Excellent article on The Register this morning, regarding a pentester who was asked to examine the security of a US-based municipal government. He spent some time scanning IP addresses used by the police department, and found that they connected directly into Linux devices mounted in police cruisers. Using little more than FTP and telnet commands, he was able to tap into a digital video recorder used to record and stream audio and video captured from a dash-cam. He could monitor the actions of the patrolling officer as the officer responded to calls.
The pentester published his account on Tuesday after having little success getting anyone at the Georgia based manufacturer, Utilty Inc, to respond to his findings. While audio and video can often provide police with crucial information about what’s happening during traffic stops, the devices can also make that intelligence available to unauthorized consumers. He was able not only to view the live feeds coming from the two separate cameras mounted on the cruiser, but also to control the hard drive of the DVR. Using default passwords that were hardcoded into the DVR’s FTP server and disclosed in support manuals, he was able to upload, download, and delete files that stored months’ worth of video feeds.
Allowing unauthorized people to view and alter video stored on cruisers could torpedo court cases that rely on the DVRs for evidence, and could also pose threats to active investigations, responses and the responder’s safety.