Would love to see
Avtech's IP cameras and video recorders offer the world the usual list of possible exploits
What's the chance of those same devices being used to DDoS Avtech?
It shouldn't surprise anyone that closed circuit television (CCTV) rigs are becoming the world's favourite botnet hosts: pretty much any time a security researcher looks at a camera, it turns out to be a buggy mess. According to this advisory, Avtech's IP cameras and video recorders offer the world the usual list of possible …
"shouldn't we stop calling them "closed circuit" cameras"
Much of the world has called this stuff "surveillance cameras" or "video survellance" for decades.
"CCTV" is a particularly british term.
When I was a nipper one SF story I read had a world full of cameras where covert survellance _wasn't_ the issue, because every publicly placed camera was required to be publicly accessable. The scenario was that if you were wondering if the streets ahead were safe you could dial up the cameras along the way to see who was hanging around nearby.
It's going to be interesting to see how Avtech handle this. Judging by what I can see on Aliexpress there are a lot more knock-off devices on the market than genuine ones.
This doesn't surprise me - I own an AvTech 16 channel DVR, while trying to find a way to programmatically do stuff with it (show a quad screen camera view that swaps to the next 4 cameras every 4 seconds provided a) no-one is logged in for PC viewing and b) no motion has recently been detected, and if motion has been detected change to the camera(s) that have detected motion in full screen) a quick look at the the responses of the CGI scripts that are being asked for in the web interface show just how much information is on display, and a quick peruse of the API to see how you can change params via web requests to the CGI scripts. Perhaps even more strangely is that you can set some parameters to do with things like Auto Gain Control and such via CGI get requests - even though there is no where at all in the web interface to configure these parameters.
Still, the unit cost £160 minus HDD and has performed it's job reliably since 2012. It is not exposed to the internet so I don't need to worry about that, but thanks to this article I think I will block access to it's local address from the public cafe network.
Clearly the manufacturers of this crap don't care - if they cared the slightest they would have avoided at least the most obvious of those.
So, given that the information captured by these devices is most definitely considered "personal information", how about a complaint to the Information Commissioner - either by someone sho has bought one and "found out" that their information is being made insecure by the equipment design, or by someone who thinks their image may be on one of these devices. If the IC is prepared to play along, it might be able to get a ruling that has the effect of making the use of one of these devices illegal - and once the distributors are made aware, of course, whoever bought the test case device will want their money back won't they ;-), then they'll probably drop them.
OK, this won't stop sales completely - there's a lot of world outside of the EU, and a lot of personal/indirect imports. But perhaps having their product effectively declared illegal in part of the world might just get someone to think about it.
Something needs to be done. Clearly "name and shame" doesn't work when the offenders have no shame.
As I see it, the only other way anything will happen is if the big ISPs take users off-line when they are detected to be part of a botnet. Perhaps getting a "You are harbouring a criminal" portal page instead of FarceBork will get end users interested in the problem. But I can't see the ISPs being interested - there's no money in it for them.