Infosec fail thread: So, in the last couple of weeks I've been looking into a product we were thinking of offering to our customers. This time, we were looking into the FootfallCam 3D plus. A counter system to measure how many people are in a building. 1/n

11:54 AM · Feb 4, 2021

As per usual, I usually do some basic security / sanity checks on a product before offering it to our customers. So, we powered it on, and followed the instructions to set it up. It gets powered over Ethernet, but also has WiFi to count the number of devices passing it. 2/n
The first thing that caught our eye, is that it sets up a network, with a broadcasted SSID and a default password. Bit strange, since it's also connected over Ethernet, but fine. Whatever. Except: you can't change the SSID or the password! Ouch! 3/n
Also, you can't change the admin password (it's 123456 by the way) and the interface looks like a quickly pulled together HTML5 Bootstrap app that includes several open source libraries to achieve what it does (count blobs of color passing the camera). 4/n
The interface is accessible both over Ethernet and over WiFi. Hmh, that sounds a bit suspect, but let's carry on. Let's open it up. Yes, it's a Raspberry Pi Compute Module. 5/n
Well, that's easy, we can dump the firmware quite easily. Let's plug it into a Raspberry Pi CM IO board and dump it. Looks like a normal Raspbian installation, with a lot of open source packages and some very suspicious files. 6/n
Hmh, the pi user is still active. This is the home directory... (It has a different user here, as the UID is the same as my account, that's my name ;)) Those are some very strange files for a production device... Is that... A Bruno Mars MP3? 7/n
Yes, yes it is. It almost looks like they just took the home directory from the developer's machine and plopped it on the eMMC of the camera! Of course the BASH and SQLite history files were filled to the brim with instructions. Let's take a look at the web server directory. 8/n
Aaah, a random assortment of compiled and uncompiled Python files. Just what you need to get a certain "eeewwww" feeling from a production device. Of course, NONE of the files does any authentication. They can be called by anyone at any time. 9/n
So, let's inform the vendor. I don't want to sell this product to my customers, unless there's some serious reworking of the software. That was 5 weeks ago. Didn't hear anything back... So let's dig a little deeper. 10/n
Look at what their website says. "Triple Built-In OS" This is clearly OBVIOUSLY bullshit. It's running standard Raspbian. With a standard pi user. WITH SSH ENABLED. Oh yes, it gets even worse! 11/n
The pi user is still active and allowed on a running SSH server. They did change the password, but that shadow file certainly comes in handy. I will not post the password here, but it's not exactly difficult to crack OR guess. 12/n
So, now we have a device. In a customer's corporate network. Broadcasting an SSID with an unchangeable password, running SSH, with a user that uses a standard unchangeable password, that has sudo ability. You can see why this is bad. 13/n
If you know the default SSID password, and default user password, you have full access to the network that it's connected to. Yeah. Great product guys. 14/n
So what more do they say about their product on their website? AI image processing? No, you must mean an open source library, conveniently called "Footfall". It uses machine learning (TensorFlow) and LITERALLY uses the same example code as the library. 15/n
Wow, this is going great. Certainly a product I want to offer to my customers. They haven't responded to me or any of my colleagues in 5 weeks now. They don't really seem to care and since I don't have an NDA, I'm posting it on Twitter. :) 16/n
I don't want to really dig into any more gory details (there are many), but it hasn't happened often that I come across such an unfinished product that they claim is installed in tens of thousands of offices. If you see one, please notify the owner it is unsafe. 17/n
This thread wasn't sponsored, I wasn't paid to do this. It's just... So bad. Has anyone come across something this bad before? It's not unsafe because of bugs. It's just extreme oversight and lack of security. 18/18
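The thread's findings (an active default `pi` account, SSH enabled at boot, passwordless sudo, and developer history files shipped in `/home`) are exactly the kind of thing a pre-deployment review of a dumped image should flag automatically. The script below is an added example, not the thread author's code or anything from the vendor: it audits an extracted Raspbian-style root filesystem for those four leftovers, using the standard Debian/Raspbian file locations (`/etc/passwd`, `/etc/shadow`, `/etc/sudoers.d`, the systemd `multi-user.target.wants` symlink, the `/boot/ssh` first-boot marker). The sample rootfs it builds in a temporary directory is constructed for the demo, including a placeholder string in place of a real password hash.

```python
"""Audit an extracted Raspbian-style rootfs for shipped developer leftovers.
Example code added here (not the thread author's); the sample rootfs is constructed."""
import tempfile
from pathlib import Path

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
HISTORY_FILES = (".bash_history", ".sqlite_history", ".python_history", ".mysql_history")


def interactive_users(root: Path) -> dict:
    """username -> home for accounts with a real login shell and an unlocked shadow entry."""
    shadow = {}
    for line in (root / "etc/shadow").read_text().splitlines():
        if line.strip():
            name, pw = line.split(":")[:2]
            shadow[name] = pw
    users = {}
    for line in (root / "etc/passwd").read_text().splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name, home, shell = fields[0], fields[5], fields[6]
        # A "!" or "*" prefix in the shadow field means the account is locked.
        if shell not in NOLOGIN_SHELLS and not shadow.get(name, "*").startswith(("!", "*")):
            users[name] = home
    return users


def ssh_enabled(root: Path) -> bool:
    """True if sshd is wired to start at boot: systemd wants-symlink, SysV S-link,
    or the Raspbian /boot/ssh first-boot marker (a dangling symlink still counts)."""
    candidates = [
        root / "etc/systemd/system/multi-user.target.wants/ssh.service",
        root / "boot/ssh",
    ]
    if any(p.exists() or p.is_symlink() for p in candidates):
        return True
    return any(root.glob("etc/rc[2-5].d/S*ssh*"))


def passwordless_sudo(root: Path) -> list:
    """Principals granted NOPASSWD in /etc/sudoers or /etc/sudoers.d/*."""
    grants = []
    files = [root / "etc/sudoers"] + sorted((root / "etc/sudoers.d").glob("*"))
    for f in files:
        if not f.is_file():
            continue
        for line in f.read_text().splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments
            if "NOPASSWD" in line:
                grants.append(line.split()[0])
    return grants


def leftover_history(root: Path) -> list:
    """Shell/DB history files left in any home directory (developer residue)."""
    found = []
    for home in (root / "home").glob("*"):
        for name in HISTORY_FILES:
            if (home / name).is_file():
                found.append(str((home / name).relative_to(root)))
    return sorted(found)


def audit(root: Path) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if "pi" in interactive_users(root):
        findings.append("default 'pi' account is active with a login shell")
    if ssh_enabled(root):
        findings.append("SSH server is enabled at boot")
    for who in passwordless_sudo(root):
        findings.append(f"NOPASSWD sudo granted to {who}")
    for path in leftover_history(root):
        findings.append(f"history file shipped in image: {path}")
    return findings


def build_sample_rootfs(root: Path) -> Path:
    """Constructed rootfs mirroring the thread's findings; not a real device dump."""
    (root / "etc/sudoers.d").mkdir(parents=True)
    wants = root / "etc/systemd/system/multi-user.target.wants"
    wants.mkdir(parents=True)
    (root / "home/pi").mkdir(parents=True)
    (root / "etc/passwd").write_text(
        "root:x:0:0:root:/root:/bin/bash\n"
        "sshd:x:105:65534::/run/sshd:/usr/sbin/nologin\n"
        "pi:x:1000:1000:,,,:/home/pi:/bin/bash\n")
    # "$6$CONSTRUCTED$placeholderhash" is a placeholder, not a real credential hash.
    (root / "etc/shadow").write_text(
        "root:*:18000:0:99999:7:::\n"
        "sshd:*:18000:0:99999:7:::\n"
        "pi:$6$CONSTRUCTED$placeholderhash:18000:0:99999:7:::\n")
    (root / "etc/sudoers.d/010_pi-nopasswd").write_text("pi ALL=(ALL) NOPASSWD: ALL\n")
    (wants / "ssh.service").symlink_to("/lib/systemd/system/ssh.service")
    (root / "home/pi/.bash_history").write_text("sudo cp ~/app/*.py /var/www/\n")
    (root / "home/pi/.sqlite_history").write_text(".tables\n")
    return root


def demo() -> list:
    """Build the constructed rootfs in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_rootfs(Path(tmp)))


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

To run it against a real dump, mount the eMMC image read-only (or extract it) and pass the mount point to `audit()`; the checks only read files, so nothing on the image is modified. The `010_pi-nopasswd` sudoers drop-in is the stock Raspbian file, which is why the sample uses that name.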
Hey @cybergibbons , I'm allowed to talk about it now. ;)
Hey look, a second partition containing only data... WHAT IS THIS?!?!?!
I mean, it looks like it's just counter logging data, but why are the files called SpermBankRaw?! And do they also have SpermBankWellDone? Asking the important questions here.