David

Privacy

October 2023

While scanning the school district’s network, I discovered two IP cameras used for board meetings that had concerning security issues. The cameras still used the default administrative and guest account usernames and passwords. This meant anyone could easily access the camera feeds and move the cameras remotely.

This poses a risk because the cameras are on the main district network accessible by all schools. With the network being shared between buildings, an attacker could view private feeds from other locations. Additionally, the WiFi password for the network the cameras connect to has been leaked multiple times.

Screenshot of the camera stream being played in VLC. Pixelated for obvious reasons.
Stream playing in VLC
SCreenshot of the cameras web interface
Web interface of the camera

October 2022

I uncovered a concerning vulnerability while examining the district’s web dashboard. I was alarmingly able to access server-side PHP code, revealing sensitive details about the site’s inner workings and database login credentials. Recognizing the potential risks this posed, I promptly notified school administrators so they could quickly fix the issue.

Screenshot of Dublin City Schools dasboard taken from the Internet Archive
Screenshot of the dashboard

© David Stephenson

Creative Commons by-nc-nd 4.0 International License
Acknowledgements