Retail POS System compromised through Video Security System


I have been harping on the dangers of insecure embedded systems and physical security systems posing a huge security risk for your internal network. Recently I was talking with a Retail Point of Sale (POS) software expert and was told how a POS system was hacked by an attacker who had gained access to the network through a video security system!

It is so simple now, in the name of convenience, to put various devices online by using extremely cheap embedded systems that act as web servers and remote access devices. In the rush to put everything online, the so-called “Internet of Things”, security is massively taking a back seat.

I particularly find it hard to believe that physical security devices meant to protect your building or premises from a physical attacker are being made with old, outdated or even wide open online services that will allow an electronic attacker full access.

Even heating and air conditioning systems could be targeted by hackers. The Target hack from recent memory was made possible by hackers stealing login information from an HVAC system.

HP recently released a study on the Internet of Things and found:

[Image: HP Internet of Things]

Analyzed devices included:
  • Televisions
  • Webcams
  • Home thermostats
  • Remote power outlets
  • Sprinkler controllers
  • Hubs for controlling multiple devices
  • Door locks
  • Home alarms
  • Scales and garage door openers

Sadly, many of these insecure devices can be found worldwide using Google and Shodan searches.

I personally have seen a video security system that used a short lowercase-letter password for admin access to its Telnet interface! With further research I found that the company had been notified of the issue years ago and never rectified the situation. New devices are still being made by this manufacturer with the weak password that is publicly posted on the internet!

It is time that the Internet of Things is held to the same security standards as the rest of the computer world. But until manufacturers begin to care about YOUR security or regulations are put into place, I don’t see this problem going away anytime soon. In fact, it is going to get much, much worse.

In the meantime, business owners need to add physical security and “Internet of Things” type devices to their list of systems that need to be scanned for security issues.


Web Enabled Printer (In)Security

In the name of simplicity, it seems like every device is “Web Enabled” now. But the question is, where is the security? I was always stunned by how many printers you can find completely open on the web through Shodan. I never understood why, until now.

I was setting up a brand new “web enabled” printer. It went great. The quick start guide walked me through installing the ink cartridges, and had a great video on connecting the paper trays to the printer and how to correctly insert paper.

It even walked me through turning on networking and getting it connected to my Wireless network.

In no time I was up and running!

It wanted to turn on printing from the internet, got an e-mail address from the web all by itself, and then wanted to turn on additional apps. It was so helpful!

But then I wondered, how is this thing secured?!?

So I surfed to the IP address that the printer was assigned, and it had a beautiful web control interface for the printer, one that was completely unsecured…

I dug through the menus and finally found the option to turn Web Based security to “On” and put in an administrator password. It informed me that it would not block internet users from seeing everything, but would limit them to informational pages only.

Then I realized, it never prompted me to turn control panel security on, and never asked me for a password. So I dug through the included manual (instead of just browsing the quick start guide) thinking I missed something.

Everything was in the manual, including troubleshooting network connectivity. But nowhere did it mention turning security on or how to even do it!

It’s just a printer, you say. But printers can leak some very important information, like internal network settings, logs, files and in some cases, even user accounts.

And a few quick keyword searches on Shodan turn up tens of thousands of insecure printers.


Last month the author of “Shodan Blog” wrote a great article on printers bleeding information publicly.

Titled “I know You Need Toner”, it lists the printers worldwide that currently are in need of toner:

[Image: Need Toner]

It also shows the number of printers that need toner by country, and a list of the top organizations that need to change their toner.

Cute, I know, but it should really be a warning to people about what information is being bled publicly through the horde of web enabled devices that we are putting throughout our organizations.

It took several years, but most router manufacturers now ship new routers with some level of security turned on. It looks like other web enabled devices (like printers) need to start doing this too!
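
Both posts come down to the same check: put embedded devices on the list of systems you scan, and confirm that their management interfaces ask for credentials. The following is an added example, not part of the original posts, that audits an inventory of devices you own for an open Telnet port and a web interface that answers without authentication. The inventory, its addresses and the finding labels are constructed for illustration.

```python
import http.client
import socket
import urllib.error
import urllib.request

# Constructed inventory of devices you own; the addresses are documentation placeholders.
INVENTORY = [
    {"name": "lobby-dvr", "ip": "192.0.2.10"},
    {"name": "office-printer", "ip": "192.0.2.20"},
]

def tcp_open(ip, port, timeout=2.0):
    """Return True if a TCP connection to ip:port succeeds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def http_status(ip, timeout=3.0):
    """Return the HTTP status of GET / sent without credentials, or None if unreachable."""
    try:
        with urllib.request.urlopen(f"http://{ip}/", timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401 and 403 are raised as HTTPError
    except (urllib.error.URLError, OSError, http.client.HTTPException):
        return None

def audit(devices, tcp_probe=tcp_open, http_probe=http_status):
    """Return {device name: [findings]} for every device with at least one finding."""
    report = {}
    for dev in devices:
        findings = []
        if tcp_probe(dev["ip"], 23):
            findings.append("telnet-exposed")
        status = http_probe(dev["ip"])
        # A 2xx may still be a login form, so treat this as a prompt for manual review.
        if status is not None and 200 <= status < 300:
            findings.append("web-ui-no-auth")
        if findings:
            report[dev["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```

Run it again after turning on the device's web security option: the printer described above should then stop reporting `web-ui-no-auth` only if its landing page itself requires a login.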