By Ryan Singel
If you've seen a Hollywood caper movie in the last 20 years you know the
old video-camera-spoofing trick. That's where the criminal mastermind
taps into a surveillance camera system and substitutes his own video
stream, leaving hapless security guards watching an endless loop of
absolutely-nothing-happening while the bank robber empties the vault.
Now white-hat hackers have demonstrated a technique that neatly
replicates that old standby.
Amir Azam and Adrian Pastor, researchers at London-based security firm
ProCheckUp , discovered that they can redirect what video file is
played back by an AXIS 2100 surveillance camera, a common industrial
security camera that boasts a web interface, allowing guards to monitor
a building from anywhere in the world.
Internet voyeurs have already discovered how to use search engines to
find and view  video of surveillance cameras that are ostensibly
private, but this attack seems to be the first that actually lets an
outsider control a camera's playback.
This hack (.pdf)  works by combining a few vulnerabilities in how the
camera's accompanying software accepts input -- a type of security hole
known as cross site scripting, or XSS.
In this case, the attacker first sends some malformed information --
writes that information to the log files. When the camera's
user account and e-mailing the attacker that the new account has been
>From there the attacker can simply change the HTML on the camera viewing
page to secretly point the playback screen to another video file -- one
that can even be hosted on another web site.
The snag in this scenario is getting the person who administers the
camera to check the log files, but Azam and Pastor suggest that could be
done by first targeting the camera with a flood of traffic to briefly
impede its service. The camera's administrator would then likely check
the logs to look for error codes, thus inadvertently triggering the
The sophisticated switcheroo can be seen in this video , where an
Axis 2100 camera's playback is replaced by a small spinning globe (you
must watch closely to see the change).
Web-enabled cameras, such as those sold by Axis, are increasingly
popular for security applications since they can be accessed by the
administrator from any internet connection, which distinguishes them
from more traditional, analog cameras which operate on their own wires
and have fewer features.
The AXIS 2100 is an older model that is no longer supported by the
maker. But Azam and Pastor say the vulnerability points to the kind of
flaws that can show up on any device attached to a computer network, and
that holes in older software may find their way into newer software
since companies routinely reuse code.
A spokesperson for Axis  was not immediately available for comment.
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com