Body cameras used by police departments across the US are being shipped with the notorious Conficker worm malware pre-installed.
The discovery was made last week by networking firm iPower Technologies, which found multiple Martel Electronics Frontline cameras it was testing were loaded with the Win32/Conficker.B!inf virus.
iPower warned Martel on 11 November but says the supplier “has yet to provide iPower with an official acknowledgement of the security vulnerability”.
As a result, iPower president Jarrett Pavao has gone public on the problem, claiming it has “huge security implications” because the cameras are being shipped to government agencies and police departments throughout the US.
In an online post, iPower said that when it connected the test cameras to a computer, it caught and quarantined the virus. But when iPower ran packet captures on the infected PC to view the virus's activity, Conficker immediately tried to spread to other machines on its lab network, and attempted several ‘phone-home' calls to internet sites.
The company created a video of the infection in action.
iPower has not said where Conficker was first loaded onto the Martel cameras, but Pavao warned: “As the Internet of Things continues to grow into every device we use, it becomes even more important that manufactures have stringent security protocols. If products are being produced in offshore locations, what responsibilities lie with the manufacturer to guarantee our safety?”
Conficker, also known as Downadup, is the world's biggest malware threat, according to F-Secure's 2014 Threat Report. The virus, first discovered in 2008, still represents 37% of all reported threats globally.
But despite its prevalence, F-Secure security advisor Sean Sullivan said Conficker's impact is likely to be limited.
He told SCMagazineUK.com via email: “While Conficker can spread… that's all it does. That can still cause issues. Even a small number of infected computers can make a LOT of noise as can be seen from our customer data. And that eats up IT security resources.
“What happens is that one infected machine will allow the worm to drop copies of itself on network shares. And some of those network shares may contain body camera software. It gets copied, but not necessarily executed. This sort of problem exists because factories in China are running pirated copied of XP that haven't been patched in forever!”
Asked what lessons can be learned from iPower's report, Sullivan joked: “Hardware vendors really should vet their Chinese partners carefully or else folks such as Martel Electronics will end up dealing with unwanted press.
“Additionally, it's important not to neglect rarely used machines. In my experience, day-to-day computers will be as up-to-date as possible even if they are still running XP. The problems tend to be the forgotten computers which are only occasionally used for presentations or something. Nobody ‘owns' them and they can be sorely neglected.”
Threat expert Fran Howarth, a senior analyst at Bloor Research, broadly agreed with Sullivan's assessment. She told SC via email: “Conficker is largely contained, except where outdated systems are still being used. Most AV programs can stop it so the chances of the worm spreading are not great. But the greater impact would be tainted evidence from the cameras.”
Jarrett Pavao said: “The problem is that business units today are still working with antiquated technologies. Many businesses still run Windows XP and use dated, traditional firewalls to protect their networks.”
On this, Howarth commented: “There are reports that XP is still widespread, even amongst the US law enforcement and military, and the US Navy, for one, is said to be paying Microsoft to continue providing updates. If it is still being used, there are compensating controls available to make it safer. The UK and the Netherlands are also reported to be paying Microsoft similarly and I know that the use of XP, along with compensating controls, is still widespread in the public sector in the UK.
“One of the greatest potential vulnerabilities of the IoT is that security is generally not baked into the development stage and cannot, in many cases, be added retrospectively. Many devices also run on proprietary firmware that cannot be patched or for which no patches are available. This highlights the potential security vulnerabilities that we are likely to see.”
While California-based Martel has not issued a statement on iPower's findings, web pages linking to its Frontline body camera appear to have been taken down. Martel's products include body cameras used by the US police and military, police dashboard cameras and covert microphones to record suspects.