If you've seen a Hollywood caper movie in the last 20 years you know the old video-camera-spoofing trick. That's where the criminal mastermind taps into a surveillance camera system and substitutes his own video stream, leaving hapless security guards watching an endless loop of absolutely-nothing-happening while the bank robber empties the vault.

Now white-hat hackers have demonstrated a technique that neatly replicates that old standby.

Amir Azam and Adrian Pastor, researchers at London-based security firm ProCheckUp, discovered that they can redirect what video file is played back by an AXIS 2100 surveillance camera, a common industrial security camera that boasts a web interface, allowing guards to monitor a building from anywhere in the world.

Internet voyeurs have already discovered how to use search engines to find and view video of surveillance cameras that are ostensibly private, but this attack seems to be the first that actually lets an outsider control a camera's playback.

This hack works by combining a few vulnerabilities in how the camera's accompanying software accepts input – a type of security hole known as cross-site scripting, or XSS.

In this case, the attacker first sends some malformed information – which is actually JavaScript – to the camera's web server, which then writes that information to the log files. When the camera's administrator checks the logs, the JavaScript executes, creating a new user account and e-mailing the attacker that the new account has been created.

From there the attacker can simply change the HTML on the camera viewing page to secretly point the playback screen to another video file – one that can even be hosted on another web site.

The snag in this scenario is getting the person who administers the camera to check the log files, but Azam and Pastor suggest that could be done by first targeting the camera with a flood of traffic to briefly impede its service. The camera's administrator would then likely check the logs to look for error codes, thus inadvertently triggering the exploit.
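The log-viewing step is where the injected script runs, so that is where output encoding matters. The sketch below is an added example, not code from the camera or from ProCheckUp's paper: it renders a constructed access log the flawed way and the escaped way, and flags entries worth a second look. The log format, paths and function names are assumptions made for illustration.

```python
import html
import re

# Constructed sample log lines (not from a real camera). The second entry
# carries markup in the request path, as an injected entry would.
SAMPLE_LOG = [
    '10.0.0.5 "GET /view/index.shtml" 200',
    '203.0.113.9 "GET /<script>alert(1)</script>" 404',
]

# Assumed line format: client "METHOD path" status
LINE_RE = re.compile(r'^(\S+) "(\S+) (.*)" (\d{3})$')
ROW = "<tr><td>%(client)s</td><td>%(path)s</td><td>%(status)s</td></tr>"


def parse(line):
    """Split one log line into fields; unparseable lines are kept whole."""
    m = LINE_RE.match(line)
    if not m:
        return {"client": "?", "method": "?", "path": line, "status": "?"}
    return dict(zip(("client", "method", "path", "status"), m.groups()))


def render_unsafe(lines):
    """The flawed pattern: request-supplied fields go into HTML verbatim."""
    return "<table>" + "".join(ROW % parse(l) for l in lines) + "</table>"


def render_safe(lines):
    """Same page, with every field HTML-escaped at output time."""
    rows = []
    for line in lines:
        fields = {k: html.escape(v, quote=True) for k, v in parse(line).items()}
        rows.append(ROW % fields)
    return "<table>" + "".join(rows) + "</table>"


def suspicious(lines):
    """Flag entries whose request path contains HTML metacharacters."""
    pattern = re.compile(r"[<>\"']|%3c|%3e", re.I)
    return [l for l in lines if pattern.search(parse(l)["path"])]


if __name__ == "__main__":
    print(render_safe(SAMPLE_LOG))
    print(suspicious(SAMPLE_LOG))
```

Escaping at render time is the fix; the `suspicious` check is only a triage aid, since an administrator reviewing logs after an outage is exactly the moment the page describes.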

The sophisticated switcheroo can be seen in this video, where an Axis 2100 camera's playback is replaced by a small spinning globe (you must watch closely to see the change).

Web-enabled cameras, such as those sold by Axis, are increasingly popular for security applications since they can be accessed by the administrator from any internet connection, which distinguishes them from more traditional, analog cameras which operate on their own wires and have fewer features.

The AXIS 2100 is an older model that is no longer supported by the maker. But Azam and Pastor say the vulnerability points to the kind of flaws that can show up on any device attached to a computer network, and that holes in older software may find their way into newer software since companies routinely reuse code.

Fredrik Nilsson, Axis's general manager in the U.S., stressed that the Axis 2100 was phased out three years ago and that newer cameras include more advanced security features, such as IP filtering that prevents outside access to cameras.

Nilsson also says that anyone using the cameras for critical tasks should be very aware of their networks.

"If products are being used for true surveillance and security, they should be sitting in a very secure network," Nilsson said.

The company does not plan to plug the holes in the 2100, mainly because the camera's storage space for code is a meager 8 MB, compared to 256 MB in the company's current line, Nilsson said.