Hacking cameras: attack vectors, vulnerability search tools and protection from surveillance

Surveillance cameras became part of the Internet of Things and, like other devices with unhindered access to the network, became the focus of interest of hackers. Millions of IP cameras from different manufacturers are open to intruders.

Manufacturers of cameras can save on the work of programmers and hardware - buyers get cheap devices with limited computing resources and huge holes in the security mechanisms.
')
Firmware mass-consumer noname devices do not hold water. Often they are not updated by anyone and do not become more secure after changing the default password. Moreover, the manufacturer itself can lay a backdoor.

Next, we consider the main directions of attacks on video surveillance systems.

Free cheese

"5MP pinhole lens camera module for CCTV camera pinhole module from factory"

From the point of view of the consumer, the market is not logical. With the "penny" cost of the IP-camera modules themselves, the output is the cost of the simplest devices close to $ 100.

The main cost is formed at a level higher than iron. The main thing is computing resources, firmware and the ability to support all the "chips" of the firmware for an arbitrarily long time. The camera should work years at the same high level of protection.

The point is that the manufacturer of embedded hardware, which seeks to save on everything, is very likely to leave such vulnerabilities in the firmware and hardware that even access via the bare ONVIF protocol with a complex password does not protect against an intruder.

The lack of automatic updates is a sentence to the entire security system. A regular user does not follow the news in the IT sphere and will not go manually to download a new firmware for his camera purchased on Aliexpress on sale.

One of the most impressive examples of exploitation of cheap camera features is related to the Heartbleed exploit OpenSSL - this is an unpleasant combination of Heartbleed vulnerability with the specifics of embedded devices that may not be updated ever.

As a result, cameras are used for espionage and, which happens much more often, become part of botnets. So hacking the Xiongmai cameras led to the most powerful DDOS attack not the sites of Netflix, Google, Spotify and Twitter.

Passwords

The woman in the video acquired a camera in a discount store. She wanted to use the device to keep track of her puppy. After some time, the camera began to talk with the hostess and independently rotate. And something happened that often happens with cheap Chinese cameras, in which direct open access to the video stream is provided even on the manufacturer's website.

At first glance, camera passwords may seem too obvious a security measure to discuss, but tens of thousands of cameras and DVRs are regularly compromised due to the use of default passwords.

The hacker grouping Lizard Squad hacked thousands of surveillance cameras using a simple factory account, the same for all cameras. The devices were hacked by a banal brute force (although, perhaps, the manufacturer and the user themselves peered the password).

Ideally, manufacturers should assign a unique, long and not obvious password for each camera. Such a meticulous process takes time to set up and is difficult to administer. Therefore, many integrators use the same password for all cameras.

Staff turnover or changing user roles helps to create unexpected security holes for enterprises. If the system does not have a well-thought-out mechanism for differentiating access rights for various employees, groups of cameras and objects, we get a potential vulnerability such as a “Chekhov’s gun” - it will definitely fire.

Port Forwarding

The number of cameras infected via TCP port 81 (data Shodan)

The term “port forwarding” is sometimes replaced with similar ones: “port forwarding”, “port forwarding” or “port translation”. Open the port on the router, for example, to connect from the Internet to your home camera.

Most of the traditional surveillance systems, including DVR, NVR and VMS, are now connected to the Internet for remote access or operate in LAN, which, in turn, is connected to the global network.

Port forwarding allows customizable access to the camera on your local network, but also opens up a window of opportunity for hacking. If you apply a request of a certain type , the search engine Shodan will show about 50,000 vulnerable devices freely “dangling” in the network.

An Internet-open system requires, at a minimum, IDS / IPS for additional protection. Ideally, put the surveillance system on a physically separate network or use a VLAN.

Encryption

Argentine security researcher Esequiel Fernandez has published a vulnerability that makes it easy to extract unencrypted video from local DVR discs.

Fernandez discovered that you can access the control panel of certain DVRs using a short exploit:

$> curl "http: // {DVR_HOST_IP}: {PORT} /device.rsp?opt=user&cmd=list" -H "Cookie: uid = admin"

We met a surprising number of cameras, DVR, NVR, VMS, which did not encrypt the channel even over SSL. The use of such devices threatens with problems worse than the complete failure of https. In Ivideon, we use TLS encryption not only for video in the cloud, but also for camera streams.

In addition to insecure connections, the same privacy risks threaten when storing unencrypted video on disk or in the cloud. For a truly secure system, the video must be encrypted both when stored on disk and when transferred to the cloud or local storage.

Hacking procedure

Bust for the smallest

Video management software often interacts with various potentially vulnerable components of the operating system. For example, many VMS use Microsoft Access. Thus, you can get to the unencrypted video through the "holes" in the OS.

Since cameras are vulnerable on all sides, the choice of targets for an attack is unusually wide, the majority of illegal actions do not require special knowledge or special skills.

Almost anyone who wants to watch a camera broadcast illegally can easily do it. Therefore, it is not surprising that unskilled hackers are often engaged in connecting to unprotected cameras just for fun.

For brute-force, you can use the BIG HIT SPAYASICAM and SquardCam programs, along with the masscan and RouterScan penetration testing tools. Sometimes you don’t even need to use security scanners — Insecam and IP Scan make it easy for you to find cameras on the Internet.

Significantly simplifies hacking access to the camera's RTSP link. And the desired links can be obtained here or here . For remote viewing and control of DVRs and cameras widely used official applications from equipment manufacturers - SmartPSS and IVMS-4200.

Unobvious consequences

Information about open cameras or cameras with known passwords is widespread on image boards and in social networks. Clips from hacked cameras on YouTube are gaining hundreds of thousands of views.

There are several unobvious ways to use compromised cameras. Among them is cryptocurrency mining. Employees of IBM X-Force discovered a variant of the ELF Linux / Mirai trojan , which is equipped with a module for mining bitcoins. The malware searches and infects vulnerable devices on Linux, including DVRs and security cameras.

More serious consequences can arise from the use of vulnerable devices as intermediate points for attacks on third-party infrastructures that can be launched to hide forensic evidence, falsify data or perform denial of service.

And the last thing you need to know when using cameras - the manufacturer can leave a backdoor for himself with an unknown purpose. For example, security experts from Risk Based Security have discovered a vulnerability in CCTV cameras from a Chinese manufacturer, Zhuhai RaySharp Technology.

Firmware products manufactured in RaySharp, is a Linux-system with CGI-scripts that form the web interface. It turned out that the password 519070 gives access to viewing images and system settings of all cameras. However, similar firmware with unsafe connections to the backend are common .

Camera protection against hacking

Inside one of Google's data centers

Cloud surveillance services are not affected by the vulnerabilities of previous generation systems. For a cloud solution without port forwarding, firewall configuration is usually not required. To connect to the Ivideon cloud, any Internet connection is suitable and a static IP address is not required.

For all devices c service Ivideon password is generated randomly when connecting cameras in your account. For some camera models, for example, Nobelic , you can create your own password in your Ivideon user account.

We do not store user passwords, so you cannot access them. We do not store centrally video archives. They are distributed between many machines in different data centers.

Access to the mobile application is protected by a PIN code, and in the future there will be a biometric protection.

The cloud service also automatically sends patches and security updates via the Internet to any local device of the user. No additional actions are required from the end user for security monitoring.

In Ivideon, many features (with the exception of the cloud archive and video analytics modules) and all security updates for all customers are provided free of charge.

We hope that these simple rules will be used in all cloud surveillance services.