University admits mistakes, cameras will remain off until March
The university’s investigation into the controversial cameras at the entrances of buildings and lecture halls has revealed digital security problems. The system will remain deactivated pending further investigation.
Anoushka Kloosterman and Mark Reid
Friday 11 February 2022
An example of the cameras produced by Xovis

‘Partly in response to Mare’s reporting, we arranged for a security test to be carried out by an external party’, writes the university spokesperson. ‘The result of this test partly confirms the findings reported by Mare.’

On the basis of these findings, the university asked the supplier of the cameras to update the software in order to resolve the security problems. According to the university, the supplier has since done so and the software is now being tested again for security.

Last November, Mare reported that the Xovis brand camera system used by the university might pose certain security risks. For example, the login page of the system was accessible via an unsecured connection and users who were not logged in could access information on the camera.

It was also found that the system used an extremely outdated method of encrypting passwords and that users who were not logged in could possibly also see the password in encrypted form.

Ethical hacker Sijmen Ruwhof called these risks in the software a sign of carelessness: ‘The MD5 algorithm that’s used here has been known to be really unsafe for about fifteen years now. The fact that the server sends the encrypted password to the user is outrageous and would never have been necessary if the system had been set up in a secure manner. The combination of these two weaknesses poses a serious security risk.’

Until the investigation is complete, the university does not want to share exactly which problems were uncovered during the investigation and which of them have supposedly been fixed by the manufacturer.

In addition to the external investigation, a public penetration test and hacking demonstration of the system will take place in March. The cameras will remain deactivated at least until these tests have been carried out.

Mare asked Xovis for a reaction to the security risks in the software, but the camera manufacturer did not want to respond to questions.