What are the security risks (from being hacked)?

Posted on 2008-10-17
Last Modified: 2012-05-05
Greeting Friends,

We just got this camera.  It takes snapshots every few seconds, and has uClinux embedded.

The documentation in numerous places strongly recommends using FTP (or numerous other methods) to get the files off of the camera's embedded linux server, to your own server(s) and eventually your enterprise web server.

We are a primarily Windows shop, but we are (paradoxically) very security conscious for regulatory reasons.  Even though the vendor provides a nice Java applet to serve up the images after you get them to your server, and they also provide documentation on how to FTP or otherwise get the images, there is talk of just using the "guest" account and allowing visitors to access the camera directly, I think mainly because that would be easier, but also because people here don't like FTP, and the SMTP (method 2) and Linux scripting (method 3) routes to getting the files over to our Windows IIS web server are too complicated for us.

So, it's FTP or else let visitors access the camera embedded server directly.
I think this server has very low memory capability (no idea performance handling capability really), so I'm personally worried about letting visitors get to it directly.
In addition, the native HTML page on the embedded server is ugly and clashes big-time with our CSS for our main website.
It may be that the only way that this is going to happen the "best and correct" way, is if there is a significant security risk to allowing visitors to access the camera directly (aka., the little HTML page with the view window and the config link that requests your password for admin).

So what are the security risks?  If I am using the Firebug plugin in FF3, can I determine what type of authentication this is using?  (I can tell you it's not HTTPS, and I'm worried it might be simple clear text basic auth?).

Thanks much,
Question by:ksuchy
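
Added example, not part of the original question or of any reply: a server announces its authentication scheme in the `WWW-Authenticate` header of its 401 response, which is visible in the browser's network panel (Firebug's Net tab). The Python sketch below classifies that header and shows why Basic over plain HTTP exposes the password; the sample headers and credentials are constructed, not taken from this camera.

```python
import base64
import re

# Constructed sample: headers as they appear in a browser's network panel.
SAMPLE_RESPONSE = """HTTP/1.0 401 Unauthorized
Server: example-embedded-httpd
WWW-Authenticate: Basic realm="camera admin"
Content-Type: text/html"""
# Constructed request header value the browser would send after the login prompt.
SAMPLE_AUTHORIZATION = "Basic " + base64.b64encode(b"admin:example-password").decode("ascii")

def auth_challenges(raw_headers):
    """Return [(scheme, params)] for every WWW-Authenticate line in a header block."""
    found = []
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        scheme, _, rest = value.strip().partition(" ")
        params = {k.lower(): v for k, v in re.findall(r'(\w+)="?([^",]*)"?', rest)}
        found.append((scheme.lower(), params))
    return found

def decode_basic(authorization_value):
    """Basic auth is base64 encoding, not encryption: recover (user, password)."""
    scheme, _, token = authorization_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode("utf-8", "replace").partition(":")
    return user, password

def assess(raw_headers, uses_https):
    """Summarise how exposed the admin password is for each advertised scheme."""
    notes = []
    for scheme, params in auth_challenges(raw_headers):
        realm = params.get("realm", "")
        if uses_https:
            notes.append((scheme, realm, "protected by TLS in transit"))
        elif scheme == "basic":
            notes.append((scheme, realm, "password readable by anyone on the network path"))
        elif scheme == "digest":
            notes.append((scheme, realm, "password hashed with a nonce; session content still in clear"))
        else:
            notes.append((scheme, realm, "unknown scheme over plain HTTP; review manually"))
    return notes

if __name__ == "__main__":
    print(assess(SAMPLE_RESPONSE, uses_https=False))
    print(decode_basic(SAMPLE_AUTHORIZATION))
```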

Expert Comment

ID: 22742841
A couple questions:

What do you mean by "visitors"? Is this people coming to your physical location, or people accessing your website over the Internet?

Where is this camera placed on your network? In a DMZ? On your private LAN? On a public IP outside your firewall?

What are the threats you want to protect against? Is it stopping some people from getting access to the pictures? Is it stopping someone from hacking into the camera device and then using that as a point of entry to attack/scan the rest of your network?


Author Comment

ID: 22744093

These visitors are people visiting my organization's website over the public internet.  No they are not physically inspecting anything.  No this is not CCTV.  It's an IP camera with an embedded linux web server named CULinux (no, not Apache).  

It's not on a logical or physical DMZ, but it is on the private side of our routers/firewalls.  Likely, if set up for direct viewing I would use an iFrame for the HTML page streaming the images.  Anyone with a brain could then easily determine the source IP and possibly do a port scan depending on their sophistication.  Normally most traffic other than 80 or 22 is blocked at the firewall.

I don't know what the threats are, but if you can list a few POTENTIAL ones, along with assumptions and/or preventive techniques, that would be helpful.  


Author Comment

ID: 22744288
Sorry, I mistyped the name the second time (it was correct in my original post).

Accepted Solution

larsga earned 500 total points
ID: 22744866
If you do an IFrame or similar (for example <img src="http://camera/currentimage.jpg">), you will have to open at least port 80 on the camera for access from the outside. Doing this would mean:

1) You risk that a security vulnerability in the embedded uClinux might allow an attacker to use it as a point of entry, and circumvent any firewall rules you might have. How serious this is depends on where on your network the camera is connected; if it is on your local LAN, potentially very bad. Putting the camera in a DMZ with firewall rules that do not allow the camera to access the LAN would lower this risk considerably.

2) Someone might be able to gain access to the administrative web interface of the camera. How serious this is depends on what can be done in the administrative interface. It could range from disabling/turning the camera off to replacing the picture with something that would be inappropriate to show on your website. To mitigate you would need a firewall that is able to control which URLs on the camera can be accessed from the outside.

3) Someone might issue a DoS on the camera. Tiny embedded devices like this are typically short on both RAM and CPU; making it crash or hang would probably not be very hard. Even normal operation might cause problems if your website gets a lot of traffic. How serious this is depends on how important it is that visitors can see pictures from the camera. Mitigation would probably be to put a caching web proxy in front of the camera web server.

In short, embedded devices like this are rarely sturdy and secure enough to handle being exposed to the raw Internet. The steps you would have to take to mitigate risks would likely be more work than setting up an automated ftp script that pulls the images from the camera. Scripting the command line Windows ftp client is quite easy, btw -
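
Added example, not part of the original answer: one way to do the pull described above, so the camera never faces the Internet and the public web server only ever serves a complete, validated image. The host name, account, file names and destination path are hypothetical placeholders, and the JPEG check assumes the camera writes files that end exactly at the end-of-image marker.

```python
import ftplib
import io
import os
import tempfile

MAX_BYTES = 2 * 1024 * 1024  # assumption: a snapshot is far smaller than 2 MiB

def fetch_snapshot(host, user, password, remote_name):
    """Pull one file from the camera's FTP server; runs inside the LAN only."""
    buf = io.BytesIO()
    def collect(chunk):
        if buf.tell() + len(chunk) > MAX_BYTES:
            raise ValueError("camera sent more data than a snapshot should contain")
        buf.write(chunk)
    with ftplib.FTP(host, timeout=10) as ftp:
        ftp.login(user, password)
        ftp.retrbinary("RETR " + remote_name, collect)
    return buf.getvalue()

def looks_like_jpeg(data):
    """Complete JPEG only: SOI marker first, EOI marker last, within the size cap."""
    return (4 < len(data) <= MAX_BYTES
            and data[:3] == b"\xff\xd8\xff"
            and data[-2:] == b"\xff\xd9")

def publish(data, dest_path):
    """Replace the served image atomically; keep the old one if the new data is bad."""
    if not looks_like_jpeg(data):
        return False
    directory = os.path.dirname(os.path.abspath(dest_path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, suffix=".part")
    try:
        with os.fdopen(fd, "wb") as handle:
            handle.write(data)
        os.replace(tmp_path, dest_path)  # readers see the old file or the new one
    finally:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
    return True

if __name__ == "__main__":
    # Hypothetical camera address, account and paths; substitute your own.
    image = fetch_snapshot("camera.internal.example", "ftpuser", "change-me", "current.jpg")
    print("published" if publish(image, r"C:\inetpub\wwwroot\camera\current.jpg") else "rejected")
```

Run it from a scheduled task on a machine that can reach the camera; only the web server's copy of the image is exposed to visitors.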
