mike Posted September 12, 2008

Schools' CCTV cameras are viewable by the general public! - So it seems.

My intention with this article is simply to make the general public aware of a security risk in the LookC products; by no means should this be used in an unethical way. LookC have been informed of this security issue (before this article was published) and it has been brought to the attention of their “software team who are working on the software in order to fix this ASAP”.

The Story:

I have recently found a serious vulnerability in a CCTV (LookC.co.uk) server, which appears to be spread across their main two product ranges: the LookC 4x4 server and LookC Pro IX server.

After a phone call to LookC on the morning of Tuesday 9th September 2008, explaining my findings and the security issues involved, I was greatly disappointed when I was told “just email me with what you have”. They came across as if they couldn’t be bothered with me – and this wasn’t the only time. When I tried to highlight the issue to the directors, LookC were not particularly interested. However their poor customer service is not the issue in hand after all! - After emailing them on the Tuesday, I received no response from them at all. I decided to give them a few days in order to 1) reply back to me and 2) address and fix the problem. It was not until Friday 12th September, when I emailed them yet again requesting information, that I finally received an email with the following contents:

“Hi Mike
Just to clarify our situation.. we are fixing this security issue and testing for others once the new build of software has been tested it will be released. This will be done ASAP
Cheers
Peter”

Anyway, back to the issue at hand. The vulnerability allows any unauthorized user to connect to a “secure” LookC server (ones stated above) and view live static images from any camera connected to the server. This can easily be made an almost streaming live video by refreshing the page every second. After searching on Google for 2 minutes I managed to find 20+ LookC servers, of which every single one had this vulnerability. I was horrified to find that many of the servers that LookC has installed are in Primary and Secondary schools, not to mention a company called “Boddingtons LTD” – It certainly looks how it sounds.

The Vulnerability:

The vulnerability is so simple, I bet LookC kicked themselves when they found out they missed something as obvious as this.

Find a LookC server. This can be accomplished very easily by typing either of the following into Google.com: “LookC 4x4” or “LookC Pro IX”. In this example, we will use a made up server with the IP address of 123.456.789.10

Using your web browser, navigate to this address.

http://123.456.789.10/

Simply by adding the following after the last slash, we can open a backdoor and view a static image of the requested camera. Note the two queries in the URL.. "&card" and "&camera". As it would suggest, "&card" is which card in the server we are accessing, and "&camera" is the CCTV camera we are accessing. There are 4 cameras to each card, so once we have reached camera 4 we would change the card value to “2” and the camera value back to “1”.. This would display the 5th camera on the server.

media/getimage_sid.php?card=1&camera=1

The URL should read,

http://123.456.789.10/media/getimage_sid.php?card=1&camera=1

If you hit Refresh on your browser you can easily produce an almost streaming image of the CCTV Camera.

At the time of writing this article the vulnerability has not been fixed and I will provide any updates as and when I hear of them – unlikely they will be from LookC however! – On a final note, I cannot and will not be held responsible for anyone’s actions. I am simply informing the general public of this issue with the hope that LookC will take the issue seriously and fix it in the coming day(s).
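For anyone running one of these servers: because the image URL described in the post answers without a login, the web server's access log is where unauthenticated viewing would show up. The following is an added example, not part of mike's post and not LookC code; it assumes Apache combined log format, uses constructed sample lines, and its thresholds are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

CAMERAS_PER_CARD = 4  # from the post: four cameras per card
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')

def camera_number(card, camera):  # card 2, camera 1 -> 5th camera on the server
    return (card - 1) * CAMERAS_PER_CARD + camera

def parse_line(line):
    # Return (ip, time, camera index) for a served image request, else None.
    m = LOG_RE.match(line)
    if not m or m.group(4) != "200":
        return None
    url = urlsplit(m.group(3))
    if not url.path.endswith("/media/getimage_sid.php"):
        return None
    try:
        q = parse_qs(url.query)
        cam = camera_number(int(q["card"][0]), int(q["camera"][0]))
    except (KeyError, ValueError):
        return None
    return m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"), cam

def suspicious_clients(lines, min_cameras=3, min_polls=5, max_gap=2.0):
    # Flag IPs that sweep several cameras or refresh about once a second.
    seen = defaultdict(list)
    for ip, when, cam in filter(None, map(parse_line, lines)):
        seen[ip].append((when, cam))
    report = {}
    for ip, hits in seen.items():
        hits.sort()
        fast = sum((b[0] - a[0]).total_seconds() <= max_gap for a, b in zip(hits, hits[1:]))
        cams = sorted({cam for _, cam in hits})
        reasons = (["camera sweep"] if len(cams) >= min_cameras else []) + \
                  (["rapid refresh"] if fast + 1 >= min_polls else [])
        if reasons:
            report[ip] = {"cameras": cams, "reasons": reasons}
    return report

def _line(ip, sec, card, cam):  # builds one constructed combined-format log line
    return (f'{ip} - - [12/Sep/2008:10:00:{sec:02d} +0100] "GET /media/getimage_sid.php'
            f'?card={card}&camera={cam} HTTP/1.1" 200 20480 "-" "Mozilla/4.0"')
# Constructed sample (documentation IP ranges), not taken from a real server.
SAMPLE = ([_line("203.0.113.7", 10 * i, 1 + i // 4, 1 + i % 4) for i in range(5)]
          + [_line("198.51.100.9", s, 1, 2) for s in range(6)]
          + [_line("192.0.2.4", 30, 1, 1)])
```

Calling `suspicious_clients(SAMPLE)` flags the client that walks cameras 1 to 5 and the one that re-requests a single camera every second, and leaves the single request alone.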
Guest Wolfeymole Posted September 12, 2008

This is outrageous. I hope that LookC get back to you with more information; in the meantime it appears that they are not concerned about any individual's security with their blasé manner. The news is rife with regard to incidents involving schools and it seems to me that certain criteria need to be brought to bear here: one, is that a school needs to know what kind of security advisory service it is employing and two, government legislation needs to be put in place so that security contractors can be trusted.
Dalo Harkin Posted September 18, 2008

just one word - ''Shocking'' :eek: