Black Hat 2013 - Exploiting Network Surveillance Cameras Like a Hollywood Hacker

Video Statistics and Information

Video

Captions Word Cloud

Captions

all right so I'm Craig Kepner this talk is obviously exploiting surveillance cameras like a Hollywood hacker now as some of you may or may not know when my talk was first announced it got a little bit of press which as a speaker is really cool the problem is that in order to hype their articles all of the news stories who covered my talk decided to emphasize the fact that I used to work for a particular three-letter agency who has been in the press quite a bit themselves lately and although they couldn't quite seem to agree what those three letters actually stood for some of them did go as far as to claim that what I was presenting at blackhat was actually work I had done for said agency now with current events being what they are this resulted in some very interesting phone calls from my ex employer yeah luckily we have people who handle the phones for me and they got yelled at instead of me but while my initial attempts to kind of assuage their fears didn't work I was eventually able to convince them that yes sometimes people on the internet are wrong so just to be very clear this talk is not about any work that I've ever done for any ex employer what this talk is about is work that I do for my current employer I work as an embedded vulnerability analyst for tactical Network solutions I also teach our embedded device exploitation courses and dabble with wireless hacking from time to time as well what I'm going to be talking about today obviously is the security and surveillance cameras or lack thereof as it may be back in early 2011 last year I started taking a look at the security that's in the firmware actually running on these network connected surveillance cameras and since I'm up here talking about it as you might surmise I found a lot of interesting things so I'll be dropping some O'Day's as well as some not so Oh days and we'll talk about that when we get to it but also demonstrating how these vulnerabilities ultimately can be leveraged and true Hollywood style fashion so when I started looking at surveillance cameras I said well I've looked at a lot of embedded devices before but I haven't looked at surveillance cameras so I kind of wanted to start off with something easy something that would be almost guaranteed to get me a win so I picked d-link because they never fail to disappoint specifically I looked at the dcs 7410 which at around $900 is one of their more expensive business IP cameras and like all the cameras that I'm going to be talking about today they provide an administrative interface as well as access to the video feed through a web server running on the camera which makes the webserver a very attractive target for an attacker now specifically this camera uses light II which is an open-source web server that you find used quite a bit in embedded devices and they actually in the lighting configuration they set up some very sane and restrictive access rules as to who can get to what through the web server so you can see here that if you wanted to get to anything in the CGI admin directory you have to be logged in as an admin if you want to get to anything in the video directory you can be any user but you do have to be authenticated you do have to be a valid user so they had entries for every single directory in their web interface except one they did not have an entry for CGI bin now as it turns out there's not much in the CGI bin directory almost all of the CGI scripts are actually in the CGI directory which is protected in fact CGI bin only has one file in it and that was our TPD CGI which is a shell script that can be used to start and the real-time transport protocol daemon so for example if you wanted to stop the RTP daemon you would simply send a request to RTP D that CGI and in your query string you specify action equal stop to stop service the problem is the way they handle this query string that you provide is they replace all ampersands with spaces and then eval the result so they're literally executing in a shell whatever you put in your query string and not only that it runs as route so you can do something like this and it reboots the device and I actually had a hard time categorizing this because it's not even command injection we're not injecting anything it's just running whatever we give it so I've dubbed this the Ron Burgundy because it will literally execute whatever you put in your query string not only will it execute what you put in your query string but it'll send you the response back to your browser so you can do something like this this particular command will echo out the admin password you get that sent back to your browser and so you now have the admin password and access to the video feed and so you're not only route you're also admin now as it turns out d-link like many vendors really likes to reuse code and so this popped up and a lot of their products but it didn't just affect d-link because it was also used by TRENDnet and several other off-brand devices as well and due to the fact that there are so much reuse of this code through within vendors and throughout different vendors it turns out there's quite a few of them already publicly accessible in an indexed by shodhan for you now this vulnerability might sound familiar to some people and that's because it probably is of course after my talk got accepted someone put a CBE out for this bug so it's technically not an eau de anymore however the CVE only addressed d-link devices and did not mention any of the other vendors affected and the truth is even if every single vendor put out a firmer update fixing this today everyone would still be vulnerable like three years from now because no one updates firmware or even knows what it is half the time so I expect this bug even though it's technically not a know day to be quite useful for some time to come so I said okay d-link is an easy target as I mentioned that's why I picked them let's move on to perhaps a more reputable vendor like Cisco the Cisco PVC 2300 is kind of a mid-range business IP camera runs about $500 now it too has a web server and it enforces authentication by using HTTP word files which most people are probably already familiar with so basically you put an HT password file or more specifically a sim link to a centralized HT password file in every directory that you want to be password protected so looking through the firmware every single directory in the web interface had a dot HT password file except one the o amp directory did not have any HT password file what it had was a bunch of XML files that were actually sim links to this om CGI binary so I said okay well let's let's look at what this o and CGI thing does and as it turns out it implements kind of its own little mini API that's totally separate from the rest of everything else running in the web interface so it expects you when you make a request to it to specify an action and this actually you can specify it can be one of many different things including download configuration file update firmware and many others but they weren't completely stupid we'll get to the stupid stuff later but they weren't completely stupid because what they do is before executing an action they check to make sure that you've also provided a valid session ID if you have not provided a valid session ID the only action it lets you run is the login action I said okay well this in itself is interesting because they're implementing authentication that's totally separate from the authentication used everywhere else in the interface so I started looking at how they actually handle this login action they expect you to specify a username and a password all right so no surprises there they then make two calls to this Pro get stir function now at this point I have no idea what probe get stirred does presumably it gets a string of some sort but I do know that on the first call to this function they pass it two strings o amp and l1 user and on the second call they pass o amp and l1 password now the value returned for l1 user is then compared against the username that you provided and the value returned for l1 password is compared against the password you provided so presumably this l1 user and a one password whatever their values are are the correct login for this o amp interface now the only other place I could find in the firmware that actually referenced l1 user and l1 password was in the configuration file these values are hard-coded in the devices running config under the o amp section of the configuration file you can see that l1 user is set to the string l1 underscore admin and l1 password is set to the string l1 underscore 51 and this is a real problem because this whole a lamp interface and these hard-coded accounts are completely undocumented so no one knows they're there except for people who bother to look at the firmware which of course an admin is never going to do that and even if an admin knew that these were here there's no way for the admin to change this there's no interface for the admin to go in and change these values and the problem with having hard-coded secret passwords in your system and backdoors is that they don't stay secret for long right so we can use these these backdoor accounts to exorcise the login action and sure enough we get back a session ID now as long as we send the session ID along with all of our other requests we can invoke any of the other actions supported by om CGI including download configuration file and this gives us back what appears to be base 64 encoded data the problem is if you try to base64 decode this no worky you just get a bunch of junk the reason for that becomes readily apparent when you look at the actual end code 64 function in the binary itself they are doing basics to for encoding but they're using a non-standard base64 key string luckily it's very easy and python to substitute the standard base 64 key string and pythons base 64 module with a custom key string like this and so with a couple lines of Python we can easily decode the config which gives us plaintext admin creds which lets me see your server room now the problem with viewing some of the server rooms is really exciting for like 10 seconds and then you're like holy shit this is boring so I went back and started looking at some more code because that's more exciting now the load firmware action is one of the other actions you can invoke and it's actually very interesting because instead of uploading a firmware file to the device you specify a URL and then the device goes that URL downloads presumably the firmware and then flashes it the problem is that URL that you specify is shoved into a command line string that's ultimately passed ellipses system and hopefully everyone here knows that taking unfiltered user-supplied content and passing it to system is bad you don't do it so we can easily do command injection through this parameter just putting semicolon reboots semicolon somewhere in your URL reboots the machine and of course we can run whatever command we want at this point this also affects the wvc 2300 it's basically the same camera but with antennas and there are hundreds of these cameras already out there online in hotels obviously server rooms and engineering companies who design things for the International Space Station I'm told so I said okay clearly d-link and Cisco are doing it wrong in their defense though you know they're not really camera companies they don't do cameras cameras isn't really their their focus so let's look at someone who is a camera company's their bread and butter hopefully they know how to do it right so I picked on IQ and vision partially because they make some really expensive high definition cameras the IQ 832 n for example will run you over a thousand dollars a piece so it was certainly not cheap the main reason though is that these are the guys who make the cameras that are used in the business complex where I work so is a little more personal and what you get for a thousand dollars per camera is a high-definition video feed unauthenticated open to the world by default now admittedly this is a configurable option you can require authentication this is the default setting but you can go in as an admin and change that now guess how many admins connected their cameras the internet without changing that default setting almost all of them so this is really interesting but it's not really that interesting from a security standpoint right it's like oh okay they don't know how to secure their stuff big deal I but I wanted some actual vulnerabilities so I said well let's look at getting into the admin area which is password protected and which thankfully most admins had the presence of mind to change the default settings for so to do this I started looking at what else can I get to without authentication and one of the few pages that you can get to without authentication is oh I D table dot CGI and the output from OID table really isn't that interesting it's a bunch of technicals camera settings like focus and all that other stuff there's nothing really sensitive in here like usernames and passwords what's more interesting is the code behind oh id table because if you if you disassemble this CGI binary you'll see that it looks to see if you specified a grep parameter in your query string when you send your get request to it now if you have it checks to make sure the value you provided is less than 32 bytes long and as long as you meet that requirement it'll take that string shove it into a grep command and pass it to P open at which case I facepalm did my best Kim Jong eagle impression and did some command injection and again just like with the D link you see I can run a PS command and I get the output sent back to my browser so I have a built-in unauthenticated web root shell already on the device it's also worth noting that while process listings are interesting these cameras already have netcat installed on them with the - I option enabled so I'm sure most people here can think it's more interesting commands to run than a process listing but my main goal and all this was really to get to the admin area recall so I said well how can I do that well we can also use this bug to retrieve our the contents of arbitrary of files now the Etsy Prive word file is what contains the actual admin credentials it's not an FC password it's actually prove password so we can we can pull back the contents of that file and as you can see here it has the username root and the unencrypted password so at this point we have two options you can try and decrypt the password or if that doesn't work I mean screw it we're root we'll just overwrite the file with whatever we want in either case we get access to the admin area and again we're both root and admin on these cameras these bugs affect most of IQ and visions product line including their three series cameras the seven series The Sentinel series the Alliance Pro Alliance MX and Alliance miniseries I won't read off all the models it's I'll be up here forever and there are plenty of these out online which is a little distressing considering that they're known to be deployed by schools police banks government's prisons casinos utility companies financial consulting firms and DHL to name a few so have fun with that by far the most expensive camera I looked at though was the N 50 72 from 3s vision now this one has a list price of contact us which is how I know I can't afford it and I rent to a bit of a problem with this particular camera a little hiccup at first because for all the other cameras I had been able to just go to the vendor website pull down a firmware update whatever the latest firmware update was and start analyzing the code and the firmware for vulnerabilities so I really didn't have to buy the device in order to at least do initial testing and things like that when I went to download the firmware for this camera it gave me a little JavaScript pop-up box on the vendors web page saying ah we want your password so I immediately tried all the most common passwords love sex god of course none of those worked what ended up working though was tab equals 4 because if you look at the JavaScript it sends your password back to the server I don't even need to explain to see you guys it's great and as long as you get the password right it just redirects you to your current URL with ampersand tab equals for appended onto the end of it and I said well gee since I'm literate and all I bet I can do that myself and sure enough I get the download page so this does not bode well for the security of their systems nor does the fact that they're using a custom web server it's rather innocuous Lee named httpd but if you actually look just look at the strings in this binary it's very clear that this is very custom to their firmware it's either something that they rolled themselves from scratch or something that's been very heavily modified by them so I said well if this this looks really custom I really need to start looking at how their web server handles authentication now I know that the cameras use basic HTTP basic authentication so I know that they're going to be doing some base64 decoding because if you're not familiar with HTTP basic off your username and password are basically concatenated and then basic c4 encoded so I started looking through the code for cross references to be 64 decode and so what they do when they when they decode your password is they pass it to be 64 decode all right that's fine that's their decoding your stuff they then do two string comparisons against a hard-coded string 3s admin and another hard-coded string two seven nine eight eight three zero three I saw this when I thought there is no way you were dumb enough to hard code stuff into your HTTP server these can't possibly be creds but they were and they work great so you can access any 3's vision camera become admin with these backdoor creds and that gives you access to video feeds of cash machines Taiwanese checkpoints and Russian industrial basements at least that's what I assume that is now again looking at video feeds is really boring so I wanted route luckily their code is littered especially once you're logged in as admin your tax surface is wide open and their code is just littered with unsafe function calls is absolutely horrible probably the best example of this is their record CGI handler now not all of the cameras but many of their cameras support local storage so you can plug in say an SD card to the camera and it'll save files off to the SD card for you so they also provide a way to do some basic file management from the admin interface and this is done through the record CGI page now record CGI is not a physical CGI page sitting on disk what happens is when the web server sees that you requested record CGI and it invokes the do records function handler so the do records function handler checks to see what action you've provided so for example if you wanted to delete a file you can tell it action equals remove now if you're deleting a file you also have to tell it which file you want to lead it so it checks to make sure that you've specified a file name as well that file name is then shoved into an RM command that is passed to system and I think everyone knows where this is going yeah setting file name equals backticks reboot backtick makes it not respond to pings anymore now this affects almost all 3s visions product line not only the cameras but also their video servers because they use the same web server as well and after a bit of research I found that another company named a linking use the same code in their cameras as well now a linking went through and changed the hard-coded creds to something else so they still have all the a linking cameras have the same hard-coded creds they're just different from 3s visions hard coded creds and I'll leave finding those as an exercise to the reader but they're there and they're easy to find now these cameras are particularly interesting due to their their cost there's not a whole lot of them you know when compared to some of the other devices but considering that these cameras are known to be deployed in foreign military energy and industrial facilities they're particularly interesting so all of you who are already like looking these up on shodhan you know be careful don't blame me when the Chinese military shows up and gets pissed at you so what all this what this all boils down to is I'm in your network I can see you and I'm route which is not a bad position for any attacker to be in most of these cameras with the way that they're deployed they're actually connected to the internal network so if you can remotely access them and break into them get route on them you now have a linux-based or machine sitting inside their network that you can then use to go after anything else in the network but I wanted to kind of take a step back from that and say ok that's great and all but what can I do to the camera itself all right I've got root on the camera this is awesome but if you go up to noon at average admin to say I got root on your camera he's like I don't even know what that means write it what the hell are you talking about so I wanted to do something a little more interesting something that would actually demonstrate what you can do so skipping slides I wanted to take say a video stream that looks like this and instead make it look like this and this is kind of the classic Hollywood hack right you've got you've got to get into the facility that's guarded and it's got security cameras so the token hacker of the group has to break into this camera system and make it look like no one's there when really they are so to demonstrate this and just do a little proof of concept I picked a trend net IP 410 WN now I picked this camera for a couple reasons first of all I can afford it which is a big plus but secondly it has a backdoor account that can access certain restricted files which have very obvious command injection bugs which can be trivially exploited by anyone who can send packets to the camera in other words it's the same stuff I've done up here talking about the whole time just on a slightly less expensive camera now as it turns out this particular bug is also not a node a it was actually first published in 2011 the problem is I didn't know about it and neither did anyone else because they when they published this they didn't mention any specific devices that were affected they didn't mention any specific firmware versions that were affected so if you went in googled for yo TV IP 410 WN vulnerabilities or exploits you didn't find anything and the problem with not providing this information when you do things like vulnerability reports is it's difficult for other people in the security community to validate your claims first of all but it also makes it impossible for vendors and customers to determine what models need to be fixed and whether I'm actually vulnerable or not so the easiest solution here is to just ignore it and hope it goes away which is what everyone did so these devices even though this is a known bug since 2011 have been shipping with these bugs ever since oh yeah there's a lot of them out there too so let's say hypothetically this is our admins video feed we want to make sure it stays that way right so for purposes of demonstration will assume that the admin is browsing the video feed through the web interface rather than maybe through a custom service or RT PE D or something like that so if you're on this particular camera when you're browsing excuse me when you're viewing the video feed through your browser the process responsible for streaming images to your browser is M JPEG CGI so with command injection and the ability to see the output from our commands that we're injecting we can run process lists and see what processes are running and then we can just kill off all the MJPEG CGI processes and this actually has the effect of temporarily freezing the admins video feed because his browser is only going to show him whatever the last image it received was and he's no longer getting any more images but we don't want to stop there because if the admin refreshes his browser or navigates away from the page and comes back he starts up a new stream and he's going to see the live video feed so what we also want to do is replace M JPEG CGI and this does not have to be difficult a two line bash script will suffice particularly in a pinch all you have to do is replace this CGI page on disk with a bass grip that echoes out some basic headers to make the browser happy and then cats out the contents of its static JPEG image presumably this JPEG is a picture of the empty elevator but you know it can be goatse or whatever you want so while the admin will all now always see this no matter what is actually going on in the elevator so this is actually a lot more fun to see in a live demo so if the demo gods will work with me today all right so I have my camera guarding my precious beer here so you can see if I try and take it whoever's watching will know however I have a little exploit script written up and this exploit script does a couple of things first of all it's going to kill the admins video feed it's going to replace the M JPEG CGI just like we showed it's also going to give me the administrative credentials to the camera and set up a secret URL so that I can still see the live video feed even though the admins is frozen permanently so sending exploit ok so you can see here it gave me back user credentials the login as admin and secure cam one two three four it also tells me what URL it's set up so that I can view the real video feed so if I go over to my hackers browser here see if I can type this I can see what's going on so if I try and take this I know that but the admin doesn't so that's the demo so a couple closing thoughts I'd like to leave you with first of all this clearly is not an all-encompassing list of bugs in security cameras not by a longshot so there's lots more of these to be found if you want to go look for them yourself and as you've seen most of them are epically trivial to exploit another thing I'd like to point out is that almost all of these cameras will reveal their model name even if you're not authenticated either on the login page or the login prompt depending on on how they're doing authentication it'll tell you what is model number is so if I as an attacker know the model number even if I know nothing else about this camera I can go on Google I can google the model number go to the vendors web page download the firmware you know maybe have to have you know tab equals four get the firmware and start analyzing it for vulnerabilities without ever even having to buy the device and this is exactly what I did with all of these cameras I was able to find the vulnerabilities and right working exploits without ever having to buy a single camera it was all done with firmware analysis basically using bin walk to do firmware analysis and extraction and then using Ida and qmu for disassembly and emulation if necessary so with that now I know when I open up for Q&A like half the room always leaves so before you head out please fill out the surveys or swipe your badge for surveys or however that works in the back but with that I'll open up for any questions you guys might have Oh got one No so there were a lot more cameras that I looked at I simply didn't I do need like a 2-hour slot to talk about all of them I did not run into one that was actually well done and actually secure now with that said there are a lot of larger vendors that I simply didn't have the resources to look at you know they don't put their firmware up for free and I don't have the money to buy their cameras right so I'm not saying there aren't secure cameras out there but the ones I've looked at certainly not anyone else oh hey you have to speak up I can't can hear you ah so the easiest way to do that in this case would be like an animated gif which is you know a really pretty hacky workaround certainly this can be taken a lot farther yeah I mean you could easily write your own CGI that really does feed a live video of whatever you want I'm lazy though and that was my demo but you know the concepts the same you know you're rude on these devices you can do whatever you want yeah you can certainly do that let it

Info

Channel: HackersOnBoard

Views: 643,078

Rating: 4.9380159 out of 5

Keywords: Black Hat Briefings (Conference Series), 2013, bhb, usa, conference, t810, Network Surveillance Cameras, Hollywood, Surveillance Cameras, Network Surveillance Cameras Like a Hollywood Hacker, Surveillance (Literature Subject)

Id: B8DjTcANBx0

Channel Id: undefined

Length: 33min 36sec (2016 seconds)

Published: Tue Nov 19 2013

Reddit Comments

The biggest thing to take away from this is that regardless of what you are programming never trust unsanitized user input and never leave a process that runs anything as SYSTEM or root exposed on an unauthenticated page

👍︎︎ 11 👤︎︎ u/ameyer505 📅︎︎ Oct 31 2014 🗫︎ replies

stand-up comedy for geeks, loved it

👍︎︎ 5 👤︎︎ u/karmedian 📅︎︎ Oct 31 2014 🗫︎ replies

Very interesting. I understood nothing, but still interesting.

👍︎︎ 11 👤︎︎ u/Sir_Tibbles 📅︎︎ Oct 31 2014 🗫︎ replies

Somebody get that man a glass of water...

👍︎︎ 7 👤︎︎ u/Dreamcrusher69 📅︎︎ Oct 31 2014 🗫︎ replies

I literally cannot believe how bad security vendors are at securing their devices. There was a talk I found a little while ago talking about exploits in anti-virus software, and there were just awful holes in nearly all of them that in some cases actually provided root to an attacker. My favourite was one that did login by passing unsanitised user inputted login credentials to a root shell.

👍︎︎ 2 👤︎︎ u/ProjectAmmeh 📅︎︎ Oct 31 2014 🗫︎ replies

http://i.imgur.com/JLyWL.jpg

👍︎︎ 2 👤︎︎ u/[deleted] 📅︎︎ Oct 31 2014 🗫︎ replies

At first I read this as "Exploding Network Surveillance Cameras". Damn, that would be cool...

👍︎︎ 1 👤︎︎ u/themike03 📅︎︎ Oct 31 2014 🗫︎ replies

Still less confusing than hacking in Fallout

👍︎︎ 1 👤︎︎ u/[deleted] 📅︎︎ Oct 31 2014 🗫︎ replies

tab=4

👍︎︎ 1 👤︎︎ u/YouMissedTheHole 📅︎︎ Nov 01 2014 🗫︎ replies