White Hat Hacker Contacted a Man Through His Security Camera

AlphaAtlas

[H]ard|Gawd
Staff member
Joined
Mar 3, 2018
Messages
1,713
AZCentral reports that a hacker broke into a man's Nest security camera at his Phoenix home. But, instead of abusing the system, the hacker contacted the camera's owner, informing him that the system was compromised with fairly obvious proof. If you aren't already paranoid about cameras in always-on devices, this is all the evidence you need to start nurturing a healthy fear. Thanks to Motherboard for spotting the article.

Check out the video here.

The man speaking to him through the camera said he was a "white hat" hacker in Canada with the group Anonymous. He told Gregg his private information had been compromised. The hacker couldn't see images through the camera and didn't know where Gregg lived, he said. But he told Gregg such information wouldn't be hard to find. The man then recited a password Gregg had used for multiple websites. "I'm really sorry if I startled you or anything. I realize this is super unprofessional, and I'm sorry that it's a little late in the day to do this," the hacker can be heard telling Gregg on a recording of the interaction provided to The Arizona Republic/azcentral.
 

Wiffle

Limp Gawd
Joined
Oct 2, 2011
Messages
292
Well I guess trees aren't the only thing Canadians can hack.

I think we need to worry less about China and Russia, and focus more on the other red army...
 

lcpiper

[H]F Junkie
Joined
Jul 16, 2008
Messages
10,611
AZCentral reports that a hacker broke into a man's Nest security camera at his Phoenix home. But, instead of abusing the system,.......

And he was wrong from the very start.

When will these guys learn that this is fundamentally wrong from the start.

Someone will argue, but let's change the words up;

AZCentral reports that a burgler broke into a man's Phoenix home. But, instead of stealing something, the man left a note telling the owner how weak his door locks are.......

It's the same thing and there is no defense for this. If someone wants to test locks or security cam vulnerabilities, get a job working for the manufacturer or go to work for Consumer Reports.
 

Aireoth

Supreme [H]ardness
Joined
Oct 12, 2005
Messages
4,983
And he was wrong from the very start.

When will these guys learn that this is fundamentally wrong from the start.

Someone will argue, but let's change the words up;



It's the same thing and there is no defense for this. If someone wants to test locks or security cam vulnerabilities, get a job working for the manufacturer or go to work for Consumer Reports.

The manufacturer doesn't give a shit, and you know it. Neither does Consumer Reports.

Don't be butthurt over some people performing a public service just because it interrupts your life, I would much rather have someone break into my house and leave a note saying how they did it so I can fix it, than have someone break into my house and steal shit, or threaten anyone that maybe there at the time. Life isn't as black and white as you want it to be.
 

jfreund

[H]ard|Gawd
Joined
Sep 3, 2006
Messages
1,234
"I'm really sorry if I startled you or anything. I realize this is super unprofessional, and I'm sorry that it's a little late in the day to do this,"

Definitely originating from Canuckistan.
 

kju1

2[H]4U
Joined
Mar 27, 2002
Messages
3,452
You can tell the guy is Canadian because he keeps apologizing lol.
 

NoOther

Supreme [H]ardness
Joined
May 14, 2008
Messages
6,468
The manufacturer doesn't give a shit, and you know it. Neither does Consumer Reports.

Don't be butthurt over some people performing a public service just because it interrupts your life, I would much rather have someone break into my house and leave a note saying how they did it so I can fix it, than have someone break into my house and steal shit, or threaten anyone that maybe there at the time. Life isn't as black and white as you want it to be.

Or that person can get the device, set it up in the lab, break into it, and then post online how he did it all. And that would most likely be perfectly legal, far more legal than hacking into a device someone owns, which is strictly illegal.

So no, he wasn't truly doing a good service.
 

Biznatch

2[H]4U
Joined
Nov 16, 2009
Messages
2,224
And he was wrong from the very start.

When will these guys learn that this is fundamentally wrong from the start.

Someone will argue, but let's change the words up;



It's the same thing and there is no defense for this. If someone wants to test locks or security cam vulnerabilities, get a job working for the manufacturer or go to work for Consumer Reports.

I'd say it's more like he opened the unlocked door and yelled inside that it wasn't locked. It's better he exploited the vulnerability to let the owner know about it over a blackhat silently exploiting it for who knows how long.....





And this is why I will not purchase any cloud based shit for the house. If I can't block it from all internet access and reach it via VPN, it will never be used in my house.
 

Tak Ne

[H]ard|Gawd
Joined
Jan 28, 2008
Messages
1,233
Or that person can get the device, set it up in the lab, break into it, and then post online how he did it all. And that would most likely be perfectly legal, far more legal than hacking into a device someone owns, which is strictly illegal.

So no, he wasn't truly doing a good service.

That would work but it would also be ignored by most people. I've told people many times about the dangers of internet connected devices and their lack of security. People just dont care.
Do what these guys are doing and people WILL care. The companies making these devices wont change unless we force them to. To me this seems like a good way to achieve that.
 
  • Like
Reactions: DocNo
like this

NoOther

Supreme [H]ardness
Joined
May 14, 2008
Messages
6,468
That would work but it would also be ignored by most people. I've told people many times about the dangers of internet connected devices and their lack of security. People just dont care.
Do what these guys are doing and people WILL care. The companies making these devices wont change unless we force them to. To me this seems like a good way to achieve that.

So we should rob people so that they know to be weary of people robbing them... No, sorry that is not a valid method. Also the guy in this scenario is not a white hacker. The fact he broke into someone's system without their knowledge automatically disqualifies them of that description. That individual is still considered a black hat hacker.

The way you convince companies to change is you do as I suggested. You break into their stuff in a lab, then you report your findings to them. If they don't make a change, you report publicly. There is already a system in place to do these things. Often times problems are not with the Company and are with how people use the devices. Most people are not using their devices in a properly secure manner.
 

kju1

2[H]4U
Joined
Mar 27, 2002
Messages
3,452
That would work but it would also be ignored by most people. I've told people many times about the dangers of internet connected devices and their lack of security. People just dont care.
Do what these guys are doing and people WILL care. The companies making these devices wont change unless we force them to. To me this seems like a good way to achieve that.


Seems to me Spectre & Meltdown were identified in a lab and reported publicly. Dont recall many people ignoring them...
 

thebufenator

[H]ard|Gawd
Joined
Dec 8, 2004
Messages
1,356
A bunch of you need to realize that an ideal world is not the one we live in.

I'd prefer a nice guy let me know what's up rather than only having black hats sell my info online.
 

cyclone3d

[H]F Junkie
Joined
Aug 16, 2004
Messages
14,234
I was looking for a some help with a Xerox copier a few years back and one of the google search results was a link to the IP address of an internet facing Xerox copier.

I added some entries to the email contacts list in the form of a message saying that they needed to secure their copier.

Also tried emailing the contacts already on the copier but got no response. I also looked up the company name and tried emailing the contacts on their web site.

I kept the link for months and would try it out every once in a while to see if they had fixed it.

Around the same time the same model copiers we had had their lease come up and we got new copiers, which was about 6-8 months later, that copier was finally no longer accessible.

Moral of the story... a lot of people couldn't care less about securing their crap.
 

Aireoth

Supreme [H]ardness
Joined
Oct 12, 2005
Messages
4,983
Or that person can get the device, set it up in the lab, break into it, and then post online how he did it all. And that would most likely be perfectly legal, far more legal than hacking into a device someone owns, which is strictly illegal.

So no, he wasn't truly doing a good service.

They can, and have, but that doesn't get anyone's attention onto the problem, particularly in a world where your attention is the number one commodity.

Him doing this created a video that has the potential to reach many more people, it has reached all of us, maybe it can go full viral and reach millions.

Life isn't as black and white as you want it to be, at least one person is now aware they are vulnerable, when they weren't yesterday. This was a good service, and that is where you and I will disagree.
 

kirbyrj

Fully [H]
Joined
Feb 1, 2005
Messages
27,968
I'm surprised that nobody realizes that Nest cameras are functionally illegal wiretapping devices. Unless you have a sign telling anyone (including family members) that enter your residence that they are subject to video and audio recording, you are committing a felony by using one in many states (even in your own home). Federal law says that at least one party needs to know that the audio recording is taking place. State laws vary by state and it could be illegal for anyone to be audio recorded against their knowledge. Dual consent is required in CA, CT, FL, HI, IL, MD, MA, NV, NH, PA, and WA.

#TheMoreYouKnow
 

steakman1971

2[H]4U
Joined
Nov 22, 2005
Messages
2,433
I have cameras on the outside of my house that I know are not too secure (Samsung - known issues and they no longer support it). I am in the process of replacing the DVR they came with - but realize my new system could very well have security issues. It could be bad if someone used the cams to know when we arrive/leave/packages show up/etc. So, its behind the firewall for now with no exposure to the internet. It would be nice to have access from my mobile device - but that opens it up...
 

steakman1971

2[H]4U
Joined
Nov 22, 2005
Messages
2,433
I'm surprised that nobody realizes that Nest cameras are functionally illegal wiretapping devices. Unless you have a sign telling anyone (including family members) that enter your residence that they are subject to video and audio recording, you are committing a felony by using one in many states (even in your own home). Federal law says that at least one party needs to know that the audio recording is taking place. State laws vary by state and it could be illegal for anyone to be audio recorded against their knowledge. Dual consent is required in CA, CT, FL, HI, IL, MD, MA, NV, NH, PA, and WA.

#TheMoreYouKnow
Interesting. One of my cameras in my backyard captures part of my neighbors yard. I told them about it and also set it up so it doesn't detect motion in that zone. They were ok with it. I can't really position the camera in a way to avoid it. A privacy fence would not work either.
Another camera of mine (front door) captures people on the sidewalk in front of my house and also part of the street. I caught some vandals this past summer on the street using it (it was blurry, but my wife posted to Facebook and one of their mothers recognized their kid.) I wonder if their have been any law suits yet?
 

lcpiper

[H]F Junkie
Joined
Jul 16, 2008
Messages
10,611
The manufacturer doesn't give a shit, and you know it. Neither does Consumer Reports.

Don't be butthurt over some people performing a public service just because it interrupts your life, I would much rather have someone break into my house and leave a note saying how they did it so I can fix it, than have someone break into my house and steal shit, or threaten anyone that maybe there at the time. Life isn't as black and white as you want it to be.

try this on for black and white;

The Computer Fraud and Abuse Act (CFAA) of 1986 is United States legislation that made it a federal crime to access a protected computer without proper authorization.
https://searchcompliance.techtarget.com/definition/The-Computer-Fraud-and-Abuse-Act-CFAA

Don't even try it.
https://en.wikipedia.org/wiki/Personal_Data_Privacy_and_Security_Act_of_2009
Amends the federal criminal code to add intentionally accessing a computer without authorization to the definition of racketeering activity.

You say the manufacturer doesn't care, but manufacturer's that produce good products do intrusion testing. Consumer Reports and other groups do evaluate products and doing a security review is right in line with what they do.

Don't try calling me butt hurt, it's not being butt hurt to call someone out for their bullshit.

Exactly how did this guy help the victim?

The victim had a security camera that was performing a duty for him. This white hat violated his camera's security, easy as it may have been, and convinced him that the man's personal information had been compromised and he should disconnect it, change his passwords. But how does the hacker know how the information was obtained? Maybe a virus, maybe a malicious web site, maybe he installed AVG Free from somewhere other than Avast.Com. But what is not a maybe, is now this man does not have a security camera watching his home.

Are you going to back the hacker up? Are you vouching for him, that he actually found this guy's information on the darkweb or something like that? Or did he just capture some internet traffic off an unprotected router and find a Nest Camera to hack and it just was some random guy and was the claim about the compromised data was just bullshit made up to soften the blow. It doesn't hurt anything to scare this guy into changing his passwords right?

So you go ahead and keep thinking this isn't black and white, but do it with the knowledge that the US Government has other ideas;
https://www.wired.com/2015/10/cfaa-...ct-most-controversial-computer-hacking-cases/

Play stupid games, win stupid prizes.
 

Biznatch

2[H]4U
Joined
Nov 16, 2009
Messages
2,224
He's not a white hat if he did this without permission

Greyhat technically.....



@icpiper You do realize there is a search engine specifically made to list IOT devices exposed to the web right? It's very easy to go through the list and find hardware with default passwords or runnign all sorts of unpatched vulnerabilities from the manufacturer. Calling this shit hacking is an insult to actual hackers. At most this is pathetic script kiddie shit, if that.

Did the guy break the law? Yes. Any true whitehat will tell you not to touch anything without written permission. Hell we have Jim Manafort do our annual secure code training, and he must have repeated that 10+ times (for good reason). But, it also could have been worse for the guy with the camera if a blackhat decided to have some fun..... I can see both sides, and while I would never do something like this, I can understand the guys poor reasoning for doing so.
 

NoOther

Supreme [H]ardness
Joined
May 14, 2008
Messages
6,468
They can, and have, but that doesn't get anyone's attention onto the problem, particularly in a world where your attention is the number one commodity.

Actually it has caused a lot to change how company's approach security.

Him doing this created a video that has the potential to reach many more people, it has reached all of us, maybe it can go full viral and reach millions.

As does traditional bug hunting and other stories related to security issues which we see all the time and no one had to break the law. Spectre? Meltdown? Apple/Android bugs? Browser bugs? They have all held headlines before. There are even competitions to hack into things and the findings from those competitions also go public and reach many people, and the results go straight to the companies. The companies then have to patch the bug within a certain period of time before the information goes public. In fact the Nest, Ring, and other appliances like them have had tons of stories about how insecure they are. This story is less likely to change anything as there is no significant information included with it as security notification releases typically have.

Life isn't as black and white as you want it to be, at least one person is now aware they are vulnerable, when they weren't yesterday. This was a good service, and that is where you and I will disagree.

Life isn't as black and white, but the definition of a white hat hacker is. And how do you know it was a good service? How do you know that guy didn't do anything else illegal? All you have is the word of someone you don't even know...think about that.
 

Pieter3dnow

Supreme [H]ardness
Joined
Jul 29, 2009
Messages
6,784
The problem is that people don't realize what is going on on the internet.
You can have a safe setup until someone uses a zero day exploit.
 

ChoGGi

[H]ard|Gawd
Joined
May 7, 2005
Messages
1,571
Not really news, there's a whole bunch of these videos on youtube (webcam trolling), as you could guess from the keywords most people aren't that nice.
 

doublejack

Limp Gawd
Joined
Apr 13, 2015
Messages
485
It sounded to me like it was just a compromised password, using the same password on multiple websites without 2FA.

I agree. I suspect the hack started with a compromised router where a password was obtained in the clear, or some other method that correlated the password with an IP. From there the cameras were targeted.

He's not a white hat if he did this without permission

I understand where you are coming from on this. However, I think the hacker is still a white hat. I mean, they are a hacker. It is in the name, so what they are doing is by nature not exactly ethical. As long as they use their abilities for good, which I think is pretty clear in this case, then I consider them a white hat. This hacker may have prevented the homeowner from suffering some kind of loss. That's a good deed.
 

DocNo

Gawd
Joined
Apr 23, 2012
Messages
654
Code:
iptables -A INPUT -m mac --mac-source <insert MAC address> -j DROP

Did this for all devices that have no business seeing the internet.

Unfortunately his camera doesn't work without Internet.

As with most things, it starts with proper product selection...
 

DocNo

Gawd
Joined
Apr 23, 2012
Messages
654
So we should rob people so that they know to be weary of people robbing them...

Oh please, enough of the drama. Nothing physical was touched. No value was lost. His shit was exposed, and at least now he knows it. Someone else could have been in their without him knowing.

Someone who couldn't care less about your moral/ethical arguments. Shit is still broke.
 

Brian_B

2[H]4U
Joined
Mar 23, 2012
Messages
3,356
After reading this article, I went out and specifically bought Blink cameras to install in my bathroom.

I can't wait to see who drops in on me...
 

DrBorg

Gawd
Joined
Jan 22, 2005
Messages
555
Critical thinking is not a large commodity here. :(

These cameras break privacy, and broadcast all your shit to whoever. This is well known by now; I knew years ago.

The most stupid responses here talk about how illegal it is to hack them; no one will be prosecuted for hacking your camera to make you Their entertainment; you will never know about it unless your old lady's bitching about how small your dick is goes viral.

People are idiots these days...
 
Joined
May 6, 2017
Messages
3
I'm surprised that nobody realizes that Nest cameras are functionally illegal wiretapping devices. Unless you have a sign telling anyone (including family members) that enter your residence that they are subject to video and audio recording, you are committing a felony by using one in many states (even in your own home). Federal law says that at least one party needs to know that the audio recording is taking place. State laws vary by state and it could be illegal for anyone to be audio recorded against their knowledge. Dual consent is required in CA, CT, FL, HI, IL, MD, MA, NV, NH, PA, and WA.

#TheMoreYouKnow

I think most state it legal to have surveillance camera in your own home except for where reasonable expectation of privacy (bathroom).
 

kirbyrj

Fully [H]
Joined
Feb 1, 2005
Messages
27,968
I think most state it legal to have surveillance camera in your own home except for where reasonable expectation of privacy (bathroom).

Not with audio recording also. I've asked lawyers specifically about this in reference to ones own house and family members. Not only is it illegal, it's a felony in most cases. The case I asked about was a husband recording wife when she was unaware of the recording (dual consent state). He thought she was cheating and was looking to catch her.

Full disclosure: it wasn't me doing this :).

Another local case was a business who had video cameras with audio in public places of his business. He was arrested for a wiretap violation.
 

Eickst

[H]ard|Gawd
Joined
Aug 24, 2005
Messages
1,873
I think most state it legal to have surveillance camera in your own home except for where reasonable expectation of privacy (bathroom).

Yes it's like nanny cams, legal in every state to record video in your own home EXCEPT places like bathrooms.

Where it's trickier is with audio because some states it's illegal to record someone's voice without notifying them, even if it's your house
 
Top