Subscriber Discussion

Washington DC Police Surveillance Hacked - What Manufacturer's Cameras / Recorders Were Used?

PS
Paul Shah
Jan 28, 2017

Hackers hit D.C. police closed-circuit camera network, city officials disclose

I wonder what recorders and cameras they are using?

MM
Michael Miller
Jan 28, 2017

I was just about to post this.  Would be interesting to know what system they have. 

U
Undisclosed #1
Jan 28, 2017
IPVMU Certified

Targeted ransom attack on video data?  Unlikely.

Can only be collateral damage/accidental, due to infected Windows host.

Thanks for posting though.  It's a sign that these data hostage attacks are on the rise.

MM
Michael Miller
Jan 28, 2017

"Archana Vemulapalli is Washington’s chief technology officer. She tells the newspaper that officials are investigating the source of the hacking. She says the incident was limited to the closed-circuit TV system and didn’t affect other D.C. government networks."

U
Undisclosed #1
Jan 29, 2017
IPVMU Certified

Thanks. I read that too.  

Do you think that it was a targeted attack on IoT devices?

Who would pay the ransom?

MM
Michael Miller
Jan 29, 2017

Do we even know if they wanted a ransom?  Maybe they just wanted to have the system shut down for a couple of days or video deleted.  Do we even know it was ransomware? Way too many unknowns at this point to make assumptions, though I am very interested in learning more.

U
Undisclosed #1
Jan 29, 2017
IPVMU Certified

City officials said ransomware left police cameras unable to record between Jan. 12 and Jan. 15. The cyberattack affected 123 of 187 network video recorders in a closed-circuit TV system for public spaces across the city, the officials said late Friday.

MM
Michael Miller
Jan 29, 2017

Sorry, I don't believe everything I read in the news.  Especially when it comes to security or politics. 

U
Undisclosed #1
Jan 29, 2017
IPVMU Certified

Sorry, I don't believe everything I read in the news. 

So you believe this

but not the very same article that says

Anyway, why did you ask me *twice* if it was ransomware if you knew it was reported to be by the Post?

Of all the types of malware, ransomware may be the easiest to identify: it comes up with a message demanding money in exchange for decrypting your files.  It's kind of hard to mistake.

Or do you think they are just lying about it being ransomware as opposed to DDoS?

What would that gain?

MM
Michael Miller
Jan 29, 2017

This is going way off topic. I don't have any direct knowledge of what happened so I have no clue as to if what was reported is actually what happened. Normally the security world is very tight-lipped about system compromises and system failures, especially high-profile systems like this in the nation's capital.

U
Undisclosed #1
Jan 29, 2017
IPVMU Certified

This is way off topic.

Look, you asked a question, I answered it; after that it's on you.

PS
Paul Shah
Jan 30, 2017

All these attacks are via the authentication. With current username and password standards, these attacks will continue and at greater scale.

The only solution will be to change authentication standards.

U
Undisclosed #1
Jan 30, 2017
IPVMU Certified

How do you know that?

PS
Paul Shah
Jan 30, 2017

Undisclosed #1,

In order to install the malware on a device, the attacker would have to gain access to the device. Access is gained via a username and password.

This problem has been solved with technologies like the FIDO Alliance and, conceptually, Apple's Touch ID. These technologies will be a while before they are mainstream, but the solution is out there.

U
Undisclosed #1
Jan 30, 2017
IPVMU Certified

In order to install the malware on the device, the attacker would have to gain access to the device.  Access is gained via a username and password.

Disagree.

Paul, this is ransomware, assuming you believe the CTO of Washington D.C. 

And ransomware attacks are, at least according to Wikipedia,

typically carried out using a Trojan, entering a system through, for example, a downloaded file or a vulnerability in a network service. The program then runs a payload, which locks the system in some fashion, or claims to lock the system but does not (e.g., a scareware program). Payloads may display a fake warning...

Now could this attack have been a novel form of ransomware delivery, targeting Linux-based IoT devices, perhaps using a modified Mirai bot?

Sure, it's possible.

But there have been very few, if any, ransomware IoT attacks in the wild reported. (Although IPVM member Andrew Tierney has created a thermostat ransomware POC as a demonstration, very entertaining!)

JH
John Honovich
Jan 28, 2017
IPVM

Paul, thanks for sharing. I emailed the Post reporter asking him that and will update if he has any information [He responded saying that info was not shared].

Otherwise, surely some members know what system is being used here. Please share.

UI
Undisclosed Integrator #6
Feb 09, 2017

The problem came from portable computer(s) that were used to download stored video from the NVRs. The NVRs were not infected from a direct network-based intrusion from the outside world, i.e. the issue came from the computers used to connect to the NVRs to gather stored video, much like one could do for city cameras on poles that have their own NVR.

UM
Undisclosed Manufacturer #2
Jan 29, 2017

I am not sure which system you all are referring to in DC but a few years ago I went to Washington with my family and what I saw being deployed as a city surveillance system was Axis. 

U
Undisclosed #3
Jan 29, 2017

More ransomware - this time in access control

Victim pays $1600

U
Undisclosed #1
Jan 30, 2017
IPVMU Certified

Yes, the number of attacks is increasing.

Similar to the OP, it sounds like the PC running the system was infected with ransomware:

The incident took place earlier this month and hit the computer managing the hotel's electronic key lock system, reservation system, and the cash desk system, according to local media.

As a result, the electronic door locking system went down, new electronic room keys couldn't be issued, and new arrivals couldn't be confirmed as guests.

IMHO, this is also not likely to be an intentionally targeted hack, i.e. someone trying to take down this particular hotel's Access Control system, but rather just someone downloading something on a PC used for the lock system.

U
Undisclosed #4
Jan 30, 2017

This note was interesting:

The network video recorders are connected to as many as four cameras at each site, she said.

"As many as four cameras"? So, they're obviously using some sort of very small appliances then.

Very interested to hear what comes back on this. I'm going to reach out to a few folks and see if they can find out what they might have...

U
Undisclosed #1
Jan 30, 2017
IPVMU Certified

"As many as four cameras"? So, they're obviously using some sort of very small appliances then.

Good catch.  Sounds like it could be a NAS solution and maybe Paul is right with the Mirai ransomware :)

U
Undisclosed #1
Feb 22, 2017
IPVMU Certified

Turns out to be a Windows computer after all.  Most likely random infection therefore, not targeted.

JH
John Honovich
Feb 06, 2017
IPVM

Update: Two in UK arrested over Washington DC suspected CCTV hack. Lots of sources running the same article but very few details so far, only saying it was a man and a woman, aged 50.

U
Undisclosed #1
Feb 06, 2017
IPVMU Certified

Perhaps they were Windows machines.  

From a dc net structured cabling document:

UM
Undisclosed Manufacturer #5
Feb 06, 2017

It looks like an attack on NVR only.

Letting any "security" devices connect to the internet without a firewall is really playing with fire.
