BOSTON (Reuters) - A U.S. security expert says he has identified ways to remotely attack high-end surveillance cameras used by industrial plants, prisons, banks and the military, something that potentially would allow hackers to spy on facilities or gain access to sensitive computer networks.
Craig Heffner, a former software developer with the National Security Administration who now works for a private security firm, said he discovered the previously unreported bugs in digital video surveillance equipment from firms including Cisco Systems Inc, D-Link Corp and TRENDnet.
“It’s a significant threat,” he said in an interview. “Somebody could potentially access a camera and view it. Or they could also use it as a pivot point, an initial foothold, to get into the network and start attacking internal systems.”
He plans to demonstrate techniques for exploiting these bugs at the Black Hat hacking conference, which starts July 31 in Las Vegas.
Heffner, who now works as a vulnerability researcher with a firm known as Tactical Network Solutions in Columbia, Maryland, said that he has discovered hundreds of thousands of surveillance cameras that can be accessed via the public Internet.
He said he has figured out a real-life version of the familiar “Hollywood-style” attack that has become a fixture in action films. He can freeze a picture on a surveillance camera to help thieves break into facilities without detection.
Heffner said that he has not discussed his research with the camera makers and does not plan to do so ahead of his presentation at the hacking conference.
Cisco, D-Link and TRENDnet said they would take any appropriate action that might be needed to secure their equipment after the Black Hat presentation.
Heffner’s presentation is one of more than 100 talks at the annual gathering, which is expected to attract some 6,500 security professionals who will learn about the growing threat that hackers pose to businesses, consumers and national security.
Other talks will explore threats to Microsoft Windows and Apple systems, mobile phone networks, medical devices and systems that control industrial plants.
All research presented at the conference is vetted by a review board of 22 security experts.
Reporting by Jim Finkle; Editing by Richard Valdmanis and Leslie Adler