Washington DC MPD's Surveillance Equipment

Published Feb 21, 2017 16:25

The Washington DC Metropolitan Police Department's surveillance system was hacked in January 2017.

Two immediate questions were:

  • Whose equipment was it?
  • How did it happen?

We have been able to answer the first of those two questions through obtaining government records, which we examine inside.

Executive *******

*** ********* **** **** ***** ******** consisting ** ****, *********** *** *******.

Source *********

*** ********* (**) ******* *** ******** ********* ** the *** ** ******* * ******** CCTV ****** ** ****: (*)**** ******** *********** (*)**** *** ************. *** ***** ********, ***** ******** the ******** ***** ********* *** ******** of ** "******* **** ****** ******** Outdoor ******* ************ ******" (*****) *** the ******, ****** *** ********* *********.

***** **********

*** ******* *** * ******* ** Avrio *** *****. ***** *** ** IP ***** *** ******* ** ******, MD. ***** *** ********** ** ***** cameras, Avrio *** ***** ******** ** *******.

***** *******

*****'* ******* *** ******** ** ************** that ****** ** ****** ****** ******* and ********* **** ***** *****. *******'* could ** ********** **** ********* ******** to **** ******** ************, ** *** time ***** ****** ****, ********,  *******, OnSSI, *** **** ** **** ** their ********.

MPD ******* *************

******* *********** *** ******** ********* *** ******** ********* ***** **** in *** ******** ******** ** *** ***. The ******* ********** ********:

*** *********** ****** ********* **** ***** systems **** ***** ******** ************** *** video ******. *******, *** ** *** configured *** *** * ****** *** able ** ****** *** ********* ** unknown.

Ransomware ******

** * ********** **** ******* ** *** ****, *** ***'* *** **** **** ransomware *** ***** ** *** ********* (presumably ******* **-** *****). ********** ******** **** ****** on * ******* ***** *** **** pays *** **** ** ******* * decryption *** ** ******* *** **** to ** *********** ******. ** ** not *** ***** *** ****** ** the **-**'* *** *********** ** ***** hackers ** ******* *** **********.

Ongoing *************

** *** ********** ** *********** *** details ** *** ****, ********* ************* with *** ************* ********, *** **** release * ******** ****** **** **** information ******* *********, ****** **** **** or **** ***** *******. ****** **** direct *********, ****** ******* ** ** info@ipvm.com ************* ***** **.

Comments (14)
Undisclosed #1
Feb 21, 2017

Can Hitachi shed more light on this as Avrio is part of them?

Rich Moore
Feb 21, 2017

Avrio Group Surveillance Solutions is located in Easton, MD, not Eaton. I live in Maryland, so I noticed.

Marty Calhoun
Feb 21, 2017
IPVMU Certified

Thank you for the story and we look forward to the final report.

It will be interesting to see how far or how deep the published results will be concerning GENETEC, AXIS or CRADLE POINT. Amazing that this apparent 'hack' has even made it to the news without blaming Chinese camera manufacturers.

Undisclosed #2
Feb 22, 2017
IPVMU Certified

So it was a Windows machine after all!

That makes sense because that's the platform that ransomware overwhelmingly targets.

One scenario would be that a user PC was infected first through an ill-advised download. Once a client PC was infected, state of the art ransomware has the capability to infect other PCs on the LAN based on credentials found on the infected PC.

Undisclosed Integrator #3
Feb 22, 2017

IPVM must have been so disappointed it wasn't Hikvision.

Rian Schermerhorn
Feb 22, 2017

Disappointed, I'd think, is the wrong word. Maybe a little surprised, but I personally would be even more surprised if I found out that Wash. DC surveillance was actually using a Chinese product like HIK.

Most would probably agree that Axis and Genetec are pretty strong when it comes to their focus and efforts toward cyber security, so all this information does is strengthen and enforce the reality that even the best products are vulnerable without outside help, and that installers / integrators today have as much responsibility as ever to ensure that the network side of the house is no longer a separate conversation. Physical and cyber security systems will never be secure when they are treated separately.

Undisclosed Manufacturer #5
Feb 24, 2017

I doubt that; remember, this is a Genetec system. Unlikely they were attached to Genetec ;)

Paul King
Feb 23, 2017

So the hack occurred outside MPD's firewall? And also, was it done wirelessly? Questions to ask before sounding the alarm.

Samuel Rodgers
Feb 23, 2017

Sounds like they went in through the cell 4G modem to access the SV16... I am assuming each pole site has an SV16 connected to the 4G router to connect back to the main Genetec system, and a small switch connected to the cameras on a local network.

We have a similar setup since we have a bunch of scattered buildings that connect back to the main system over the internet, SV16 and Axis cameras. However, we do have a Cisco firewall appliance at each location to protect our SV16s, so that those are only reachable from within our own network. Without that, it would just be a Windows machine exposed to everything.

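A concrete version of the pole-site segmentation the comment above describes, added here as an illustration and not the commenter's, MPD's, or Genetec's configuration: a default-deny inbound policy on a Cisco ASA-style firewall sitting between the 4G modem and the SV16. The interface names, the addresses, and the two TCP ports are assumptions chosen for the example; the page does not state which ports the Genetec services actually use, so the real list has to come from the deployment's own documentation.

```text
! Added example, not the article's or the commenter's config. Assumed topology:
!   outside = interface facing the 4G modem (public cellular address)
!   inside  = pole-site LAN holding the SV16 appliance and the Axis cameras
! Addresses and service ports below are placeholders, not Genetec's actual values.
object network SV16
 host 192.0.2.10
object-group network HQ_VMS
 network-object 198.51.100.0 255.255.255.0
object-group service SV16_SVCS tcp
 port-object eq 5500
 port-object eq 554
! Only the HQ VMS subnet may reach the SV16, and only on the listed ports.
access-list OUTSIDE_IN extended permit tcp object-group HQ_VMS object SV16 object-group SV16_SVCS
! Everything else arriving from the cellular side is dropped and logged,
! which is what keeps a Windows NVR from being "exposed to everything".
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

After applying it, `show access-list OUTSIDE_IN` shows per-rule hit counts; a climbing count on the final deny line is the quickest confirmation that probes from the cellular network are being dropped rather than reaching the appliance. If the head-end address is not fixed, the stronger form of the same idea is a site-to-site IPsec tunnel over the cellular link, with the permit rule referencing the tunnel's private subnet and nothing at all permitted from the public side.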
Matthew Netardus
Feb 23, 2017
IPVMU Certified

Has there been any information released about how this first came to light, or how the infection started (was it a hack of the wireless system, through a camera, through the NVRs, or done with a physical attack on the hardware itself)?

Were any other DC systems compromised as a result of this or was it contained to just the edge based appliances?

Undisclosed #4
Feb 24, 2017

I keep hoping that someone will have these details, but I'm guessing that we will never know...

John Honovich
Feb 24, 2017
IPVM

"I keep hoping that someone will have these details"

More details are going to come. It's just early.

This is not like Mirai where hundreds of thousands of devices were hit around the globe and therefore it was easy to figure out what was happening.

Matthew Netardus
Feb 24, 2017
IPVMU Certified

Has there been a mention of who was behind it? I know it ended in ransomware (I am assuming the city did not pay, or at least will publicly say they didn't pay; getting someone out to just wipe and re-install all of those machines seems do-able at this scale, I suppose), but it would be interesting if they were able to pinpoint what group or individual was behind it.

John Honovich
Feb 24, 2017
IPVM

"Has there been a mention of who was behind it?"

On Feb 4th, there was an announcement that 2 were arrested in London. I have not seen any new news reports since on those arrests.

Robert Shih
Feb 24, 2017
Independent

I think...and this may be a wild guess, this is a Windows vulnerability. Especially with the ransomware element and the fact that the Genetec appliance is Windows (and from 2013 probably 7 Pro [8 if they were stupid]) based...and knowing the overall mindset, they probably disabled updates so it was vulnerable.

In fact, chances are, most of the rest of the equipment probably isn't compromised. Just the NVR.
