
Directory disclosure vulnerability in facial recognition software

There are at least a dozen, and most likely many more, embedded facial recognition systems reachable on the public web with a basic software flaw: directory listing is enabled on the web server, so anyone without credentials can browse the /images directory, download log files, and view the images of enrolled people.

I was able to locate the systems on Shodan with the query "html:facial html:recognition html:embedded country:"US"", and once on the log-in pages, simply inspecting the page source revealed the path to the background image.

Navigating one directory up from the image path revealed the directory listing, and from there I was able to navigate to the "logs" folder and download .bmp files of faces enrolled in the system, as well as system files.
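The steps above (read the login page, pull out the referenced asset paths, walk up to each parent directory, and see whether the server answers with an auto-generated index) reduce to a small reproducible check. The code below is an added example written for this page; it is not the author's tooling and has nothing to do with PSPSecurity's software. The host 192.0.2.10, the paths and the HTTP responses are constructed stand-ins, and network access sits behind a `fetch` callable so the check runs offline here. It generalises the post slightly by testing every ancestor directory of every same-origin asset, not only the one directly above the background image.

```python
"""
Added example (not code from the original post): detect exposed directory
listings starting from the asset paths referenced by a device's login page.
"""
import re
from typing import Callable, Dict, List, Optional
from urllib.parse import urljoin, urlparse

# Paths referenced via src="", href="" or CSS url(...) anywhere in the page.
_ASSET_RE = re.compile(
    r"""(?:src|href)\s*=\s*["']([^"']+)["']|url\(\s*["']?([^"')]+)["']?\s*\)""",
    re.IGNORECASE,
)

# Markers typical of auto-generated index pages (Apache, nginx, lighttpd, IIS).
_LISTING_RE = re.compile(
    r'<title>\s*Index of\s|<h1>\s*Index of\s|href="\.\./"|Parent Directory',
    re.IGNORECASE,
)


def find_asset_paths(html: str) -> List[str]:
    """Return every asset path the page references, de-duplicated, in document order."""
    seen, out = set(), []
    for m in _ASSET_RE.finditer(html):
        path = m.group(1) or m.group(2)
        if not path or path.lower().startswith(("data:", "javascript:", "#")):
            continue
        if path not in seen:
            seen.add(path)
            out.append(path)
    return out


def parent_directories(base_url: str, paths: List[str]) -> List[str]:
    """Resolve each asset against the page URL and return the URLs of all of its
    ancestor directories (deepest first, web root last). Assets hosted on another
    origin are skipped; only the device itself is being checked."""
    origin = urlparse(base_url).netloc
    seen, out = set(), []
    for p in paths:
        parsed = urlparse(urljoin(base_url, p))
        if parsed.netloc != origin:
            continue
        segments = parsed.path.split("/")[1:-1]  # directory components only
        for depth in range(len(segments), -1, -1):
            directory = "/" + "/".join(segments[:depth]) + ("/" if depth else "")
            url = f"{parsed.scheme}://{parsed.netloc}{directory}"
            if url not in seen:
                seen.add(url)
                out.append(url)
    return out


def looks_like_directory_listing(html: str) -> bool:
    """True when the body carries the tell-tale markup of an index page."""
    return bool(_LISTING_RE.search(html))


def check_host(login_url: str, fetch: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Return {directory_url: body} for each ancestor directory of the page's
    assets that the server serves as a listing. fetch(url) returns the response
    body as text, or None when the request fails."""
    page = fetch(login_url)
    if page is None:
        return {}
    exposed: Dict[str, str] = {}
    for directory in parent_directories(login_url, find_asset_paths(page)):
        body = fetch(directory)
        if body and looks_like_directory_listing(body):
            exposed[directory] = body
    return exposed


# Constructed sample responses standing in for a device; not captured data.
SAMPLE_SITE = {
    "http://192.0.2.10/login.html": (
        '<html><body style="background:url(\'/images/bg.jpg\')">'
        '<script src="/js/app.js"></script>'
        '<img src="https://cdn.example.net/logo.png"></body></html>'
    ),
    "http://192.0.2.10/images/": (
        "<html><head><title>Index of /images</title></head>"
        '<body><a href="../">../</a><a href="bg.jpg">bg.jpg</a>'
        '<a href="logs/">logs/</a></body></html>'
    ),
    "http://192.0.2.10/js/": "<html><body>403 Forbidden</body></html>",
    "http://192.0.2.10/": "<html><body>login page</body></html>",
}


def sample_fetch(url: str) -> Optional[str]:
    """Offline stand-in for an HTTP GET against the constructed sample site."""
    return SAMPLE_SITE.get(url)


if __name__ == "__main__":
    for directory in check_host("http://192.0.2.10/login.html", sample_fetch):
        print("directory listing exposed:", directory)
```

To run it against a real device you are authorised to test, pass a `fetch` that does an HTTP GET and returns the decoded body (for example with `urllib.request.urlopen(url, timeout=5)`), returning None on any error. The marker regex is deliberately conservative: a 403 or 404 body, or a login page served for every path, is reported as not exposed, so a negative result only means no listing was recognised. On the server side the fix is the usual one: turn off automatic indexing (`Options -Indexes` on Apache, `autoindex off;` on nginx) and keep logs and enrolment images outside the web root rather than under it.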

Many of the systems seem to be on dedicated IP blocks (inferred from searching Shodan for the surrounding /24 network block, net:"xx.xx.xx.0/24"), and the owner of some systems can be gleaned from the other devices on the same network. These are not law enforcement systems, from what I can discern, but rather access control devices at commercial and industrial sites.

I've been able to identify the product just by searching for "embedded facial recognition" software (embedded in this case means the sensor and the analytics are combined in one device, as opposed to a system that analyses user-submitted probe images taken by independent cameras). It's AccuFACE by PSPSecurity, and, believe it or not, PSP's website is down.

Log in screen I found through Shodan
AccuFACE software design, with the same background graphic.

At least a dozen, and probably many more, systems running the same software share this flaw, so it's a good example of what is really a general exposure of this kind of surveillance technology to dilettantes like myself browsing Shodan.

With inexpert trawling of Shodan I've been able to access recorded drone footage, a Highway Patrol surveillance trailer, dialed number recorders, many automated license plate reader servers, and more facial recognition portals than I've been able to check for possible access.

Just from the few facial recognition servers I've tried so far, I've been able to view and download footage and its metadata.

But it gets much worse.
They're still looking for Hitler.
