
Linksys IP cam hacking


GNUCITIZEN has posted information on Linksys wireless IP camera hacking. It turns out that some models send the administrator user name and password to the computer when the setup wizard requests a connection. In theory, someone could send the request and harvest your passwords wirelessly. This seems like a pretty careless oversight. We would think that Linksys will probably remedy this before too long.

Update: Part 2 has been posted.

Update: Part 3 has been posted.

Comments

  1. Clay says:

    Fail. Good job Linksys.

  2. will2 says:

    There’s no way this was accidental. You don’t send uname/pwd unencrypted over a network. This is nothing more than laziness on the developers’ part, knowing that they’re working on a “consumer” product.

    Is there a way to shut off the response to this wizard?

  3. Clay says:

    Someone will come out with an aftermarket firmware for them like DD-Wrt. It’s tops. I run it on all my equipment. Even at work I talked our I.T. guys into using it.

  4. adam says:

    one word: fail

  5. cde says:

    And that update will only help people who are security minded enough to look for and install updates.

  6. Tim says:

    Well his initial fear wasn’t based on logic – the camera could have been simply sending the password hash. Not a very good idea, but not inherently insecure.

    Of course if the wizard has the password in memory before you’ve even entered it then that’s another matter!

  7. Daley says:

    In my experience, it takes a higher-caliber programmer to think security. Coders (that I’ve worked with) *generally* don’t have security on the top of their list of things to be concerned with – to them, as long as the application works it’s golden. That’s why guys like me still have a job ;)

  8. barry99705 says:

    @Clay

    I used to have one, they suck anyway. I think the dd-wrt guys looked into it and there’s just not enough openness in the hardware to get it to work.

  9. Marine says:

    Oh my lord. We have these at college. LOL

  10. Peter says:

    The developers probably just ‘got it working’ for a deadline and didn’t get the time, or forgot about the security part by the end.

  11. Jacky says:

    I actually have Linksys wireless at home, I heard they are safe, but I am kind of being cautious now.

  12. Clay says:

    Used to be if your neighbor was a perv he had to break into your house to plant a camera. Now all he needs is some minor hacking skills.

  13. blizzarddemon says:

    This reminds me of the first version of Windows 2000, where you could easily and remotely access a person’s user information via the reedit.

  14. el_walto says:

    I have this camera and it is not a very solid Linksys product. The motion detection can only be fine tuned using Active X with IE.

    Also there is no way to turn off the auto light adjustment, so it gives about 20 false positives for motion detection in a day (if it’s in a room that allows any sunlight)

  15. eMpTy says:

    I was only laughing at Hollywood the other day as well… but they were switching between just about everybody’s… and for some reason they all had controllable directioning as well!

    life >= art ? /s

  16. joe says:

    Hackers (good/bad) look for stuff like this. The bad guys love glitches and use them to advantage. This most certainly will be exploitable by the moderate or maybe some inexperienced hackers.

    At least it’s not a cell with a broadcasting bluetooth that sends out a hashed SS #.

  17. thanks admin

  18. Azgin says:

    sex

  19. sex

  20. r4 card says:

    Ha complete fail !

  21. a says:
