Surprise! Another insecure web-connected CCTV cam needs fixing

Siemens has issued a security patch for CCTV cameras that cough up their admin passwords to remote attackers. The cameras are now sold by Vanderbilt Industries, which acquired the camera business unit from the German industrial giant in 2015. The security bug lies in the web server in the gadgets' firmware, and is present in …

  1. a_yank_lurker

    Is Mr. Bumble running these IOT outfits

    It's depressing to see how many IOT outfits are run by imbeciles that make your average PHB look like a genius. Do any of these idiots talk to anyone who knows anything about computer security? It appears not.

    1. Oengus

      Re: Is Mr. Bumble running these IOT outfits

      Do any of these idiots talk to anyone who knows anything about computer security?

      Of course not. The short sighted bean counters that run these companies see security as an unnecessary expense that just increases costs and hurts their profits and dividends.

    2. Voland's right hand

      Re: Is Mr. Bumble running these IOT outfits

      No, just realtime embedded development at its "business as usual" setting. It is, unfortunately, not Mr Bumble, it is his staff.

      They have a brain rotting disease known as realtime embedditis. The primary symptom is uncontrollable urges to take on the OS in hand to hand combat and run everything in real-time, because if you miss an interrupt or a frame somewhere the world will end and the lamb will break the seventh seal.

      So everything has to be re-invented and no component can be used off the shelf because, oh my god, the off-the-shelf stuff does not have this precious 0.0005% optimization and it is not running in realtime as a part of one giganto-monolithic statically linked blob. It is running as a separate process? There is an IPC? It is written in Lua? It uses components from a well-established framework like OpenWRT? It is not using DIY encryption and "my special supercrypto"? The world has ENDEEEEED, run for the hills.

      This cannot be helped - it comes with the territory in embedded land. We will see it for a couple of decades at least until the current crop of numpties dies out.

      1. Down not across

        Re: Is Mr. Bumble running these IOT outfits

        They have a brain rotting disease known as realtime embedditis. The primary symptom is uncontrollable urges to take on the OS in hand to hand combat and run everything in real-time, because if you miss an interrupt or a frame somewhere the world will end and the lamb will break the seventh seal.

        So everything has to be re-invented and no component can be used off the shelf because, oh my god, the off-the-shelf stuff does not have this precious 0.0005% optimization and it is not running in realtime as a part of one giganto-monolithic statically linked blob

        Whilst I am not denying that there might be some truth in that, I think it is a bit unfair. Embedded devices often do have quite a few resource constraints (not just CPU, but also image size and available RAM) that may render much off-the-shelf stuff unsuitable.

        It is understandable that someone might think that, given the limited functionality required, writing it from scratch might be a better option than an off-the-shelf module that is either overcomplicated for the requirements, too expensive, or both.

        Of course if they choose to write their own, they should pay more attention to security. And we all know that they rarely do.

    3. Christian Berger

      We _are_ talking about Siemens

      ...the company, that even in this century had software that stored settings in an SQL database... accessed by hardcoded credentials.

  2. redpawn

    Keep IoT in its Box

    Without power it is most likely safe.

    1. VinceH

      Re: Keep IoT in its Box

      In the event of an intruder, that IoT thing in its box could be used as a blunt instrument against you.

      Leave it in the shop.

  3. Mark 85

    Hmm.. updates and patches

    This basically doesn't do 99% of the owners any good unless it's a forced patch. The MSM doesn't carry news and advisories on IoT holes or even OS holes for PCs. They just won't know about the problem and if they did, most wouldn't have a clue how to fix it.

  4. Oengus

    Bigger surprise

    The bigger surprise is that a manufacturer of IoT tat has actually come up with an update to remedy the issue. Full kudos for at least providing a patch for the issue.

  5. Notas Badoff

    Ahh, this is a marketing ploy!

    It just clicked. Every time I unbox some bit'o'kit, out falls a postcard or envelope to post to "register your product". I've always chucked those away as useless and with the downside that I'd start receiving _more_ unwanted postal advertising directly from manufacturers and resellers.

    But Mark 85 has opened my eyes. If we all returned those registrations we could be posted warnings whenever a past purchase needed to be patched. If we also added email addresses the warnings could be timely! Isn't this just wonderful?

    And given the frequent need for these notifications that would enable the added in advertising in these important communications. And with such engendered warm feelings for the caring and responsible manufacturers surely we would welcome each packet of love.

    Why did the rose-colored lenses in my glasses just shatter? Hmm, let me go look in my mailbox...

    1. Mark 85

      Re: Ahh, this is a marketing ploy!

      Is that what those postcards are for? I thought all they were was a way to grant them permission to sell any info they have on you and also spam your physical (not the PC) mailbox. Damn... I could have been getting AOL-like CDs with app and program updates.

  6. Anonymous South African Coward

    Repeated percussion testing with the proper tool will sort out any IoS**t frippery. Properly.

  7. NonSSL-Login

    Oh noes

    20 minutes of fuzzing HTTP requests from Shodan results will give all the info needed to abuse this.

    Expect this attack vector to be added to botnet x and its variants in 3...2...1
