Forgot your password?
typodupeerror
The Internet The Almighty Buck News

Thieves Hacking Security Cameras? 181

Posted by samzenpus
from the steal-from-home dept.
The FBI is investigating fifteen store robberies in eleven states, committed via phone and internet. The perpetrators hack the store's security system so they can observe their victims. They then make customers take their clothes off and get the store to wire money. From the article, "A telephone caller making a bomb threat to a Hutchinson, Kan., grocery store kept more than 100 people hostage, demanding they disrobe and that the store wire money to his bank account. ... officials were investigating whether the caller was out of state and may have hacked into the store's security system. "If they can access the Internet, they can get to anything," Hutchinson Police Chief Dick Heitschmidt said. "Anyone in the whole world could have access, if that's what really happened.""
This discussion has been archived. No new comments can be posted.

Thieves Hacking Security Cameras?

Comments Filter:
  • Dumber than dumb (Score:5, Insightful)

    by BobTheLawyer (692026) on Thursday August 30, 2007 @08:06AM (#20409759)
    Has there ever been a more stupid quote than:

    "If they can access the Internet, they can get to anything," Hutchinson Police Chief Dick Heitschmidt said. "Anyone in the whole world could have access, if that's what really happened."
    • Re: (Score:3, Insightful)

      by Anonymous Coward
      Not TOO far from the truth. Often the security cameras are accessible to anyone with a browser and without password protection or with a password that's ridiculously easy to guess.
    • by bcmm (768152)
      We need to get that on T-shirts. Black T-shirts. Just to scare non-techs.
    • Re:Dumber than dumb (Score:5, Interesting)

      by KudyardRipling (1063612) on Thursday August 30, 2007 @08:36AM (#20409961)
      This is called a JURY POOL TAINTING STATEMENT. It is designed to predispose those eligible for jury service in the jurisdictions involved to convict by using the element of fear and terror. Whenever a statement made by law enforcement officials about an alleged criminal act is broadcast, it should be quoted in the voir dire process to screen out the rubberstampers. These are defined as those who (are carefully instructed to) worry about wives, kids, homes, SUV's entertainment systems, 401k's vacations, etc. Since the media as an institution is presumed diligent in publishing such statements, there is a presumption of contamination on the part of the jury pool. That is why one of the boilerplate questions asked by the parties in court deals with this issue of media contaminating his/her worldview or view of the defendant.

      Those who have a place in the system have no place in a jury.
      • by Applekid (993327)

        Whenever a statement made by law enforcement officials about an alleged criminal act is broadcast, it should be quoted in the voir dire process to screen out the rubberstampers.

        Even if LE watched their tongues, the media would fill in the gaps for them. They bury an "allegedly" in the text and now it's free reign to spout whatever they want, really.

        "Innocent until proven guilty" has long been gone from the mob vigilante justice world of public opinion. God help you if you're ever accused of anything.

    • by IBBoard (1128019)
      Exactly what I thought. It's complete scare-mongering if you take it as it is written. It either reads as "if hackers can access the Internet then they can get to anything" which is scare-mongering over what hackers can do, or "if these cameras have a link to the Internet then the cameras can get to anything", which is complete garbage.

      What he really means is that "if the cameras have a an insecure link to the Internet then people can exploit them, just like how if a house has an insecure link to the street
    • by LarsWestergren (9033) on Thursday August 30, 2007 @08:53AM (#20410117) Homepage Journal
      Has there ever been a more stupid quote than:
      "If they can access the Internet, they can get to anything," Hutchinson Police Chief Dick Heitschmidt said. "Anyone in the whole world could have access, if that's what really happened."


      Yes. I think "No, it's not loaded! Here, I'll prove it to you!" beats it.
      • Re: (Score:3, Informative)

        by adona1 (1078711)

        "No, it's not loaded! Here, I'll prove it to you!"


        If only we could get Police Chief Dick Heitschmidt to say that as well ;)
    • by WhatAmIDoingHere (742870) * <sexwithanimals@gmail.com> on Thursday August 30, 2007 @08:55AM (#20410151) Homepage
      "hackers on steroids"
      "internet hate machine"
      Wait until these stores get dogs and curtains, than we'll be REALLY fucked.
    • by DrVomact (726065)

      If they can access the Internet, they can get to anything

      Great Caesar's ghost! I'm Superman!

  • by EveryNickIsTaken (1054794) on Thursday August 30, 2007 @08:10AM (#20409777)
    I'm sure Jack Thompson will blame this on BioShock.
  • by TheLink (130905) on Thursday August 30, 2007 @08:13AM (#20409799) Journal
    Can't they follow the money trail from there?

    Strange.
    • by morgan_greywolf (835522) on Thursday August 30, 2007 @08:24AM (#20409877) Homepage Journal
      That depends on what country the bank account is in. In some countries, bank accounts can't necessarily be tracked back to the owner, they are secured only by a really, really fscking long account number.
  • by threaded (89367) on Thursday August 30, 2007 @08:14AM (#20409807) Homepage
    Why don't these stores copyright their video feed and then let loose the RIAA on the perps. That'll stop 'em!
    • Re: (Score:3, Funny)

      by djones101 (1021277)
      That would be the MPAA. RIAA would be if the store's music that is constantly interrupted by screaming cashiers showed up on the Internet.
  • by 140Mandak262Jamuna (970587) on Thursday August 30, 2007 @08:14AM (#20409815) Journal
    He did not record the security camera footage and upload it to You Tube? Dumb idiot. This is what dumbing down of America has done to the respectable profession of robbery.
  • CCTV (Score:5, Interesting)

    by Recovering Hater (833107) on Thursday August 30, 2007 @08:18AM (#20409833)
    Why are the security cameras on anything other than a closed circuit? It makes no sense for their cameras to be connected to the internet.
    • Re:CCTV (Score:5, Funny)

      by MyLongNickName (822545) on Thursday August 30, 2007 @08:28AM (#20409895) Journal
      How else do you outsource your security work to India?
      • That works as long as you don't have a real incident. The response time for the teams to arrive are awefully long, and now they started to charge by the mile.
    • Re:CCTV (Score:5, Interesting)

      by Skapare (16644) on Thursday August 30, 2007 @08:28AM (#20409899) Homepage

      Why are the security cameras on anything other than a closed circuit? It makes no sense for their cameras to be connected to the internet.

      Many companies are cutting back on security staff by eliminating in-store people that watch the TV screens. The stores still have some roving security people, but the TV screen watching is now more automated, more centralized, and in some cases even pushed out to homes where people with broadband can be paid even less than the in-store people to sit and watch a bunch of TV camera images for hours, looking for suspect people.

      It might be interesting if someone developed a way to fool those systems into thinking someone is watching (frequently clicking to see the next camera).

    • Re:CCTV (Score:5, Interesting)

      by Egonis (155154) on Thursday August 30, 2007 @08:29AM (#20409905)
      I run a security consulting business, and one of the things we do is CCTV Camera Systems.

      Most of our clients are hell-bent on having internet access so that they can remotely view and control their cameras, card access systems, and PA systems.

      Although it is possible to hack these systems, it is a remote chance if configured properly like anything else.

      My guess is that these incidents are with default usernames and passwords on the DVR and other equipment.

      However, my question is: how did they find the IP of a target store?
      It's one thing to want to rob a store, but it's another to know this type of sensitive information.
      And in many cases, even large stores are using DSL or Cable where they get a dynamic IP.

      Sounds like an inside job to me.
      • It's easy - most of the cameras have a default control page. You just Google for that keyword and it' will often return lots of hits of cameras with webservers that are exposed to the internet- say that $CAMERAMAKER has a default webpage of http://camerasite/view?control=mode-on [camerasite]

        Just google for the keyword control=mode-on and you will get tons of hits for that camera from all over the page.
      • However, my question is: how did they find the IP of a target store?

        In the olden days of modem-connected monitoring equipment, we called it "war dialing". What do the kids call it now, "war surfing"? Start at 0.0.0.0 and increment through FF.FF.FF.FF, excluding local nets if you like, and see if anything responds like a "Brand X" security camera.

        But if they did that, how would they have determined the actual store location to get a phone number? Perhaps instead of an inside job, it was a bluff, and th

        • by Altus (1034)

          Well websites often figure out what town I am in based on my IP address. If you knew that and you knew it was, say, a 7-11 based on the promo materials visible, you could just call around to all the 7-11s in that town (one, maybe two) until you see the clerk on the camera answer your call. Then your in business.

          Even if you didn't know it was a 7-11 a Google search of continence stores would provide a fairly short list.
      • However, my question is: how did they find the IP of a target store? It's one thing to want to rob a store, but it's another to know this type of sensitive information.

        IPs are about as sensitive as a street address. Send an email to the store's staff about any stupid thing that would warrant a reply, get an IP back in the headers. Or just give them a web link to click, or an email that takes advantage of crappy Outlook and auto-loads something from your own webspace, and wait for the hit. Either way, you end up with a nice IP range to scan out in exchange for minimal effort.

      • Wireless (Score:5, Interesting)

        by Anonymous Coward on Thursday August 30, 2007 @09:10AM (#20410309)

        However, my question is: how did they find the IP of a target store?
        It's one thing to want to rob a store, but it's another to know this type of sensitive information.


        In my WarDriving travels, I've come apon many SSID-hidden wireless networks around stores. Sometimes they aren't even encrypted. My recent curiosity with these nets reveals a few wifi networked cameras in some locations, and sometimes if you log into these networks, you can find a nat. From there it's simply accessing a site that gives you a IP.

        But why bother when you already have access to there cameras via a unsecured access point?

        Anonymous for obvious reasons.
      • Re: (Score:3, Insightful)

        by Lumpy (12016)
        Although it is possible to hack these systems, it is a remote chance if configured properly like anything else.

        They rarely are. as a Technology specialist company that also does cameras, we find that 9 times out fo ten the default passwords are set for the administration access of the DVR and even the IP cameras.

        Out of the last 35 jobsites over 30 of them still had defaults set that would allow access in one way or another. Yes these were installed by "professional companies". some of them had adminis
      • Re: (Score:2, Informative)

        According to current reports, the claim that the cameras were compromised was withdrawn.
        • Re:CCTV (Score:4, Informative)

          by Fox_1 (128616) on Thursday August 30, 2007 @11:44AM (#20412191)
          Mod Parent up - this was actually withdrawn yesterday - the cops spread at little FUD with their Internet Hackers working the Security Camera Comments - but now they have backed off on this statement, particularly since the Hutchinson Incident was caused by locals who have been taken into custody.
          see here [kansas.com]
          Oh and no bombs have ever been found, there are a lot of embarrassed people out there who have really overreacted to these 'menacing & scary' phone calls.
          • by StikyPad (445176)
            On the other hand, if they *had* found a bomb...

            Does it really make sense to risk the lives of tens or hundreds of customers just to call a bluff? I would draw the line at violence against another person (or myself for that matter), but ten grand of corporate funds? Who cares? "Here's the money, have a nice day," then call the cops when it's over. It's nothing to be embarrassed about; they did the right thing.
      • FTA:

        FBI spokesman Rich Kolko said the threat appears to be related to a plot in recent days focusing on banks and stores in places like Detroit, Phoenix, Salt Lake City, Philadelphia and Newport, R.I.

        It sounds like they are randomly finding these cameras all over the place. They aren't hitting just one chain or anything like that. It's different types of businesses in completely different cities.

        I think it's highly unlikely that they have an inside connection in 11+ states spread across the US. It'
    • by G4from128k (686170) on Thursday August 30, 2007 @08:30AM (#20409907)
      It's a valid question. Companies put security cameras on the internet to enable remote recording and control. It lets the central office or outsourced security firm handle all the digital video and dispatch police/fire services from a cost-efficient central location. If you owned 100 convenience stores in 10 states, where would you put the security office and how would you link them?

      Rather than build a dedicated hardwired telecom network, companies are using the internet to connect everything together (security systems, financial systems, medical records, industrial control, etc.) As we can see from this example, they think they've created their own virtual network (of some degree of privacy), but in practice, the system is extremely vulnerable. I'd bet that more than a few internet-connected security cameras run with factory-default passwords.
      • I'd bet that more than a few internet-connected security cameras run with factory-default passwords.

        And even if they change it, there's still the "Joshua" back door.

    • Why are the security cameras on anything other than a closed circuit? It makes no sense for their cameras to be connected to the internet.

      I don't know that they actually are interwebbed, but if they were, it would be to save money over having a dedicated line for every store. The Dillons stores are owned by Kroger now, so home office is hundreds of miles away.

    • Re:CCTV (Score:5, Interesting)

      by canUbeleiveIT (787307) on Thursday August 30, 2007 @08:36AM (#20409959)
      Last year we put a security camera system into a auto recycling yard using IP cameras. They had been suffering a rash of after-hours breakins to steal the platinum that is in old catalytic converters. The system recorded to a DVR, but also was hooked to motion sensors that, when activated, would call the manager's cell phone, as well as start pitching still shots across the internet to a remote ftp server.

      Two weeks after installation, the thieves broke in. When they saw the cameras and the DVR, they set fire to the place to destroy the evidence, but the still photos were enough to identify and convict them. They haven't had a problem since.
    • Re:CCTV (Score:4, Informative)

      by ptbarnett (159784) on Thursday August 30, 2007 @08:56AM (#20410169)
      Why are the security cameras on anything other than a closed circuit? It makes no sense for their cameras to be connected to the internet.

      Read further in TFA:

      Initially, the caller led employees to believe he was observing them.

      "After a while, it sounded like he was just taking a shot in the dark at what they might be doing, or what they looked like or how they were reacting to his call," Prescott police Lt. Ken Morley said.

    • by Joebert (946227)
      The cameras in the Subway (sandwich stores) my brother worked at years ago are wired to the internet.
      Knowing that his boss could see what he was doing at any given moment, my brother didn't slack off much at that store.
  • by clovis (4684) * on Thursday August 30, 2007 @08:29AM (#20409903)
    My wife came in a found me sitting on the floor in my underwear. I had only skimmed the slashdot article and thought that it was a disrobe-or-get-bombed threat against me. It seems that the Slashdot is only _reporting_ a bomb threat and isn't actually going to blow us up.
    Also, would CowboyNeal please send back my $3,000?
  • This could be one of the first, and certainly not the last, case of people using security devices against the people whom they were designed to protect.

    How are those net-enabled security cameras working out for you?
  • by rs232 (849320) on Thursday August 30, 2007 @08:32AM (#20409927)
    "officials were investigating whether the caller was out of state and may have hacked [kpho.com] into the store's security system"

    "If they can access the Internet, they can get to anything"

    "Anyone in the whole world could have access, if that's what really happened"

    What kind of idiot would connect the security system to the Internet so that 'they' could get to anything. Didn't they put it on a private VPN or use a password even?

    "The FBI was looking into whether the calls to the banks and stores were being placed from overseas"

    I thought DCSNet [slashdot.org] was designed to provide instant access to such information. Provides absolutly no evidence of any such hacking. Sounds to me like a low level extortion plot apart from the mention of the (scary) Internet and hackers (even more scary). Since when do sophisticated thieves use Western Union and wire themselves $3,000 with a $150 service charge. Who paid the charge I wonder.

    We get bomb threats here all the time, so don't take any notice ...
    • Since when do sophisticated thieves use Western Union and wire themselves $3,000 with a $150 service charge.

      That practice is old, tried and proven. It's been used by banking trojan users for at the very least two years now. You have a trojan'd computer, hire gullible people to provide their accounts, use the trojan to transfer money to the account, the account holder then uses WU to send you the money.

      Easy, anonymous and hard to track. Works like a dream.
    • by zakezuke (229119)

      What kind of idiot would connect the security system to the Internet so that 'they' could get to anything. Didn't they put it on a private VPN or use a password even?
      Your average ordinary idiot. People don't understand when they connect that wire... they are connected to "planet earth". They really don't. Even Axis cameras don't come with a default robot.txt on their cameras.
  • by Speare (84249) on Thursday August 30, 2007 @08:47AM (#20410041) Homepage Journal

    There are many store monitor camera systems that are installed with poor defaults and wide open access. Several makers' web interfaces have easy formulaic URLs to select different store views, and these commonly can be searched with plain old web search engines. This was a fun thing to do a few years back, with whole sites dedicated to lists of web cams that were likely not intended for global viewership. Without any real evidence that the web cameras were "hacked" I think it's a big stretch to assume any skill was involved here.

  • by Ukab the Great (87152) on Thursday August 30, 2007 @08:51AM (#20410091)
    I'm sure that in some states, 100 naked people in a store legally counts as an orgy.
    • I'm sure that in some states, 100 naked people in a store legally counts as an orgy.
      And in Texas, possessing more than three dildos gets you arrested for "intent to distribute." Bill O'Reilly had better watch his ass in Texas.
  • In other news... (Score:4, Informative)

    by dark-br (473115) on Thursday August 30, 2007 @09:10AM (#20410307) Homepage
    People are stupid. Google for: inurl:"ViewerFrame?Mode="

    And have fun...

    • Sweet, I now get the public plaza channel and the auto shop channel!
    • Report to your nearest police office and turn yourself in for publishing hacking tools.
    • I like the remote control cameras. I once played with googling for them and finding unsecured control webapps. One time I kept scanning a camera around but it would start to move back. I was wondering if the owner was trying to keep it from moving ("This thing has a mind of its own!") or if other people had found it and were also screwing around.
  • I usually have Security Expert I & II equipped, so I have significantly less alarm and overload tiles. Every camera I see I take a few pictures of because then I can see the 'weaknesses' of the camera.

    Of course when I have positioned myself directly under the camera I can't see me anymore and if it hangs too high I can just jump up and finish my hack in mid air.

    Unfortunatly, the guards are a bitch. For them it always seems to be "bring your daugther to work day".

    Other then that, hacking cameras is a
  • The commentary makes no sense at all. A bunch of disconnected factoids, that may or may not be true. I would need to hear a more convincing means, opportunity and motive before I swallowed a word of it.
  • Well, not the crime part but the poking around with cameras. :) I was taking a computer class and one of the guys there mentioned this. I hit the google and had a string of candidates to look at within seconds. After about five minutes of searching, I found an unsecured and controllable camera. Its purpose was to monitor the construction of a new building at a California college. However, the camera had such a range of motion that I could easily turn it to observe the intersection across from it.

    If any of y
  • It should be legal to appear naked in public places if one has been ordered to do so over the Internet. That way, naked customers can exit hacked stores without fear of prosecution.
  • One of the things that "The Laughing Man" did in the GITS TV series was that he could hack video feeds in near-real-time. On one occasion he ghost-hacked someone's cybernetic eyes and became effectively invisible. More commonly, he would simultaneously hack all of the security cameras in a public place and overlay this funny "animated gif" over the top of his head to conceal his identity.

    Nobody could figure out who he was because nobody had ever actually "seen" him.

    Many video cameras now transmit mjpeg or
  • by Master of Transhuman (597628) on Thursday August 30, 2007 @02:06PM (#20414289) Homepage
    Yeah, wire me the money - I'll get it someday when the police aren't looking...

    This was a hoax, a prank. Somebody was just having fun jerking people around.

    And see how easy it was. Anybody remember the Chinese Fire Drill in the book "Illuminatus?" Act authoritative - or threatening in this case - and spew out some orders, and everybody falls right into line like lemmings.

    The first response to the bomb threat should have been, "Fine - set it off. We'll settle up later, asshole."

  • An obliquely related story; I bought a security webcam, wasn't happy with it, thought I did a factory reset, but I guess I didn't. When it was purchased, suddenly I was bombarded with emailed images from a strangers house :S The only ones who could track it down was the ISP Eastlink, who ignored my pleading for months.

    Then CTV ran a story on it, and they magically found the customer, informed them, and the problem was solved. Amazing (and sad) how a bit of media attention will get the job done.

    Link here [www.ctv.ca]

We are experiencing system trouble -- do not adjust your terminal.

Working...