For one thing, you don't know what other dependencies exist around the current parameters of those systems. Some of them may be monitored and have automation software programmed to respond to specific channel names/camera names.
This is true, no matter how few instances of Internet accessible, and password defaulted Dahua DVRs are likely to have PSIM integration dependent on the actual channel string, which then might miss an important event before the new label was noticed.
It could happen. Even one would be one too many. And even though I might argue that someone with such a sophisticated and critical system would prefer to be notified of their vulnerability, that is not my call.
So forget changing channel names, which could be considered cyber-vandalism.
Therefore Version 2 just triggers a custom event. Which causes a window to appear on the console. Much more elegant and appropriate, something like "Internet Access Detected - from shodan.io, blah, blah, blah, change your password..."
As for the law, the big one in the U.S. is the Computer Fraud and Abuse Act, and it has seven statutes: I would expect you would agree that 1, 3, 4, 6, 7 are not applicable. Starting with 2 then:
2) Whoever who intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains... information.
This one does not apply, since I retrieve no information. In fact, I close the TCP/IP socket before reading even the return code.
Statute five seems the most problematic, it breaks into 3 sub-paragraphs: A, B, C
5A) Whoever knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
This one fails because I certainly am not intentionally causing damage, even if damage is done, I do not wish for it to be.
Which leaves us with 5B and 5C, of which the Version 1 channel rename method would arguably be in violation of both.
- 5B) Whoever intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
- 5C) Whoever intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.
However, with the Event pop-up method, I find it a stretch to imagine any damage or loss. No information is changed or erased, only an additional event is created.
Also, if it came down to a lawsuit you have posted here publicly that you were debating "hacking" cameras. Even though your post is undisclosed your actual information would easily be subpoenaed.
Agreed that information could be subpoenaed, disagree that it is likely to be used against me for two reasons.
- The use of the word "hacking" is clearly used by me as a shorthand way to communicate the mechanics of the act easily to others. As the entire discussion would be read, my intention is would be understood not to cause damage to anyone's system. In fact, I would be the first to provide this discussion as a priori as opposed to ex post facto evidence of my intent.
- I wouldn't do this unless I have at a strong belief that it is legal.
Officially, I wouldn't recommend pursuing something like this. But if you didn't take my advice, I also wouldn't recommend posting a public request for comments about it.
I understand your concern and did not undertake this lightly. But as I said, as I would not knowingly do something illegally, I would rather hear any objection and be able to discuss it with the widest ranging input possible before making such a decision.
Thank you for your comments, and please continue to challenge any of mine as you see fit.