Toka - A Hacking Platform For Video Surveillance Devices Examined

By bashis mcw and Charles Rollet, Published Dec 30, 2022, 08:30am EST

Israeli cyber firm Toka was recently featured in Israeli media for letting "clients hack cameras and change their feeds – just like in Hollywood heist movies."

NSO Group, also Israeli, is known for hacking smartphones; Toka is a similar solution, but for IoT.

In this report, IPVM's Cybersecurity Director Bashis—discoverer of dozens of major video surveillance vulnerabilities—analyzes Toka and the technical feasibility of such practices.

Toka declined to comment about its methods, stating it "does not sell to private clients or individuals" and "has never encountered illegal usage of its products."

Executive *******

******* *******, *** ********** ************ ******* unnoticed ** *** *****, ** ******** but ******* *** *********, ********* ****** support ****** **** * ***-****-****-*** ****. Toka ****** **** * *********** ** vulnerabilities ** *** ***** *** ********* from ******, **** ****-****** ******* *********** paying ***** **** ** **** ****** on-site ** **** * ******.

******* ******* **** ******** ***** ***** for *********** ** **** ******* * court *****. **** **** **** ** would "*********** *********" *** ****** ***** its ******* *********, *** *** *** specify (** ** ***** ****) *** it ********* ***** ***** *** **** operation.

Toka **********

************* ******** "********** ********** ******** **** ************* capabilities ** *********** ***** ****** *** crime." **** **** ** ** "************* in *** ****, ******, *** ** Washington, *.*., **," ******* *** ***** co-founders *** ******* *** ****** *** employees *** ***** ** ******,********* ** ********:

**** *** ***** **-********:**** ************* *******, **** **-**** **** **** *** startup ***********, ********* *****, * ******* ****** ******* ****** (IDF) ******* *** ****** ** *** chief ** *** *** ***** ***** and ** *** ****'* ********.

Toka ***** ******** ****** "******," "************"

******* ************************ **** **************** *** ******* ** "***** *****" of "***** *** ******" ********** ** allow "******* ** **-**** **********" ****** "covert **********." **** **** ****** **** ************* *** **** ***** *** '**** VISINT' ******** ** ******** ******* ** "Access ******** *******" *** ******* *******, permitting ****** ******* "************" *** ************:

*** ******** **** **** "*** ******** supports *** *** ***** **** *** camera ******." *******, * ****** ************, such ** *****, *** ******+ ******(*** ***/**********) ** **** ********* ***** be ********** ** * ****** *** doesn't ********** *** *******.

Possible ******* ******* ********

************* * ************* ******,******* Ó **********, **** **'* "********** ** ****" if **** ****** ******* ** **** already-exposed *******, ******* *********, ******* ***** own ********, ** *** ***** *******. IPVM ******** **** ***** *** *** three *******.

VSaaS/VMS ***************

*** ****** ** ***** *** ****, particularly ***** *** ****** ***** ***** able ** *****/******/******** *****, ***** ** through *****/***/***/*** ******* (*** ********** *******.) This ** ************ ** ******** ******** are******** ** **************. *** ****** *** ** ******* VSaaS ***************, ** *** **** ** provided ** ***** *********.

******** ****** ******* ******* ********* ** the ******'* *** ****, ** **** claims, ******** ************* ********* ** *** structure ** **** ****** *** (***** are **** ********** *******). ** * practical *****, ********** **** ********** ***** be *********** *** ******* ****** ****** procedures.

*********/****

*** ********* ****** *****, **** *** also *** *********/****—** ****, * **** job ** ** ******** *** ******* ****************** "********** **** ** ************* ******* such ** ****, *********, ***" ** an *********. **** ******** ******** ******** and *** ******* *****, ********* ** the **** ** ******* ****** *** Line ** ***** (***). *******, ** this ** *** ****-****** **********/************ ************, such ******* *** ****** ** *** for * ***** **-**** *** * day.

***** *** ***** ********, ********* **** many ************ ******* *** ** ********* networks ******* **** ******. *** **** type ** ****-******** ****** ***** *** blink ** ******** * ******* ** dispatch ** ****** **-****.

Already-Exposed *******

********** ******* ***, ** ******, ** great ******** ** ***** **** ****, as ***** ** ** ********** ****** of **** ********* ** *** ********, with **** ***** *************** *** **** likely ******* ***************. ** ** **** to*** **** *** *** ****** *** ******* **********, e.g. **** *** ** ******* ********* cameras ** ************ *********:

***** *** *********** ***** *************** ** Toka's ***** **** **** ******* **** fixed *** *** ***** ****** *****, as **** ******* *** *** **** up ** **** **** *** ****** fixed *******. **** ****** ** *******, as *** ******** *** ***-**-**** (***) but ***** ** ******* *.*.*** ****** *********/***** ********************** **** ***,*** *******.

**** *** ***************

'****-***' *************** *** ***** *******/********* ** manufacturers *** **** ****** ****** ** hackers. **** *************** *** **** ******; it *** **** **** ** ****** and **** ****, *** ** ***** an ********** ****** ** **** ** find *************** **** *** ** **** for ************.

** ***** ** ************ ** ***** that *** ****-*** *************** ***** ** found ******, ******** **** ********* ***. **** likely, **** *************** *** ********* **** companies ************** ******** **** ******* ********* ******** researchers.********* **** ****** *** ****-*** *************** to *** **** ***** ***** *** product.

Requires ****** *******

* ******** **** ****'* ***** ********* require ********** ******* *** **** **********, as ********(*) *** **** ******** ******** regarding *************/********/********. **** ******** *** ** **** to ***********, *** ****** *** ** difficult *** **** ** * *****-*** process.

Legal *****

******* **** ****** ******* ** **** countries ** *******, *.*. *** ** Computer ***** *** ***** **********"************* ******[***] * ********* ******** ******* authorization" *** **** ******* "******** **********" activities ** *** ***********.

*** *******, ******** **************** ** *** ** ********** ** Justice**** ********** ** ****** ******** ***** and ***** (** ** * ***** in ******), **** ***** *** ********** to ****** **** ***** (** ** 20 ***** ** ******), *** ********** identity ***** (********* ******* ** ****** in ****** *********** ** ***** ***********).

**** ***** **** *** *** ******* to * **** ** ********* ***** risks. **** ** ****'* ******* *** not ** *** ******* ******, ** the ** *** **** ********* ********* such ********* ********** ******* ***** ****** even *** *** *********** *** ************ agencies.

Toka ********

**** ********* **** **** *** *********** of *** ******** *******. **** ******** to ******* ** ******** *******, *** provided **** * ********* **** ** "*** ***** *********** ******* ***** ** its ********, ** ** ***, **** would *********** ********* **** ********" ****** it "**** *** **** ** ******* clients ** ***********":

**** ******** *** ***********, ******** ********, defense, *** ************ ******** **** ******** and * ******** ** ***, **********, and ******** ***** ************** *** **********. Toka *** ******* ** **** ********, intelligence, *** *** *********** ******** *** tools **** ******** **** *** ******* to ********, *******, *** ****** ****** the *********** **** ******* ** **** people, ******, *** *********** ****.

**** ** ****** ** ******** *** our ********* ***. ** *** *** that **** **** ***** ** *** U.S. *** *** ******* ******. ***** no ************* **** *** ******* **** our ******** ** ********* ** ******** sanctioned ** *** *.*. ****. ** Treasury ** ********** ** *** ******* Defense ****** ******* ****** — ******** our ********* ********* ** ******** ** fewer **** ***-***** ** *** ********* in *** *****.Toka **** *** **** ** ******* ******* ** ***********.

** *** ** ****, **** ******** a ********, ****** ****** *** ******** process **** ** ****** ** ************* indices ** **********, **** ** ***, and ***** ********* *** ***** ** outside ******** **** ********* *** ********* expertise ** ****-********** *********.

**** ** ********* ** *** ******* Ministry ** *******, *** ** ****, is ********** **** ********** *** ********’ security **********. *****Toka *** ***** *********** ******* ***** of its products, if it did, Toka ***** *********** ********* that contract. [emphasis added]

**** ********* *** ***** *** **** can ****** **** *** ******** *** used *******, *** *******, ******* **** requires ***** ** * ***** ***** for **** *********.

** ** ***** ****, **** *** not ******* ** *** ******-**. ** they **, ** **** ******.

Comments (5)

******, ***** *** ***** **** ** order *** ***** ***** ** ***** to ** ********* **** *** *********** targets **** ******** ****** ** *** BIOS ** *** ****... *** ***, say,** ********* **** ** *** ***********?

**, * ***** ***** **** ** is ******** *** ** *** ****, but * ******* **** ** ****-*** and ******* ***** ******* ** *********** exploit.

*** **** ******** ******** ** ** run **** * ** ********* ** the ******* ** ** *** *** itself?

****** ** *** ****** ****** ** what ******, *** ** *** ***** vulnerable ******* ** *** *******, *********/**** access, *********** ******* *******, ** ****** types **** ** ******* ****** ********.

********* **** *** **** * ******** ******* *******: ******** *******

*****Toka *** ***** *********** ******* ***** of its products, if it did, Toka ***** *********** ********* that contract.

*** ***** (*** ***** *******) **** exactly *** **** ***** ** **** documentary.
