back to article GET pwned: Web CCTV cams can be hijacked by single HTTP request

An insecure web server embedded in more than 35 models of internet-connected CCTV cameras leaves devices wide open to hijacking, it is claimed. The gadgets can be commandeered from the other side of the world with a single HTTP GET request before any password authentication checks take place, we're told. If your camera is one …

  1. Ole Juul

    whistle blowers

    I'm surprised that no developer for this stuff has come forward to expose some of this. Are they under that much company control, not competent, or just not ethically inclined? Surely the importance of security has crossed somebody's mind who works in that industry.

    1. Dan 55 Silver badge

      Re: whistle blowers

      Are they under that much company control, not competent, or just not ethically inclined?

      All three.

      In which part of the world did you think this software was written? Hint: It's in the Contact Us section on Titathink's website, if you're brave enough to visit.

    2. Christian Berger

      Re: whistle blowers

      I guess the developers just don't understand what kinds of errors they made. After all if they did, they probably would have avoided them.

    3. Steve Evans

      Re: whistle blowers

      Well certainly not competent... Honestly...

      This is the kind of coding assumption which was laughable twenty years ago, now it's gross negligence.

      Rule #1 of C programming is never assume the length of the data you are being given!

      (OK, it's probably not rule #1, but it damn well should be!).

      1. Anonymous Coward
        Anonymous Coward

        Re: whistle blowers

        Which doesn't help diddly if ALL you're given is raw data (like say a stream) where there's no way to anticipate the length of the data (it comes from outside the scope of the code), whether there is any data to work with, or even if it's properly structured. You don't know how much is coming in, only what to do with it when it comes in. Hard problem to solve if all you CAN do is assume because you're working blind.

  2. Sebastian A

    I've been disabling uPnP on the router for years, as I imagine many technically-minded folks do. But the millions of home users are left with no idea of the risks. :/

    1. waldo kitty
      Boffin

      I've been disabling uPnP on the router for years, as I imagine many security-minded folks do. But the millions of home users are left with no idea of the risks. :/

      FTFY ;)

      another possible "fix" would be the following but benefit of the doubt and all that rot :)

      s/are left with no idea of/don't care about/

  3. JeffyPoooh
    Pint

    It's 2016 and buffers are still overflowing...

    Sigh...

    Suggestion: The compilers could enforce an end to this, assuming that the coder isn't being deliberately-opaque.

    Crikey. It's 2016!

    1. Charles 9 Silver badge

      Re: It's 2016 and buffers are still overflowing...

      How when limits and pointers can be dynamic in nature?

      1. Stoneshop Silver badge

        Re: It's 2016 and buffers are still overflowing...

        Some cases, like when using pointers in copying operations, can be handled and made safe(ish) by the compiler: it can determine the size of the target structure (because at some point it has been allocated, and if not it's error time already), and limit the pointer frobbing to that allocated area.

        I managed to stay away from that kind of problems (without compiler support) 30 years ago already; it just takes a few minutes of thinking, coding and testing, but you have to realise there's a potential problem in the first place.

        1. Charles 9 Silver badge

          Re: It's 2016 and buffers are still overflowing...

          That falls into the "do one thing" problem. That's assuming you do everything yourself, but the moment you apply a third-party library, you run into the risk of them doing one thing WRONG. Plus you mention safeISH, meaning there are still ways to make the CPU lose track, such as perhaps complex calculations or multiple indirection. Plus there are the tricks some programmers make when faced with extreme memory or time limitations where they intentionally monkey with the stack or heap.

      2. JeffyPoooh
        Pint

        Re: It's 2016 and buffers are still overflowing...

        Chas: "How when limits and pointers can be dynamic in nature?"

        I shouldn't have to explain.

    2. ecofeco Silver badge

      Re: It's 2016 and buffers are still overflowing...

      Better suggestion: hire programmers who know what the fuck they are doing.

      Chance of suggestion being implemented? Yeah, none.

      The Big Crash is coming. It's only a matter of when.

      1. Charles 9 Silver badge

        Re: It's 2016 and buffers are still overflowing...

        "Better suggestion: hire programmers who know what the fuck they are doing."

        You have a shoestring budget. Try pulling it off.

  4. Sorry that handle is already taken. Silver badge

    "Titathink Babelens"

    That all sounds perfectly above board...

    1. Sorry that handle is already taken. Silver badge

      Re: "Titathink Babelens"

      Oh right, it's a "baby monitor." Apparently.

      1. Stoneshop Silver badge
        Coat

        Re: "Titathink Babelens"

        So, instead of images of Maroesja Lacunes, you get those of her grandkids

  5. Anonymous Coward
    Anonymous Coward

    Here's looking at you kid!

    C R E E P Y

  6. Anonymous South African Coward Silver badge

    Yay for more IoTurdThings...

    ...NOT

    Maybe we should rename IoT to IoTT then? Seems it is never going to stop.

  7. Anonymous Coward
    Anonymous Coward

    Internet of Titanics

    Call it secure, get it out there, worry about holes later.

    (Hope the band keeps playing as the whole thing sinks).

  8. wyatt

    It cost me a fair bit of money to get my wifes shop CCTV viewable via the internet. 2 new routers, 1 lan2lan VPN and then dial in VPN setup. However.. all connections/streams are now (reasonably) secure.

    Will there be something I've missed? Probably. Would my wife or father in law have been able to do this? Unlikely, they're not interested in the security side just convenience.

    Until security (that works) is forced onto people purchasing devices, they won't be secured.

    1. Charles 9 Silver badge

      But security gets IN THE WAY of most people, thus it makes people STOP buying things and look for things that don't get in the way. They don't care about security; they care about getting the job done, tout suite, si vous plais.

  9. ForthIsNotDead

    Java

    Wouldn't have happened if the firmware was written in Java. It would have crashed, sure, but the buffer overrun would have been caught by the JVM.

    C and C++ are great, and certainly the best choice if performance is a major factor, but the freedom that comes with C and C++ requires responsible coding, and a devotion to quality checking. I'd argue that in a webcam server app, performance is not the major factor. As long as it can stream the video in real-time, anything else is kind of superfluous. A higher level, strongly typed language with dynamic run-time checking might be the better option for developing software of this nature. As I say, it wouldn't stop the buffer over-run, but it would catch it, and Java Embedded can be set to reset/reboot a unit if the watchdog isn't fed regularly.

    Heck - even C and C++ would have been fine if the quality hadn't failed at at least two layers (the initial development layer (don't they have shop rules about this stuff?) and the quality/testing/review layer).

    There's really no excuse for this in 2016. We have the tools to prevent this, and we have the knowledge of other people's mistakes. What some people appear to lack is pure good old fashioned common sense.

    1. Charles 9 Silver badge

      Re: Java

      "I'd argue that in a webcam server app, performance is not the major factor. As long as it can stream the video in real-time, anything else is kind of superfluous."

      Unless the processor is UNDERPOWERED. Meaning it has to work mightily just to keep up, leaving no time for garbage collection. Think a little store just outside the big stadium and the game just let out. Only that's it's NORMAL situation.

      Overspeccing may sound cheap, but only on a per-device basis when costs usually have to figure quantities in the millions or so, where every penny adds up especially for a startup or a company on razor-thin margins.

      "Heck - even C and C++ would have been fine if the quality hadn't failed at at least two layers (the initial development layer (don't they have shop rules about this stuff?) and the quality/testing/review layer).

      There's really no excuse for this in 2016. We have the tools to prevent this, and we have the knowledge of other people's mistakes. What some people appear to lack is pure good old fashioned common sense."

      But NO MONEY. Security COSTS, period. No one wants to pay, and externalities can usually be deflected (fly-by-night operation and coverage by a hostile sovereign power) so it doesn't affect them.

  10. Matt Bradley

    @FFD8FFDB

    @FFD8FFDB is worth a follow on Twitter. A bot posting images from unsecured CCTV cameras around the world. Some really quite astonishing stuff in there.

    1. waldo kitty
      Paris Hilton

      Re: @FFD8FFDB

      ya really gotta wonder about those pixelated ones, too... what are they really supposed to be and why/how are they being pixelated now...

  11. Version 1.0 Silver badge

    Investigatory Powers Act - who needs it?

    The current snooper legislation seems like overkill given that it appears that most of the kit available has more holes than a block of Swiss cheese.

    Buffer overflow - nobody expected that ... ROTFLMAO

  12. Kevin McMurtrie Silver badge

    Junk IoT

    All of the white-labeling and firmware borrowing drove my crazy while I was trying to find a good security camera. They'd all die instantly when exposed to the Internet, and would literally crash on a gust of wind. Each new camera that I purchased was either exactly the same model or a clone of another that I'd tried and returned.

    They all had the same flaws:

    - Telnet or some mystery port stuck on.

    - OOM crash on multiple concurrent connections of any kind.

    - OOM crash if storage device slows down.

    - Video bitrate regulation bugs (crash on moving leaves).

    - Malformed video file headers.

    - Sensor Bayer pattern wrong when rotating video.

    - Session ID in URL and leaking through occasional plain HTTP requests.

    - Unprotected REST/AJAX endpoints here and there.

    - Remote access panel that crashes just using it normally.

    - Running antique Linux compiled with no 64 bit anything so it overflows big numbers.

    1. seanb-uk

      Re: Junk IoT

      Did you find a good option?

      I'm trying Hikvision, but I'm blocking them from the internet. I'm using ZoneMinder on a Linux box as the front end, so the only thing I've got accessible over the internet is the server.

    2. Sandtitz Silver badge

      Re: Junk IoT

      "Each new camera that I purchased was either exactly the same model or a clone of another that I'd tried and returned."

      Axis cameras are great. Expensive but great.

  13. Just Enough
    Facepalm

    Who writes this crap?

    while ((ptr[i] != NULL) && (ptr[i] != '&'))

    Seriously? What clueless buffoon thought this was an acceptable way to read into an array? This is a basic learners error that any professional coder should be ashamed of.

    1. Ogi

      Re: Who writes this crap?

      > Seriously? What clueless buffoon thought this was an acceptable way to read into an array?

      The kind which cost you £3.50 an hour to hire.

      That is fundamentally the problem. When anybody can pick up "programming for dummies" and get hired as a programmer, you end up with a race to the bottom, until companies are scraping the bottom of the barrel for the cheapest software that works long enough to be able to sell the product, and not much else.

      There is no bare minimum "fit for purpose" standards for software, just like there is no accreditation for "software engineering". It does mean software is a far easier industry to get involved in, and maybe get your big break. It also means intelligent people can get a job even if they don't have a fancy degree and expensive accreditation, or even a formal education.

      However the flip side is that anyone can call themselves a programmer, and get hired. As long as they are a lot cheaper than others, they will see work. This is especially true for software, which really can be done anywhere in the world (as long as there is a computer and Internet connection), allowing for outsourcing to the cheapest country/people possible.

      1. Charles 9 Silver badge

        Re: Who writes this crap?

        The worst part is that, due to the built-up, complicated nature of software, there is virtually no way to establish such a standard. It's like trying to certify a knife: it's inherently dual-use due to its nature, so the very thing that makes it useful ALSO makes it dangerous: part and parcel.

        Same with most software. Something that would "fit for purpose" would also inherently be problematic because the real world doesn't stay in the box. Even formal software proofs can only apply in very narrow circumstances (like seL4's only applying with no close-to-metal code--useless for high-performance applications).

    2. ecofeco Silver badge

      Re: Who writes this crap?

      Who? The programmer who cost the least.

      Was this a trick question?

      (I know it was rhetorical, just making the point that good programmers, ITsec and IT folks in general struggle to find work because shitty programmers and techs are a dime a dozen. There is going to be serious consequences for this and we haven't seen anything yet and it's pretty fucking bad now.)

    3. You aint sin me, roit Silver badge
      FAIL

      Re: Who writes this crap?

      And yet... I bet they thought they did a good job!

      Look at the comments (assuming they are in the source and not added for our amusement). Someone clearly thought:

      "Better identify the source so people know where the data is coming from. And must leave a comment saying that the data is written to a 256 byte array on the stack or someone might wonder where it's going. Sorted. Quality code!"

  14. Stevie

    Bah!

    All your housedoor overwatch are belong to lightbulb.

    1. ecofeco Silver badge

      Re: Bah!

      Well played. Well played.

  15. titathink

    Thank you for pointing out this fearful bug --Titathink

    Hi there,

    Thank you for your discussion and let us know how a serious mistake we had made! We're so sorry for any inconveniene caused by such bugs! We're now putting this issue in the superlatively level, our programmers are trying their best to troubleshoot such bugs in entire code. We also want to inform everyone that such bug is found in old platform(We'll fix it and release a new firmware soon). In the new platform (New main chip + New firmware), such bug will not exist. So please remain confident for Titathink cameras.

    Sorry again.

    Titathink.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021