IP Camera Manufacturer Pressures Talk On Security Vulnerabilities To Be Cancelled

John Honovich
Oct 06, 2015
IPVM

The manufacturer(s) who did it are not disclosed, but a talk on Abusing Network Surveillance Cameras has been cancelled. An article on ITWorld talks about legal pressure, but does not get into specifics. Here is the LinkedIn Profile for the researcher Gianni Gnesa.

Undisclosed #1
Oct 06, 2015
IPVMU Certified

Access control manufacturers are less concerned with a sister talk:

Attacking Physical Access Systems

This talk will move beyond the card and explore all of the PACS components. After an overview of the components and architecture, we’ll discuss their unique attack surfaces, and how to locate them. Finally, we’ll put all of the attacks together to achieve complete takeover.

The manufacturers should have some fun with them and lock them in the conference room...

(1)
Steve Mitchell
Oct 08, 2015

*sigh*

This article appears to have a little more detail.

http://www.theregister.co.uk/2015/10/08/hitb_remote_exploit_ip_cameras/

(1)
John Honovich
Oct 08, 2015
IPVM

Steve, thanks for sharing.

I wonder what weight those legal threats are based on. What's the grounds?

I imagine it's more to scare than real substance.

(1)
Undisclosed #1
Oct 08, 2015
IPVMU Certified

I'm not buying it, sorry everybody.

Reasons:

The article says:

The consultant for Zurich-based Ptrace Security found holes in pricey IP cameras sold on the shopping site for up to $600. Each camera vendor made claims about the high security integrity of its hardware, yet all were found to be hackable over the internet.

and then

An unnamed vendor caught up in the research hit Gnesa with a legal threat after he prepared to present his work at the Hack in the Box conference in Singapore next week.

So, just one vendor threatened him? And he decided it was too risky?

Over a camera hack disclosure? pleeeeeze!

He couldn't show any of the other manufacturers' cameras? Surely, he could find enough material to get thru the talk with, no?

Anyway, worst case could have just done a 7-day responsible disclosure of a flaw or two, first.

Is anyone actually winning cases against pen testers anyway? Even zero-day ones?

Publicity stunt.

(1)
Steve Mitchell
Oct 08, 2015

I basically agree.

Reading between the lines of that second article, I'd guess they simply collected a bunch of the usual suspects--vulnerability-wise--and didn't have much to present anyway.

It's not hard to make the case that one can render a given camera unusable--given that any device can be knocked off the internet with a DDoS attack (depending on how it's set up). Or most are running at least one service that may be out of date and can be taken down with a tailored attack. And of course there are lots of default passwords out there.

If there was any real meat to this potential presentation it could have proceeded without naming the vendor that supposedly threatened him.

I suspect they get more publicity from being 'silenced' than they would have from delivering a ho-hum talk about a bunch of common vulnerabilities.

(1)