Having analyzed a bunch of cameras for security vulnerabilities, Craig Heffner gives a live demo of hijacking the admin’s video feed and does a brief Q&A.
… So the admin will now always see the empty elevator no matter what is actually going on in there. This is actually a lot more fun to see in a live demo. So, if the demo gods will work with me today…
Alright, so I have my camera guarding my precious beer here. You can see if I try and take it, whoever is watching will know. However, I have a little exploit script written up, and this exploit script does a couple of things. First of all, it’s going to kill the admin’s video feed, it’s going to replace the mjpg.cgi just like we showed, it’s also going to give me the administrative credentials to the camera and set up a secret URL so that I can still see the live video feed even though the admin’s is frozen permanently.
So, sending exploit… Okay, you can see it gave me back the user credentials: the login is admin and securecam1234. It also tells me what URL it set up so that I can view the real video feed. If I go over to my hacker’s browser here, I can see what’s going on. So if I try and take this, I know that but the admin doesn’t. So, that’s the demo.

A couple of closing thoughts I’d like to leave you with (see right-hand image). First of all, this clearly is not an all-encompassing list of bugs in security cameras, not by a long shot, so there are lots more of these to be found if you want to go look for them yourself. And as you see, most of them are epically trivial to exploit. Another thing I’d like to point out is that almost all of these cameras will reveal their model name even if you’re not authenticated, either on the login page or the login prompt, depending on how they’re doing authentication. It will tell you what its model number is.
So, if I as an attacker know the model number, even if I know nothing else about this camera, I can go on Google, I can google the model number, go to the vendor’s web page, download the firmware, maybe have to add “tab=4”, and start analyzing it for vulnerabilities without ever even having to buy the device. And this is exactly what I did with all of these cameras. I was able to find the vulnerabilities and write working exploits without ever having to buy a single camera. It was all done with firmware analysis, basically, using Binwalk to do firmware analysis and extraction, and then using IDA and Qemu for disassembly and emulation if necessary.

I know if I open up a Q&A, like half the room always leaves. So before you head out please fill out the surveys or swipe your badge for surveys, or however that works in the back. But with that, I’m ready for any questions you guys might have.
Question: Have you worked with any actually secure cameras?
Craig: No… There were a lot more cameras that I looked at. I simply didn’t need, like, a two-hour slot to talk about all of them. I did not run into one that was actually well done and actually secure. With that said, there are a lot of larger vendors that I simply didn’t have the resources to look at. You know, they don’t put their firmware up for free and I don’t have the money to buy their cameras. So I’m not saying there aren’t secure cameras out there, but the ones I’ve looked at are certainly not.
Question: Is there a way to make the admin see some motion rather than a static image?
Craig: The easiest way to do that in this case would be, like, an animated GIF, which is a pretty hacky workaround. Certainly this can be taken a lot farther. I mean, you can easily write your own CGI that really does feed a live video of whatever you want. I’m lazy though, and that was my demo. But the concept is the same: you’re root on these devices, you can do whatever you want. Yeah, you can certainly do that.