Skip to main content

Directory disclosure vulnerability in facial recognition software

There are at least a dozen, most likely many more, Embedded Facial Recognition Systems online on the World Wide Web with a basic software flaw that allows anyone without credentials to browse the /images directory, download log files, and view enrolled images.

I was able to locate the systems on Shodan searching for - html:facial html:recognition html:embedded country:"US" - and once on the log-in pages, simply inspecting the page source revealed the path to the background image.

Navigating one directory up revealed the directory listing, and I was able to navigate to the folder "logs" and download .bmp files of faces enrolled in the system, as well as system files.

Many of the systems seem to be on dedicated IP blocks (inferred from searching Shodan for the IP's ASN, net:"xx.xx.xx.0/24"), and the owner of some systems can be gleaned from other devices on the network. These are not law enforcement systems, from what I can discern, rather access control devices at commercial and industrial sites.

I've been able to identify the system just by searching for "embedded facial recognition" software (embedded in this case means the sensor and the analytics are combined, as opposed to the alternative of a system that conducts analysis of user-submitted probe images taken by independent cameras). It's AccuFACE by PSPSecurity, and believe it or not, PSP's website is down.

Log in screen I found through Shodan
AccuFACE software design, with the same background graphic.

At least a dozen, probably many more, such systems using the same software have this common flaw, so it's a good example of what's really a general exposure of this kind of surveillance technology to dilettantes like myself browsing Shodan.

With inexpert trawling of I've been able to access recorded drone footage, a Highway Patrol surveillance trailer, dialed number recorders, many automated license plate reader servers, as well as more facial recognition portals than I've been able to check for possible access.

Just from the few facial recognition servers I've tried so far, I've been able to view and download footage and its metadata.

But it gets much worse.

They're still looking for Hitler.