Important security research into hackable surveillance cameras has been quashed by a legal threat. Gianni Gnesa, a consultant at the Swiss cyber-security company, Ptrace Security was due to give a lecture on Thursday at Singapore's Hack in the Box conference. And he would have too, if his research didn't reveal that some of IP surveillance cameras have considerable vulnerabilities in them.
Gnesa picked three IP cameras, bought from Amazon, to exhibit. He told SCMagazineUK.com that he chose these models “because they had a good rating, thousands of customer reviews, and they claimed to be secure”. In fact, he said, they were anything but.
While the vendors' descriptions made large claims about how secure their cameras were, Gnesa found undocumented backdoors and remotely exploitable vulnerabilities. Hacking the cameras could allow the attacker to gain admin access and eavesdrop on the video feed.
Speaking to tech news outlet, Vulture South, he said: “I've analysed several IP cameras and they all had some weaknesses that could shut down the camera, freeze the video stream, or get access to the admin panel.”
But how can vendors then claim that their products are secure? Gnesa told SC that “I guess most vendors just assume that their products are secure once they have a login prompt, the support for HTTPS, and do not use WEP.”
He would have presented all of this information at next week's conference until he was threatened with legal action from an unnamed vendor of one of the cameras.
Gnesa couldn't tell SC which vendor had caused him to cancel the lecture, but he worries about threats, not just for himself but for others too: “I am afraid that in the future these kind of threats will discourage many security researchers from releasing the results of their research to the public.”
Responsible disclosure is the willing disclosure of security vulnerabilities in computer systems by companies, security researchers or hackers. It allows people who find exploits to show them to the manufacturer of the exploitable product and allow them to fix it. However, it's not always that simple and the helpful insight is not always warmly received.
“I have engaged in responsible disclosure eight times and I have been sued two times,” says Flavio Garcia, a lecturer in computer security at the University of Birmingham. The first time was in the Netherlands to do with his work on NXP Semiconductors and the second time by Volkswagen. Garcia and a number of other researchers discovered that millions of vehicles were vulnerable to remote hacking and effective immobilisation.
When they presented their research to Volkswagen in 2013, they were promptly smacked with an injunction in the UK high court and their work was suppressed until recently.
Garcia said that the use of legal threats against researchers whose findings worry manufacturers and vendors “happens a lot of the time when you engage in responsible disclosure”. The problem, Flavio said, is that such suppressions are “to the detriment of society because when there is a system that is not secure, it is in the best interests of society to know about it”.
Flavio added, you don't have to be successfully sued to have you work suppressed. The legal recourse can be just as effective for the simple suppression of your work and the draining of your legal defence fund.
Andrew Conway, a security analyst at Cloudmark, spoke to SC earlier this month on a similar topic. He said that vendors are often not as 'responsible' as they should be with these disclosures. “Some companies may simply ignore reports, or worse still, threaten legal action against the security researcher for reverse engineering their code," Conway said. "The legal department should be reserved for black hat hackers who are trying to profit from the vulnerability, not the white hats who are trying to get it fixed."