QBX, Proprietary Dashcams and Hacked Police Departments
-
So I've just learned that it is standard practice for police departments to obfuscate dashcams and other recordings by using proprietary formats, like QBX (that is supposed to be a QuickBooks file, but there is a screen recording format for that too.) To make this functional, they burn the QBX file to an ISO image (or maybe an actual CD / DVD) and on the disk include an AutoRun configuration with a set of instructions to open the file, and an application to view the file.
So importantly, this process is used to make things difficult, but protects nothing. Anyone with physical access to the ISO (copy or whatever) can view the file, there's no security whatsoever. Anyone can open the AutoRun text file and see the necessary parameters (or alter them.) There's no encryption, no chain of custody stuff, no MD checksums to verify if things have been tampered with. Nothing here is for security. The only function seems to be to attempt to make it as difficult as possible for the public to obtain and use public records (which can then also make things difficult for the police departments, too, of course.)
But here are the real issues. Using a completely proprietary format (a format not even designed for this use case, it should be noted) causes a few key problems:
- It forces people to download loads of data instead of just the video. It's an unnecessary waste of both police and public resources.
- It forces everyone to view files only on Windows devices, the least secure option. You can secure Windows, but this is a situation where that would rarely happen.
- It requires a relatively large amount of files, configuration and compatibility that is very easy to break and extremely easy to have become legacy and become unreadable over time. What works today doesn't necessarily work tomorrow.
- It requires anyone that is going to use the video to run an unverified and absolutely untrustworthy application that cannot be tested or patched (which breaks many security rules.)
This means that by the use of this system both the police and the public (who have no choice) are forced into buying Windows systems just for this purpose and to run untrustworthy software on that Windows machine. This should break any number of fundamental security processes. No police officer should ever fall for a social engineering trick like this. This would be a very simple way to inject a rootkit or trojan into the police department because they are running a completely unverified application. You could provide a download, or just hand out a DVD. The police (and the public) have been trained to blindly run the application on the DVD. They have to do it every day, so fundamental security that we trust that there will be in any government office is totally bypassed.
This is so blatantly impractical, serves no legitimate purpose, undermines basic security to a point that no one, technical or not, has a real excuse to fall for it, is a clear violation of public trust, and pushes the agenda of private companies at the expense of the public good and police efficiency that it is hard to see the use case as anything less than social engineering on a grand scale. How many police departments have been conditioned to accept something that is literally the textbook example of social engineering for installing a rootkit? The police are promoting the very thing they are tasked with protecting us against.
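Added example, not part of the original post: one way a recipient could read what a disc's AutoRun file would launch without running anything, and check a disc copy against a SHA-256 manifest of the kind the post says is missing. The file names (`viewer.exe`, `video.qbx`, `extra.dll`), the sample `autorun.inf` and the manifest layout are constructed assumptions, not taken from any real evidence disc.

```python
import configparser
import hashlib
import tempfile
from pathlib import Path

# Constructed sample; viewer.exe and video.qbx are hypothetical file names.
SAMPLE_INF = "[AutoRun]\nopen=viewer.exe /play video.qbx\nicon=viewer.exe,0\nshell\\play\\command=viewer.exe video.qbx\n"

def autorun_commands(inf_text):
    """Return {key: command line} for each AutoRun entry that launches a program."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(inf_text)
    name = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if name is None:
        return {}
    # configparser lower-cases keys; icon= and label= do not execute anything.
    return {k: v for k, v in cp[name].items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))}

def sha256_manifest(root):
    """Map each file's disc-relative path to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root, expected):
    """Compare a disc copy against the manifest recorded when it was issued."""
    actual = sha256_manifest(root)
    return {"modified": sorted(n for n in expected if n in actual and actual[n] != expected[n]),
            "missing": sorted(set(expected) - set(actual)),
            "unexpected": sorted(set(actual) - set(expected))}

def demo():
    """Build a constructed disc copy, tamper with it, and return both reports."""
    with tempfile.TemporaryDirectory() as d:
        disc = Path(d)
        (disc / "autorun.inf").write_text(SAMPLE_INF)
        (disc / "viewer.exe").write_bytes(b"constructed viewer bytes")
        (disc / "video.qbx").write_bytes(b"constructed recording bytes")
        manifest = sha256_manifest(disc)  # what the issuer would publish
        (disc / "viewer.exe").write_bytes(b"replaced binary")  # simulated tampering
        (disc / "extra.dll").write_bytes(b"file added after issue")
        commands = autorun_commands((disc / "autorun.inf").read_text())
        return commands, verify(disc, manifest)

if __name__ == "__main__":
    commands, report = demo()
    print(commands)
    print(report)
```

A manifest only helps if it reaches the recipient separately from the disc or carries a signature, since anyone who can alter the disc can also alter a manifest stored on it.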
-
So this creates a very obvious attack vector for police departments (or members of the public.) Anyone can trivially create a DVD ISO image, put QBX files on it of appropriate size (they don't need to contain anything.) Put on a rootkit. Create a splash image of something that looks vaguely like a fifteen year old video player. And throw up some obscure, and fake, error.
What do you get? Root level remote access to police systems (or public systems, depending on to whom you send it) in such a way that the police officers in one case, or computer owners in the other, authorize manually the running of the application under conditions where they have been conditioned to do so without thinking twice, and because these applications are fragile and generally unsupported and undocumented, without taking notice of the inability to decipher a fake error. It is an unremarkable and likely forgotten moment in a busy day, but one that easily opens access to spy, steal, or ransom public data held by the police - a very high profile target.
-
@scottalanmiller Yeah I've had to deal with this in the past, the software is just awful to deal with, and literally makes nothing more secure, for either the prosecution, defendant(s) or the public attempting to view the material.
Simple answer is, that it just proves how vulnerable police departments are with such horrible software requirements.
-
@DustinB3403 said in QBX, Proprietary Dashcams and Hacked Police Departments:
> @scottalanmiller Yeah I've had to deal with this in the past, the software is just awful to deal with, and literally makes nothing more secure, for either the prosecution, defendant(s) or the public attempting to view the material.
> Simple answer is, that it just proves how vulnerable police departments are with such horrible software requirements.

Not aware of any requirement. They just choose this kind of equipment over other options.