DEF CON 26 - Josh Mitchell - Ridealong Adventures: Critical Issues with Police Body Cameras

Captions
From time to time we have a new speaker that has made it through the gauntlet of Call for Papers, and they've been sort of vetted, and we really appreciate their effort and their work and their research. There's a lot of work, and we really want to congratulate our new speakers for making it through and for having the guts and figuring it out for the first time. It's all downhill from here, so give Josh Mitchell a big round of applause. [Applause] I think that makes four. So Josh is here to talk about some critical issues with police body cameras and ride-along adventures.

Yeah, hello, hi, welcome, welcome. All right, so this is what we're going to be talking about today. Yes, we have to have this up front; you guys can read that. Okay, so here are some of the things we're going to be talking about. I'm going to do a little bit of an introduction, say hi to everybody, then talk about some of the technology involved in these devices. I have five specific models to talk about; I had seven, but due to circumstances out of my control I can only talk about five. Then we'll cover some industry-wide issues that I think apply to all of the devices, see some impacts, which is kind of important, and then have some questions.

So here, this is me, and yes, that is a hamburger phone. I've been doing this for quite a while: former military, then I specialized in electronic warfare, then got into doing a little bit of malware stuff because it's fun, then I became a professional exploit developer for a number of years, and now I do security research at Nuix.

So there are approximately, I've categorized, 77 different devices out there in the wild. You have the big ones: Panasonic, Motorola, Patrol. Now these devices have a wide variety of technology kind of forced into them: Wi-Fi, Bluetooth, some support NFC, some devices have event triggers, some do live streaming directly over GSM (those are really popular in Europe), and other ones have proprietary RF communications and they piggyback on the walkabout radios that police are using. It's very important to note that these devices were primarily designed for transparency versus secrecy, although that may be a bit of a vendor line because of some of the issues that I have found, and we'll play a little game of feature versus bug as we go through this presentation.

Again, these devices have an entire ecosystem surrounding them. It's not just the camera, which I'll show you more about later. They have desktop software; some of them use blended storage, so you have on-site storage and you have cloud repositories; some even have dedicated docking stations that use an embedded Linux distro and create an IPsec tunnel back to a cloud repository; and most of the ones that are interesting have smartphone applications that allow officers in the field to annotate videos and review the contents of the camera, which we'll get into later. It's quite bad.

So this is the first device I kind of started looking at, back in January. It's sold on Amazon; anyone can go and buy it and pick it up. It's sold by the Cesc people, but Advanced Plus is actually the manufacturer of the device, and they're located in China. One thing I want to mention really quick: I did get in contact with the vendor and they have given me firmware and a desktop application, but I didn't get a chance to review it because it happened last week. So anyways, this particular device: I got it, took it apart, took the remote apart trying to figure out how the remote is interacting with the camera, and had to go and look at some chips and see what frequency it's operating at. It's actually 433, and "RTL 44-33" identifies it as a smoke detector, which is kind of interesting. The neat thing about the remote, and why I wanted to get this device, is that the remote can be used to trigger multiple different cameras, not just one. You can actually update the remote so that it triggers a wide variety of cameras, and so we can kind of be annoying with that, because this is the simple signal that's being transmitted. There are no rolling codes, there's none of that, so if you want to, you can sit there with an RTL-SDR, receive the signals, and replay it with something more powerful than a HackRF, because, well, it doesn't have much power. The other interesting thing about this device is when I was getting in contact with the manufacturer they told me about their RF certification, and it was not FCC certified. So there's that. Wow. Another thing about it is it's essentially a USB drive, so when it records the videos it drops them down onto the dedicated storage on the device; you plug it in to your computer and pull the things off just like USB storage. So if I wanted to put an autorun.inf on there or take advantage of some LNK vulnerabilities that have been popular in the past, that's completely possible with this camera.

So here's another camera, this is the On-Call OCP Pro. You see the architecture of the system down there, but unfortunately, because of the one I got, nothing really works. I got it and I think the USB was broken; it wouldn't maintain a USB connection, so everything to the right of the arrows I didn't get a chance to test out. But there were enough glaring issues on the other part that it's fun to talk about. It uses an RTOS called eCos; there haven't been very many updates on that particular website in quite a while. When you trigger the Wi-Fi on it through a button press, it comes up as "fire cam", and that is the default password. And it has a wonderful embedded eCos HTTP server that I thought would be fun to poke at, but you'll see that it wasn't really necessary. So this is the contents of the movie folder, and you see the videos; it's coming up as 2014 because it never got a good time sync from my laptop. These are all the saved videos, and you can remove them, download them, upload files; you can actually even upload arbitrary HTML and serve that in the browser. That's not good. So totally unprotected, 100%, nothing at all preventing anyone from downloading these videos or uploading ones to overwrite these. I wrote some tools that use GET and POST to overwrite files and download all the contents. It also has a nice settings file that you can download as well, which has all of the relevant information about the camera in it, which is interesting.

Okay, so here's the first big, widely used device that I had a chance to look at. This particular device has a smartphone application that you can download from the Play Store, it has desktop software that is available for download on the manufacturer's or the reseller's website (and I say reseller because I'll show you this in a moment), and the firmware is also available for anyone to pull down and browse through, because it's not signed and it's not encrypted, which is awesome. The smartphone application is primarily used to access the RTSP server, which is not protected from anyone, and you can view the saved videos on the device. The desktop software is used to authenticate with the camera and download the video files off of the camera. The desktop software, as you see there, is a simple wrapper around the DMT10 DLL, and I think that name comes from the Chinese manufacturer, because they sell the DMT10 version of this camera. The admin and general user passwords are six characters; they have to be exactly six characters, no more, no less. It has the SSID, as you see, "Amba boss", and that's not something that you can change; I'll get into why that's kind of a big deal later. You have some other things you can mess with in the administrative interface. As with all of the other desktop software that I have looked at, it's missing a lot of the exploitation prevention mechanisms like ASLR, and that's kind of across the board. You see here this little clip from IDA: the verify password routine coming from DMT10, and then you have the set password export that's available in DMT10 as well. As you can see, there's no correlation between the two; that means that I can set the password without having to verify the password. So that's awesome. Okay, again, it comes with a smartphone application; if you want to go find it, there it is, and that is primarily used to view saved videos and livestream whatever the camera is looking at.

I want to be sure to mention: all of these cameras, except I think for the next one, when you activate the Wi-Fi on these devices they create an access point. They act as a Wi-Fi hotspot without internet connectivity. That's kind of important, because if anyone's wanting to review videos they create essentially a beacon upon themselves that anyone can find and play with, and we'll talk more about that part later. So again, this device is running a little bit of an older version of Linux; that's not really bad. It has a JSON messaging server, which I was really surprised about, and RTSP and DNS. After I got to poke around on the system I found out that it was incredibly similar to a GoPro; there's a talk on that, and if you want to know anything more about how this system operates I would really recommend going and reading and looking through it, because it goes into a lot of depth about the messaging subsystem. I wish I would have found that out right when I was looking at this, but I didn't need to, because it has root on telnet with no password required, and I wrote a wrapper script around pytelnet that allows you to upload and download files if you don't feel like using telnet. Again, here's the contents of the media folder, so any videos that you make are saved into here. This directory is mounted when you use the desktop software to download and upload videos; it essentially sends a trigger to the camera and it treats it as a removable media drive. So if you wanted to upload, again, LNK files or any type of Windows-based exploits to take advantage of the back-end digital evidence storage repository where these videos will be saved, and have something nice like WannaCry, you could definitely do that. Yeah, so there we go.

So this device, the Digital Ally FirstVu HD, is architecturally different than all of the other cameras. It treats itself as a client, and it has other devices in its ecosystem that act as servers. For example, the rearview mirror in a cop car will act as a Wi-Fi access point; when this device is within range it will automatically connect to that Wi-Fi access point and then interact through that. It's also how, if you turn on the sirens, it will automatically start recording; it has event triggers, that kind of technology. Again, it has its own desktop software, which I tried to purchase three, two months ago and did not get, which is unfortunate. It has a smartphone application that anyone can download; firmware is available and easy to look through, literally tar will unpack the firmware; and it does have a docking station that you take the camera out of and plug it in and it will download stuff. Interestingly enough, it does come with a minimal software bundle on the device for anyone who gets a hold of it and wants to: the minimum configuration manager and the minimum software viewer, to view the contents and see whatever's going on on the device. It also has readmes on there about how the device is supposed to work, so that's very user friendly and kind of nice. So here is a picture of the minimal viewer that comes packaged on the device.

The full software I've tried to purchase, and hopefully it will get here eventually, because there are a lot of features that I wasn't able to interact and play around with because I didn't have that, one of those main features being that you turn the device into a wireless client. I couldn't do that, because you have to pay the $100 for the desktop software, but we were still able to get some good stuff out of it. The packaged installer is written in C#, which is awesome because it's really easy to decompile and play around with. The configuration manager generates two types of files: the WMConfig, and that's for wireless; it also generates the device config, and that is a binary format that you can use to set the time and stuff like that. Now the viewer, which is used for evidence review and making comments and clipping videos and stuff, generates three types of files: the DADS file, which is the Digital Ally zip file; the metadata file; and the VM2 file, which is XML. We will go into those right now.

So the WMConfig file is quite interesting, because it is something that you're supposed to generate through the configuration software and then put on the device, and it configures the device on how to interact with police networks and police systems. So that would be important; that would not be a good thing to have XOR as the way to decode it. You can see here that it's configured to look for the SSID that is associated with the police network, it has the PSK that is just text-encoded, and the password for FTP logins so that it can upload and download whatever media is on the device as it goes. Then the device config file is, again, used to insert time and other information onto the device. That has a couple of lines' worth of [unclear], but it basically is equivalent to XOR with hex 88 or so. That's cool. Oh, and 0:01 is before, and then the small one is after, when you decode it with XOR.

Here's the DADS file. The DADS file is generated through the viewer application: you have the AVI and the metadata file, you insert that into the viewer application, you mess around with the video, and you save it out, and it creates this DADS file and all this other stuff. The VM2 file here is included in that zip file, and you see it has a huge amount of metadata associated with how this camera was operating: what sensors were used, what the GPS coordinates were, all this kind of stuff. And you see here it uses AES-128-CBC, and the file name is the decryption key. See, here we have, like in this case we would have "D0018002", and then we just basically make that Unicode and we have the IV and the decryption key for our AES. Whatever, that's awesome.

So since Digital Ally was so nice to include an unsigned installer on their device, I thought it would be fun to insert a backdoor into that, because I can download it, modify it, push it back, overwrite it, and then if anybody wants to install it, they give me a nice shell. So you see here at the top right, that's the normal entry point; I just hand-jammed the disassembly, and all that does is create a thread on the section that I added to the application, and that section is "Ono's", and then underneath I simply put in some Metasploit reverse shell shellcode. And this is the InstallShield, and down here we have the shell that's generated. I had to cut a lot of videos for time, but so, that's really bad, right?

So again, the Android application, which you can download on the Play Store, is used to basically use the configuration manager, and you sideload config files onto it, and that will turn your phone into an access point that the camera can then talk to. Now I was hoping that after two months I would get the software that I purchased, so I didn't bother to reverse engineer it with Frida, but I might have to soon, or get my money back. Okay, so again, here is the firmware that you can get from the manufacturer. Again, binwalk and tar are really all you need. But as you're going through the firmware, once it gets extracted, it has some really interesting things going on in there that I think I'm going to put in version 2 of this talk: there are some serious unbounded memory copy operations going on. But anyways, if you don't want to debug anything running on the device: if you create a nice little log file on the camera, then after every operation, as you see here with this log stuff going on, in every function it generates that. So there's tons of logging information, and all you have to do is create the log file and it's good to go. The GUI application, the MDVR (mobile DVR, I'm pretty sure that's what that means), is what's used to do all of this interesting stuff, and it does some really interesting stuff, because there are lots of Wi-Fi triggers and peer-to-peer operations going on with all these devices when they're within the same network, and there are a lot of unbounded memory copying operations going on on these devices in their peer-to-peer network. But yeah, I think I've saved that for the next version.

Ah, this guy. I wanted to spend some time on this because this camera is used in some pretty big departments. Again, it has the smartphone application, it has the awesome desktop software, it even has a docking station, it supports cloud storage, and you can get the firmware. They tried to have a pretty professionalized operation. Again, smartphone for live streaming and viewing media, which we'll talk about later, and desktop software for actually verifying that the media files that are coming from the device are valid, and we'll talk about that later too. So here's the desktop software. It is a fat client, so essentially you have a SQL database install and then you have two fat clients, one for admin and one for officers. The admin app is used to configure the cameras and then assign them to various officers, and then the client application is used to upload and download video, and that's essentially it. You can add comments, but really, uploading and downloading videos from the cameras and exporting them from the fat client is essentially it. But another application that is installed with this is the import/export tool, and there are two types of authentication going on here. You have the authentication and the passwords that are created through the admin app, which are used to interact with the software and with the contents of the database. Then you have the Windows authentication mechanism, which is actually used by the import/export tool to authenticate with the database, bypassing all of the Vievu auth and using straight Windows auth. So if I am local admin somewhere out there on a desktop that the officer is using the client app on to upload and download videos, I can then connect and export videos. But I'll show you that in a minute. Other things associated with this: you have lots of install folders, it kind of spreads out everywhere when you install it on your box, and we have logs about the communication between your computer and this device. It communicates over USB; it creates a COM serial over USB, attaches to the file and then starts writing stuff out to it. It also has downloaded metadata; downloaded videos are cached on the computer, so you have access to the downloaded metadata by bypassing the upload client and just looking into the correct folder. And again, if you go there you can see all the cached videos.

Okay, so domain credentials, what I was kind of talking about earlier, are used to export the database instead of the application credentials that you use when you create users. And that is the admin user, "super", for supervisor I suppose, and that's the SHA-1 of 123456, which is the default password for the supervisor on the admin interface. When you install this, this is how I found it: it requires you, it asks you to contact their help and support system to configure the desktop software. Really, it's so that they can upsell you. So I was like, well no, I don't want to do that, because that probably wouldn't be good, having Josh at his house contact the support people. And so I was clicking around and found the import/export tool and googled the password, and then I was able to have admin on their software, which also you have to buy. Another issue with this is when you download videos off of the camera you can play them through the interface, through the admin or the client interface; you can review the videos, and to do that it comes bundled with ffmpeg. It also uses ffmpeg to create thumbnails based on the video, so not only when you just play the video does it use ffmpeg, but when you upload all of the videos, at the time of upload it uses this to create thumbnails of the videos. Which is important, because it's processing videos with a version of ffmpeg that is from 2014 and has over 120 public CVEs out there for this version of ffmpeg. So if I could modify those videos beforehand and insert exploits, I know I have a really, really vulnerable piece of software that's going to process those videos, which would then gain me access to the evidence storage repository where these videos are stored.

So here we have the admin interface of the Patrol software, and you see here we have several videos that have been uploaded by supervisor, and their durations are in there, and they have valid digital signatures. And then over here we have making a copy of the video and exporting it and stuff. And there's an important video that we need to look at right there: it has a time length of 0 and a valid digital signature. So as we export these AVI files from the interface, we just pick an output folder and it creates the AVI file, and then it has the log file that records all the comments put in there, and it saves them to wherever you want. And again it says this file has a valid digital signature. A valid digital signature. So this is the contents of that AVI file that has a valid digital signature, that is used to prosecute people and put them in jail, and I'll show you how I did that in a moment.

Again, so we have the interaction with this device. It has large files, which are nice, and it uses serial communications over USB to upload and download files, update firmware, and do all that kind of nice fancy stuff. Well, the other day what I noticed when I was downloading those files, which were quite big, is that the application just tells the device to mount itself as a removable media drive and then downloads the files. So if you want to write an application to interact with this, we see that the command system is incredibly complex [Laughter] and very difficult to modify, and we can see right here that the device gets mounted as the E: drive and then it begins to upload the files. So as I see this random drive pop up on my computer I'm like, oh, what's in E, let me open that, and then you can just download the files off of that, completely bypassing all of the evidence collection software. It's awesome.

Again, so we have the smartphone application that is supposed to interact with this device in the field, and it uploads metadata for each video with JSON, which is pretty standard. You can also download any file off of this device, and then you can live stream with RTSP. So the only thing you need to do, if you found one of these in the wild, is download the app and you can see anything on it. Also, if you're within proximity of some police officers and you'd like to see what they see, you can see that over RTSP. There were some pretty good talks a little while ago about the Sunplus format, and there are some tools out there, which I definitely used, that convert the Sunplus firmware formats to IDA IDBs, which is great. It's freaking awesome, you should check that out, I love it. So you don't have to unpack firmware or do anything like that; it's just ready to go. Now this device has several services that are available on it, and it is this one right here: it has FTP, it has the Photo Transfer Protocol, and it has RTSP. FTP is used for uploading and downloading files; it's also used with the smartphone to upload metadata, so you can download any video off the device, and you can also assign any type of metadata through the JSON interface. Now for the smartphone to get a directory listing of which files are available, it uses the Photo Transfer Protocol, and there are some really great git repos out there about using PTP over Wi-Fi, and that's going to be important in a minute. And then of course RTSP, which you just use VLC for. So if I wanted to see what else about all the video that was stored on this device, you simply use PTP, and we can see here that we have some AVI files that were filled with A's earlier, available in our PTP directory listing.

Now for us to interact with that incredibly sophisticated FTP software and overwrite files that should be digitally signed and used to put people in jail, we use FTP, and we have a password, "wificam", and username "wificam"; it actually accepts any combination, so if you don't remember "wificam" you can try any other combination and it will work. Then we just used TYPE I and then we enter passive mode. I was playing around here trying to delete video files; it wouldn't let me delete pre-existing video files, but it would let me overwrite them with whatever I wanted, and that is how we got A's in that digitally signed, valid evidence file from earlier.

Okay, so we have a little demo I'll show you here. Turn this guy on. Cool, it's on. All right, so another thing that I wrote was a tool to identify these cameras in the wild based on their MAC addresses and their wireless access points, because, as I said, I was in the military, and I think a very important yet often overlooked thing is the ability to locate something in the field and be able to identify the emitter with the platform, the platform being the police and the emitter being the camera. If I know that Vievu, I go and look in the OUI database, and I see the MAC addresses that are associated with this company, that is published by the IEEE, and I can say that this company only makes cameras, so if I pick up a MAC address or an SSID that's associated with that, well guess what, it's only going to be this. And as a bad guy you might want to know that, right? Maybe find out about cops running around in your area. Let's see if this was working. I don't know, yeah, live demos. Let's see if it's connected. Okay, yeah, there it is right there, see, my buggy software works. No, it's not working right now. Oh well, this is a two-part demo. So everybody knows that USB Wi-Fi and Linux is... the story of my life, trying to get one interface that works. But anyways, it's supposed to identify this guy right here that we see, and we can just connect to that, and the password is 1234567890. It's very complicated. Anyways, so here, again, nothing really protecting anything that's going on, we'll just go ahead and use VLC. It's that easy. Ta-da, hi DEF CON.

So again, feature, right? This is a feature that is awful. Anybody that would be like, yeah, I would like to livestream some video off of a police officer whenever I want, that's a feature. Oh, and the manufacturers like to say, oh, it's only supposed to be right here, yeah, because Wi-Fi antennas can't pick up stuff from a mile away, like that hasn't been proven years ago. Okay, and we can change the default password on this to give it something very complex, because cracking doesn't exist, and neither does that Wi-Fi thing the other day where you could get the key without even needing a client on the WPA2 network. If you guys haven't read that, I highly encourage doing it. Okay, so where's my presentation, come back, right, there, okay.

So, cool, industry-wide issues. So I analyzed as many cameras as I could; I can talk about five. An industry-wide issue is that digital signatures are not applied to the multimedia coming off of the device before it touches anything else, which means that if anyone is able to get in between, that being either on the desktop or interacting with the device in the field, you can corrupt any kind of evidentiary information on that device, and that is supposed to stand up in a court of law and put people in jail. Again, unencrypted firmware, unsigned firmware. Your smartphone signs its firmware, right? How much does that cost? How much do these things cost? About the same. So you can peruse, you can see anything you want; if you have physical access to the device you could roll your own malware, drop it on there, and then as soon as it gets synced back into the backend, you own them. Done. Did you mean this? Okay, cool. And again, localization, being able to find stuff out there: I wore... walk, find cops. Cool. Why it's important: because this happened here last year, and the guy had cameras in the hallways and he was targeting police; if he knew about this, he'd be able to do that a lot better. Okay, thanks. Thanks to Saha and everyone in the Basement Brotherhood, Nuix, and [unclear]. I think I have a couple of minutes; I've got time for questions, like one question.

[Inaudible question] Yes, some do, some don't. Some you can actually configure to always be on, the Wi-Fi; I always have Wi-Fi on. Some use Bluetooth. [Inaudible question] No, this doesn't show anything, it's just on; it's still connected to my laptop. [Inaudible question] Okay, I have, but it's very difficult to get any response at all back, and they don't publish who they're selling these things to, except that you can go to these guys' websites and they have a couple of their big contracts on there. [Inaudible question] No, they won't even send me the software I bought. So, cool. [Applause]
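The industry-wide issue the talk closes on, that the media is not signed on the device before it touches anything else, as an added example that is not part of the talk or any vendor's software. It models the two designs in Python with HMAC-SHA256 standing in for a per-camera signing key (an assumption; a production design would use an asymmetric signature with the private key held in the camera's secure element, so that the repository can verify but not forge): a repository that signs whatever file arrives after transport, and one that verifies a signature the camera produced at capture time. The camera, repository, file contents and the `ftp_overwrite` step (overwrite allowed, delete refused, signature untouched) are constructed for the example.

```python
"""Capture-time signing versus ingest-time signing of body camera evidence.

Added example, not vendor code. HMAC-SHA256 stands in for the camera's
signing key (assumption); the file contents below are constructed, not
real evidence.
"""
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample data: a stand-in AVI recording and the all-'A' payload
# that replaces it when the file is overwritten in place on the camera.
ORIGINAL_AVI = b"RIFF\x00\x00\x00\x00AVI LIST" + bytes(range(256)) * 4
OVERWRITTEN_AVI = b"A" * len(ORIGINAL_AVI)


def sign(key: bytes, data: bytes) -> str:
    """Tag over the whole recording under the given key (hex digest)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison of a recomputed tag against the stored one."""
    return hmac.compare_digest(sign(key, data), tag)


class Camera:
    """Camera that signs each recording at capture time with its own key."""

    def __init__(self, device_id: str, key: bytes) -> None:
        self.device_id = device_id
        self._key = key
        self.storage: dict[str, dict] = {}

    def record(self, name: str, payload: bytes) -> None:
        # The signature is produced before the file leaves the device.
        self.storage[name] = {"data": payload, "sig": sign(self._key, payload)}

    def ftp_overwrite(self, name: str, payload: bytes) -> None:
        # Models a file server that refuses deletes but accepts overwrites;
        # the stored signature is left untouched, the data is replaced.
        self.storage[name]["data"] = payload


class IngestSigningRepository:
    """Weak model: the desktop software signs whatever arrives after transport."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def ingest(self, name: str, data: bytes) -> bool:
        tag = sign(self._key, data)          # computed from the received bytes
        return verify(self._key, data, tag)  # always True, even for garbage


class CaptureSigningRepository:
    """Correct model: verify against the key registered for that camera."""

    def __init__(self) -> None:
        self._device_keys: dict[str, bytes] = {}

    def register(self, device_id: str, key: bytes) -> None:
        self._device_keys[device_id] = key

    def ingest(self, device_id: str, name: str, data: bytes, sig: str) -> bool:
        key = self._device_keys.get(device_id)
        if key is None:
            return False  # unknown camera: reject rather than trust the tag
        return verify(key, data, sig)


def run_scenario() -> dict[str, bool]:
    """Record, overwrite in place, then ingest under both repository models."""
    key = os.urandom(32)
    cam = Camera("cam-0001", key)  # constructed device id
    repo = CaptureSigningRepository()
    repo.register(cam.device_id, key)
    weak = IngestSigningRepository(os.urandom(32))

    cam.record("evidence.avi", ORIGINAL_AVI)
    rec = cam.storage["evidence.avi"]
    before = repo.ingest(cam.device_id, "evidence.avi", rec["data"], rec["sig"])

    cam.ftp_overwrite("evidence.avi", OVERWRITTEN_AVI)
    rec = cam.storage["evidence.avi"]
    after = repo.ingest(cam.device_id, "evidence.avi", rec["data"], rec["sig"])
    weak_after = weak.ingest("evidence.avi", rec["data"])

    return {
        "capture_signed_original": before,          # True
        "capture_signed_after_overwrite": after,    # False
        "ingest_signed_after_overwrite": weak_after,  # True: the weak design
    }


if __name__ == "__main__":
    for label, ok in run_scenario().items():
        print(f"{label}: {'valid' if ok else 'REJECTED'}")
```

The point of the second model is that the key never travels with the file: a client that can overwrite the AVI over FTP, mount the camera as a removable drive, or touch it on the desktop cannot produce a tag that verifies, so the overwritten file is rejected instead of being exported with a "valid digital signature". The ingest-signing model cannot distinguish the two cases at all.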
Info
Channel: DEFCONConference
Views: 31,297
Keywords: DEF, CON, DEFCON, DEF CON 26, DC26, hackers, hacking videos, hacking conference, security conference, computer security, josh mitchell, police cameras, physical device security, internet of things, app security, mobile app security, police body cameras, information security
Id: X34taF1R7sU
Length: 45min 47sec (2747 seconds)
Published: Fri Sep 14 2018