Firmware bug in CCTV software may have given POS hackers a foothold

Surveillance cameras could provide hackers with a foothold into networks

A researcher with RSA says faulty firmware found in security cameras sold by at least 70 vendors may be a contributor to many of the credit card breaches that have proved costly to retailers.

Rotem Kerner based his research on a paper RSA published in December 2014 into a malware nicknamed Backoff, which steals payment card details processed by point-of-sale systems.

The U.S. Secret Service and Department of Homeland Security warned in August 2014 that upwards of 1,000 U.S. businesses may have been infected with Backoff.

The advisory came after a hard year in which many major retailers became victims of large payment card breaches, including Target, Neiman Marcus, Michaels and UPS Store.

Kerner looked at the technical data RSA had collected from computers that were infected with Backoff. Strangely, many were running small Web servers with open ports on 81, 82 and 8000.

The software, named "Cross Web Server," proved to be for CCTV DVR (digital video recorder) equipment, which is widely used by retailers for physical monitoring. But the server software was left running and open to the Internet, which is a potential security risk.

Shodan, a search engine for finding networked devices open to the Internet, turned up 30,000 machines running the same software, according to Kerner's writeup.

Kerner figured out the Web server software was made by a Chinese company called TVT. He downloaded a version of the firmware for the CCTV DVR devices from the company's website.

Probing the firmware, he found a weakness in the code that would allow him to get remote access to the device through a malicious URI.

The big security problem is that this kind of software shouldn't be accessible from the public Internet. The mere presence of camera software left open to the Internet can help attackers identify a particular network and figure out if one belongs to a retailer.

Access to the device itself could help in gaining entry to the broader network, which could eventually lead to payment processing systems.

"When the old fashion thieves used to physically break into stores, on their way to the cashier they had to try and avoid or neutralize any surveillance equipment," Kerner wrote. "The digital thieves are entering the store through them. Truly Hollywood material."

His investigation turned up at least 70 manufacturers that use the same firmware, which he listed in a writeup. Kerner tried but failed to reach officials at TVT to warn them of the vulnerability, so he decided to publicly disclose the problem.

TVT officials could not be immediately contacted via email on Thursday.

It's not uncommon for firmware -- which is low-level code -- to be licensed and used by many vendors for products such as routers, IP cameras and some consumer electronics.

But it's well-known that vendors are notoriously lax about creating patches. As Werner put it: it's hard to rely on a vendor's patch "to arrive at your doorstep." Adding to the complexity is that each vendor may use the firmware in many different models.

Werner's recommended defense for those running these types of cameras is to "deny any connection from an unknown IP address to the DVR services."

Join the CSO newsletter!

Error: Please check your email address.

More about RSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place