Security

Real-life Watch Dogs: Hacking the city cameras that spy on you

LAS VEGAS — The wireless networks that cities use to link surveillance cameras are vulnerable to hacking, according to two security researchers who spoke at the Defcon hacker conference here.

Firetide-based mesh network camera

Above: Firetide mesh network camera

Image Credit: Firetide

Police rely on these surveillance cameras and public loudspeakers to keep watch on areas of cities where they can’t always send patrols. But the mesh network cameras that the security researchers investigated had little or no security, and they found that virtually anyone could access them, including hackers pulling pranks or criminals who can inject them with fake videos. It is one more example of how vulnerable the “Internet of things” is to hacking.

The hacking is like something out of the video game Watch Dogs, which could sell more than 10 million copies this year. In that game, a hacker uses his smartphone to take control of an entire city’s electronic infrastructure, including its video surveillance cameras. It’s also akin to the Ocean’s 11 film, where a gang of robbers inserts a fake video into a casino’s vault camera to hide their heist.

Dustin Hoffman, the president of tech-support firm Exigent Systems, and Thomas Kinsey, senior engineer at Exigent, said they were able to hack into a police wireless mesh network in a small town. A contractor, LeverageIS, had set up the network, and it that had put together similar systems in other cities.

“We could do all sorts of tomfoolery — hey, let’s have Godzilla walk down the street,” Hoffman said. “Or we could do the opposite and send police resources elsewhere.”

Mesh networks connect via Wi-Fi 802.11 technology, but each node in the network makes a connection to another node, rather than to a central network. A network can range over miles. They’re much less expensive than digging a trench and laying cable. They operate in the 2.4 GHz or 5 GHz unlicensed spectrum.

They’re installed by contractors like LeverageIS that aren’t necessarily known for their technical expertise. A typical network has Bosch cameras connected to a Firetide mesh network, which sends the data to a headquarters where the video is sent to a monitor and recorded on a digital video recorder.

Thomas Kinsey and Dustin Hoffman of Exigent Systems talking at Defcon

Above: Thomas Kinsey and Dustin Hoffman of Exigent Systems talking at Defcon

Image Credit: Dean Takahashi

Cities have been installing these systems with grants from the Department of Homeland Security. For some departments, this helps deal with budget cuts that reduce the number police on the street. They can set them up in parks, business areas, and other places with a lot of pedestrians. This means the cameras are like a “force multiplier” that enables one officer with a monitor to watch over many places at once. Such systems are pervasive throughout the United Kingdom, and they were used to help identify suspects in a subway bombing.

“The police can use it to monitor parks after hours,” Hoffman said. “They can use it for two-way audio.”

Kinsey said that he got the idea when he was goofing around at a public fountain with friends.

“I suddenly hear a voice saying, ‘This is the police. Please get off the fountain,'” Kinsey said. “The voice sound like he said it a thousand times before.”

Ocean's 11 scene with surveillance video cameras.

Above: Ocean’s 11 scene with surveillance video cameras.

Image Credit: Ocean's 11

Kinsey and Hoffman looked into the networks and reverse-engineered some systems. In their city, they mapped out 122 cameras and their precise locations.

They found that a lot of what they needed to hack a camera was freely available. The networks had almost no security, as the Wi-Fi signals were unencrypted (until three days before they gave the Defcon talk).

“They’re moving the ball forward to 1999,” Hoffman said.

The names of the equipment vendors were printed on the network boxes. That makes it easier to hack.

The network, based on Firetide technology (Firetide Mesh wireless mesh protocol), allowed each node to be named with one of 256 numbers, making each camera easy to identify. But the network is supposed to be dynamic. That introduces a vulnerability, as the hackers can introduce a new node that poses as a regular one, but can screw up the surveillance. Firetide is now owned by Unicom.

“We’re not knocking Firetide,” Kinsey said. “We’re putting the blame on the implementation vendor. It’s a botched implementation.”

The Wi-Fi networks are directional, so that the antennae only point in a certain direction. That may give some level of protection, but the researchers figured that out.

The new encryption system introduced three days ago uses the WEP protocol, which is pretty old and is easy to compromise.

There are many ways to mess with the network. Once you gain access to it, you could flood it with traffic. Kinsey and Hoffman said it is easy to tune in to live feeds from the various cameras, or inject their own video into the streams.

“This is easily tampered with,” Hoffman said.