Note. It turns out that the business name AVTECH, mentioned below, is used by two different companies. The company in the article is Taiwan-based AVTECH (avtech.com.tw) of Nangan, Taipei, which makes video surveillance equipment such as CCTV cameras and digital video recorders. That’s not the same as US-based AVTECH (avtech.com) of Warren, Rhode Island, which makes environment monitoring equipment such as temperature sensors and smoke alarms.
Indeed, with webcam security what it is, even the director of the US Federal Bureau of Investigation suggests covering up your webcam (we recommend a Sophos webcam cover, but a square of electrical tape will do just fine instead).
In fact, this story isn’t about consumer webcams, of the sort that you might plug into your laptop to make video calls, but about full-on CCTV surveillance systems, including internet cameras and video recorders.
That video system in your warehouse so that your security guards can keep an eye out for crooks on the property?
Imagine if the crooks could use the cameras to keep an eye out for your security guards in order to avoid them.
Those CCTV cameras you installed to watch out for cybercriminals installing skimming devices on your payment terminals or ATMs?
Imagine if the crooks could use them to watch out for innocent customers entering account details or PINs.
Those cameras you’re using to keep track of vehicle number plates in order to send penalty notices to drivers who don’t pay to park in your lot?
Imagine if the crooks could use them to keep track of who’s not at home.
Insecure CCTV systems are bad for security and privacy…
…and, ipso facto, good for crooks and creeps.
Learning our lessons
We still haven’t learned even the most basic lessons, it seems.
This time, the products under the spotlight come from AVTECH, a Taiwanese company that bills itself as “[bringing] new vision to the industry.”
Sadly, according to a recent disclosure by Hungarian security researchers, AVTECH’s concept of “vision” is much broader than you might like.
The researchers claim to have contacted AVTECH a year ago, then twice again in May 2016, and are going public now because they say that they still haven’t yet received any response, and the bugs are still there.
Unfortunately, a whole raft of AVTECH internet cameras and video recorders share many of the same easily-exploited holes.
- Anyone can retrieve the device configuration just by asking. For some reason, the web pages that generate this information don’t check that you’re logged in first.
- Many files and scripts on the device can be downloaded without logging in. The device doesn’t check carefully enough whether a filename you’ve requested is public or not, so you can trick the server into sending out files that it shouldn’t.
- Numerous web pages can be exploited to run commands on the device with root powers. The device doesn’t filter out system commands that have been sneakily added into URLs, leaving the door open to Remote Code Execution (RCE).
- Cloud synchronisation uses unauthenticated HTTPS. The device doesn’t check the TLS security certificates of the servers it’s connecting to, so a “man in the middle” (MiTM) can intercept and modify sensitive data.
- Device passwords are stored in plaintext files, instead of being salted-hashed-and-stretched. If you can combine this vulnerability with a hole that allows you to fetch files you’re not supposed to see, you’ll end up with the keys to the kingdom.
- The feature that makes it hard to guess passwords is optional. The device includes a CAPTCHA system so that you can’t login too quickly, which sounds like a security feature – until you realise that if you add
login=quickto the URL, the device won’t slow you down at all.
What to do?
If you have any AVTECH devices, you’re probably hoping that the company will finally get round to fixing these bugs, so watch out for any forthcoming firmware updates and apply them as soon as you can.
In the meantime, make sure you keep your AVTECH devices on their own separate network, and don’t administer or access them directly via the internet.
(Consider using a Virtual Private Network, or VPN, to enforce secure access to the camera network first, and then do all your administration via the VPN.)
If you’re an Internet of Things vendor who’s building devices that are designed to go onto a network, move “computer security” from the list of desirables to the list of necessities.
Then, move “computer security” from wherever it is on the list of necessities into first place.