Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

What are the security risks (from being hacked)?

Posted on 2008-10-17
4
Medium Priority
?
474 Views
Last Modified: 2012-05-05
Greeting Friends,

We just got this camera.  It takes snapshots ever few seconds, and has uclinux embedded.

The documentation in numerous places strongly recommends using FTP (or numerous other methods) to get the files off of the camera's embedded linux server, to your own server(s) and eventually your enterprise web server.

We are a primarily windows shop, but we are (paradoxically) very security conscious for regulatory reasons.  Even though the vendor provides a nice java applet to serve up the images after you get them to your server, and they also provide documentation on how to FTP or otherwise get the images, there is talk of just using the "guest" account and allowing visitors to access the camera directly, I think mainly because that would be easier, but also because people here don't like FTP, and the SMTP (method 2) and Linux scriptiing (method 3) routes to getting the files over to our windows IIS web server are too complicated for us.

So, it's FTP or else let visitors access the camera embedded server directly.
I think this server has very low memory capability (no idea performance handling capability really), so I'm personally worried about letting visitors get to it directly.
In addition, the native HTML page on the embedded server is ugly and clashes big-time with our CSS for our main website.
It may be that the only way that this is going to happen the "best and correct" way, is if there is a significant security risk to allowing visitors to access the camera directly (aka., the little HTML page with the view window and the config link that requests your password for admin).

So what are the security risks?  If I am using the Firebug pluggin in FF3, can I determine what type of authentication this is using?  (I can tell you it's not HTTPS, and I'm worried it might be simple clear text basic auth?).


Thanks much,
~k
0
Comment
Question by:ksuchy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 4

Expert Comment

by:larsga
ID: 22742841
A couple questions:

What do you mean by "visitors"? Is this people coming to your physical location, or people accessing your website over the Internet?

Where is this camera placed on your network? In a DMZ? On your private LAN? On a public IP outside your firewall?

What are the threats you want to protect against? Is it stopping some people from getting access to the pictures? Is it stopping someone from hacking into the camera device and then using that as a point of entry to attack/scan the rest of your network?

0
 

Author Comment

by:ksuchy
ID: 22744093
Iarsqa,

These visitors are people visiting my organization's website over the public internet.  No they are not physically inspecting anything.  No this is not CCTV.  It's an IP camera with an embedded linux web server named CULinux (no, not Apache).  

It's not on a logical or physical DMZ, but it is on the private side of our routers/firewalls.  Likely, if setup for direct viewing I would use an iFrame for the HTML page streaming the images.  Anyone with a brain could then easily determine the source IP and possibly do a port scan depending on their sophistication.  Normally most traffic other than 80 or 22 is blocked at the firewall.

I don't know what the threats are, but if you can list a few POTENTIAL one's, along with assumptions and/or preventive techniques, that would be helpful.  

Thanks,
~k
0
 

Author Comment

by:ksuchy
ID: 22744288
Sorry, I mistyped the name the second time (it was correct in my original post).

http://www.uclinux.org/
http://en.wikipedia.org/wiki/%CE%9CClinux/
http://www.linuxdevices.com/links/LK8053710489.html
0
 
LVL 4

Accepted Solution

by:
larsga earned 1500 total points
ID: 22744866
If you do an IFrame or similar (for exampe  <img src="http://camera/currentimage.jpg">), you will have to open at least port 80 on the camera for access from the outside. Doing this would mean:

1)  You risk that a security vulnerability in the embedded uClinux might allow an attacker to use it as a point of entry, and circumvent any firewall rules you might have. How serious this is depends on where on your network the camera is connected; if it is on your local LAN, potentially very bad. Putting the camera in a DMZ with firewall rules that does not allow the camera to access the lan would lower this risk considerably.

2) Someone might be able to gain access to the administrative web interface of the camera. How serious this is depends on what can be done in the administrative interface. It could range from disabling/turning the camera off to replacing the picture with something that would be inappropriate to show on your website. To mitigate you would need a firewall that is able to control which URLs on the camera that can be accessed from the outside.

3) Someone might issue a DoS on the camera. Tiny embedded devices like this are typically short on both RAM and CPU; making it crash or hang would probably not be very hard. Even normal operation might cause problems if your website gets a lot of traffic. How serious this is depends on how important it is that visitors can see pictures from the camera. Mitigation would probably be to put a caching web proxy in front of the camera web server.

In short, embedded devices like this are rarely sturdy and secure enough to handle being exposed to the raw Internet. The steps you would have to take to mitigate risks would likely be more work than setting up an automated ftp script that pulls the images from the camera. Scripting the command line Windows ftp client is quite easy, btw - http://www.brettb.com/ScriptingWindowsFTP.asp
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Check out the latest tech news, community articles, and expert highlights in August's newsletter.
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question