Security Insecurity

By Curt Priest

Connectivity and Security are always two opposites

• Internet accessible devices hard to secure– Computers– Ip cameras– Complete security systems (dashboards)

• Open transmission systems– Wireless access points– Radio / television communications– Network connections

• Easier to secure– Closed circuit television– Twisted pair telecom– Secured intranet (no outside connection to internet)

Vulnerability is the intersection of three elements

• System susceptibility or flaw• Attacker access to the flaw• Attacker capability to exploit the flaw

http://en.wikipedia.org/wiki/Vulnerability_(computing)

Onity Security Systems

• Manufacturer of door security lock systems for government buildings and major hotel chains.

• About 4 to 5 million Onity locks are installed on hotel room doors around the world.

• A service port allows a technician to power a dead lock and use a master code to unlock.

Onity’s flawed Security lock

Cody Brocious demonstrating his unlocking tool on an Onity lock in a New York City hotel.

http://www.forbes.com/sites/andygreenberg/2012/07/23/hacker-will-expose-potential-security-flaw-in-more-than-four-million-hotel-room-keycard-locks/

“According to Brocious, who should be scolded for not disclosing the hack to Onity before going public, there is no easy fix: There isn’t a firmware upgrade — if hotels want to secure their guests, every single lock will have to be changed.”

Trendnet Security Cams

• Manufacturer of security cameras for home and business use.

• Security flaw found in camera firmware• Company issued firmware update• Discontinued products not able to be updated• Many people do not register products (not

aware of problem)

Security flaw allows unauthorized access to security system

• Access to CGI (common gateway interface) folder at ROOT.• Access to camera video by simply adding cgi request with the IP address.• IP location can be found using whatismyipaddress.com/ip-lookup

Security systems are not always secure.

• Questions?