From Wired:
If you’ve seen a Hollywood caper movie in the last 20 years you know the old video-camera-spoofing trick. That’s where the criminal mastermind taps into a surveillance camera system and substitutes his own video stream, leaving hapless security guards watching an endless loop of absolutely-nothing-happening while the bank robber empties the vault.
Now white-hat hackers have demonstrated a technique that neatly replicates that old standby.
Amir Azam and Adrian Pastor, researchers at London-based security firm ProCheckUp, discovered that they can redirect what video file is played back by an AXIS 2100 surveillance camera, a common industrial security camera that boasts a web interface, allowing guards to monitor a building from anywhere in the world.
Internet voyeurs have already discovered how to use search engines to find and view video of surveillance cameras that are ostensibly private, but this attack seems to be the first that actually lets an outsider control a camera’s playback.
This hack (.pdf) works by combining a few vulnerabilities in how the camera’s accompanying software accepts input — a type of security hole known as cross site scripting, or XSS.
Tags: XSS, Web Cam XSS Hack
