What are the security risks (from being hacked)?

Greeting Friends,

We just got this camera.  It takes snapshots ever few seconds, and has uclinux embedded.

The documentation in numerous places strongly recommends using FTP (or numerous other methods) to get the files off of the camera's embedded linux server, to your own server(s) and eventually your enterprise web server.

We are a primarily windows shop, but we are (paradoxically) very security conscious for regulatory reasons.  Even though the vendor provides a nice java applet to serve up the images after you get them to your server, and they also provide documentation on how to FTP or otherwise get the images, there is talk of just using the "guest" account and allowing visitors to access the camera directly, I think mainly because that would be easier, but also because people here don't like FTP, and the SMTP (method 2) and Linux scriptiing (method 3) routes to getting the files over to our windows IIS web server are too complicated for us.

So, it's FTP or else let visitors access the camera embedded server directly.
I think this server has very low memory capability (no idea performance handling capability really), so I'm personally worried about letting visitors get to it directly.
In addition, the native HTML page on the embedded server is ugly and clashes big-time with our CSS for our main website.
It may be that the only way that this is going to happen the "best and correct" way, is if there is a significant security risk to allowing visitors to access the camera directly (aka., the little HTML page with the view window and the config link that requests your password for admin).

So what are the security risks?  If I am using the Firebug pluggin in FF3, can I determine what type of authentication this is using?  (I can tell you it's not HTTPS, and I'm worried it might be simple clear text basic auth?).

Thanks much,
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

A couple questions:

What do you mean by "visitors"? Is this people coming to your physical location, or people accessing your website over the Internet?

Where is this camera placed on your network? In a DMZ? On your private LAN? On a public IP outside your firewall?

What are the threats you want to protect against? Is it stopping some people from getting access to the pictures? Is it stopping someone from hacking into the camera device and then using that as a point of entry to attack/scan the rest of your network?

ksuchyAuthor Commented:

These visitors are people visiting my organization's website over the public internet.  No they are not physically inspecting anything.  No this is not CCTV.  It's an IP camera with an embedded linux web server named CULinux (no, not Apache).  

It's not on a logical or physical DMZ, but it is on the private side of our routers/firewalls.  Likely, if setup for direct viewing I would use an iFrame for the HTML page streaming the images.  Anyone with a brain could then easily determine the source IP and possibly do a port scan depending on their sophistication.  Normally most traffic other than 80 or 22 is blocked at the firewall.

I don't know what the threats are, but if you can list a few POTENTIAL one's, along with assumptions and/or preventive techniques, that would be helpful.  

ksuchyAuthor Commented:
Sorry, I mistyped the name the second time (it was correct in my original post).

If you do an IFrame or similar (for exampe  <img src="http://camera/currentimage.jpg">), you will have to open at least port 80 on the camera for access from the outside. Doing this would mean:

1)  You risk that a security vulnerability in the embedded uClinux might allow an attacker to use it as a point of entry, and circumvent any firewall rules you might have. How serious this is depends on where on your network the camera is connected; if it is on your local LAN, potentially very bad. Putting the camera in a DMZ with firewall rules that does not allow the camera to access the lan would lower this risk considerably.

2) Someone might be able to gain access to the administrative web interface of the camera. How serious this is depends on what can be done in the administrative interface. It could range from disabling/turning the camera off to replacing the picture with something that would be inappropriate to show on your website. To mitigate you would need a firewall that is able to control which URLs on the camera that can be accessed from the outside.

3) Someone might issue a DoS on the camera. Tiny embedded devices like this are typically short on both RAM and CPU; making it crash or hang would probably not be very hard. Even normal operation might cause problems if your website gets a lot of traffic. How serious this is depends on how important it is that visitors can see pictures from the camera. Mitigation would probably be to put a caching web proxy in front of the camera web server.

In short, embedded devices like this are rarely sturdy and secure enough to handle being exposed to the raw Internet. The steps you would have to take to mitigate risks would likely be more work than setting up an automated ftp script that pulls the images from the camera. Scripting the command line Windows ftp client is quite easy, btw - http://www.brettb.com/ScriptingWindowsFTP.asp

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.