Toka - A Hacking Platform For Video Surveillance Devices Examined

By bashis mcw and Charles Rollet, Published Dec 30, 2022, 08:30am EST (Info+)

Israel cyber firm Toka was recently featured in Israeli media for letting "clients hack cameras and change their feeds – just like in Hollywood heist movies."

IPVM Image

NSO Group, also Israeli, is known for hacking smartphones, making Toka a similar solution but for IoT.

In this report, IPVM's Cybersecurity Director Bashis—discoverer of dozens of major video surveillance vulnerabilities—analyzes Toka and the technical feasibility of such practices.

Toka declined to comment about its methods, stating it "does not sell to private clients or individuals" and "has never encountered illegal usage of its products."

Executive *******

******* *******, *** ********** ************ ******* unnoticed ** *** *****, ** ******** but ******* *** *********, ********* ****** support ****** **** * ***-****-****-*** ****. Toka ****** **** * *********** ** vulnerabilities ** *** ***** *** ********* from ******, **** ****-****** ******* *********** paying ***** **** ** **** ****** on-site ** **** * ******.

******* ******* **** ******** ***** ***** for *********** ** **** ******* * court *****. **** **** **** ** would "*********** *********" *** ****** ***** its ******* *********, *** *** *** specify (** ** ***** ****) *** it ********* ***** ***** *** **** operation.

Toka **********

************* ******** "********** ********** ******** **** ************* capabilities ** *********** ***** ****** *** crime." **** **** ** ** "************* in *** ****, ******, *** ** Washington, *.*., **," ******* *** ***** co-founders *** ******* *** ****** *** employees *** ***** ** ******,********* ** ********:

**** *** ***** **-********:**** ************* *******, **** **-**** **** **** *** startup ***********, ********* *****, * ******* ****** ******* ****** (IDF) ******* *** ****** ** *** chief ** *** *** ***** ***** and ** *** ****'* ********.

Toka ***** ******** ****** "******," "************"

******* ************************ **** **************** *** ******* ** "***** *****" of "***** *** ******" ********** ** allow "******* ** **-**** **********" ****** "covert **********." **** **** ****** **** ************* *** **** ***** *** '**** VISINT' ******** ** ******** ******* ** "Access ******** *******" *** ******* *******, permitting ****** ******* "************" *** ************:

IPVM Image

*** ******** **** **** "*** ******** supports *** *** ***** **** *** camera ******." *******, * ****** ************, such ** *****, *** ******+ ******(*** ***/**********) ** **** ********* ***** be ********** ** * ****** *** doesn't ********** *** *******.

Possible ******* ******* ********

************* * ************* ******,******* Ó **********, **** **'* "********** ** ****" if **** ****** ******* ** **** already-exposed *******, ******* *********, ******* ***** own ********, ** *** ***** *******. IPVM ******** **** ***** *** *** three *******.

VSaaS/VMS ***************

*** ****** ** ***** *** ****, particularly ***** *** ****** ***** ***** able ** *****/******/******** *****, ***** ** through *****/***/***/*** ******* (*** ********** *******.) This ** ************ ** ******** ******** are******** ** **************. *** ****** *** ** ******* VSaaS ***************, ** *** **** ** provided ** ***** *********.

******** ****** ******* ******* ********* ** the ******'* *** ****, ** **** claims, ******** ************* ********* ** *** structure ** **** ****** *** (***** are **** ********** *******). ** * practical *****, ********** **** ********** ***** be *********** *** ******* ****** ****** procedures.

*********/****

*** ********* ****** *****, **** *** also *** *********/****—** ****, * **** job ** ** ******** *** ******* ****************** "********** **** ** ************* ******* such ** ****, *********, ***" ** an *********. **** ******** ******** ******** and *** ******* *****, ********* ** the **** ** ******* ****** *** Line ** ***** (***). *******, ** this ** *** ****-****** **********/************ ************, such ******* *** ****** ** *** for * ***** **-**** *** * day.

***** *** ***** ********, ********* **** many ************ ******* *** ** ********* networks ******* **** ******. *** **** type ** ****-******** ****** ***** *** blink ** ******** * ******* ** dispatch ** ****** **-****.

Already-Exposed *******

********** ******* ***, ** ******, ** great ******** ** ***** **** ****, as ***** ** ** ********** ****** of **** ********* ** *** ********, with **** ***** *************** *** **** likely ******* ***************. ** ** **** to*** **** *** *** ****** *** ******* **********, e.g. **** *** ** ******* ********* cameras ** ************ *********:

IPVM Image

***** *** *********** ***** *************** ** Toka's ***** **** **** ******* **** fixed *** *** ***** ****** *****, as **** ******* *** *** **** up ** **** **** *** ****** fixed *******. **** ****** ** *******, as *** ******** *** ***-**-**** (***) but ***** ** ******* *.*.*** ****** *********/***** ********************** **** ***,*** *******.

**** *** ***************

'****-***' *************** *** ***** *******/********* ** manufacturers *** **** ****** ****** ** hackers. **** *************** *** **** ******; it *** **** **** ** ****** and **** ****, *** ** ***** an ********** ****** ** **** ** find *************** **** *** ** **** for ************.

** ***** ** ************ ** ***** that *** ****-*** *************** ***** ** found ******, ******** **** ********* ***. **** likely, **** *************** *** ********* **** companies ************** ******** **** ******* ********* ******** researchers.********* **** ****** *** ****-*** *************** to *** **** ***** ***** *** product.

Requires ****** *******

* ******** **** ****'* ***** ********* require ********** ******* *** **** **********, as ********(*) *** **** ******** ******** regarding *************/********/********. **** ******** *** ** **** to ***********, *** ****** *** ** difficult *** **** ** * *****-*** process.

Legal *****

******* **** ****** ******* ** **** countries ** *******, *.*. *** ** Computer ***** *** ***** **********"************* ******[***] * ********* ******** ******* authorization" *** **** ******* "******** **********" activities ** *** ***********.

*** *******, ******** **************** ** *** ** ********** ** Justice**** ********** ** ****** ******** ***** and ***** (** ** * ***** in ******), **** ***** *** ********** to ****** **** ***** (** ** 20 ***** ** ******), *** ********** identity ***** (********* ******* ** ****** in ****** *********** ** ***** ***********).

**** ***** **** *** *** ******* to * **** ** ********* ***** risks. **** ** ****'* ******* *** not ** *** ******* ******, ** the ** *** **** ********* ********* such ********* ********** ******* ***** ****** even *** *** *********** *** ************ agencies.

Toka ********

**** ********* **** **** *** *********** of *** ******** *******. **** ******** to ******* ** ******** *******, *** provided **** * ********* **** ** "*** ***** *********** ******* ***** ** its ********, ** ** ***, **** would *********** ********* **** ********" ****** it "**** *** **** ** ******* clients ** ***********":

IPVM Image

**** ******** *** ***********, ******** ********, defense, *** ************ ******** **** ******** and * ******** ** ***, **********, and ******** ***** ************** *** **********. Toka *** ******* ** **** ********, intelligence, *** *** *********** ******** *** tools **** ******** **** *** ******* to ********, *******, *** ****** ****** the *********** **** ******* ** **** people, ******, *** *********** ****.
**** ** ****** ** ******** *** our ********* ***. ** *** *** that **** **** ***** ** *** U.S. *** *** ******* ******. ***** no ************* **** *** ******* **** our ******** ** ********* ** ******** sanctioned ** *** *.*. ****. ** Treasury ** ********** ** *** ******* Defense ****** ******* ****** — ******** our ********* ********* ** ******** ** fewer **** ***-***** ** *** ********* in *** *****.Toka **** *** **** ** ******* ******* ** ***********.
** *** ** ****, **** ******** a ********, ****** ****** *** ******** process **** ** ****** ** ************* indices ** **********, **** ** ***, and ***** ********* *** ***** ** outside ******** **** ********* *** ********* expertise ** ****-********** *********.
**** ** ********* ** *** ******* Ministry ** *******, *** ** ****, is ********** **** ********** *** ********’ security **********. *****Toka *** ***** *********** ******* ***** of its products, if it did, Toka ***** *********** ********* that contract. [emphasis added]

**** ********* *** ***** *** **** can ****** **** *** ******** *** used *******, *** *******, ******* **** requires ***** ** * ***** ***** for **** *********.

** ** ***** ****, **** *** not ******* ** *** ******-**. ** they **, ** **** ******.

Comments (5)

Undisclosed #1

01/01/23 01:37am

******, ***** *** ***** **** ** order *** ***** ***** ** ***** to ** ********* **** *** *********** targets **** ******** ****** ** *** BIOS ** *** ****... *** ***, say,** ********* **** ** *** ***********?

Agree

Disagree

Informative

Unhelpful

Funny

bashis mcw

In reply to Undisclosed #1 | 01/01/23 11:41am

**, * ***** ***** **** ** is ******** *** ** *** ****, but * ******* **** ** ****-*** and ******* ***** ******* ** *********** exploit.

Agree

Disagree

Informative: 1

Unhelpful

Funny

Undisclosed Integrator #2

01/01/23 05:50am

*** **** ******** ******** ** ** run **** * ** ********* ** the ******* ** ** *** *** itself?

Agree

Disagree

Informative

Unhelpful

Funny

bashis mcw

In reply to Undisclosed Integrator #2 | 01/01/23 12:10pm

****** ** *** ****** ****** ** what ******, *** ** *** ***** vulnerable ******* ** *** *******, *********/**** access, *********** ******* *******, ** ****** types **** ** ******* ****** ********.

Agree

Disagree

Informative: 1

Unhelpful

Funny

Undisclosed #1

01/04/23 10:25pm

********* **** *** **** * ******** ******* *******: ******** *******

*****Toka *** ***** *********** ******* ***** of its products, if it did, Toka ***** *********** ********* that contract.

*** ***** (*** ***** *******) **** exactly *** **** ***** ** **** documentary.

Agree

Disagree

Informative: 1

Unhelpful

Funny

Login to read this IPVM report.

Why do I need to log in?

IPVM conducts reporting, tutorials and software funded by subscriber's payments enabling us to offer the most independent, accurate and in-depth information.

Toka - A Hacking Platform For Video Surveillance Devices Examined

Comments (5)

Undisclosed #1

bashis mcw

Undisclosed Integrator #2

bashis mcw

Undisclosed #1

Login to read this IPVM report.

Subscriber Login

Loading Related Reports

Login to view the video.