Washington DC Surveillance Hackers Arrested

By: Brian Karas, Published on Dec 29, 2017

The US Department of Justice has announced that "Two Romanian Suspects Charged With Hacking of Metropolitan Police Department Surveillance Cameras in Connection with Ransomware Scheme" that occurred in January 2017.

IPVM initially covered the technical details in March 2017 examining Washington DC MPD's Surveillance Equipment.

In this note, we examine the criminal complaint affidavit, new information provided and the role the vendors involved, including Avrio and Genetec, had on this hack. 

***** ********** ** ******* has ************* "*** ******** ******** Charged **** ******* ** Metropolitan ****** ********** ************ Cameras ** ********** **** Ransomware ******" **** ******** in ******* ****.

**** ********* ******* *** technical ******* ** ***** 2017 ********* ********** ** ***'* ************ Equipment.

** **** ****, ** examine *** ******** ********* affidavit, *** *********** ******** and *** **** *** vendors ********, ********* ***** and *******, *** ** this ****. 

[***************]

Recorders **** *** ********** *******

** ********* ********* *********, *** ****** ******* claimed *** *** ******** used ****** ********* ** launch ** ***** **** campaign ** ********** **********. The ********** ******* **** launched **** *** *********** machines ** ** ******* by *** ******* ** disguise ***** ****** ******** and **** ** ****** to ** ****** ** authorities.

Hackers *** ********** ** ************ *** *******

***** ** ** ******** that ****** ** *** hackers ************ ********* ************ equipment, ** *******, *** *** they **** *** ******** in *** **** ** recorded ***** ** *** recorders. ** ** ****** the ******* **** ******* the ******* **** ***** and ******** ** *** MPD *** **** *** city ************, ** *** they **** ***** ** this, **** ***** **** likely ****** ** *** machines **** ***** ** less ****** ** ***** an ************* ********.

Equipment ****

** ********* ** ********** ** ***'* ************ Equipment, *** ******* ********** of *** ****** ****:

Integrator *****

*****, *** **********/*** **** built *** ******* **** by *** *** *********** ** ******* ** 2014. *********** *********, ***** ********** ********** as "the ******'* ******* ******** of **-************ ********* **** wireless ********", *** "********** results": 

****** ***********, **************, *** similar **********-******** ********* **** Avrio's ****** ******** ****.

Remote ******* ****** ********* *******

*** (****** ******* ********) was **** ** *** hackers *** ****** ******* of *** ****** *********. Having *** ********* ** the *******, *** *** blocked ** * ******** was ****** *** ******'* primary ********** ** ********* these *******. ** ***** frequented ** *****-*********, *** Secret ******* ***** *** following **** ** *** of *** *******, ******* for "*********" ** ******** with *** *******:

Low **** ******* **** ** ***** *******

********** *** ******* **** caught ** ***** ******** found ** **** ** the ****** *********, *** tracing ***** ******** **** by **** *******. *** Secret ******* *** **** to link ***** ***** ******** to ***** ********, *** access ** ******* **** Google *** ***** *********, ***** ultimately *** **** ** the ******* ****** ********** and *********. ***** ** the *********** ** *** Secret ******* ******, *** hackers **** ********, *** not *********, ***** ** conceal ***** ********** *** location, *** **** ******** primarily ******* ***** *******, and *** *** ****** of *** **** ** high **** ******** *******.

************, ******* ******** ** logs *** *********** **** on *** *********, *** Secret ******* *** **** to ******** **** ******* of *** *******, *** contacted ***** ******* ** retrieve ********** ******* **** helped ** ******** *** hackers:

Responsibility ** ******* *** ***********

***** **** ********* * fundamental ****** ********:

  • ******* ******* *** *** ********** with ******* ******** *** accounts ** *** ******* OS, ******** *** ******* to **** ****. ******* *** since ******* ******** **** ******* settings *** *** ********** the **** *** ********* to ****** ********* *************** for ***** ******* [**** no ****** *********].
  • *** ******* **** **** publicly ********** *** *** not *** * ***, a ******* ********* ** the*********** ******* ****. *** *** ****** video ************ ******, *** certainly *** ** *******, exposing *** ******* ** public ****** *** * major *******. *****'* ***** led ********* ** ******* that **** **** ********** best-in-class *** *******-***** ********* optimized *** **** ******** applications, **** ** **** they ******** ******* **** multiple *************** ******* *** unchanged ******* ******** *** lack ** ****** ************.

Comments (8)

Undisclosed #1

IPVMU Certified | 12/29/17 06:24pm

There is no evidence that points to the hackers specifically targeting surveillance equipment, or Genetec, nor did they have any interest in the live or recorded video on the recorders.

Yes, just targeting Windows.

Undisclosed Integrator #2

In reply to Undisclosed #1 | 12/29/17 07:48pm

I would say it was targeting stupidity, or laziness, more than Windows. How long would you guess it has been since those Server have been updated? 

Undisclosed Integrator #3

01/01/18 07:14am

This will probably be enough to get my boss to listen to me.  Thanks for sharing.  

Avatar

John Day

01/02/18 03:42pm

I'm floored that the customer didn't require the contractor to use a VPN and that the hackers used rdp to get in - that's almost as low tech as using default passwords!

At what point do we actually use the word "negligent"? What I'd love to know is whether there was anything in the specification requiring any baseline of network security or whether this was purely the integrator leaving the system open.

Unfortunately whoever is at fault would probably claim (correctly) that this is an accepted practice in the security business.

Undisclosed #1

IPVMU Certified | In reply to John Day | 01/02/18 04:04pm

Do you think an exposed rdp port is more or less vulnerable than a cameras exposed http port?

Avatar

Scott Napier

In reply to Undisclosed #1 | 01/02/18 04:15pm

I would say they are close to no different, but RDP is probably scanned for more frequently which means is it probably more of a vulnerability if my assumption is correct.  

Undisclosed Integrator #3

In reply to John Day | 01/02/18 04:17pm

I would argue that depending on a contractor to secure your critical networks is a bad idea from the start.  You should have competent professionals on staff to not only enforce standards on these contractors, but also to test what they install and verify it meets all appropriate protective measures.  

Avatar

John Day

01/02/18 04:56pm

Both are an issue - if the bad guy knows rdp vulnerabilities then he can probably get everything he needs to know off a service like Shodan. A hack using rdp would likely give the bad guy full control of the system in question - a hack of a camera would usually only give you access to the device.

Which is more vulnerable? Based on a quick Shodan search, cameras are certainly more plentiful... a rdp hack would be more destructive.

The issue with this is that anything (like RDP) that isn't essential to the operation of the system should be blocked by the firewall. 

 

Read this IPVM report for free.

This article is part of IPVM's 6,435 reports, 865 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now

Related Reports

Dahua Critical Cloud Vulnerabilities on May 12, 2020
Dahua has acknowledged a series of cloud vulnerabilities that researcher...
30 Million Criminal Face Database Tested (Captis Intelligence) on Apr 27, 2020
30 million criminal mugshots are now available for facial recognition...
Vape Detection Legal Battle: Soter Sues IPVideo Corp on Jul 22, 2020
The crosstown vape detection rivals are now in a legal battle. While IPVideo...
Anyvision Layoffs on Mar 19, 2020
Anyvision has conducted a layoff, citing the impact of coronavirus, joining a...
Faked Coronavirus Fever Detection, Athena Used Hikvision; Responds - Selling NDAA Compliant Cameras, Pledging 50% Of Profits to Victims on Mar 24, 2020
US company, Athena Security, faked its coronavirus fever detection marketing,...
Terrible Convergint Coronavirus Thermal Camera Recommendation on Apr 01, 2020
A week after Convergint disclosed falling revenue, pay and job cuts,...
London Live Police Face Recognition Visited on Feb 13, 2020
London police have officially begun using live facial recognition in select...
The Problem With Fever Detecting Thermal Sunglasses on Apr 15, 2020
While the media has promoted using thermal sunglasses to detect fevers, this...
JCI Sues Genetec For Patent Infringement on Jul 13, 2020
Surprisingly, security giant JCI has sued their partner, security software...
ROG Security - Cloud AI For Remote Monitoring on Jan 28, 2020
ROG Security is offering cloud-based AI analytics to remote guard companies,...
Wrong Dahua Australia Medical Device Approved on Jul 20, 2020
Dahua's body temperature system is now in Australia's medical device...
ADI Branch Burglary on Apr 03, 2020
A security systems distributor branch is an odd target for burglary but that...
Defendry Presents AI Active Shooter Security System on Jul 14, 2020
Defendry presented its Active Shooter security system at the May 2020 IPVM...
Vulnerability Directory For Access Credentials on Feb 20, 2020
Knowing which access credentials are insecure can be difficult to see,...
Face Shields Impact On Temperature Measurement And Mask Detection on Jul 27, 2020
First, the use of face masks, and now, plastic face shields are rising...

Recent Reports

VSaaS Will Hurt Integrators on Aug 06, 2020
VSaaS will hurt integrators, there is no question about that. How much...
Dogs For Coronavirus Screening Examined on Aug 06, 2020
While thermal temperature screening is the surveillance industry's most...
ADT Slides Back, Disappointing Results, Poor Commercial Performance on Aug 06, 2020
While ADT had an incredible start to the week, driven by the Google...
AHJ / Authority Having Jurisdiction Tutorial on Aug 06, 2020
One of the most powerful yet often underappreciated characters in all of the...
SIA Coaches Sellers on NDAA 889B Blacklist Workarounds on Aug 05, 2020
Last month SIA demanded that NDAA 899B "must be delayed". Now that they have...
ADI Returns To Growth, Back To 'Pre-COVID Levels' on Aug 05, 2020
While ADI was hit hard in April, with revenue declining 21%, the company's...
Exposing Fever Tablet Suppliers and 40+ Relabelers on Aug 05, 2020
IPVM has found 40+ USA and EU companies relabeling fever tablets designed,...
Indian Government Restricts PRC Manufacturers From Public Projects on Aug 04, 2020
In a move that mirrors the U.S. government’s ban on Dahua and Hikvision...
Directory of 201 "Fever" Camera Suppliers on Aug 04, 2020
This directory provides a list of "Fever" scanning thermal camera providers...
Face Masks Increase Face Recognition Errors Says NIST on Aug 04, 2020
COVID-19 has led to widespread facemask use, which as IPVM testing has shown...
Dahua Loses Australian Medical Device Approval on Aug 04, 2020
Dahua has cancelled its medical device registration after "discussions" with...
Google Invests in ADT, ADT Stock Soars on Aug 03, 2020
Google has announced a $450 million investment in the Florida-based security...
US Startup Fever Inspect Examined on Aug 03, 2020
Undoubtedly late to fever cameras, this US company, Fever Inspect, led by a...
Motorola Solutions Acquires Pelco on Aug 03, 2020
Motorola Solutions has acquired Pelco, pledging to bring blue back and make...
False: Verkada: "If You Want To Remote View Your Cameras You Need To Punch Holes In Your Firewall" on Jul 31, 2020
Verkada falsely declared to “3,000+ customers”, “300 school districts”, and...