the next task in his list (getting network access).
Anyway, I just gave out an example hacking strategy above :(
But what is the ultimate point of this theoretical hack? All that effort just to mess with a camera? If the hacker can already get onto the network, then he can attach any device he wants to do whatever, no need to take over a camera for some kind of attack. If the goal is to disrupt the video itself, you could do that as well through other means (ARP spoofing, traffic flood, etc.).
And if someone really wanted to know the camera brands, they could probably just find an opportunity to get a better picture in the first place (use a real camera, zoom lens for your phone, etc.).
Further, because IPVM is subscription-based and people have to sign up with credit cards, this would be an odd place for someone with that kind of ill intent to make such a post.
I think your suspicions of UD1 being some kind of hacker are better suited for a Hollywood script :)
"But what is the ultimate point of this theoretical hack? All that effort just to mess with a camera?"
- Whatever the reason may be, focus should be on 'how to make a bulletproof system' rather than leaving a security hole just because of.. 'all that effort just to mess with a camera?'
"If the hacker can already get onto the network, then he can attach any device he wants to do whatever, no need to take over a camera for some kind of attack."
- As John mentioned, getting network access is a bigger challenge. If a hacker is seriously thinking about having unauthorized access to someone's video surveillance system then he would first want to know what kind of a camera system his target is using so he can better prepare himself to access the system and yet go undetected without raising any red flags on the network or camera system side.
"And if someone really wanted to know the camera brands, they could probably just find an opportunity to get a better picture in the first place (use a real camera, zoom lens for your phone, etc.)."
- Yes, but in the specific scenario above, camera brand/model is not printed at all. In my experience some customers specifically request to hide camera brand and name as a security measure. Why publicly give out what brand/model security camera am I using on my property?
"Further, because IPVM is subscription-based and people have to sign up with credit cards, this would be an odd place for someone with that kind of ill intent to make such a post."
- I did not comment to judge on anyone's intent behind the post. I simply shared my views on how little things can create a security hole in the system.
"I think your suspicions of UD1 being some kind of hacker are better suited for a Hollywood script :)"
- There is no suspicion on my end, I just shared what if... with an example hacking strategy.
Cheers :)
he would first want to know what kind of a camera system his target is using so he can better prepare himself to access the system
Let's say the hacker finds out the brand. Since manufacturers put pictures of all their cameras publicly on their websites, this is obviously not hidden information in the first place. The hacker does not need IPVM. They can check manufacturer websites and/or use google image search. Maybe you should criticize manufacturers for putting up pictures of their products. Maybe they should hide them for security's sake. Maybe google image search should be shut down. (I am obviously being facetious).
Secondly, even if you know the brand and even if you know the exact model number, you cannot know the firmware version by looking at a camera. And if you are a real hacker and are going to hack a product, you need to know the firmware version to determine what vulnerabilities might exist specific to that firmware.
I guess your counter will be:
"But then this genuis hacker, who needed IPVM to figure out the model of a publicly installed camera with public pictures of the models on the Internet, can simply iterate through every firmware version of that camera mode, catalog every vulnerability for each firmware version, etc., etc."
So your conclusion then is people cannot discuss what the brand of a camera model is because that is going to be a hard part in some hackers attempt to infiltrate the NYC subway.
Wow John, there are tons of manufacturers out there, you think it is easier to just look at a camera and then go search on google/manufacturer website and guess its brand/model? No way! In my opinion, it is a lot easier to just come on IPVM, post the camera image, and then ask our knowledgable members about the model/brand.
And, no my conclusion is not that people can not discuss publicly installed camera models, they obviously can and will, my whole point was centered around little things that can leave a security hole in the system. Just blaming manufacturers is not going to solve the problem, everyone (manufactures, installers, IT teams) who serve in the industry is equally responsible to fight against the reported vulnerabilities.
You are doing a good job in exposing those vulnerabilities.
Cheers.
centered around little things that can leave a security hole in the system.
Parvinder, you are engaging in a shallow form of 'security through obscurity'. If a system is at material risk simply because 'hackers' know what the brand of the camera is, that is a very insecure system.
I am happy to accept that you mean well here but you are not materially improving security by worrying about whether people can find out the brand of publicly deployed cameras.
"If a system is at material risk simply because 'hackers' know what the brand of the camera is, that is a very insecure system."
- Sir, any hacker would prefer to know what camera system he is going to break into than trying to hack an unknown system. Knowing camera brand/model does not make that manufacturer's system insecure, it just helps hacker to better prepare himself with required scripts/tools before he actually attempt the hack on a live system.
"I am happy to accept that you mean well here but you are not materially improving security by worrying about whether people can find out the brand of publicly deployed cameras."
- I am happy that you are happy. We are all trying to improve security systems with our own little policies and efforts. Not giving away an installed camera manufacturer name publicly is a good policy in my opinion, might not be big of a deal for many, but for those who ask for it, I help them with it.
There is also another important consideration here: the NYC subway system's VMS is most likely a CLOSED system, or at best connected via VPN to other city agencies. It is common practice for municipalities, hospitals, military installations, etc. to run their security systems completely isolated Internet access. This means that even if the cameras are all set to user "admin" with password "12345," it will be next to impossible to hack into the video feeds. Real life is not Hollywood.
If you are at the station trying to hack in, all you need to do is look up. All Panasonic cameras have their brand facing the customer.
Instead of the hoodie gal buying an expensive camera, they'd first do some Googling around. Oh, lookie:
NYC Transit is now replacing the flawed equipment with devices manufactured by Panasonic and expect to have the cameras completely up and running in June
Edit: after finding out the model, they'd probably ask Shodan first to see if there's any of them online to poke. Only if they were very dedicated and had Big Bad plans would they spend money on it, I believe.
Thanks for the article, although it was written in 2010 and the 96 Station was opened in 2017. A lot of stuff can go on in 7 years.
True, although the bigger the installation is, the more likely it is to stay the same longer. The article was just to illustrate that there's often bits of information available on the internet about these systems, even though they're considered sensitive.
If one could get a glimpse of the VMS they're using, that would help too in deducing how their system is laid out and perhaps even what hardware is likely involved.
By the way, another interesting article about some hidden cameras in the subway had a nice picture of one. That's quite covert indeed: 
So figuring out the camera brand of a camera in a public place is no material obstacle to actually hacking systems.
True.
But now imagine that they’re identified as a row of Hik WiFi models :)
Wow, never thought this post could end this way. Not a hacker here, not remotely close. Just a technician with troubles even to terminate a RG-59 connector so... Your theory in my case is not applicable.
Thanks for the entertaining story tho...
Just a technician with troubles even to terminate a RG-59 connector so...
Really?
Methinks the technician doth protest too much...
The outdoor enclosure for the PTZ cameras seems to be a SONY UNI-IRS7C1 ...
Really strange combination.
No, it is a wren or videolarm housing, which Panasonic uses for their housings.
Videolarm RHW7CF2
Thanks for your input. Could not acesss Wren website, is this company still making business?
Absolutely Wren is still around. I am working with Wren currently on various projects. They are very responsive and great to work with. Their website came up for me with no problems.
I also forgot to mention Moog (pic below). Panasonic has used them in the past as well.
Can´t access their site, must have some type of region filter or something.
I´ll try later. Thanks for your help!
Weird indeed... doesn't work for me either where I live, but if I go through a VPN from UK or Iceland for example, it does. From US, Italy etc. it just gives some blank or a placeholder page for me.
Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.
