To Watch or Be Watched: Turning Your Surveillance Camera Against You

No ratings

Presented at HITBSecConf Amsterdam 2013 by

“Doesn’t matter what you see, Or into it what you read, You can do it your own way, If it’s done just how I say…” – Eye Of The Beholder, Metallica Low cost IP surveillance cameras are becoming increasingly popular among households and small businesses. As of January 2013 Shodan (www.shodanhq.com) shows close to 100000 cameras active all over the world. Despite the fact that there are many models by different vendors, most of them are actually based on the similar hardware and firmware. Interestingly enough, these cameras have little or no emphasis on security. In particular, the web based administration interfaces can be considered as a textbook example of an insecure web application and easily leads to an exposure of not only sensitive personal information (such as wireless network, FTP, and even email access credentials), but also provides an eye to an inside of your house. Apart from the flaws in the web interface, the cameras also use questionable security practices when it comes to securing the firmware, which leads to even more interesting attack vectors. This presentation will cover: - How those cameras work - How to gain control over a camera in the wild: analysis of security malpractices - Going deeper: Harvesting sensitive data stored on the camera - Turning the camera into a persistent XSS backdoor - Making cameras part of a botnet - Automating the process: A bot that finds and owns cameras for you - Do the vendor’s job: Making it less (in)secure We will also release a toolkit for extracting, altering and re-packaging original components of the camera including: - The WebUI firmware (where malicious javascript can be injected) - The system firmware (romfs, Linux) - The recording settings for the camera (which contains all sorts of sensitive information). The toolkit will also include a framework for automating the modification of the software components above.