Hacking Video Surveillance Systems
June 23rd, 2008 | by s3riph
How fun would it be to hack one of these puppies?
Introduction
Most of us have seen movies where the thief takes control of a video camera and shuts it down or switches it to a fake feed with his laptop. It’s not just fiction, and this article will show you how to do it.
By video surveillance systems I mean the routed digital cameras such as Axis Netcams. They are common and a lot easier to implement than an analog camera system with recording devices. They also have the added bonus of remote monitoring.
The first step in the process is obviously gaining access to the internal network of the business that the system is located on. This isn’t as hard as it might seem. It is trivial to break into a wireless network with a laptop. In many cases walking into the lobby of the building and finding an open network jack is good enough. If you want to be able to do the job after hours you could plug in a small Wi-Fi access point and label it “Tech Dept DO NOT REMOVE” (this depends on the size of the business). Once that is in place you can access the network anytime from the parking lot. While you’re in there, have a look at the cameras around and see what brand they are.
Prep Work
Now that you are able to access the network the fun begins. Go online, to Google Images for example, and type in the brand of camera. You will find pictures of the “web page” that the camera’s web daemon generates when viewed with a web browser, which is the primary method of controlling the cameras. Now use some basic HTML, or find example sources online, to create an identical page and stick in an embed tag pulling in some video of your choice (maybe one that looks like an office environment). You should end up with a page that could easily be mistaken for the camera’s control page. Host the page on some free hosting site or fire up Apache and host it from your laptop.
Breaking In
Fire up Cain & Abel(tm) or another DNS spoofing application that you prefer (if you are not familiar with DNS spoofing, Google up a tutorial first). Before starting the spoof, run a scan of the IP range and find the cameras’ MAC addresses (the cameras should show up with their brand name when you perform the scan). You also need to find the router. You can locate the router with a traceroute to one of the cameras’ IPs. Now begin ARP poisoning (man-in-the-middle) between the cameras and the router and, if you want to, all the IPs in the range. Next fire up the DNS spoofing, setting the address for all the cameras to resolve to the fake page you set up on either your IP or on a remote server (free hosting etc.). Now you can test whether it works by opening a browser and trying to go to the IP of one of the cameras. If it worked you should see the fake camera page. Have fun.
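Seen from the defending side, the ARP poisoning step above leaves a trace: the router's IP and the cameras' IPs suddenly answer from one new MAC address. The following is an added example, not part of the original article, that flags this pattern in a log of ARP replies; the input format, function names and all addresses are constructed for illustration, and the first MAC seen for an IP is assumed to be the legitimate one.

```python
from collections import defaultdict

# Constructed sample: "<seconds> <ip> <mac>" ARP replies seen on the camera VLAN.
# MACs use the documentation range 00:00:5e:00:53:xx; nothing here is real data.
SAMPLE = """\
0 192.168.10.1 00:00:5e:00:53:01
0 192.168.10.21 00:00:5e:00:53:21
0 192.168.10.22 00:00:5e:00:53:22
30 192.168.10.1 00:00:5e:00:53:01
42 192.168.10.1 00:00:5e:00:53:aa
43 192.168.10.21 00:00:5e:00:53:aa
44 192.168.10.22 00:00:5e:00:53:aa
60 192.168.10.1 00:00:5e:00:53:01
61 192.168.10.1 00:00:5e:00:53:aa
"""

def parse(text):
    """Yield (time, ip, mac) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        yield int(parts[0]), parts[1], parts[2].lower()

def detect_arp_poisoning(observations, gateway_ip):
    """Return (alerts, suspects): IP->MAC rebinds, and MACs claiming several IPs."""
    first_mac = {}                 # ip -> first MAC seen (assumed baseline)
    ips_by_mac = defaultdict(set)  # mac -> every IP it has answered for
    alerts, flagged = [], set()
    for ts, ip, mac in observations:
        ips_by_mac[mac].add(ip)
        baseline = first_mac.setdefault(ip, mac)
        if mac != baseline and (ip, mac) not in flagged:
            flagged.add((ip, mac))  # report each rebind once, not every flip-flop
            kind = "gateway-rebind" if ip == gateway_ip else "host-rebind"
            alerts.append((ts, kind, ip, baseline, mac))
    suspects = {m: sorted(ips) for m, ips in ips_by_mac.items() if len(ips) > 1}
    return alerts, suspects

if __name__ == "__main__":
    alerts, suspects = detect_arp_poisoning(parse(SAMPLE), "192.168.10.1")
    for alert in alerts:
        print(alert)
    print(suspects)
```

A replaced camera or router will also trigger a rebind alert, so the baseline has to be refreshed after legitimate hardware changes.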
Author's Disclaimer: I take no responsibility for any use of the techniques described below and do not in any way encourage criminal use of this material.









