By Jim Finkle
BOSTON, June 17 - A U.S. security expert says he
has identified ways to remotely attack high-end surveillance
cameras used by industrial plants, prisons, banks and the
military, something that potentially would allow hackers to spy
on facilities or gain access to sensitive computer networks.
Craig Heffner, a former software developer with the National
Security Administration who now works for a private security
firm, said he discovered the previously unreported bugs in
digital video surveillance equipment from firms including Cisco
Systems Inc, D-Link Corp and TRENDnet.
"It's a significant threat," he said in an interview.
"Somebody could potentially access a camera and view it. Or they
could also use it as a pivot point, an initial foothold, to get
into the network and start attacking internal systems."
He plans to demonstrate techniques for exploiting these bugs
at the Black Hat hacking conference, which starts July 31 in Las
Vegas.
Heffner, who now works as a vulnerability researcher with a
firm known as Tactical Network Solutions in Columbia, Maryland,
said that he has discovered hundreds of thousands of
surveillance cameras that can be accessed via the public
Internet.
He said he has figured out a real-life version of the
familiar "Hollywood-style" attack that has become a fixture in
action films. He can freeze a picture on a surveillance camera
to help thieves break into facilities without detection.
Heffner said that he has not discussed his research with the
camera makers and does not plan to do so ahead of his
presentation at the hacking conference.
Cisco, D-Link and TRENDnet said they would take any
appropriate action that might be needed to secure their
equipment after the Black Hat presentation.
Heffner's presentation is one of more than 100 talks at the
annual gathering, which is expected to attract some 6,500
security professionals who will learn about the growing threat
that hackers pose to businesses, consumers and national
security.
Other talks will explore threats to Microsoft
Windows and Apple systems, mobile phone networks,
medical devices and systems that control industrial plants.
All research presented at the conference is vetted by a
review board of 22 security experts.