Hacker pwns police cruiser and lives to tell tale

As a penetration tester hired to pierce the digital fortresses of Fortune 1000 casinos, banks and energy companies, Kevin Finisterre has hacked electronic cash boxes, geologic-survey equipment, and on more than one occasion, a client's heating, ventilation, and air-conditioning system. But one of his most unusual hacks came …

COMMENTS

This topic is closed for new posts.
  1. Jacob Lipman

    Not enough data - investigation required

    There's not enough data to call this one. It could be a shitty, insecure piece of hardware. It could just as easily be incompetent IT workers failing to reconfigure a piece of hardware, or failing to configure it correctly. If the city purchased the product, presumably they had the same documentation the tester was able to find readily on the internet, so they were either aware of the default password and settings, or failed to fully read the documentation to learn of these things. My bet's on shared blame, fuck-ups abound.

    1. Ammaross Danan
      Boffin

      Abound

      "My bet's on shared blame, fuck-ups abound."

      Absolutely. The Rocket system claimed port-forwarded addresses to the unsecured DVR. Which means they likely had VPN capability. They likely had static IPs, since they would have no need to port-forward if they didn't know the IP to connect to. The simple solution was to set up VPN to the station and eliminate the need for port-forwarding from the internet at large. At the very least, they should have only allowed connections from the police station's IP range (yes, spoofing is a possibility, but it's still more secure than what was set up).

      Not changing a default password on the DVR is simply crap pre-testing and validation/configuration. FAIL for that.

    2. BillG
      Thumb Down

      I've seen this before

      > It could just as easily be incompetent IT workers

      I've seen this before and it's called Nephew-ware.

      1. Anonymous Coward
        FAIL

        Re

        I agree with Nephew-ware. I hardly see how it is the vendor's problem if the user doesn't even bother to set a password.

        Government is incompetent. We know this. They should not be handling anything important. Police officers are by and large "gym class all-stars" who weren't good enough for college sports, it is no surprise that neither they, nor their IT staff can handle configuring a router.

        1. John Gamble

          Not Necessarily

          According to the article, the password was hard-coded into the software. You can blame "government" (whatever that is in this case, I don't see any difference between this and any other corporation) for buying equipment with unchangeable passwords, but the basic fault still lies with the company that made this.

          My telco tried to sell me a wifi box as part of the DSL package. Guess why I didn't buy it? Same reason.

  2. John Smith 19 Gold badge
    FAIL

    Sell the product, design it later

    Collect revenue $$

    Think about the security aspects later.

    Now how many *other* PD's have this hardware this badly configured?

    TBF, we will have to see if they behave like a *responsible* company (issue advisory notices/upgrades) or play CMA and go "It's all in your mind. I can't hear you. Lalalalalalalal"

    But so far....

  3. The BigYin
    Joke

    A Linux box?

    They should have been running embedded Windows. Far more secure.

    1. Danny 14
      Thumb Up

      oddly enough

      in this case it probably would have been as the native firewall ships locked down and needs to be opened for even native FTP services.

      1. AdamWill

        so..

        ...in the sense that it wouldn't have worked, it would have been more secure, yes. I doubt the FTP server was running by accident; it was running to be used for something, and in that case, having it running with the port closed would have been pretty bloody useless.

        the device should never have been on the public internet in the first place if possible (it should have been configured to connect directly to an internal police department network). If that was not possible, it should at least have been on a police department VPN and the server should have been configured to run the server only on the VPN. If all else fails, it should at least not have had the password set at the manual default frickin' value.

        Any general-purpose Linux distro is not going to be running an FTP server with this configuration by default, but that's kinda beside the point - this clearly wasn't a general-purpose Linux distro but some sort of embedded device. When you get into that territory, what's a sensible default configuration depends rather strongly on what your appliance is meant to do.

        I see lots of places up and down the chain where there's potential fail here, but none of it has much to do with the great operating system debate.

    2. sisk

      Not likely

      Sounds to me like the problem lies with the admin. The fact that they were using the default password screams that the admin was incompetent. With that kind of incompetence it doesn't really matter what OS you have.

      1. Anonymous Coward
        Anonymous Coward

        Re

        "Sounds to me like the problem lies with the admin. The fact that they were using the default password screams that the admin was incompetent."

        And I'm sure as a government employee he is part of the union, cannot be fired, and will continue to get raises year after year.

  4. Adrian Challinor
    Coat

    Well thats the end of ...

    Police Camera Action and Cops with Cameras.

    What will Alistair Stewart do now?

    If only we could turn off the siren when police cars regularly go past our house, siren full on, dead of night, AND NOT A DAMN THING ON THE ROAD!

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Annoyed of Tunbridge Wells

      "If only we could turn off the siren when police cars regularly go past our house, siren full on, dead of night, AND NOT A DAMN THING ON THE ROAD!"

      Speaking to our local police inspector two years ago at a community meeting, I asked him why three police cars went past in convoy all with sirens blaring. He told me it couldn't be from the local nick as we "don't have that many vehicles".

  5. Anonymous Coward
    Anonymous Coward

    "penetration tester" or junior hacker?

    It's rather a pity that his "report" looks more like a comic strip, and perhaps significant that it does admit that "The one we penetrated was actually a firmware beta version or pre-release in testing."

    A problem perhaps more with the police department's IT staff management of their test environment, than with the installed equipment itself?

    1. Anonymous Coward
      Anonymous Coward

      @AC

      This is not a copy of the report given to the City authorities. It is clear that this is a piece of advertising material to be handed out at things like exhibitions and marketing events, written up in a populist style to attract attention. I've seen such things before, and it really does not indicate that the person carrying out the work is a junior anything.

      The home page may tell a different picture, however. Looks like he might be a one-man-band (American equivalent of a single person service company - IT contractor) who can't be bothered to finish his company's home page on his Mac server.

      It would be interesting to see what the US equivalent of Companies House lists about digitalmunitions.

  6. Anonymous Coward
    Black Helicopters

    Sounds like another case of a designed-in back door

    so that the video of a controversial incident could be "lost" (the loss naturally ascribed to a fault in the equipment) by the time anything came to trial.

    1. The BigYin

      Has already happened...

      ...Boston area I think.

      So why the downvote?

  7. Anonymous Coward
    Anonymous Coward

    Curious

    I'm a simple home user, but I port scan every piece of kit that gets connected to my home network.

    If I find ports that are open that shouldn't be, I either find out how to close them or (if possible) send the equipment back. On a couple of occasions I've even been told by the manufacturer's support that they intend to close the port(s) in an upcoming firmware release.

    It constantly surprises me how large organisations seem to be quite happy to connect anything to their network without any form of testing.
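The baseline check the commenter above describes (scan every new piece of kit, compare against what you expect to be listening) is small enough to script. This is an added example, not the commenter's own tooling: it runs a plain TCP connect scan against 127.0.0.1 using two listeners the script starts itself (one "expected" service and one "rogue" service, both constructed stand-ins for ports on a freshly connected device), and reports any open port that is not on the allow-list. The hostnames, ports and helper names are all assumptions for the demo.

```python
"""Added example: allow-list port audit of a device, run here against loopback."""
import socket


def start_listener() -> socket.socket:
    """Open a listening TCP socket on a kernel-chosen loopback port.

    Stands in for a service running on a device that has just been connected.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def tcp_connect_scan(host: str, ports, timeout: float = 0.5) -> set:
    """Return the subset of `ports` that accept a full TCP connection.

    A refused, filtered or timed-out connection is treated as "not open";
    the scan only ever completes the handshake and immediately disconnects.
    """
    open_ports = set()
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.add(port)
        except OSError:
            pass
    return open_ports


def unexpected_open_ports(host: str, ports, expected) -> set:
    """Open ports that are not on the allow-list of services we meant to run."""
    return tcp_connect_scan(host, ports) - set(expected)


def demo() -> dict:
    """Start one expected and one rogue listener, then audit loopback."""
    expected_svc = start_listener()   # the service we deliberately deployed
    rogue_svc = start_listener()      # a service we did not know was there
    try:
        expected_port = expected_svc.getsockname()[1]
        rogue_port = rogue_svc.getsockname()[1]
        # Grab and release a third port so we also probe a port that is closed.
        probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        probe.bind(("127.0.0.1", 0))
        closed_port = probe.getsockname()[1]
        probe.close()
        to_scan = [expected_port, rogue_port, closed_port]
        findings = unexpected_open_ports("127.0.0.1", to_scan, {expected_port})
        return {
            "expected_port": expected_port,
            "rogue_port": rogue_port,
            "closed_port": closed_port,
            "unexpected": findings,
        }
    finally:
        expected_svc.close()
        rogue_svc.close()


if __name__ == "__main__":
    result = demo()
    print("unexpected open ports:", sorted(result["unexpected"]))
```

On a real network the allow-list would come from the device's documentation or the purchase spec, and the scan would cover the full port range rather than three ports; the point is that the comparison against what you intended to expose is what turns a scan into a check.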

    1. Peter Gathercole Silver badge
      Thumb Up

      "..simple home user"

      I suspect that the fact that you know how to port-scan all your devices, and bother to do it, proves your statement is not completely correct.

      A "simple" home user will get someone in to get everything working, and not understand enough to even know what a port scan is.

      I would suspect that you fall into the "talented amateur who gives a damn" category. A fairly rare person.

    2. JohnG

      Just an appliance

      "It constantly surprises me how large organisations seem to be quite happy to connect anything to their network without any form of testing."

      It doesn't surprise me any more but I am old and cynical. In a few places where I have worked, the choice of words used to describe a device would determine what procedures would be required to gain connectivity in the corporate network: call something a "system" and there would be procedures, forms, etc. Call something "a device" or "an appliance" and nobody cares...

      1. Steve X

        Labels

        True. I used to work in a company which had a large internal library. We couldn't buy "books", they had to be acquired on internal loan from the library (which was at the other end of the country). We could buy all the "manuals" we liked with just a simple purchase order, though...

      2. Stoneshop
        Go

        @JohnG

        Exactly why the devices built by Digital Equipment were called PDP's, Programmable Data Processors. Had there been the word 'Computer' in their name somehow, any attempted purchase would have triggered the beancounters to block it, because computers require large cooled halls, lots of power and lots of staff, not to mention vast piles of money for the actual purchase, and are therefore unacceptable to the balance sheet. A Programmable Data Processor on the other hand was something that could be placed in a lab, next to an assembly line or wherever, without costly infrastructure requirements, and, being comparatively cheap themselves as well, would way less often incur the Accountant's Anger.

    3. Marvin the Martian
      Megaphone

      "Large organisations" like the local PD?

      A three-man + dog police station is not really a large organisation. Especially as their daily task is stopping robbers and apprehending littering teenagers; IT management just creeps in.

      You not having a life and spending your time off from WoW by portscanning and feelin' leet doesn't really hold much water.

      1. Stoneshop
        FAIL

        @Marvin

        "seeing this in large organisations" doesn't mean that the author equates your hypothetical 3 man + dog plod station as being "large". Just that it happens in any organisation, even those (and probably especially those) presumably large enough to have adequate staff for matters like these.

        You really should get away from your Angry Birds to try and gain some reading comprehension before trying to pass off another commentard as a no-life.

        Apart from that, even the police organisations have discovered the advantage of "economies of scale" a.k.a. "cheaper by the dozen". All those 3m+d stations have joined together to buy cars, radios, guns, tasers, gatso's, computer gear and donuts by the umpteen dozen instead of separately, which also means that the station next door is using by and large the same stuff as you. And that makes them a large(ish) organisation, with dedicated staff for deploying technical stuff.

    4. The Fuzzy Wotnot
      Happy

      Killing time

      When I'm bored I often port scan my local subnet on the other side of my net connect router. You come across quite a few interesting items, open routers, business webservers ( running IIS ) with ports wide open. However the oddest thing is the quite large number of people who seem to have connected printers directly to their internet connections! Very odd.

  8. Anonymous Coward
    Thumb Up

    Good Thing

    Tampering with the contents of the device - not so good, but being able to stream the feeds from anywhere - brilliant (although for the safety of the officers a delay should probably be introduced, something on the order of 10-30 minutes)

    That way if you have an "encounter" where you think you might later need evidence (or just want to post it to failblog), just note the number of the patrol car, and phone a mate to record its feed for you

  9. Sir Runcible Spoon

    Sir

    Kevin Finisterre is a star, I want to see a movie about him!

  10. DRendar
    FAIL

    LOL

    Someone's going to get their arse FIRED.

    Don't they carry out Pen Testing? I have to arrange pen testing if I put up a flat web server in a pre-secured DMZ... They didn't pen test a new Police Video system that would be used for evidence?

    LMFAO

    1. Fred Flintstone Gold badge

      Sigh - another one..

      OK, here we go again.

      A PEN test proves that a SPECIFIC person with SPECIFIC skills and SPECIFIC tools was able or unable to access a SPECIFIC network or set of devices with a SPECIFIC loadset/firmware and configuration. Any instance of the word "SPECIFIC" introduces a variable that can invalidate your PEN test result.

      What you need first is a policy: what do I want to protect and why, then you go to secure design, and then you use a PEN test as a confirmation or double check. A PEN test should be an audit, a last stage confirmation, not the beginning of your approach.

      You should be required to submit design/build docs before you are allowed anywhere near the DMZ, with a PEN test just to confirm you did as required.

      1. DRendar
        Flame

        Sigh?

        Funny that as I've commissioned dozens of Pen tests, and you are correct that you have to specify what you want them to test.

        In this case it would have been...

        "We've installed this video system in this test police car using this technology, which is accessed using a 3g modem over this network - These are the IP addresses - Please attempt: Unauthorised access to data, Unauthorised Access to configuration, remote manipulation of data, DoS vulnerabilities, attempt to break encryption, brute force passwords, list open ports etc etc etc"

        Any Decent Pen test company will carry out an entire glut of tests on their own too. You don't have to specify everything down to the most minute detail of what they should test, otherwise what the hell is the point of paying an external company to do it for you?

        A Pen test should have been carried out on this setup in a test environment BEFORE being deployed into real police Cars...

        No one suggested that the PEN test would be the first step, or that the normal project flow not be followed... what have you been drinking?

        Also, this can't possibly have been the real Pen test, as information gathered by Pen Testers is confidential - he would have been in breach of his contract to release the information in such a manner. Either that or the contract written up for him will have been like swiss cheese.

        1. Fred Flintstone Gold badge

          Yes, sure - let them roam wild..

          I hope I never have to pay the bill for your liability insurance if you do not contain the test parameters.

          I was responding to a post, not to the article. The article lacks detail - you indeed allude to some spectacular omissions like how it was possible that this data ended up on the Net. Anonymised or not, there is no excuse for that.

          1. Peter Gathercole Silver badge
            Happy

            PEN tests!

            A major UK bank I worked at had some very good people (since made redundant) designing and building a customer facing environment in accordance with their quite rigorous security standards. One of the steps to getting it approved for use was a PEN test that was tasked to one of the organizations who are regarded as good at such things (if you think of the first name to spring to mind you've probably guessed who they are).

            Halfway through the morning, a message got back to the admins from the PEN testers that went along the lines of "Could you please open up some of the firewalls and server ports to allow us to actually see some of the systems. We're having difficulty getting anything to respond to our probes".

            You can guess what the answer to that was!

    2. The First Dave
      WTF?

      @DRendar

      This _was_ the Pen testing, from what I read...

  11. Henry Wertz 1 Gold badge

    I did notice..

    when I was dicking around with Kismet years ago (long enough ago that there weren't just dozens of networks on every block) that in our local PD, every squad car had at least one device continually searching for some fixed SSID (it had "PD" in it so that made it easy to spot.) I was rather curious how secure they were against a machine with HostAP, a DHCP server, and nmap.

    Honestly, my guess was "not very", that it was probably designed with the assumption that the only network with that SSID would be its home network.

    By the time wifi came out, I was well past the age for youthful indiscretions, so I have not tried to find out.

  12. NightFox
    WTF?

    You Sunk my Battleship

    Cruisers? Have you been watching a bit too much Sky? Just nipping off out in my SUV.

    1. Anonymous Coward
      FAIL

      Did you miss the bit that says

      "By Dan Goodin in San Francisco"?

  13. Gianni Straniero
    Troll

    Live feed

    I am impressed that Verizon's network can support live streaming from a PVR. Would be nice to get that kind of HSUPA bandwidth in London.

    1. Ben Jury
      Thumb Up

      Heh

      Funny, that's exactly what I first thought!

  14. Mister_C
    Black Helicopters

    Be afraid

    "allowing unauthorized people to view and alter video stored on cruisers could torpedo court cases that rely on the DVRs for evidence"

    You mean that some people _are_ authorised to alter DVR evidence?

  15. NogginTheNog
    WTF?

    Another case of lazy app developers

    How many times have I worked at companies (inc. some big ones where you'd think SECURE would be more than a vague "oh yeah" concept?!) who purchase 'off-the-shelf' apps, only to find come install time that it needs root, or sa, or full admin access, and uses hard-coded default passwords, or stores the system login credentials in an xml file, or some such crap?!!

    Too many of these are developed as quickly as possible, as cheaply as possible, using green coders with seemingly little idea of even the basics of secure application design. Sadly it seems that many of these companies spend far more on their marketing departments flogging the stuff, than on the people who create it in the first place...

  16. OkKTY8KK5U

    Not sure this is all bad

    Letting anyone and everyone tamper with the evidence is certainly going to cause some problems.

    But if anyone and everyone can simply tune into the video feeds, surely that's a good thing? Total surveillance of citizens is evil. Total surveillance of public officials entrusted with vast amounts of easily-abused power - and it takes little Googling to reveal an apparent unacceptably statistically high inclination to abuse it - cannot possibly be bad.

    A police officer who knows that someone on the internet might be watching him RIGHT NOW is an awful lot more likely to at least keep abuses technically legal. (Of course, you'd have to be able to monitor the inside of the car, too...)

  17. Anonymous Coward
    Anonymous Coward

    Business as usual.

    Can anyone point to an example of mixing 'pooters with the Peaked Cap Tendency not ending in either disaster or farce?

    I, for one, can't wait until all squaddies everywhere are festooned with overpriced, gimcrack PDAs that handle all their battlefield 'needs'.

    It could be the end of warfare - Both sides losing, instead of just the USA.

  18. Hckr
    Thumb Down

    Those Police "admins" should be sacked.

    Without any compensation. And disallowed to work anywhere in IT ever.

    1. Anonymous Coward
      FAIL

      Trainability

      No. Those people may yet be trainable. Yell at them loudly but keep them around to spread the word.

      Sack the boss of the boss of these admins. Loudly and Publicly. That would work better to set the proper tone for the future.

  19. Dave 32
    Coat

    Why settle for just pwning the camera

    Why settle for just pwning the camera in the police cruiser when you could pwn the entire cruiser, as one miscreant did locally. He called in a report of a fight at a local bar. The police sent an officer, who skidded his cruiser to a stop out front of the bar and ran inside to subdue the fight. Upon entering the bar, he asked the bartender where the fight was. The bored bartender replied that there was no fight, heck, there weren't even any patrons in the bar. So, when the police officer left the bar, realizing that it was a false report, he discovered that his cruiser, which he'd left idling out front, with the door open, and with the lights going, was gone. They discovered it about 15 outside of town, out of gas, sitting on the side of the road with the lights still going, and no one anywhere close to it. I don't think they ever did solve that case.

    Dave

    P.S. I'll get my coat, because my ride is here, complete with the flashing lights and siren.

  20. Sonny Jim

    It's CSI becoming real....

    If I was watching a Hollywood film from the 90's which featured a hypothetical scene where a hacker was streaming live video from a cop car dash camera to their desktop, I would have waved my fist and muttered something about bandwidth.

    Now it's *actually* happening....

    1. Anonymous Coward
      Anonymous Coward

      Not quite

      This time there isn't a big alert box popping up before the video starts streaming saying

      "HACKING PATROL CAR ELECTRONIC BRAIN"

      "HACKING COMPLETE"

      "STREAMING VIDEO FEED FROM CAR ..."

      But then I wasn't there so maybe that did happen.

  21. Anonymous Coward
    Alert

    Title

    Having public IPs on 3G boxes/SIMs is not only much more vulnerable to internet-based entry hacks than private IPs reachable only via tunneling. If they're on anything other than an unlimited data plan, it would be fairly easy to run up their bill for bandwidth. Even if the device is firewalled properly and drops every inbound packet, the traffic is still being sent to it from the local tower and thus billed.

  22. Hckr
    IT Angle

    Nobody else understands that this is serious?

    Imagine what would happen if bank robbers knew exactly where all the police cars are?

    This is serious shit and those assholes who made that possible should be punished. Too many incompetent assholes are getting jobs. And after those assholes, people like me must rebuild and repair everything.

    P.S. I have "hacked", yes. Now I face criminal charges, just because I WARNED about incompetence and possible industrial espionage. What a great world we live in. I should have copied data and sold it to competing companies, not saying anything.

    1. Anonymous Coward
      Unhappy

      Same old, same old.

      Same old story, the managers demand the staff cut corners. The IT techs complain saying this is not right and should be done properly but managers tell them to STFU and get it done or else find another job.

      Lost count of the number of times some prick has asked me to dump DB data to a flat file and simply FTP to some third-party vendor's public FTP site, not even a vague attempt at security with SFTP, pure open FTP! I also lost count the number of times I have refused on the grounds of company security only to have some upper management twat tell me to just do it and stop being difficult. I simply refuse and ask them to ask one of my colleagues to perform the operation so when it does go wrong I can prove full denial.

  23. Yet Another Anonymous coward Silver badge

    @Police admins

    The admins at the police dept probably had nothing to do with this. The systems were bought by some official and installed in the cars - probably by the vehicle maintenance dept.

    Think about how much computer kit there is in your building that the sysadmins aren't in charge of. Do you security audit the phone system, CCTV, fire alarm, photocopiers, HVAC?

    What about your CEO's cell phone, or the hands free kit in his company car?

    1. Hckr

      Yes

      I can configure HVAC, if you mean frequency converters. And I can check if the alarm system has a master password. Yes, I do check fire alarms once a year.

      And it doesn't matter who made the purchase. If the admins cared, they would check it, and report such heavy mistakes. A reason to get some money back, don't you think?

      The problem is that lamers don't care. They lie, simulate and get salary.

  24. Anonymous Coward
    Anonymous Coward

    Until the good guys out number the bad guys, we're all in trouble

    There is so much electronics vulnerability these days that we're all in big trouble if the good guys don't start to out number the bad guys.

  25. Anonymous Coward
    Go

    When will we get these in the uk?

    Will make speeding offences a thing of the past....

    "Yes officer, I know what speed I was doing, sure I'd love to see the <clickety> video in the back of your nice unmarked car.... you can't find it?"

  26. Henry Wertz 1 Gold badge

    uplink speeds

    "I am impressed that Verizon's network can support live streaming from a PVR. Would be nice to get that kind of HSUPA bandwidth in London."

    Well, Verizon's not a GSM carrier, they are using CDMA (for voice, and EDGE-style low speed data fallback) and EVDO (for 3G, data only). EVDO looks antiquated on paper -- 3.1 Mbps down, 1.8 Mbps up peak. But, it's pretty common to actually CONSISTENTLY get 50% of this peak.

    Partially VZW spends huge wads of cash on their network (adding backhaul, adding additional capacity, they are pretty careful about network tuning).

    Partially, since the CDMA and EVDO channels are only 1.25 MHz down and 1.25 MHz up, they can fire up another EVDO channel more easily.. for instance, with 20 MHz of spectrum, they have room for 8 channels total. Since HSPA uses a 5 MHz width, a GSM carrier with 20 MHz has a choice of all GSM/EDGE, 1 channel of HSPA and the rest GSM, or 2 channels of HSPA but having to shut down GSM/EDGE entirely. (In reality, the likes of VZW or AT&T have more like 60 MHz of 850 MHz + 1900 MHz in big cities, but it still makes things easier).

    And partially, to be honest, Qualcomm has crack engineers, they are good about considering real-world RF conditions and not just ideal lab conditions.

    VZW's now rolling out LTE in the 700 MHz band. Peak speeds of 60 Mb/sec; of course nobody gets that speed, but I've seen a couple speed tests of 35-40 Mbps (uncommon though), some at about 25 Mbps, and plenty at 15-20 Mbps. Worst case seems to be 6-10 Mbps. VZW did tests under load, and say to expect 5-12 Mbps. Since this is pretty new I seriously doubt the PD is using LTE already. Obviously, that'd stream a DVR pretty easily.

    1. John Smith 19 Gold badge
      Thumb Up

      @Henry Wertz 1

      So 1st rate procurement of data services supplier, 5th rate procurement of secure hardware to *use* data service?

      Reliable 15 Mbps on a mobile channel. Impressive.

  27. Anteaus

    Config mistakes?

    The way I would read this is that the equipment wasn't at fault; it was that the guys who set it up didn't know what they were doing. Any IT guy worth his or her salt knows that:

    Routers and other devices have default passwords. They have to, or you wouldn't be able to set them up in the first place. You don't, however, leave them like that.

    If you forward an inbound port, you also create a firewall rule to restrict the IPs that port can be seen from. Or, if you want the port to be globally accessible you implement some form of strong encryption.

    Since the router or DVR equipment manufacturer can't predict exactly how the kit will be used, it would be unreasonable to expect them to warn that a certain combination of kit, with unsuitable settings, will create a security risk.
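Several comments in this thread converge on the same deployment checklist: don't leave the vendor default password in place, don't forward an inbound port to the Internet at large without restricting the source addresses (or, better, terminate it on the station VPN), and don't expose a cleartext protocol like FTP outside that VPN. The following is an added example, not code from the article, the commenters or the DVR vendor, that turns that checklist into an audit over a small constructed model of a device's configuration. The vendor default credentials, the station address range (a documentation block), the password strings and all class and function names are assumptions made for the example.

```python
"""Added example: audit an appliance deployment for the mistakes this thread discusses."""
from dataclasses import dataclass, field
import ipaddress

# Constructed placeholder for a vendor's documented defaults; not the real product's values.
VENDOR_DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "password")}

# Protocols that carry credentials and data in the clear: tolerable inside a VPN,
# not on the open Internet.
CLEARTEXT_SERVICES = {"ftp", "telnet", "http"}


@dataclass
class PortForward:
    service: str          # protocol name, e.g. "ftp"
    port: int             # external port forwarded to the device
    allowed_sources: list = field(default_factory=list)  # CIDRs; empty means anyone


@dataclass
class DeviceConfig:
    username: str
    password: str
    password_changeable: bool      # False models a hard-coded credential
    reachable_only_via_vpn: bool   # True: forwards terminate on the station VPN
    forwards: list = field(default_factory=list)


def audit(cfg: DeviceConfig) -> list:
    """Return human-readable findings; an empty list means the deployment passed."""
    findings = []
    if (cfg.username, cfg.password) in VENDOR_DEFAULT_CREDENTIALS:
        findings.append("vendor default credentials still in use")
    if not cfg.password_changeable and not cfg.reachable_only_via_vpn:
        findings.append("credential is hard-coded and the device is Internet-reachable")
    if cfg.reachable_only_via_vpn:
        return findings  # nothing below is exposed to the Internet at large
    for fwd in cfg.forwards:
        label = f"{fwd.service}/{fwd.port}"
        if not fwd.allowed_sources:
            findings.append(f"{label} forwarded with no source restriction")
        for cidr in fwd.allowed_sources:
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"{label}: unparseable source {cidr!r}")
                continue
            if net.prefixlen == 0:
                findings.append(f"{label}: source {cidr} matches every address")
        if fwd.service in CLEARTEXT_SERVICES:
            findings.append(f"{label} is a cleartext protocol exposed outside a VPN")
    return findings


def as_deployed() -> DeviceConfig:
    """Constructed sample resembling the setup the thread describes."""
    return DeviceConfig("admin", "admin", True, False,
                        [PortForward("ftp", 21), PortForward("http", 80)])


def station_range_only() -> DeviceConfig:
    """Constructed: password changed, forward limited to a (documentation) station range."""
    return DeviceConfig("admin", "correct-horse-battery-staple", True, False,
                        [PortForward("ftp", 21, ["203.0.113.0/24"])])


def vpn_only() -> DeviceConfig:
    """Constructed: the fix the thread recommends; the forward exists only on the VPN."""
    return DeviceConfig("admin", "correct-horse-battery-staple", True, True,
                        [PortForward("ftp", 21)])


if __name__ == "__main__":
    for name, cfg in [("as deployed", as_deployed()),
                      ("station range only", station_range_only()),
                      ("vpn only", vpn_only())]:
        print(f"{name}: {audit(cfg) or ['no findings']}")
```

The middle configuration is the "at the very least" option from the thread: a changed password and a source restriction still leave one finding, because FTP itself is cleartext, which is why the VPN-only configuration is the one that comes back clean. Note also that a hard-coded credential is only reported when the device is Internet-reachable; isolating such a device behind the VPN is the mitigation when the password genuinely cannot be changed.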

    1. John Gamble

      Re: Config mistakes?

      But you're assuming that the defaults were changeable. We don't know that. I turned down an offer of equipment from my telephone company because the password was set in stone and not changeable (it's possible that the equipment had unique passwords per box; I didn't ask; but it's still not something I'm willing to accept). And frankly, it was sheer luck that I asked the right questions first and found out about it.

      The PD IT people probably didn't get to have that level of interaction with the sales reps.

  28. kain preacher

    Um Folks

    The device had the password hard coded. What can the admins do at that point? The kit is bought by higher ups.

