Genetec Comments on Washington DC MPD Hack
By: Brian Karas, Published on Mar 13, 2017
This January, the Washington DC police video surveillance system was hacked with ransomware, impacting 123 of 187 cameras.
Last month, IPVM confirmed that the police system was using Genetec recorders, Axis cameras and Cradlepoint equipment.
Now, Genetec has responded to IPVM's request with a preliminary statement.
Genetec: No Fault In Omnicast
After conducting an initial investigation, Genetec offered the following statement to IPVM:
"To the best of our knowledge, no security vulnerability was discovered, nor exploited within our software or appliances."
They did point out that their investigation is not 100% complete, and that they will be sending a notification to customers running Omnicast 4.1 (the version used by the MPD) once they have all details of the breach.
No Omnicast Updates Planned
Genetec also confirmed that they do not intend to release any patches or updates to Omnicast 4.x as a result of this attack or the investigations into it. Omnicast 4.x is still actively supported by Genetec, so the lack of patches or updates related to this issue is a further indication that Genetec believes its software was not at fault in this breach.
Genetec Promotes Hardening
In a recent blog post, Genetec called attention to their Hardening Guide for 4.x, in particular advising users of Genetec SV-16 or SV-32 appliances "to carefully review Section 4", which provides tips for securing Omnicast systems.
The key recommendations in this section are as follows:
- Change the default username and password of any video units or encoders attached to your system
- Set a password for the Genetec Admin user
- In the case of a Federated Omnicast system, create a new user with limited rights and a password. This user should only be used to access the Federation service
- Windows updates should be installed periodically. This will always ensure a secure Omnicast environment
- Change the password of the OmnicastSvcUsr
- Set up a password for the Omnicast console
Failure Of Best Practices Most Likely Cause
Genetec's statements, the absence of a software update or fix, and the republishing of a 5-year-old document together imply that the MPD incident was most likely avoidable and the result of not following a basic set of best practices. Over the past several years, Microsoft has introduced a number of security fixes for Windows vulnerabilities related to common services like remote desktop, IIS, and SMB. If the recorders had not received updates to the Windows operating system, they were likely vulnerable to several attack methods.
Potential For Other Genetec Appliances To Be Hacked
While this ransomware attack may not have been specifically attributed to a flaw in the Omnicast software, it did occur on appliances built and sold by Genetec. Other SV-16 or SV-32 appliances that were shipped with the same Windows build and not updated to Genetec's hardening guidelines are most likely susceptible to similar attacks. Users of these appliances should update them and ensure they are secured to Genetec's recommendations.
Call For Information On MPD Systems
We are still actively gathering information on the details of the MPD systems and attack methods. If you have information, you can email us anonymously at email@example.com or use an anonymous email service. As always, we keep the privacy of sources confidential.