There are at least a dozen, most likely many more, Embedded Facial Recognition Systems online on the World Wide Web with a basic software flaw that allows anyone without credentials to browse the /images directory, download log files, and view enrolled images.
I was able to locate the systems on Shodan searching for - html:facial html:recognition html:embedded country:"US" - and once on the log-in pages, simply inspecting the page source revealed the path to the background image.
Navigating one directory up revealed the directory listing, and I was able to navigate to the folder "logs" and download .bmp files of faces enrolled in the system, as well as system files.
I've been able to identify the system just by searching for "embedded facial recognition" software (embedded in this case means the sensor and the analytics are combined, as opposed to the alternative of a system that conducts analysis of user-submitted probe images taken by independent cameras). It's AccuFACE by PSPSecurity, and believe it or not, PSP's website is down.
At least a dozen, probably many more, such systems using the same software have this common flaw, so it's a good example of what's really a general exposure of this kind of surveillance technology to dilettantes like myself browsing Shodan.
With inexpert trawling of I've been able to access recorded drone footage, a Highway Patrol surveillance trailer, dialed number recorders, many automated license plate reader servers, as well as more facial recognition portals than I've been able to check for possible access.
But it gets much worse.
They're still looking for Hitler.
I was able to locate the systems on Shodan searching for - html:facial html:recognition html:embedded country:"US" - and once on the log-in pages, simply inspecting the page source revealed the path to the background image.
Navigating one directory up revealed the directory listing, and I was able to navigate to the folder "logs" and download .bmp files of faces enrolled in the system, as well as system files.
Many of the systems seem to be on dedicated IP blocks (inferred from searching Shodan for the IP's ASN, net:"xx.xx.xx.0/24"), and the owner of some systems can be gleaned from other devices on the network. These are not law enforcement systems, from what I can discern, rather access control devices at commercial and industrial sites.It's probably none of my business but I'm one of those people who needs to know what the fuck pic.twitter.com/F453dsf67x— Kenneth Lipp (@kennethlipp) May 6, 2017
I've been able to identify the system just by searching for "embedded facial recognition" software (embedded in this case means the sensor and the analytics are combined, as opposed to the alternative of a system that conducts analysis of user-submitted probe images taken by independent cameras). It's AccuFACE by PSPSecurity, and believe it or not, PSP's website is down.
 |
| Log in screen I found through Shodan |
 |
| AccuFACE software design, with the same background graphic. |
At least a dozen, probably many more, such systems using the same software have this common flaw, so it's a good example of what's really a general exposure of this kind of surveillance technology to dilettantes like myself browsing Shodan.
With inexpert trawling of I've been able to access recorded drone footage, a Highway Patrol surveillance trailer, dialed number recorders, many automated license plate reader servers, as well as more facial recognition portals than I've been able to check for possible access.
Just from the few facial recognition servers I've tried so far, I've been able to view and download footage and its metadata.Live right now, Highway Patrol in a Great Plains state, full pan tilt and zoom, reckon in a bit I'll be driving this around pic.twitter.com/3gS3DUe6p7— Kenneth Lipp (@kennethlipp) April 5, 2017
But it gets much worse.
They're still looking for Hitler.
Hii friends, I wanted to write a little Info related to Visa. Are you interested in traveling to any country? Yes, you can apply visa online. You can fill out your visa application form online within 5 to 10 minutes via our Visacent website. We offer visas to citizens of over 190 countries. You can read more info about visas via our website.
ReplyDeleteYour article is easy to read and understand. I would like to read more articles like this. Getting a Turkey e visa online is a hassle free process. It saves time and money as well.
ReplyDelete