CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
September 20th, 2008

CCTV Firm Threatens The Researcher Who Found Vulnerable Products That Reveal Cam Images Without Authentication

A flaw discovered by security researcher Mike Stephens, affects The LookC 4×4 server and Pro IX server, which allows anyone to view static images from any camera connected to its servers. This product is installed in some primary and secondary schools. The flaw requires no authentication to exploit and vulnerable servers might be found via a simple Google search. Live streaming feeds could be obtained from vulnerable CCTV installation simply by repeatedly pressing refresh.

Stephens said he informed LookC about the flaw on 9 September and went public with the vulnerability on 12 September, via a security advisory on his website. He promoted the post on the Free PC Help Forums via Digg.

LookC issued a statement on Friday admitting there was an issue with older versions of its product line-up but disputing the timeline of events detailed by Stephens. According to LookC, a problem concerning the live image acquisition by unauthorised internet users was reported on 12 September 2008. They located the bug and currently in the process of sending out notices and fixes to the customers. This is the first such vulnerability to be found in the LookC CCTV server products and relates to older discontinued products. These products however are still fully supported by LookC Ltd.

According to LookC managing director Bob Golightly, the person who highlighted the vulnerability also saw fit to publicise the means of hacking the LookC servers on the internet and then to log on to other blogs to point other internet users and hackers to the article.

LookC Ltd have asked the police to look into the matter and the individual concerned. Mike pulled the posts, at least temporarily, after threats of police involvement.

Concerned users who are not registered and have not been issued with a fix automatically can contact LookC main switchboard 0191 229 5720 immediately for advice and support.

Credit: John Leyden, The Register

Share this item with others:

More on CyberInsecure:
  • Oracle Patches Critical Database Vulnerabilities
  • Microsoft Internet Explorer Script Injection Vulnerability
  • Malware Infected Spam Threatens To Suspend Internet Access
  • Unpatched 0-day PDF Flaw Harnessed To Launch Targeted Attacks
  • Zero-day Microsoft Windows NSlookup.exe Vulnerability Exploited In The Wild

    • Posted in Hardware, Privacy, Software, Vulnerabilities | Print This Post Print This Post

    This entry was posted on Saturday, September 20th, 2008 at 1:22 am and is filed under Hardware, Privacy, Software, Vulnerabilities. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

    If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: CCTV Firm Threatens The Researcher Who Found Vulnerable Products That Reveal Cam Images Without Authentication

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    *
    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.

    « «
    » »