Bad guys are always trying to cover their tracks, and now there's a way for them to hide from the security camera, too: A pair of U.K. researchers recently demonstrated how cross-site scripting (XSS) vulnerabilities in a Web-based video surveillance system's software can be exploited to control what it plays back.
ProCheckUp's Amir Azam and Adrian Pastor were able to hack the Web-based AXIS 2100 camera system using several XSS bugs as well as cross-site request forgery (CSRF) flaws. They have posted a video of the hack online, according to a published report.
A couple of caveats to this: The Axis 2100 camera is no longer supported by the vendor, although it's still widely installed in many organizations, according to the researchers. They argue in their white paper that even though the camera is unsupported and Axis has patched some of the bugs, the flaws are likely widespread. "We need to remember that vendors reuse code all the time. This means that whenever we find vulnerabilities, these vulnerabilities might exist within other models as well."
And for the attack to work, the victim (a security guard) would have to check the log files of the video system, which is what triggers the exploit. The researchers say an attacker could prompt the guard to check the logs by launching a denial-of-service attack or some sort of social engineering ploy.
Kelly Jackson Higgins, Senior Editor, Dark Reading