How To Hack IoT Cameras - Vulnerability Demonstration

Captions
[Music] Hi, and welcome to the channel. If you're new here, please consider subscribing and ringing the bell so you don't miss any future videos. The following video is a lecture that I did at a university here in Sydney as part of a partnership that I have with my company. In this lecture we demonstrate the vulnerability of IoT devices, specifically this security camera right here. We performed a live hack to demonstrate these vulnerabilities, but to keep this within a 20-minute time frame we had to try and speed things up a little bit, so just keep that in mind as you're watching. Anyway, enjoy the show, leave your questions or comments down below, smash that like button, and I'll see you in the next one.

Okay, so what I'm going to walk through is a bit of a live hack demo of an IoT device. It's a hypothetical scenario: we've got a target in mind, and because we haven't got access to any of the devices here at UNSW to pen test, we'll simulate it as a bit of a fictional scenario. Before I get started, reiterating what Ed said: do not do this at home with devices that you do not own. It's a good way to kill your career before it starts. Alrighty, so let's get into it. I've got to remember what I was going to do now. What I'm going to do is basically run over the methodology that a pen tester, or possibly even an unethical hacker, will take, based on what Ed went through in the slides. Keep in mind this is very accelerated to fit in a 15 to 20 minute time frame; this will generally take a lot longer and a lot more trial and error. Things should probably, hopefully, go quite well.

So let's start by taking a look at Shodan. Say we're some cybercriminal, or we've got really bad marks at uni and we're pissed off and we want to hack UNSW, right? So let's have a look and see what devices UNSW have out on the network. We use Shodan, which, as Ed mentioned, is like a Google for IoT devices, or basically anything connected to the internet. It will basically do a port scan and pull back banner information for the IoT device right there; it will pull back the banner for every port that it finds and can communicate with. So let's have a look at what we have here. We've got a Citrix gateway, AWS, Engineering Society, I think I saw a Minecraft server here, and let's just say hypothetically there's a security cam that we've found in here. We think that it could be vulnerable and we want to attack it. So let's just imagine that, yes, it's the Engineering Society one. We can click into that and we can see that, okay, ports 80 and 443 are open. Let's have a look and see what we get. All right, so the Engineering Society website. Cool.

So in this scenario we'll attack the following IP address, which is 192.168.2, and we can see here that we're greeted with a login message, and we've got a bit of a clue here: we see DCS-5020L_72. Now, to me this seems like a model number of something, and because we already know that we're kind of looking to attack a security camera, this is a really good place for us to start. We'll come back to this in a second, but for now let's just see what we can find on Google for, say, the default credentials. So: "default 5020L credentials", pardon my spelling. Okay, and it looks like the default password is... sorry, the username is admin and the default password is empty. So we can give this a try. No, no luck. Okay, that's fine.

What we'll do while we set up more advanced attacks is see if we can just do a brute-force attack. Brute-force attacks are cheap, they're easy, but it's something we can set and forget while we look at other exploits, other vulnerabilities. So what I'm launching here is a tool called Burp Suite, and this is kind of like our Swiss Army knife when it comes to pen testing. It's really handy for us to do anything with HTTP traffic; it basically lets us edit any payload before it goes out of the network, so it's useful for doing anything like injections or brute-force attacks, basically anything that you can think of that you want to partially or semi-automate, or just fiddle around with. It's really handy for that. I've already got a proxy running on here, so I'm just going to use Firefox because it's already configured to use this Burp proxy, and instantly it's captured something from Firefox; let's just disable that. So let's hit that IP address again, 192.168.2.3, and we're at the same login again. We'll type in admin, and because we don't know the password we'll leave that blank, and let's see what this looks like. So here is the GET request that's being sent out to try and authenticate us into the management page for the webcam, and something to note here is that we have an Authorization string here in the HTTP header. For anybody who knows what that is, that's Basic authentication. It's not the most secure form of authentication nowadays, and it's easy to play with.

So what I'm going to do is send this to the Intruder module in Burp, and this allows us to basically substitute parameters, so we can try and substitute a password. What I'll do here is just add a parameter at the end here with these little curly dollar signs, and then we'll go to Payloads and load up a text list full of passwords. Now, the text list that I am using is called produ.txt, and produ is based off a very famous text list called rockyou.txt. For those unaware, RockYou was a bit of a gaming website back in early Facebook days, and they got hacked and I think about 14 million passwords got leaked, so it's just a fantastic place to start whenever you're trying to brute-force something, because you've got 14 million original passwords to play with. produ, however, is only 3,500, and for this demonstration it's a bit more suitable. So what we need to do before we send out the payload is two things: first we need to make sure that it is encoded back into base64, so that way it is matching the convention that's expected, and we just need to turn off URL encoding so any special characters won't get encoded into the percent-20 signs and things like that that I'm sure you've all seen. Lastly we'll just set a few more threads to hopefully make it go quicker, and we'll start the attack. So, as we can see, a heap of 401s, which is just access forbidden, and let's just hide these because they're not relevant. When we get an HTTP 200, meaning everything is okay, it should come back up here.

Now, in the interim we can have a look for some published vulnerabilities for this security cam. A good place to start is of course Google, and we google "CVE". CVEs are what's known as a common vulnerability, so every time something gets hacked and the vendor acknowledges that this is a security exploit, they publish a CVE telling people about the hack and how to get themselves protected from it. It's basically like a recall notice, just saying, "Hey, yep, we've got a problem with this, here's what you need to do to fix it." CVE Details is one of the best sites that we use for lists, and this looks like the relevant page. We can see that there are two vulnerabilities for this: there's one for code execution, which sounds pretty interesting, and there's one for cross-site request forgery, less interesting but it could be useful. Let's have a look at the code execution. This has been given the CVE number CVE-2017-17020, which will be helpful for us when we're googling around trying to find how to actually pull off this exploit, because generally they tell you that there is an exploit; rarely do they tell you how to do it. So we'll just look through the references, but first we'll look at the scores. We can see that it's got a partial impact to confidentiality, integrity and availability, and it's got a relatively low complexity to pull off this attack, so that looks pretty good for us. There's two references here, one from, it looks like, D-Link confirming it, and one for the actual camera. Cool.

So, spoiler alert, I've read this before in preparation for this talk, but essentially what these guys did was really, really impressive. What they did was they got a firmware update, and instead of installing it like, you know, most of us do when we get a firmware update for our phones, they decided, okay, let's decompile it, let's look at the code, let's look at what's in it and see what we can find. So what they did was pretty clever: they decompiled all the binaries and had a look through it, and they did a binwalk, so that's basically looking for text strings within the files, and generally when you're doing this one of the best words to search for is "password". As we can see there's a few mentions of it here, and I think the author has intentionally cropped this, but we can see that on this line and the line below there are some mentions of some input being overwritten to the /etc/passwd file, and for any of us who have played with Linux systems we know that the /etc/passwd file is where all the system passwords and user accounts are stored. So they did a very low-level analysis, going all the way down to assembly, to see how all these strings are being executed and moved around the application, and they concluded that this was actually happening in the change password field. So what they were able to do is, within the admin ID parameter of the change password field, do a code injection which will allow them to run code on the underlying system and spin up a telnet server, so then we can connect into the camera. So who's heard of SQL injection before? Probably some people. Yep, most of us. Code injection is basically the same thing, and as I mentioned, it executes code on the underlying system, and it works off the same parameters by basically tricking the underlying application to accept our input and then allow us to specify our code. So we'll give that a try, but let's have a quick look at the Intruder, and it looks like we've got an HTTP 200 now.

This is the Authorization string, so what we can do in Burp, it also has a handy little Decoder function, so we can decode from base64 into plain text, and it looks like the password is "i love james". Have we got any Jameses here? No Jameses? Ah, damn. Sorry, James, we love you still. Okay, so what we'll do is use this username and password to try and get into the management interface of the webcam: admin, "i love james", and does James love us back? He does. Excellent. Okay, we'll just open this in Internet Explorer because it is not designed for Firefox very well. Cool, so it looks like we've gotten into the web interface of the security cam, so we've done our job, right? We can probably have a bit more fun, and we can see everybody here. Wave to the camera. One person waves. I wonder how we can get this thing to focus properly. Okay, so as the exploit mentioned, this was done in the change admin password functionality, so let's have a bit of a look for that. Network setup, DNS, maintenance, admin, here we are. So we can try this injection and see what we get. Because we don't want to raise any alarm bells I'll keep the password still as it originally was, so "i love james", "i love james" and "i love james". I really don't love James, sorry. We'll turn our intercept back on, so this means when we go to submit this request it will go into Burp and we can play around with it again. What was I in? Sorry, I need to do it from Firefox. Hopefully I typed it right. Okay, so this is the password change request going in. I'm sure most of you have seen an HTTP POST request before. The parameter that we're looking at is admin ID, and admin there, so that's where we're going to perform our code injection. So we'll reference the article again, wherever it went. Okay, so this looks like the text for the code injection. Basically we're changing the admin ID from admin just to "a", and then we are doing a quote, telnetd. Okay, I think I typed that wrong. telnetd. Okay, all right.

So let's forward this on, and fingers crossed that if we try to telnet to this IP address we will get a session... and that's because I didn't type on it... and we've got it! We've got a... so we've managed to start a telnet server running on this IP cam. Now we just got to log in. We just changed the password to "a", and the password hopefully should still be "i love james", and now we're in. So we've effectively just hacked into this security cam here. You can see that it's running BusyBox version 1.12.1, which is a built-in shell. So what happens if we do just, like, an ls? We can see a standard directory structure, and to many of you this might start to look familiar, and you'd be right in thinking that, because maybe we could do cat /etc/passwd, and we found the password file. So for this tiny little security camera here that looks like it just functions as a camera, underneath all of its bells and whistles it's basically just a Linux operating system that is used to control this camera and a web interface. From here we could pivot our attacks, which means use this useless webcam as a way to go throughout the organization that's running it, into their internal network, and cause all sorts of havoc. We could install crypto miners on it, we could hijack the video feed; the opportunities are endless, and I'll leave that to your imagination to think of what we could do next.

But that kind of leads me to my concluding remarks. We tend to see IoT as this new emerging, flashy technology which we need to drop everything and focus on how to prepare ourselves for, and that is partially true, I agree with that, but as we've demonstrated today, this IoT device uses the same underlying software, operating system and protocols as computers have been for the past 30 years. So I like to think of IoT not so much as a new type of technology but more a new purpose for technology, and it's in that purpose that we can create these new vulnerabilities, and that we need to make sure that we're secure with these devices, especially if they're exposed to the internet. So that practically wraps it up. Ed and I are happy to take some questions for the last 10, 15, 20 minutes, however long we've got. 20 minutes. [Applause]
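Added example (not from the talk or from JSON SEC): the Basic-auth brute force that the talk drives through Burp Intruder, reduced to code so the mechanics are explicit: each candidate password is joined to the username, base64-encoded into an `Authorization: Basic` header, sent, and the loop stops on the first 200 instead of a 401; the winning header is then decoded the way Burp's Decoder tab was used. Everything here is constructed: `WORDLIST` is a five-entry stand-in for the 3,500-entry list used in the talk, `MockCameraAdmin` is a hypothetical in-process stand-in for the camera's management page that checks nothing but the `Authorization` header, and `"ilovejames"` is the planted password. It runs entirely offline; as the speaker says, do not point anything like it at devices you do not own.

```python
import base64
import hmac
from typing import Iterable, Mapping, Optional

# Constructed stand-in for the small rockyou-derived list used in the talk.
WORDLIST = ["123456", "password", "admin", "ilovejames", "qwerty"]


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization value a browser sends: base64("user:pass").
    This is the 'encode back into base64' payload-processing step from the talk."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header_value: str) -> tuple[str, str]:
    """What Burp's Decoder tab did in the talk: strip 'Basic ' and base64-decode.
    Raises ValueError for anything that is not a well-formed Basic header."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    # RFC 7617: split on the first ':' only, the password may itself contain ':'
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("decoded credentials lack the ':' separator")
    return user, password


class MockCameraAdmin:
    """Hypothetical stand-in for the camera's management page. Assumption taken
    from the talk: the page is protected by nothing but HTTP Basic auth."""

    def __init__(self, username: str, password: str) -> None:
        self._user = username.encode("utf-8")
        self._password = password.encode("utf-8")
        self.attempts = 0  # the burst of 401s a defender would see in the access log

    def get(self, headers: Mapping[str, str]) -> int:
        """Return the HTTP status the page would answer with for these headers."""
        self.attempts += 1
        try:
            user, password = decode_basic_auth(headers.get("Authorization", ""))
        except ValueError:
            return 401
        ok = hmac.compare_digest(user.encode("utf-8"), self._user) and \
            hmac.compare_digest(password.encode("utf-8"), self._password)
        return 200 if ok else 401


def brute_force_basic_auth(target: MockCameraAdmin, username: str,
                           wordlist: Iterable[str]) -> Optional[tuple[str, str]]:
    """Intruder's sniper loop: one request per candidate, stop at the first 200.
    Returns (password, header_value) so the header can be decoded as in the talk."""
    for candidate in wordlist:
        header = basic_auth_header(username, candidate)
        if target.get({"Authorization": header}) == 200:
            return candidate, header
    return None


if __name__ == "__main__":
    cam = MockCameraAdmin("admin", "ilovejames")
    hit = brute_force_basic_auth(cam, "admin", WORDLIST)
    if hit is not None:
        print(f"200 after {cam.attempts} requests; {hit[1]!r} decodes to {decode_basic_auth(hit[1])}")
```

The check a practitioner wants from this: the default credential pair the speaker tried first, `admin` with an empty password, encodes to `Basic YWRtaW46`, so a single request with that header is the cheapest test of whether a device was ever configured at all, and a run of 401s from one source followed by a 200 on the same path is exactly the pattern to alert on from the camera's or reverse proxy's access log.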
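Added example, not from the talk and not the D-Link firmware: the bug class the talk exploits is a password-change handler that pastes the admin ID into a shell command line, so a quote in the input closes the argument and whatever follows runs as a second command. The hypothetical handler below shows that shape next to its hardened form. The command being built (`echo 'set admin ...'`) is a constructed stand-in for whatever the real firmware runs, and the payload uses `echo INJECTED` where the talk used `telnetd`, so the effect is visible without starting a service. The hardening is two independent layers: never hand the value to a shell at all (an argument list cannot be re-parsed into extra commands), and reject any admin ID that is not plain alphanumeric before it reaches any command.

```python
import re
import subprocess

# Allowlist: the only characters an account name on this hypothetical device may contain.
ADMIN_ID_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

# Same shape as the talk's injection: close the quote, run our command, reopen the quote.
# 'echo INJECTED' stands in for the 'telnetd' the talk used.
PAYLOAD = "a'; echo INJECTED; '"


def change_admin_vulnerable(admin_id: str) -> str:
    """Vulnerable handler: admin_id is interpolated into a shell string and run via
    /bin/sh, so shell metacharacters in the input become extra commands."""
    cmd = f"echo 'set admin {admin_id}'"  # constructed stand-in for the firmware's command
    return subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False).stdout


def change_admin_no_shell(admin_id: str) -> str:
    """First layer only: pass an argument list, no shell. The payload is now just an
    odd-looking name that is echoed back literally, never executed."""
    result = subprocess.run(["echo", f"set admin {admin_id}"],
                            capture_output=True, text=True, check=True)
    return result.stdout


def change_admin_hardened(admin_id: str) -> str:
    """Both layers: allowlist-validate the value, then exec without a shell.
    Raises ValueError instead of ever building a command from bad input."""
    if not ADMIN_ID_RE.fullmatch(admin_id):
        raise ValueError("admin ID must be 1-32 characters of [A-Za-z0-9_]")
    return change_admin_no_shell(admin_id)


def is_injected(output: str) -> bool:
    """True if the injected command ran, i.e. 'INJECTED' appears on its own line."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("vulnerable :", repr(change_admin_vulnerable(PAYLOAD)))
    print("no shell   :", repr(change_admin_no_shell(PAYLOAD)))
    try:
        change_admin_hardened(PAYLOAD)
    except ValueError as exc:
        print("hardened   : rejected,", exc)
```

The allowlist is what turns "we fixed this one injection" into "this parameter cannot carry a payload": even if a later change reintroduces a shell call somewhere downstream, an admin ID that matches `[A-Za-z0-9_]{1,32}` has nothing in it for `/bin/sh` to interpret.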
Info
Channel: JSON SEC
Views: 34,491
Rating: 4.8790932 out of 5
Keywords: hacking, iot, device, live, how, do, hack, into, security, web, camera, lecture, demonstration, webcam, unsw, university, tutorial, demo, penetration, test, cameras, IoT, internet, of, things, pentest, cyber, code, injection, csrf, bruteforce, burp, cve, shodan, remote, authentication, bypass, login, basic, auth, workflow, hacker, enumeration, exploitation, post, where, go, to, learn, wireless, wifi, dlink, video, cam, 5020l, dcs, exploit, db, json, sec, cross, site, request, forgery, brute, force, attack, hijack, sql, terminal, busybox, linux, shell, how to hack
Id: jiYv-bQ2UX8
Length: 20min 25sec (1225 seconds)
Published: Mon May 04 2020