Hackers could remotely attack security cameras commonly used in banks and prisons - and either spy on secure facilities or replace “real” video feeds with fakes, according to a U.S. security expert.
Craig Heffner, formerly of the National Security Administration, says that he has found zero-day vulnerabilities which would allow attackers to control cameras made by D-Link, Trendnet, Cisco, IQInvision, Alinking and 3SVision. These are used in homes as well as businesses, Heffner says. His findings will be presented at the Black Hat security conference in Las Vegas.
Heffner describes the scope of the vulnerabilities as allowing “Hollywood-style” attacks - referring to the manipulation of video feeds commonly seen in heist movies.
“Thousands of these cameras are Internet accessible, and known to be deployed in homes, businesses, hotels, casinos, banks and prisons, as well as military and industrial facilities,” says Heffner.
“Additionally, a proof-of-concept attack will be demonstrated in which a remote attacker can leverage the described vulnerabilities to freeze and modify legitimate video streams from these cameras, in true Hollywood fashion.”
"It's a significant threat," Heffner said in an interview with Reuters. "Somebody could potentially access a camera and view it. Or they could also use it as a pivot point, an initial foothold, to get into the network and start attacking internal systems."
Heffner, who works for security analysts Tactical Network Solutions, says that hundreds of thousands of security cameras can be accessed via the public internet.
Heffner’s talk will be one of more than 100 at the conference - including a demonstration of a “malicious charger” which can hack an iPhone in 60 seconds, as reported by WeLiveSecurity.