South Korea’s military has been forced to remove over 1,300 surveillance cameras from its bases after learning that they could be used to transmit signals to China, South Korean news agency Yonhap reported.
The cameras, which were supplied by a South Korean company, “were found to be designed to be able to transmit recorded footage externally by connecting to a specific Chinese server,” the outlet reported an unnamed military official as saying.
Korean intelligence agencies discovered the cameras’ Chinese origins in July during an examination of military equipment, the outlet said.
Stuff like this is why I have to tell our Chinese CFO why we don’t want Huawei network devices. Yes Jeff, I know they are cheap as shit, you cheapskate, but you don’t put the cheapest solution in place to run your critical systems on!
Yes Jeff, I know they are cheap as shit, you cheapskate
Remind me again why you’d want an Apple (made in China) or OnePlus (made in China) or any of the other 70% of all cell phones available in the US? Are you just a big fan of paying extra for the same technology?
Or are you more wedded to phones made in Malaysia, India, or Vietnam for some peculiar reason?
you don’t put the cheapest solution in place
No shortage of high end Huawei models. They’ve been competitive with Samsung for nearly a decade.
How the fuck did that happen?
Dear South Korean government,
Please hire me instead. I promise I’m so paranoid, this will never happen.
Like every military operation, the job always goes to the lowest bidder, that is still overpriced, because it’s just tax money. That’s what always cracks me up about stuff that is marketed as military grade.
It’s expensive because it has to go through a dozen layers of private contractors.
The US military was remarkably good at rapidly churning out cheap, effective armaments during the WW and early Cold War era. But the LBJ/Nixon pivot to private industry eroded all the efficiency. Then Reagan kicked military spending into overdrive in the 80s, and it’s been a snowball of waste, fraud, and embezzlement ever since.
Now the model for military procurement is just a jobs program for Congressional districts. The epitome of the Do Nothing profession.
Capitalism. They just bought the cheapest reliable enough option they could find and didn’t give two craps about infosec, because that’s too expensive to actually properly do. Minimize the financial losses of an upfront purchase. (I worked more than enough jobs in hardware design to know what management cares about and what it doesn’t)
Also, big yikes for the Israel flag in your username.
Don’t all cheap IP cameras feed back to at least one server in China?
I bought two different no-name brands from Amazon several years back, and both models of them were trying to call home. I ran them on an isolated network, so they couldn’t get anywhere, but they were persistent little buggers. Oh, and the root password to one of them was hardcoded to “1234567” lol
Tangent, but if anyone can recommend a good IP camera that just craps out an RTSP stream locally and doesn’t phone home anywhere, DM me lol.
I don’t currently have them, but there is (or was?) a NoIR version of the Pi cameras that didn’t have IR filters. That should let the IR LED illuminators work same as most other cameras advertised with night vision.
I’m really surprised that the military in such a technologically advanced country just connected random IP cams to the internet.
From the Yonhap article,
The company that supplied the cameras is suspected to have falsified the equipment’s country of origin, and the military is considering taking legal action against it.
And also,
military and intelligence authorities found out the surveillance cameras supplied by a South Korean company were produced in China during military equipment examinations
The TLDR is that these cameras were supposed to be sourced domestically but the company behind it committed fraud to make a quick buck.
Reolink, Amcrest. For Amcrest, don’t get anything starting with ASH in the model name.
If you want ONVIF, be sure to check the specs, many cheaper models drop support, but not all.
Some YI cameras have easily replaced firmware and can do RTSP too, but you have to do your homework on those models to be sure you’re getting one that can be modded.
You’ll still want to (IMO) toss any of them in a vlan without internet access, and rather than provide that vlan access to an NVR on another vlan, I’d lean toward your NVR having a second connection to that vlan. I’m a huge fan of segmentation though, so YMMV.
Yeah, that was my old setup: dedicated VLAN with the NVR and cameras in it. Had a firewall rule so I could access the NVR from regular LAN but nothing “got out” of the camera VLAN without being requested from the LAN first.
At first I had the NVR in the LAN with FW rules to reach the cameras in their VLAN, but my FW at the time struggled with all the simultaneous streams going through it so I moved the NVR in with the cams.
Maybe I’ll just stick with my current setup of just getting old analog camera housings and sticking Raspberry Pi + camera module inside lol
Dual nic NVR then? You could even just throw a simple switch with no uplink (but preferably managed so you can tag the traffic) and for extra safety just allow only the LAN traffic you want on the NIC/Port connected to your regular LAN from the NVR.
Nothing wrong with a DIY cam though! As long as it works, of course.
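A defender-side check for the camera VLAN setup discussed above: a small log audit that flags any flow a camera initiates to something other than the NVR, whether the firewall dropped it or (worse) allowed it. This is an added example, not code from any commenter; the log format, the addresses (10.20.0.0/24 camera VLAN, 10.20.0.2 NVR, 192.168.1.0/24 LAN) and the log lines are all constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed layout (constructed for this example): cameras live in 10.20.0.0/24,
# the NVR is 10.20.0.2, the regular LAN is 192.168.1.0/24. The only flow a
# camera should ever open on its own is to the NVR; anything else is a
# phone-home attempt or a misconfigured rule.
CAMERA_VLAN = ipaddress.ip_network("10.20.0.0/24")
LAN = ipaddress.ip_network("192.168.1.0/24")
NVR_ADDR = ipaddress.ip_address("10.20.0.2")
LOCAL_NETS = (CAMERA_VLAN, LAN)

# Simplified, made-up firewall log line: "<ts> <ALLOW|DROP> <proto> src:port -> dst:port"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DROP) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SAMPLE_LOG = """\
2024-01-05T10:00:01 ALLOW tcp 10.20.0.11:40001 -> 10.20.0.2:554
2024-01-05T10:00:02 DROP udp 10.20.0.11:50000 -> 8.8.8.8:53
2024-01-05T10:00:03 DROP tcp 10.20.0.11:50001 -> 203.0.113.7:443
2024-01-05T10:00:03 DROP tcp 10.20.0.11:50002 -> 203.0.113.7:443
2024-01-05T10:00:04 ALLOW tcp 192.168.1.50:51234 -> 10.20.0.2:8000
2024-01-05T10:00:05 ALLOW tcp 10.20.0.12:50003 -> 192.168.1.50:445
"""

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def phone_home_attempts(log_text):
    """Map camera_ip -> {"<kind>:<dst>:<dport>": count} for every flow a camera
    initiated to anything other than the NVR. ALLOW lines are still reported,
    because they mean a rule let a camera out of its box."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src not in CAMERA_VLAN or dst == NVR_ADDR:
            continue  # LAN -> NVR viewing and camera -> NVR streaming are expected
        kind = "internal" if any(dst in n for n in LOCAL_NETS) else "external"
        hits[str(src)][f"{kind}:{dst}:{rec['dport']}:{rec['action']}"] += 1
    return {cam: dict(d) for cam, d in hits.items()}
```

Pointed at real firewall logs, a non-empty result from a camera VLAN that is supposed to be fully isolated is the signal that either a camera is trying to call home or a rule is more permissive than intended.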
Same with Russian ‘grandma phones’ with big buttons. Some researchers found that although they don’t provide any functionality besides basic phone/SMS stuff, they do try to call their motherbase, sending all credentials and geoloc. IIRC there was no argument about them sending the content of SMSes and voice calls, but it’s troubling as it is.
Plus, Russian as in sold there; they are Chinese, sometimes with a local branding.
Not a plug and play solution, but if you aren’t averse to tinkering, an RPi Zero with a CSI camera and v4lrtsp server can get you done rather cheap, depending on your needs.
That’s actually my current setup :)
Got some old analog cameras at an estate sale, gutted them, and put some Pi + camera modules inside. Couldn’t get the original optics to work with it, and they lack PoE, but they’re otherwise doing well (3 years and going). Just occasionally have to reboot them more than I’d like.
Haven’t messed with v4lrtsp server, but ZoneMinder has been good to me. Will check that out.
Yes, you don’t get things like PoE etc., at least not on the Zero models. There are hats for the full size Pi. But you have full control and they are upgradable. I have a Zero W in the official enclosure, double-sided taped to a wall with a micro-B cord plugged in to power it. Can access the stream over Wi-Fi and get 30 frames per second 720p easy. Could easily do much better than that even, but the original Raspberry Pi camera module I think is the limitation, because the cores on the Zero are barely being touched at all. In the low double digits if that.
It’s so light on resources that if someone had an old USB hub and some old web cameras laying around, you could run multiple cameras off of a single Raspberry Pi Zero. I think you would hit port bandwidth saturation before you would hit a CPU limit. Unless of course you’re trying to re-encode.
What happens when infosec is an afterthought, brought to you by management, almost always by management. Most of my gigs throughout my career have been because of this (infosec guy).
The rest of my career has been when management is throwing money at the problem(s), usually right after an incident. Sometimes you get lucky and it’s in response to some other entity’s incident.
Last minute improbable solutions to other people’s long term impossible problems.
I remember when, I think, Sony was hacked because of the movie “The Interview”. It created enough of a news cycle shitstorm that our corporate overlords became excessively generous with our infosec budget and made it a tier 1 priority.
It went from a measly 0.5% to a whopping 25% of IT expenditure.
On the other hand, to really show they didn’t understand anything about it, they recruited an experienced CISO and fired him a month later because an accountant’s workstation was hit by ransomware. The guy barely had the time to start building a plan and launch a bunch of audits, but still got the full blame for decades of neglect. (He eventually sued them and settled.)
Not if they were configured correctly. I.e. on their own, non-Internet connected VLANs.
If you have access to hardware level design, just about anything can happen.
If the network the cameras connect to has no way to reach the Internet, then the cameras can’t reach the Internet.
I can think of many ways to transmit data. Doesn’t even necessarily have to be the Internet. Internal SIM card? Satellite connection? VLAN is definitely not a solution to a state-level hardware threat.