The Internet of malware-infected things

Body cameras are having a bumpy introduction. Most people on both sides seem to agree, in varying degrees, that such systems provide more transparency in incidents where law enforcement officials interact with the public as well as in training and evidence gathering. Technically, however, there are still quite a few issues to iron out.

Customs and Border Protection recently published findings of a feasibility study it had conducted to see how cameras could help its agents with their operations. Though the potential advantages were great, CBP said it found “significant challenges” to a rollout of the cameras because of cybersecurity, data processing and other issues.

The cameras generally lack adequate security features, the study found, and vulnerabilities could be introduced by streaming video or the interface between the cameras and non-approved devices. The cameras’ signals were also susceptible to hacking.

There also seems to be a question about whether some of the camera manufacturers understand any of this -- or even know what’s embedded in the devices they make. One recent case involved a company called Martel Frontline Camera, which makes $500 body cameras whose systems were found to be infected with the Conficker worm right out of the box.

Bear in mind that Conficker was state of the art back in 2008. These days, it’s a well-known threat that should be fairly easily caught by standard antivirus and firewall software. Any government security professionals who allow the Conficker worm into agency systems would rightly have their competency questioned.

Florida integrator iPower Technology had bought several of Martel’s cameras with which to test a cloud-based video system it was developing for government agencies and police departments. During testing and evaluation of the Martel product, the company discovered that the body cameras had been preloaded with the Win32/Conficker.B!inf worm.

iPower’s own antivirus software immediately discovered the worm but, as the company pointed out, any computer that didn’t have antivirus installed would have immediately been infected and could have spread the worm to other systems and across the network.

When iPower reached out to Martel, which has been in business for three decades, Martel technicians were incredulous, according to iPower’s owner and president. In fact, Jarrett Pavao told Threatpost, Martel didn’t even think there was software in the camera.

In iPower’s own release on its findings, Pavao made several good points.

“…as the Internet of Things continues to grow into every device we use in our businesses and home lives each day, it becomes even more important that manufacturers have stringent security protocols,” he said. “If products are being produced in offshore locations, what responsibilities lie with the manufacturer to guarantee our safety?”

Supply chain security has become a major worry for government. With so many IT components now made outside the United States, there’s a clear path for criminals and foreign states to plant malware that could infect U.S. systems and provide a way for people to steal information or commit espionage against U.S. government and private-sector organizations.

A Justice Department statement, for example, recently revealed that two Defense Information Systems Agency contractors had been fined for using unauthorized programmers to write software for Defense Department communications systems, which a separate Public Integrity investigation found actually involved Russian programmers. The code they provided — surprise — included numerous viruses.

Any company with modern security systems can easily deal with threats such as Conficker. As Pavao pointed out, however, there are many organizations that have much older, legacy systems and software that will have far more difficulty in detecting and dealing with threats. That’s a problem in many government agencies -- one that can’t be easily solved because many of those legacy systems are still running mission-critical applications.

With the most deadly threats today far more sophisticated than Conficker, however, the potential for havoc is absolute. Could future breaches stem from such non-obvious sources as police body cameras or similar devices?