Shaken-Not-Stirred Technology Mixed Right!

Brett Wynkoop


System, Network, And Data Security Stupidity
Stupid Security Camera Trick

A few years ago I purchased 2 IP cameras from TigerDirect. They were Trendnet TV-IP110 security cameras. Before I purchased them I determined by speaking to a Trendnet representative that the cameras ran GNU/Linux. This would be good if I needed to do some custom work on them. I was also told that all features of the camera would work using any browser on any computer. Well, I was upset when I got the camera and discovered that MS-Windows and ActiveX were required to access all the features of the camera. I was even more upset to discover that there was no ssh or ssl on the camera. A phone call to Trendnet tech support about the total lack of security was met with the response that it had to be secure because there was a password. It seemed that the fools at Trendnet had never heard of snooping the wire to get plain-text credentials. I further poked at the camera and found the flaw recently reported by the Console Cowboys. I made another call to Trendnet, again requesting the source code and offering to work with their people to fix the issues. Not only did they refuse the source code request, but they also still refused to see the GLARING OBVIOUS security flaws in their product.
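The "snooping the wire" point above rests on how HTTP Basic authentication works: the browser sends the username and password base64-encoded, not encrypted, in the Authorization header of every request, so anyone who can see the traffic recovers the credential exactly as the camera does. The following Python is an added example written for this page; it is not code from the original post, from Trendnet, or from the Console Cowboys. The captured requests, their paths, host addresses and the credential are all constructed for illustration.

```python
"""Recover HTTP Basic-auth credentials from captured plain-text requests.

Added example for this page, not the post author's code. Every request
below is a constructed sample (hypothetical camera paths, addresses and
password) standing in for what a passive listener sees when a browser
logs in to an HTTP-only device.
"""
import base64
import binascii

# Constructed sample requests as they would appear on the wire.
# The password deliberately contains a ':' to exercise the split rule below.
CAPTURED_REQUEST = (
    "GET /cgi/video.cgi HTTP/1.1\r\n"
    "Host: 192.168.10.20\r\n"
    "Authorization: Basic YWRtaW46cGFzczp3b3Jk\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

CAPTURED_REQUESTS = [
    CAPTURED_REQUEST,
    # No credential at all: the harvester must skip it.
    "GET /status.cgi HTTP/1.1\r\nHost: 192.168.10.21\r\n\r\n",
    # Digest scheme: the password is not directly recoverable this way.
    "GET /cgi/video.cgi HTTP/1.1\r\nHost: 192.168.10.22\r\n"
    'Authorization: Digest username="admin", realm="cam"\r\n\r\n',
]


def parse_headers(raw_request: str) -> dict:
    """Return the request's headers as a dict keyed by lower-cased name.

    The request line is skipped; a header value keeps any ':' after the
    first one, so 'Host: 192.168.10.20:80' survives intact.
    """
    head, _, _body = raw_request.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def extract_basic_credentials(raw_request: str):
    """Return (user, password) from a Basic Authorization header, else None.

    Basic auth is base64, not encryption, so decoding is all it takes.
    RFC 7617 forbids ':' in the user-id but allows it in the password,
    hence the split on the first colon only. Malformed base64 and other
    schemes (e.g. Digest) yield None instead of a bogus credential.
    """
    auth = parse_headers(raw_request).get("authorization")
    if auth is None:
        return None
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def harvest_credentials(requests):
    """Map each Host that sent Basic credentials to the (user, password) seen.

    This is what a passive listener on the same segment collects from an
    HTTP-only device; nothing beyond parsing is required.
    """
    leaked = {}
    for raw in requests:
        creds = extract_basic_credentials(raw)
        if creds is None:
            continue
        host = parse_headers(raw).get("host", "<unknown>")
        leaked[host] = creds
    return leaked


if __name__ == "__main__":
    for host, (user, password) in harvest_credentials(CAPTURED_REQUESTS).items():
        print(f"{host}: user={user!r} password={password!r}")
```

On a real network the input would be the request text pulled out of a packet capture (tcpdump's `-A` option or Wireshark's "Follow TCP Stream" both show it as-is); the decoding step is identical. Serving the same interface over TLS is what removes the Authorization header from the wire, which is why the absence of SSL on the camera, not the presence of a password, is the problem.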

I put the cameras away since TigerDirect would not accept a return on them. This past week I pulled them out with the thought of putting them to use somehow. I discovered that Trendnet has at last posted the code, so there is some hope that if I put up a cross-compile environment I just may be able to fix the issues.

Unfortunately, the most recent firmware update (February 2012) from Trendnet still has all the security flaws: no SSL or SSH, and the ability to BYPASS the BASIC AUTH.

I just checked several other IP cameras from other makers, only to find that they do not seem to have any idea about system or network security either. What is worse is that some of them also seem to be GNU/Linux based, but do not seem to supply source code.

While Trendnet does supply source code, they seem to mix up all the sources for all their cameras into one zip file. They seem to be following the letter of the GPL, and not the spirit of the GPL. They provide no guidance as to what needs to be compiled for which camera and also do not provide any information on how to set up the binary firmware package.

Why in this day and age are the above issues still common? I strongly believe it is because those of us in the know just accept that this is the way of things. We do not make enough noise about security flaws such as poorly designed hardware/software systems and most so-called security cameras. For years vendors have been supplying routers, cameras, and other devices with only http or telnet access. Many vendors I have spoken to have used the excuse that including ssh or ssl on the administrative interface would take too much memory or disk space. We all know that neither statement is true.

Time for change:

It is time for a change. The only way this change can happen is if we refuse to accept such poor excuses for products as are currently on the market. We need to tell our friends and family about the security flaws and encourage them to vote with their pocketbooks. We, as knowledgeable professionals, need to put pressure on vendors to supply products that are not 20+ years out of date in their security layers. When you see a poor product, make noise. First contact the maker and tell them. If they will not fix the problem, then post the flaw everywhere you can. Let everyone know about the problems. If we, the geek elite, do nothing, there is no telling what harm will come from poorly engineered products. It might also be time for a class action lawsuit against a vendor or two for using known flawed security practices in their products.
