Firm threatens action against CCTV whistleblower

A row has broken out between a supplier of secure CCTV products and a whistleblower who discovered a vulnerability in the company's products that allowed world+dog to view static images from any camera connected to its servers. The flaw affects the LookC 4x4 server and Pro IX server, some of which are installed in primary …

COMMENTS

This topic is closed for new posts.
  1. amanfromMars Silver badge

    Thugs'r'Us

    "Stephens could not be reached for comment in response to LookC's threats at the time of going to press on Friday afternoon (19 September)."

    Probably best all round whenever Golightly loses the plot and turns heavy.

  2. Anonymous Coward
    Anonymous Coward

    Turn off your LookC camera or be liable for its flaws

    Turn off your LookC camera, because they apparently have a security hole in them and you are exposing yourself to legal liability by using it now that you've been told they have the vulnerability.

    You don't know if they're secure now, or if LookC are just threatening researchers to conceal the insecurities. All you know is they *had* or *have* a security hole and tried to cover it up with threats and false accusations made to the police.

    Their statement to the police is clearly false, publishing info on a vulnerability on a website clearly does NOT show criminal intent. Ergo if they lie to the police, they can lie to you.

    Also since they don't let you know what that security hole is, you have no way of testing to see if it's been closed yourself. You can neither trust their word, nor test it yourself.

    So I'd turn off your LookC camera and avoid buying LookC products until their products can stand up to independent public security testing.

  3. Christoph

    Where's the news angle?

    Security researcher reports serious flaw to company

    Company ignores it

    Researcher publicises the flaw

    Company finally takes action - they try to have the researcher arrested

    This is about as unusual as the government losing personal data, or politicians lying.

  4. Mark

    The company's lack of security

    can only be the result of criminal intent. The CEO MUST be a paedo and wanted "plausible deniability" for his perversions if caught.

    After all, why would someone put cameras in all the private places of a school if not to view the antics of innocent children at play?!?

  5. Mike

    3 days?

    How can 3 days be enough time for something like this to be acted upon?

    I'm not surprised they are a bit hostile about it.

  6. Ferry Boat

    Kill the messenger

    Kill the messenger - it's the only language they understand.

    Idiots.

  7. Hollerith

    looks as if the person had a brain

    If you find something rotten in your company, you can 'go through channels' and lose your job, be sidelined, be fobbed off and strangely find yourself redundant in six months, or be bought off.

    If you want something to change, you have to put it out there in enough places that the sun will shine on it.

    Not 'criminal intent' but serious intent.

  8. Anonymous Coward
    Flame

    I'll see your criminal intent...

    ...and raise you criminal negligence via breach of contract, whereby the CCTV company are vicariously liable for paedos logging on to their networks and watching kiddies due to a failure to perform duty of care.

    Ar$eholes.

  9. Anonymous Coward
    Paris Hilton

    Ok, we're embarrassed

    And more so since you have now pointed out to the public that we're a bunch of wankers and our kit is rubbish. Now we're gonna have to sue you into silence.

    Paris, because she takes the good publicity with the bad.

  10. frymaster

    4 days to expect them to isolate, patch, test, and distribute?

    I strongly believe that in the cases where exploits are in the wild, or vendors refuse to cooperate, that public disclosure of vulnerabilities is in the best interests of users. There's no evidence of either of these here. It's very possible that the company wouldn't have given a toss without public disclosure, but we'll never know, will we? This guy has given this company enough rope to hang HIM by, all for want of a bit of patience and probably the desire for kudos. Posting an exploit is a lot sexier than pointing to a patch and saying "I found that issue"

  11. Alan Parsons
    Joke

    Think of the children

    People who think that bugs should be exposed are yoghurt drinking hippie tree hugging leftie liberal wankers. Security by obscurity is the way forward. If these cameras are in schools then hacking them should result in being neutered. He's a paedophile! Hang him etc

  12. Why
    Black Helicopters

    MIA?

    Stephens could not be reached for comment in response to LookC's threats at the time of going to press on Friday afternoon (19 September).

    Hmm, can't be reached. Is that a black heli...

  13. Gareth

    Hack...? Wha...?

    How is this a hack? The cameras, if not configured with security details, publish themselves on the public internet, saying "Cooo-ee boys! Look at me!" This guy merely said "Hey - here's how you can find them with a simple Google search."

    It's like, say I had this car, and the..... Oh buggerit - no bad analogies needed - it's just simply not a hack.

  14. Gary F

    Naughty to give public instructions on how to exploit insecurity

    The informer shouldn't have made the precise "hack" public. It's one thing to warn people about an insecurity but it's a different matter when you tell people how to take advantage of it.

    If the CCTV company had failed to act quickly then perhaps upping the ante by posting screenshots (with mosaic fuzz where necessary) of the hack in action would be justified to cause the panic and bad PR necessary to get it fixed.

  15. Tom

    @frymaster

    "There's no evidence of either of these here."

    Maybe they didn't respond, or told him to piss off, or said the new version is not affected so people should upgrade (I've received that one)... we don't know.

  16. Pierre

    Google has the flaw disclosure cached:

    http://64.233.169.104/search?q=cache:Ax9-Ou8eAUsJ:www.freepchelp.co.uk/forum/computing-news/3791-cctv-server-major-security-flaw-lookc-4x4-and-lookc-pro-ix-servers.html+LookC+camera&hl=fr&ct=clnk&cd=3&client=whatever-a

  17. Pierre

    PS: he apparently REALLY tried to tell them

    The post explains it.

    Here is the (short) part about the flaw (that's criminally obvious security hole, too):

    "The vulnerability is so simple, I bet LookC kicked themselves when they found out they missed something as obvious as this.

    Find a LookC server. This can be accomplished very easily by typing either of the following into Google.com: “LookC 4x4” or “LookC Pro IX”.

    In this example, we will use a made up server with the IP address of 123.456.789.10

    Using your web browser navigate to this address.

    http://123.456.789.10/

    Simply by adding the following after the last slash, we can open a backdoor and view a static image of the requested camera. Note the two queries in the URL: "&card" and "&camera". As it would suggest, "&card" is which card in the server we are accessing, and "&camera" is the CCTV camera we are accessing. There are 4 cameras to each card, so once we have reached camera 4 we would change the card value to “2” and the camera value back to “1”. This would display the 5th camera on the server.

    media/getimage_sid.php?card=1&camera=1

    The URL should read,

    http://123.456.789.10/media/getimage...ard=1&camera=1

    If you hit Refresh on your browser you can easily produce an almost streaming image of the CCTV Camera."

    I seem to remember that you can find tens of similar "google hacks" where they belong, but in that case the cams are marketed as secure (!).

  18. Mike
    Pirate

    Google cache

    Thanks to google cache and a quick web search I can confirm that this "exploit" is so easy as to be labeled stupid. I really couldn't call this an exploit or hack as you simply have to put the correct URL into your browser and you have images. There is no security whatsoever, as far as I could tell.

    where is the ROFLMAO icon.

  19. Anonymous Coward
    Anonymous Coward

    I found this...

    http://64.233.169.104/search?q=cache:Ax9-Ou8eAUsJ:www.freepchelp.co.uk/forum/computing-news/3791-cctv-server-major-security-flaw-lookc-4x4-and-lookc-pro-ix-servers.html+LookC&hl=en&ct=clnk&cd=9&gl=uk&client=firefox-a

  20. Anonymous Coward
    Anonymous Coward

    -4 days to expect them to...

    He has no duty to them, if he didn't report it to them, so what, their tough luck for releasing a buggy product. Even if it's -4 days, or NEVER.

    They do have a duty to make their products secure, perhaps they would consider that, rather than silence researchers?

    If they don't make crap products then people will not discover they are crap. The fix here is for LookC to make less crap products.

  21. Anonymous Coward
    Black Helicopters

    Security, schmurity!

    Man I love Google and its cache. And to think, if they hadn't kicked up a fuss I would never know about it! Is that a black helicopter on the CCTV????

  22. Troy Peterson
    Pirate

    Oh no! No More Pirate CCTV Images?!?!?

    So that's how El Reg gets their hands on all that wonderful CCTV footage of major stories. Is this the end of the quality insider reporting on such important issues? And I was really hoping to see some of that famous cctv footage of pirates today on International Talk Like a Pirate day, with Optimus Prime making an appearance of course.

    Please, Please, Please dedicate your top Hacker-Reporter-Boffins to finding us a new source for these quality images.

  23. Anonymous Coward
    Stop

    So another reason why CCTV is bad

    Seems CCTV needs pulling out of schools. If anybody puts a CCTV camera that's filming a school on the public networks, they should be taken out back and shot.

    I personally never liked the fact that I am watched without my consent almost everywhere these days. CCTV in public should require a licence!!

  24. Anonymous Coward
    Thumb Down

    I don't get it!

    Following the instructions:

    Find a LookC server. This can be accomplished very easily by typing either of the following into Google.com: “LookC 4x4” or “LookC Pro IX”

    produces barely a handful of LookC servers, so the problem is hardly widespread!!

  25. Anonymous Coward
    Thumb Down

    Audit trail

    There will be a nice audit trail - e.g. telephone bills showing he phoned the company, emails being sent, a late lamentable reply. etc.

    However, the threat of a company with finance to hire the best lawyers against one individual is enough to make the individual want to back off and go into hiding.

    I personally would have emailed the Information Commissioner via this form:

    http://www.ico.gov.uk/ESDWebPages/GenEnq.asp

    Now, if he didn't respond to this risk to children within a week then I'd be forced to do exactly what this chap has done and include my correspondence in the posting.

    I wonder if anyone has told the Information Commissioner that many educational institutions are in breach because of a lack of due diligence on their part?

  26. Pierre

    LookC4x1 too

    The (cheaper) LookC 4x1 is wide open too. Same URL construction. Same lack of security. Same sort of boring images (useful for a break-in or a robbery though).

  27. Nano nano

    Don't worry

    1. If there's an (e.g.) anti-war demonstration nearby, CCTV cameras seem to stop working by themselves for some reason ...

    2. He should have told Carol "Ocean Finance" Vorderman first anyway.

  28. Anonymous Coward
    Alert

    It's called the Streisand Effect

    Unbelievable - the supplier appears oblivious to similar recent disclosures (xref transport system payment cards) and how not to respond:

    http://www.wired.com/politics/security/commentary/securitymatters/2008/08/securitymatters_0821

    Let alone how to stop digging when in a hole:

    http://en.wikipedia.org/wiki/Streisand_effect

    Idiots.

    The internet gets what the internet wants...

  29. Nanki Poo
    Paris Hilton

    Er...

    I wondered what LookC had to say themselves, in the name of impartiality...

    Not seeing anything on this <surely> critical update I thought I'd try News and Support. Nope nothing there...

    Then I tried myLookC link... ha ha ha (For impartiality I tried it on Chrome, Firefox, and Exploder)

    http://www.grayzone.co.uk/lookc.jpg

    Nothing much I can add to that, a security firm who doesn't know their security...

    Paris, cos she possibly has better security from CCTV.

    Nk

  30. Steven Knox
    Stop

    Go Lightly

    Now that's a name some security "professionals" should know better.

    AC, of course Stephens had a duty -- not to LookC, perhaps, but to their customers. It's not a duty born of law or contract, but of ethics. He was right to disclose the fact that there was a flaw, and he was right to disclose the existence of that flaw to both LookC and the general public. Where he failed is in publishing not just the flaw, but (a) how to exploit the flaw, and (b) further information on how to use Google to find flawed systems to exploit. If you wish, you may be able to justify (a) as giving customers the info needed to test their systems, but (b) does nothing but ensure that anyone can exploit any of the flawed systems. It doesn't help fix the problem in any way, and by releasing that information without giving LookC or its customers time to respond to the discovery of the flaw, he did nothing but make the problem worse.

  31. William Bronze badge
    Unhappy

    Still working....

    Shame its Saturday though.

  32. bobbles31
    Coat

    Not wanting to sound too much like a Daily Mail reader with a up tw@t-o-tron set to kill but....

    what the fuck are schools doing connecting their CCTV system to the internet. Just a small detail I know, but how did anyone with even a minimum of intelligence not see a slight flaw in that plan?

    Whatever next? Banks trusting estate agents to sell mortgages....oh yeah right the whole crunch thing.....mines the one with a pair of wire snips in the pocket.

  33. Anonymous Coward
    Anonymous Coward

    Sounds familiar

    I recall another incident a couple years back, where certain consumer webcams put themselves on the web and could be found with a google search.

  34. Anonymous Coward
    Anonymous Coward

    Security flaw found in whistle blowing

    It would appear that if you publish without covering your tracks they can attempt to sue you :)

    Hmm, what could work well is linking into a dark net, there is no law about reporting on something and hey aren't we all journalists now.

  35. Ben Griffiths

    Daily Mail

    If I were him I would have wrote a quick letter to the Daily Mail explaining cctv cameras in schools were wide open to public viewing. Bingo, front page news and no nasty comeback.

  36. Anonymous Coward
    Anonymous Coward

    it's a serious crime that

    criminal intent meaning....................looking at the CCTV images and killing them with your death ray vision from 5000 miles away (through a monitor too. Impressive.) ?

    Who cares if they supposedly 'exploited' it by giving the information out. Why should that be a crime? Oh, we must sweep this under the rug and try to stop this kind of information getting out. Umm.. why??? The last time I heard, it was not illegal to refuse to cover someone else's ass.

    The problem should've been fixed or MAYBE...you know.. not insecure in the first place.

  37. ikki

    Pls, have a look at http://www.wiretrip.net/rfp/policy.html

    Have a look at: http://www.wiretrip.net/rfp/policy.html

    As you can see, the vendor has 5 days to reply to the first email (5 days is a reasonable time to avoid problems with holidays, time zones and so on...). Even if I don't like the vendor's reply, this is not ethical full disclosure indeed.

  38. P. Lee
    Pirate

    It's a problem with the vendor?

    Maybe. It's dumb to put backdoors in like this, but.... if you put a video camera on the internet instead of behind a firewall, it's a little like leaving the keys in your car and the doors wide open. Sure it's illegal to steal it, but who would be surprised if it went?

    If it's sophisticated enough to have a built in webserver, doesn't it have IP address connection filters to protect it at the network layer?

    Skull icon - he's rolled his eyes back so far they fell out.

  39. Anonymous Coward
    Thumb Down

    The implications are obvious to me...

    Here is a company in the security business that prefers to threaten the person that told the world about a hole in their product that threatens the security of their customers instead of fixing the problem and keeping their customers safe. "It's OK. If they don't know about it then it doesn't matter."

    I'm not sure which is more frightening from a security company; That they might think it's OK for a flaw to exist as long as the customer doesn't find out or that they might be living in fairyland and believe that there aren't people on the net that would exploit it. The other possibility is that their understanding of computer security is so poor they've made such a mess and made this exploitable code so essential to their software that they can't fix it without having to throw the whole thing away and start again.

    Continued selling a product that they knew had a flaw of this severity *strike 1*

    Didn't fix it as a matter of urgency *strike 2*

    Tried to muzzle the messenger to stop customers finding out *strike 3*

    Clearly not a company I could ever trust. They've been added to my mental Rolodex of companies that will never find their way through the door at any of my customers if I have anything to do with it.

  40. Anonymous Coward
    Thumb Down

    @Steven Knox

    I beg to differ. By publishing the details, the company was forced to fix its buggy product.

    A software company who, no doubt, hides behind a EULA that states something to the effect of "we are not liable if this software screws up your PC or your life".

    Even companies like Microsoft can take an age to fix security bugs if they are not under pressure.

  41. Mark

    re: Naughty to give public instructions on how to exploit insecurity

    Even naughtier is to put cameras in schools without putting some form of security in place. This "hack" is no such thing, any more than I can "hack" your computer by sitting next to you and watching what you type...

    This exploit should have been absolutely impossible. It should never have been IN the product. Releasing this information on how there IS NO SECURITY is the only thing that can be done.

  42. Anonymous Coward
    Unhappy

    Old news

    Google camera surfing is ooooold news.

    There's loads of cameras out there with this "vulnerability" and quite a few owners who know about it.

    Kinda hard to miss when some of the cameras are controllable via the web. This was news in 2005 :(

    Points for anyone that can find a link to the German(?) guy that offers you cake when you play with the camera.

  43. Anonymous Coward
    Go

    sufficient time to respond

    For those who have been complaining that 3--4 days isn't enough to close the hole, let me put on my imagination cap and help you (and LookC) find a quick solution. 1) The leak was shown to be via a URL. 2) Either the URL was to a static page, in which case 3a) you lock down that directory and all is well, or it was to a dynamic script, in which case 3b) you remove that script from the web site. Since the primary function of the web side of the system seems to be to provide a live feed rather than static (albeit "live") snapshots, and notwithstanding the suggestion of hitting refresh repeatedly to get a "live feed", this "feature" seems to be surplus to requirements and shutting it down should hardly cause any knock-on effects to the core functionality of the system. Of course, all of this assumes a certain degree of care in designing and coding the system in the first place. Oh, right... Sorry, I just seem to have shot my argument in the foot there...
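Read from the defender's side, comment 17 pins the leak to one endpoint (`media/getimage_sid.php?card=N&camera=M`) and comment 43 proposes locking that endpoint down. The script below is an added example, not LookC's code or anything from the disclosure: it scans web-server access logs in Combined Log Format for that path and reports image fetches from addresses outside an operator allowlist, fetches the lock-down refused (HTTP 403), and sources that walked through many card/camera pairs. The log lines and the allowlist address are constructed for the example.

```python
"""Spot unauthenticated image pulls from a LookC-style CCTV web server.

Added example (not vendor code). It assumes the server writes Combined
Log Format access logs and that the operator knows which addresses are
legitimately allowed to view images (the ALLOWLIST below is constructed).
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

IMAGE_PATH = "/media/getimage_sid.php"   # endpoint quoted in the disclosure

# ip ident user [time] "METHOD target HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines using documentation address ranges, not real traffic.
# 203.0.113.7 sweeps five cameras; 198.51.100.9 gets one image and is later
# refused once the script has been locked down (403).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Sep/2008:10:01:02 +0100] "GET /media/getimage_sid.php?card=1&camera=1 HTTP/1.1" 200 51234
203.0.113.7 - - [20/Sep/2008:10:01:05 +0100] "GET /media/getimage_sid.php?card=1&camera=1 HTTP/1.1" 200 51234
203.0.113.7 - - [20/Sep/2008:10:01:06 +0100] "GET /media/getimage_sid.php?card=1&camera=2 HTTP/1.1" 200 50012
203.0.113.7 - - [20/Sep/2008:10:01:07 +0100] "GET /media/getimage_sid.php?card=1&camera=3 HTTP/1.1" 200 49877
203.0.113.7 - - [20/Sep/2008:10:01:08 +0100] "GET /media/getimage_sid.php?card=1&camera=4 HTTP/1.1" 200 50340
203.0.113.7 - - [20/Sep/2008:10:01:09 +0100] "GET /media/getimage_sid.php?card=2&camera=1 HTTP/1.1" 200 48120
198.51.100.9 - - [20/Sep/2008:10:05:00 +0100] "GET /media/getimage_sid.php?card=3&camera=2 HTTP/1.1" 200 47001
198.51.100.9 - - [20/Sep/2008:11:30:00 +0100] "GET /media/getimage_sid.php?card=3&camera=2 HTTP/1.1" 403 231
192.0.2.44 - - [20/Sep/2008:11:31:00 +0100] "GET /index.php HTTP/1.1" 200 1200
"""

ALLOWLIST = {"10.0.0.5"}   # constructed: the operator's own viewing station


def parse_line(line):
    """Return (ip, status, card, camera) for a request to the image script, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != IMAGE_PATH:
        return None
    q = parse_qs(parts.query)
    return (m.group("ip"), int(m.group("status")),
            q.get("card", [None])[0], q.get("camera", [None])[0])


def analyse(log_text, allowlist, sweep_threshold=4):
    """Report leaked images, refused attempts and sources enumerating cameras."""
    leaked, blocked = [], []
    cameras_seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[0] in allowlist:
            continue
        ip, status, card, camera = rec
        if status == 200:
            leaked.append((ip, card, camera))          # an image actually left the box
            cameras_seen[ip].add((card, camera))
        elif status == 403:
            blocked.append((ip, card, camera))         # lock-down doing its job
    sweeps = sorted(ip for ip, cams in cameras_seen.items()
                    if len(cams) >= sweep_threshold)
    return {"leaked": leaked, "blocked": blocked, "sweeps": sweeps}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG, ALLOWLIST)
    for key in ("leaked", "blocked", "sweeps"):
        print(f"{key}: {report[key]}")
```

Point it at the real access log and the real allowlist; any entry under "leaked" is a camera image served to someone the operator did not authorise, and "sweeps" names sources worth blocking at the firewall.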

  44. William Bronze badge
    Unhappy

    Some interesting links...

    https://82.144.238.157/media/getimage_sid.php?card=2&camera=3

    Seems like a bar. This is the front of house.

    https://82.144.238.157/media/getimage_sid.php?card=3&camera=3

    This is the kitchen.

    Just had fun watching the two waitresses having fun...

    https://82.144.238.157/media/getimage_sid.php?card=4&camera=3

    Behind the bar...

    Very interesting...

  45. Dr. Mouse

    Contradiction

    "Stephens said he informed LookC about the flaw on 9 September and went public with the vulnerability on 12 September, via a security advisory on his website"

    ...

    "A problem concerning the live image acquisition by unauthorised internet users was reported to us on 12 September 2008"

    So either:

    a) Stephens lied about when he informed LookC,

    b) LookC lied about when Stephens informed them, or

    c) LookC didn't care, ignored the email and hoped Stephens would leave it at that.

    And as for:

    "The person who highlighted the vulnerability to us also saw fit to publicise the means of hacking the LookC servers on the internet and then to log on to other blogs to point other internet users and hackers to the article. We can only guess at the motivation behind this action but have not ruled out criminal intent"

    Assuming (a) above is not true, did LookC immediately check their servers, and warn their customers? Not so far as I know. So Stephens did it for them. Now admins can implement some form of temporary fix to protect themselves (most likely for legal reasons), while LookC play the blame game and try to have Stephens arrested.

    Thing is, especially with such a simple "hack", if an honest person has found an exploit and reported it, it is likely that a DISHONEST person has already discovered it and started using it to their advantage. So Stephens has done you a favour guys, stop bitching and fix your damned product!!
