Penetration tester Kevin Finisterre has found all kinds of exploits and has been hired to hack all kinds of companies and peculiar devices. But after Finisterre was hired to pen test a city's infrastructure, he discovered just how easily he could compromise a police cruiser's computer gear. He tapped into a digital video recorder in a cop car and soon saw the live feed on his computer screen.
Cameras mounted on dashboards are meant to insure police accountability about any possible abuse of authority as well as to collect evidence. These dash-cams can provide situational awareness in real-time of perps and of officers for law enforcement back at the police station.
By the end of the hack, Finisterre accessed the DVR hard drive and could see with cams and hear through the microphones in the police cruiser. By using default passwords, he was able to upload, download and even delete video feed files which had be collected from cop cars. Those stored files from DVRs might be meant for evidence in court cases.
The research proves that many risks come along with tech designed to provide real-time "situational awareness" of what is happening with police during traffic stops. Finisterre pointed out that anyone with Internet connectivity could tap into that intelligence; civilians could secretly spy on cops.
I asked Kevin Finisterre, What would you most like people to take away from your research and discovery? Finisterre replied, "The biggest thing for people to take from this is that they need to make informed decisions. Understanding that your IT design choices have a large impact on things beyond the budget and bottomline can go a long way. The days of blindly trusting a vendor based on a handshake are gone. Due diligence is simply necessary."
Finisterre published his findings, Owning a Cop Car [PDF] on Digital Munition. The target was a "20xx Dodge Charger with Police Package, Safety Vision PatrolRecorder DVR/Camera, Verizon Business Cellular Internet connection, and Utility.com Rocket Mobile Communication Appliance." The "first bit of low hanging fruit" came from FTP and telnet commands which gave him "shocking" results of connecting to an audio/video device in the cop car. He used Google to search for the contents in the telnet banner and found the user manual "Safety Vision RouteRecorder 4C Police In-Car Camera" which came complete with a Telnet Commands section.
A little more testing showed the telnet research was a waste of time since the "FTP service had a default password that is located in the user manual." After a little more reading of the manual, they found "Video data is sent every frame. Audio data is buffered and sent five times a second, or every 200 milliseconds." Another search and they found "'Costar Video Player' software in the /CUSTOMER-FTP area on the American Bus Video website. With this player we were actually able to stream a real time GPS tagged live audio and video from the cruiser."
In an interview with The Register's Dan Goodin, Finisterre said, "We had very adequately proved the point that we could access the hard drive on the DVR unit and clearly see through the eyes of the camera and hear through the microphones in the car, which was more than enough to let them know that, hey, there are things we need to look at on their end to get this stuff cleaned up." He added, "If you're making use of a cellular connection to provide services for what you consider to be a closed operation, you need to make sure you're on a closed network. I don't know that everybody is aware that your services are wide open when you're making use of this Verizon service."
Digital Munition advised, "be diligent with your installed gear and with your chosen vendors." It is not wisdom for police to use advertised buzzwords to decide upon what equipment or services to purchase, since those solution providers may not deliver the security as promised. The tested DVR was marketed to police and to school buses, under many different names on many different websites. Although Utility.com was contacted by the team, they were told by vendor support services that their hack was "impossible" as if the Utility Rocket gateway device had no vulnerabilities.
In a statement to The Register, Utility CEO and cofounder Robert McKeeman said:
What the paper refers to is not a security breach of the Rocket. Our Rocket, like any router, whether manufactured by Cisco, Juniper Networks or any others, will do port forwarding if configured to do so. In contrast to what the paper says, our client has total control over the Rocket configuration. There is no internal bridging between the cellular and LAN interfaces. The ports listed were likely port forwarded to an unsecured DVR. While we agree the DVR should have been better secured, this does not represent a security vulnerability in the Rocket.
I highly recommend reading Digital Munition's Owning a Cop Car. Finisterre's research is as much about the risk to officers' safety as it is about the importance in "maintaining confidential data in a compartmentalized and fully vetted environment."