White Hat Hacker Contacted a Man Through His Security Camera

Discussion in 'HardForum Tech News' started by AlphaAtlas, Dec 18, 2018.

  1. AlphaAtlas

    AlphaAtlas [H]ard|Gawd Staff Member

    Messages:
    1,713
    Joined:
    Mar 3, 2018
    AZCentral reports that a hacker broke into a man's Nest security camera at his Phoenix home. But, instead of abusing the system, the hacker contacted the camera's owner, informing him that the system was compromised with fairly obvious proof. If you aren't already paranoid about cameras in always-on devices, this is all the evidence you need to start nurturing a healthy fear. Thanks to Motherboard for spotting the article.

    Check out the video here.

    The man speaking to him through the camera said he was a "white hat" hacker in Canada with the group Anonymous. He told Gregg his private information had been compromised. The hacker couldn't see images through the camera and didn't know where Gregg lived, he said. But he told Gregg such information wouldn't be hard to find. The man then recited a password Gregg had used for multiple websites. "I'm really sorry if I startled you or anything. I realize this is super unprofessional, and I'm sorry that it's a little late in the day to do this," the hacker can be heard telling Gregg on a recording of the interaction provided to The Arizona Republic/azcentral.
     
    nEo717 likes this.
  2. gamerk2

    gamerk2 [H]ard|Gawd

    Messages:
    1,626
    Joined:
    Jul 9, 2012
    If it's connected to the Internet, it's not safe.

    /thread
     
    BSmith, F.E.A.R., xmadror and 20 others like this.
  3. piscian18

    piscian18 [H]ardForum Junkie

    Messages:
    11,021
    Joined:
    Jul 26, 2005
    live in the woods, drink your own pee. only way to be safe.
     
    ssnyder28, Sickb0y, Nebell and 10 others like this.
  4. Gatecrasher3000

    Gatecrasher3000 Limp Gawd

    Messages:
    295
    Joined:
    Mar 18, 2013
  5. U-238

    U-238 Limp Gawd

    Messages:
    252
    Joined:
    Aug 14, 2008
    Hacking your shit in the nicest way possible and then apologizing for it.
     
    Roberty, xmadror, MrTroy03 and 30 others like this.
  6. Gatecrasher3000

    Gatecrasher3000 Limp Gawd

    Messages:
    295
    Joined:
    Mar 18, 2013
    haha yeh true
     
  7. Wiffle

    Wiffle Limp Gawd

    Messages:
    292
    Joined:
    Oct 2, 2011
    Well I guess trees aren't the only thing Canadians can hack.

    I think we need to worry less about China and Russia, and focus more on the other red army...
     
  8. lcpiper

    lcpiper [H]ardForum Junkie

    Messages:
    10,541
    Joined:
    Jul 16, 2008
    And he was wrong from the very start.

    When will these guys learn that this is fundamentally wrong from the start?

    Someone will argue, but let's change the words up;

    It's the same thing and there is no defense for this. If someone wants to test locks or security cam vulnerabilities, get a job working for the manufacturer or go to work for Consumer Reports.
     
    Denjoy and Crackinjahcs like this.
  9. necrosis

    necrosis Gawd

    Messages:
    758
    Joined:
    Oct 21, 2004
    Code:
    iptables -A INPUT -m mac --mac-source <insert MAC address> -j DROP
    Did this for all devices that have no business seeing the internet.
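
    An added example, not part of the post above: a generator for per-device block rules from a MAC inventory. On a Linux router, traffic from LAN devices to the internet passes through the FORWARD chain (INPUT only covers packets addressed to the router itself), so this sketch targets FORWARD for both IPv4 and IPv6. The interface name `eth0`, the `WAN_IF` variable, the function names and the sample MAC addresses are assumptions.

```shell
#!/bin/sh
# Added example: print iptables/ip6tables rules that stop listed LAN devices
# from reaching the internet through a Linux router. Rules are only printed,
# so they can be reviewed before being applied.
# Caveat: a MAC address can be changed by the device, so this is a guard
# against chatty appliances, not against a hostile host on the LAN.

WAN_IF="${WAN_IF:-eth0}"   # assumption: name of the internet-facing interface

# Return 0 only for a well-formed colon-separated MAC address.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Read one MAC per line from stdin ("# comment" and blank lines allowed) and
# print one FORWARD rule per address family for each valid entry.
# Returns non-zero if any entry was rejected, so a typo is not silently ignored.
gen_block_rules() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        mac=$(printf '%s' "$line" | sed 's/#.*//' | tr -d ' \t\r' | tr 'a-f' 'A-F')
        [ -z "$mac" ] && continue
        if valid_mac "$mac"; then
            for cmd in iptables ip6tables; do
                # -I inserts at the top so the DROP is evaluated before any ACCEPT
                printf '%s -I FORWARD -o %s -m mac --mac-source %s -j DROP\n' \
                    "$cmd" "$WAN_IF" "$mac"
            done
        else
            printf 'skipped invalid entry: %s\n' "$line" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample inventory (not real devices).
SAMPLE_DEVICES='02:00:00:aa:bb:01  # camera
02:00:00:aa:bb:02  # printer'

printf '%s\n' "$SAMPLE_DEVICES" | gen_block_rules
```

    Devices that depend on a vendor cloud stop working once blocked this way, so check each one after applying the rules.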
     
  10. Aireoth

    Aireoth 2[H]4U

    Messages:
    2,915
    Joined:
    Oct 12, 2005
    The manufacturer doesn't give a shit, and you know it. Neither does Consumer Reports.

    Don't be butthurt over some people performing a public service just because it interrupts your life, I would much rather have someone break into my house and leave a note saying how they did it so I can fix it, than have someone break into my house and steal shit, or threaten anyone that may be there at the time. Life isn't as black and white as you want it to be.
     
  11. jfreund

    jfreund Gawd

    Messages:
    953
    Joined:
    Sep 3, 2006
    "I'm really sorry if I startled you or anything. I realize this is super unprofessional, and I'm sorry that it's a little late in the day to do this,"

    Definitely originating from Canuckistan.
     
    /dev/null and GhostCow like this.
  12. kju1

    kju1 2[H]4U

    Messages:
    3,032
    Joined:
    Mar 27, 2002
    You can tell the guy is Canadian because he keeps apologizing lol.
     
  13. NoOther

    NoOther [H]ardness Supreme

    Messages:
    6,477
    Joined:
    May 14, 2008
    Or that person can get the device, set it up in the lab, break into it, and then post online how he did it all. And that would most likely be perfectly legal, far more legal than hacking into a device someone owns, which is strictly illegal.

    So no, he wasn't truly doing a good service.
     
    Denjoy, Darunion and Crackinjahcs like this.
  14. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,224
    Joined:
    Nov 16, 2009
    I'd say it's more like he opened the unlocked door and yelled inside that it wasn't locked. It's better he exploited the vulnerability to let the owner know about it over a blackhat silently exploiting it for who knows how long.....





    And this is why I will not purchase any cloud based shit for the house. If I can't block it from all internet access and reach it via VPN, it will never be used in my house.
     
    Incontentia Buttocks likes this.
  15. Tak Ne

    Tak Ne [H]ard|Gawd

    Messages:
    1,233
    Joined:
    Jan 28, 2008
    That would work but it would also be ignored by most people. I've told people many times about the dangers of internet connected devices and their lack of security. People just don't care.
    Do what these guys are doing and people WILL care. The companies making these devices won't change unless we force them to. To me this seems like a good way to achieve that.
     
    DocNo likes this.
  16. -PK-

    -PK- [H]ard|Gawd

    Messages:
    1,798
    Joined:
    Aug 6, 2004
    It sounded to me like it was just a compromised password, using the same password on multiple websites without 2FA.
     
    Denjoy and SolarisGuru like this.
  17. NoOther

    NoOther [H]ardness Supreme

    Messages:
    6,477
    Joined:
    May 14, 2008
    So we should rob people so that they know to be wary of people robbing them... No, sorry that is not a valid method. Also the guy in this scenario is not a white hacker. The fact he broke into someone's system without their knowledge automatically disqualifies them of that description. That individual is still considered a black hat hacker.

    The way you convince companies to change is you do as I suggested. You break into their stuff in a lab, then you report your findings to them. If they don't make a change, you report publicly. There is already a system in place to do these things. Often times problems are not with the Company and are with how people use the devices. Most people are not using their devices in a properly secure manner.
     
  18. kju1

    kju1 2[H]4U

    Messages:
    3,032
    Joined:
    Mar 27, 2002

    Seems to me Spectre & Meltdown were identified in a lab and reported publicly. Don't recall many people ignoring them...
     
  19. thebufenator

    thebufenator [H]ard|Gawd

    Messages:
    1,208
    Joined:
    Dec 8, 2004
    A bunch of you need to realize that an ideal world is not the one we live in.

    I'd prefer a nice guy let me know what's up rather than only having black hats sell my info online.
     
    c3k and Jim Kim like this.
  20. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    13,063
    Joined:
    Aug 16, 2004
    I was looking for some help with a Xerox copier a few years back and one of the Google search results was a link to the IP address of an internet facing Xerox copier.

    I added some entries to the email contacts list in the form of a message saying that they needed to secure their copier.

    Also tried emailing the contacts already on the copier but got no response. I also looked up the company name and tried emailing the contacts on their web site.

    I kept the link for months and would try it out every once in a while to see if they had fixed it.

    Around the same time the same model copiers we had had their lease come up and we got new copiers, which was about 6-8 months later, that copier was finally no longer accessible.

    Moral of the story... a lot of people couldn't care less about securing their crap.
     
  21. Aireoth

    Aireoth 2[H]4U

    Messages:
    2,915
    Joined:
    Oct 12, 2005
    They can, and have, but that doesn't get anyone's attention onto the problem, particularly in a world where your attention is the number one commodity.

    Him doing this created a video that has the potential to reach many more people, it has reached all of us, maybe it can go full viral and reach millions.

    Life isn't as black and white as you want it to be, at least one person is now aware they are vulnerable, when they weren't yesterday. This was a good service, and that is where you and I will disagree.
     
    Jim Kim likes this.
  22. Eickst

    Eickst [H]ard|Gawd

    Messages:
    1,865
    Joined:
    Aug 24, 2005
    He's not a white hat if he did this without permission
     
  23. kirbyrj

    kirbyrj [H]ard as it Gets

    Messages:
    24,458
    Joined:
    Feb 1, 2005
    I'm surprised that nobody realizes that Nest cameras are functionally illegal wiretapping devices. Unless you have a sign telling anyone (including family members) that enter your residence that they are subject to video and audio recording, you are committing a felony by using one in many states (even in your own home). Federal law says that at least one party needs to know that the audio recording is taking place. State laws vary by state and it could be illegal for anyone to be audio recorded against their knowledge. Dual consent is required in CA, CT, FL, HI, IL, MD, MA, NV, NH, PA, and WA.

    #TheMoreYouKnow
     
  24. steakman1971

    steakman1971 2[H]4U

    Messages:
    2,433
    Joined:
    Nov 22, 2005
    I have cameras on the outside of my house that I know are not too secure (Samsung - known issues and they no longer support it). I am in the process of replacing the DVR they came with - but realize my new system could very well have security issues. It could be bad if someone used the cams to know when we arrive/leave/packages show up/etc. So, it's behind the firewall for now with no exposure to the internet. It would be nice to have access from my mobile device - but that opens it up...
     
  25. steakman1971

    steakman1971 2[H]4U

    Messages:
    2,433
    Joined:
    Nov 22, 2005
    Interesting. One of my cameras in my backyard captures part of my neighbors yard. I told them about it and also set it up so it doesn't detect motion in that zone. They were ok with it. I can't really position the camera in a way to avoid it. A privacy fence would not work either.
    Another camera of mine (front door) captures people on the sidewalk in front of my house and also part of the street. I caught some vandals this past summer on the street using it (it was blurry, but my wife posted to Facebook and one of their mothers recognized their kid.) I wonder if there have been any lawsuits yet?
     
  26. lcpiper

    lcpiper [H]ardForum Junkie

    Messages:
    10,541
    Joined:
    Jul 16, 2008
    try this on for black and white;

    https://searchcompliance.techtarget.com/definition/The-Computer-Fraud-and-Abuse-Act-CFAA

    Don't even try it.
    https://en.wikipedia.org/wiki/Personal_Data_Privacy_and_Security_Act_of_2009
    You say the manufacturer doesn't care, but manufacturers that produce good products do intrusion testing. Consumer Reports and other groups do evaluate products and doing a security review is right in line with what they do.

    Don't try calling me butt hurt, it's not being butt hurt to call someone out for their bullshit.

    Exactly how did this guy help the victim?

    The victim had a security camera that was performing a duty for him. This white hat violated his camera's security, easy as it may have been, and convinced him that the man's personal information had been compromised and he should disconnect it, change his passwords. But how does the hacker know how the information was obtained? Maybe a virus, maybe a malicious web site, maybe he installed AVG Free from somewhere other than Avast.Com. But what is not a maybe, is now this man does not have a security camera watching his home.

    Are you going to back the hacker up? Are you vouching for him, that he actually found this guy's information on the darkweb or something like that? Or did he just capture some internet traffic off an unprotected router and find a Nest Camera to hack and it just was some random guy, and was the claim about the compromised data just bullshit made up to soften the blow? It doesn't hurt anything to scare this guy into changing his passwords, right?

    So you go ahead and keep thinking this isn't black and white, but do it with the knowledge that the US Government has other ideas;
    https://www.wired.com/2015/10/cfaa-...ct-most-controversial-computer-hacking-cases/

    Play stupid games, win stupid prizes.
     
  27. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,224
    Joined:
    Nov 16, 2009
    Greyhat technically.....



    @icpiper You do realize there is a search engine specifically made to list IOT devices exposed to the web right? It's very easy to go through the list and find hardware with default passwords or running all sorts of unpatched vulnerabilities from the manufacturer. Calling this shit hacking is an insult to actual hackers. At most this is pathetic script kiddie shit, if that.

    Did the guy break the law? Yes. Any true whitehat will tell you not to touch anything without written permission. Hell we have Jim Manafort do our annual secure code training, and he must have repeated that 10+ times (for good reason). But, it also could have been worse for the guy with the camera if a blackhat decided to have some fun..... I can see both sides, and while I would never do something like this, I can understand the guy's poor reasoning for doing so.
     
    SolarisGuru and Jim Kim like this.
  28. NoOther

    NoOther [H]ardness Supreme

    Messages:
    6,477
    Joined:
    May 14, 2008
    Actually it has caused a lot to change how companies approach security.

    As does traditional bug hunting and other stories related to security issues which we see all the time and no one had to break the law. Spectre? Meltdown? Apple/Android bugs? Browser bugs? They have all held headlines before. There are even competitions to hack into things and the findings from those competitions also go public and reach many people, and the results go straight to the companies. The companies then have to patch the bug within a certain period of time before the information goes public. In fact the Nest, Ring, and other appliances like them have had tons of stories about how insecure they are. This story is less likely to change anything as there is no significant information included with it as security notification releases typically have.

    Life isn't as black and white, but the definition of a white hat hacker is. And how do you know it was a good service? How do you know that guy didn't do anything else illegal? All you have is the word of someone you don't even know...think about that.
     
  29. Pieter3dnow

    Pieter3dnow [H]ardness Supreme

    Messages:
    6,789
    Joined:
    Jul 29, 2009
    The problem is that people don't realize what is going on on the internet.
    You can have a safe setup until someone uses a zero day exploit.
     
  30. ChoGGi

    ChoGGi [H]ard|Gawd

    Messages:
    1,462
    Joined:
    May 7, 2005
    Not really news, there's a whole bunch of these videos on youtube (webcam trolling), as you could guess from the keywords most people aren't that nice.
     
  31. doublejack

    doublejack Limp Gawd

    Messages:
    446
    Joined:
    Apr 13, 2015
    I agree. I suspect the hack started with a compromised router where a password was obtained in the clear, or some other method that correlated the password with an IP. From there the cameras were targeted.

    I understand where you are coming from on this. However, I think the hacker is still a white hat. I mean, they are a hacker. It is in the name, so what they are doing is by nature not exactly ethical. As long as they use their abilities for good, which I think is pretty clear in this case, then I consider them a white hat. This hacker may have prevented the homeowner from suffering some kind of loss. That's a good deed.
     
    dangerouseddy and DocNo like this.
  32. ChoGGi

    ChoGGi [H]ard|Gawd

    Messages:
    1,462
    Joined:
    May 7, 2005
    gray hat not white hat.
     
  33. DocNo

    DocNo Gawd

    Messages:
    654
    Joined:
    Apr 23, 2012
    Unfortunately his camera doesn't work without Internet.

    As with most things, it starts with proper product selection...
     
    Darunion and velusip like this.
  34. DocNo

    DocNo Gawd

    Messages:
    654
    Joined:
    Apr 23, 2012
    Oh please, enough of the drama. Nothing physical was touched. No value was lost. His shit was exposed, and at least now he knows it. Someone else could have been in there without him knowing.

    Someone who couldn't care less about your moral/ethical arguments. Shit is still broke.
     
    SolarisGuru likes this.
  35. Brian_B

    Brian_B 2[H]4U

    Messages:
    3,310
    Joined:
    Mar 23, 2012
    After reading this article, I went out and specifically bought Blink cameras to install in my bathroom.

    I can't wait to see who drops in on me...
     
    SolarisGuru likes this.
  36. DrBorg

    DrBorg Gawd

    Messages:
    555
    Joined:
    Jan 22, 2005
    Critical thinking is not a large commodity here. :(

    These cameras break privacy, and broadcast all your shit to whoever. This is well known by now; I knew years ago.

    The most stupid responses here talk about how illegal it is to hack them; no one will be prosecuted for hacking your camera to make you Their entertainment; you will never know about it unless your old lady's bitching about how small your dick is goes viral.

    People are idiots these days...
     
  37. ObsceneIgnorance

    ObsceneIgnorance n00b

    Messages:
    3
    Joined:
    May 6, 2017
    I think most states make it legal to have a surveillance camera in your own home except for where there is a reasonable expectation of privacy (bathroom).
     
  38. kirbyrj

    kirbyrj [H]ard as it Gets

    Messages:
    24,458
    Joined:
    Feb 1, 2005
    Not with audio recording also. I've asked lawyers specifically about this in reference to one's own house and family members. Not only is it illegal, it's a felony in most cases. The case I asked about was a husband recording wife when she was unaware of the recording (dual consent state). He thought she was cheating and was looking to catch her.

    Full disclosure: it wasn't me doing this :).

    Another local case was a business who had video cameras with audio in public places of his business. He was arrested for a wiretap violation.
     
  39. Eickst

    Eickst [H]ard|Gawd

    Messages:
    1,865
    Joined:
    Aug 24, 2005
    Yes it's like nanny cams, legal in every state to record video in your own home EXCEPT places like bathrooms.

    Where it's trickier is with audio because some states it's illegal to record someone's voice without notifying them, even if it's your house
     
  40. B00nie

    B00nie [H]ardness Supreme

    Messages:
    7,955
    Joined:
    Nov 1, 2012
    Not as unprofessional as Nest leaving that thing open to the web. Totally amateur stuff.