
Thread: Sudden and unexplained webcam traffic

  1. #1
    Just burned his ISO
    Join Date
    Mar 2008
    Posts
    13

    I don't know if this topic belongs here, you can flame me if it doesn't. Anyways, I have a question regarding webcams.
    About two weeks ago all the surveillance webcams in my university received traffic reaching over more than 20MB/s,
    which stayed that high for about a week. Now if that's not alarming enough, the same week we got port scans which led
    back to Korea. Does anybody have an idea what hackers could possibly send to a webcam that needs such a connection?

  2. #2
    Junior Member unix_r00ter's Avatar
    Join Date
    Feb 2007
    Posts
    64

    Do a quick search on Google using the webcam model number to see if there's an exploit.

  3. #3
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533

    Originally Posted by Adar Ree:
    I don't know if this topic belongs here, you can flame me if it doesn't. Anyways, I have a question regarding webcams.
    About two weeks ago all the surveillance webcams in my university received traffic reaching over more than 20MB/s,
    which stayed that high for about a week. Now if that's not alarming enough, the same week we got port scans which led
    back to Korea. Does anybody have an idea what hackers could possibly send to a webcam that needs such a connection?
    Every so often, someone in the media rehashes the Google "hacks" that allow access to the web-based consoles that control some video cameras. In fact, just recently another such news story was published. It could be likely that this was the case.

    My guess is that if a site allows console access to their webcams, someone will look for other such weaknesses through port scans and other enumeration techniques. In other words, the reasoning would be that if your site has one weakness it is likely to have others that could be exploited.
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  4. #4
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Originally Posted by Adar Ree:
    I don't know if this topic belongs here, you can flame me if it doesn't. Anyways, I have a question regarding webcams.
    About two weeks ago all the surveillance webcams in my university received traffic reaching over more than 20MB/s,
    which stayed that high for about a week. Now if that's not alarming enough, the same week we got port scans which led
    back to Korea. Does anybody have an idea what hackers could possibly send to a webcam that needs such a connection?
    If your webcams were not meant for public usage, then they should either be on their own VLAN, segregated from the internet, or be behind their own firewall, where only those that are meant to see them can see them. Mixing public and private devices on the same network is just asking for trouble.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  5. #5
    Just burned his ISO
    Join Date
    Mar 2008
    Posts
    13

    Originally Posted by theprez98:
    Every so often, someone in the media rehashes the Google "hacks" that allow access to the web-based consoles that control some video cameras. In fact, just recently another such news story was published. It could be likely that this was the case.

    My guess is that if a site allows console access to their webcams, someone will look for other such weaknesses through port scans and other enumeration techniques. In other words, the reasoning would be that if your site has one weakness it is likely to have others that could be exploited.
    And what if the webcams can't be accessed through a browser? You need special software installed on your computer to access the cameras. I don't know the exact model name, so I don't know if it allows both browser and software control, I'll go check that tomorrow.

  6. #6
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Originally Posted by Adar Ree:
    And what if the webcams can't be accessed through a browser? You need special software installed on your computer to access the cameras. I don't know the exact model name, so I don't know if it allows both browser and software control, I'll go check that tomorrow.
    Even if it isn't accessible through a WebBrowser, as long as it's on the network it's receiving commands via TCP traffic. If the cameras require no authentication to receive commands, then the traffic could be spoofed and made to appear to come from control software.

    As I said before, if these cameras were not meant to be viewed by the public, they should be segregated from the rest of the network. Proper network design should be implemented.

  7. #7
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Originally Posted by Adar Ree:
    I don't know if this topic belongs here, you can flame me if it doesn't. Anyways, I have a question regarding webcams.
    About two weeks ago all the surveillance webcams in my university received traffic reaching over more than 20MB/s,
    which stayed that high for about a week. Now if that's not alarming enough, the same week we got port scans which led
    back to Korea. Does anybody have an idea what hackers could possibly send to a webcam that needs such a connection?
    If it is "receiving" 20MB/s that's pretty messed up. My guesses would be:
    1) Someone is trying to do some kind of over-ride/spoof on the actual video feed.
    2) Someone (or some group) is trying to DoS the camera.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
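
A camera normally sends far more than it receives, so sustained inbound volume is the anomaly discussed in this thread. The following is an added example, not code from any poster: it checks exported flow records for cameras that are inbound-heavy or are reached by hosts outside an allow-list. All addresses, ports and records are constructed, and the camera and recorder addresses are assumptions.

```python
from collections import defaultdict

WINDOW_S = 60                            # seconds covered by the flow export
CAMERAS = {"10.20.0.11", "10.20.0.12"}   # hypothetical camera addresses
ALLOWED_PEERS = {"10.20.0.5"}            # hypothetical recorder/control host

# Constructed flow records: (src, dst, dst_port, bytes in window)
FLOWS = [
    ("10.20.0.11", "10.20.0.5", 554, 9_000_000),         # camera -> recorder video
    ("10.20.0.12", "10.20.0.5", 554, 8_500_000),
    ("10.20.0.5", "10.20.0.12", 80, 40_000),             # recorder -> camera control
    ("203.0.113.7", "10.20.0.11", 5900, 1_200_000_000),  # outside host -> camera
    ("198.51.100.9", "10.20.0.12", 5900, 3_000),         # outside host, low volume
]

def summarize(flows, cameras=CAMERAS, window_s=WINDOW_S):
    """Per camera: inbound/outbound byte rate and the set of inbound sources."""
    acc = defaultdict(lambda: {"in": 0, "out": 0, "sources": set()})
    for src, dst, port, nbytes in flows:
        if dst in cameras:
            acc[dst]["in"] += nbytes
            acc[dst]["sources"].add((src, port))
        if src in cameras:
            acc[src]["out"] += nbytes
    return {cam: {"in_rate": a["in"] / window_s,
                  "out_rate": a["out"] / window_s,
                  "sources": a["sources"]} for cam, a in acc.items()}

def findings(summary, allowed=ALLOWED_PEERS, max_in_rate=1_000_000):
    """Flag cameras that receive more than they send, or above a fixed ceiling,
    and any inbound source outside the allow-list."""
    out = []
    for cam, s in sorted(summary.items()):
        if s["in_rate"] > max_in_rate or s["in_rate"] > s["out_rate"]:
            out.append((cam, "inbound-heavy", f"{s['in_rate'] / 1e6:.1f} MB/s"))
        for src, port in sorted(s["sources"]):
            if src not in allowed:
                out.append((cam, "unexpected-source", f"{src} -> port {port}"))
    return out

if __name__ == "__main__":
    for finding in findings(summarize(FLOWS)):
        print(finding)
```

The low-volume outside connection to the second camera is still reported, because on a segregated camera network any source outside the allow-list is worth a look regardless of byte count.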

  8. #8
    Just burned his ISO
    Join Date
    Mar 2008
    Posts
    13

    Originally Posted by thorin:
    If it is "receiving" 20MB/s that's pretty messed up. My guesses would be:
    1) Someone is trying to do some kind of over-ride/spoof on the actual video feed.
    2) Someone (or some group) is trying to DoS the camera.
    (Sorry for the late response)

    These network cameras do not provide browser support. You need special software installed to use it.
    My guess is that it's probably malicious, and that somebody is trying to use them as some kind of backdoor.
    I don't know what Thorin means with override/spoof, but a scenario where hackers are trying to mask
    some kind of virus as video footage from those cameras so that it gets stored on the main server doesn't
    seem that far fetched (correct me if I'm wrong), especially because the scanned ports concerned VNC ones.

  9. #9
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    I meant perhaps someone is trying to replace the actual video feed with different video. Perhaps a previously attained loop (so that they can playback footage with no activity while they do something they should), perhaps some completely different video (to make you think your system is totally FUBAR), or perhaps they're trying to insert something into the live footage (like: http://news.bbc.co.uk/2/hi/europe/7171374.stm) into the live feed.

  10. #10
    Just burned his ISO
    Join Date
    Mar 2008
    Posts
    13

    Do you have any idea if there's something to read up on about this?
