
Eyes On IZON: Surveilling IP Camera Security

Home IP cameras are becoming increasingly common thanks to sleek designs, WiFi connectivity, and intuitive mobile applications. Previously, such IP cameras were mostly in use by home security aficionados and small business owners. Now, however, with increasing video quality and ease of use, these cameras are becoming popular with the average homeowner who wants a bit more confidence that all is well while they're absent. This presentation will provide insight into the security mechanisms used by the IZON camera, some of the weaknesses found during research, and a few recommendations for the vendor (or anyone else developing these sorts of cameras) to benefit from. Attention will be paid to topics such as network protocols, iOS app security, APIs, and other aspects of the camera's platform that have attack surface.

Mark Stanislav

October 23, 2013

Transcript

  1. What Is An IZON?
     ‣ IP enabled web camera that is fully managed from your iOS-based device
     ‣ Provides remote access to live video
     ‣ Supports recordings for motion & noise
     ‣ Only requires WiFi + AC power to run
     ‣ SKUs for US, Europe, China, Japan, UK, Australia, Hong Kong, and Singapore
     ‣ Sold at Apple, Amazon, Best Buy, Fry’s, Wal-Mart, Target, and other retailers
     Image from http://steminnovation.com/izon
  2. In The Beginning, A Simple Goal...
     ‣ The first question for any security research is, “Well, why this device?”
     ‣ Ever set up a Raspberry Pi? Me too. Except, I forgot to set a static IP and figured I’d NMAP my network
     ‣ It’s amazing the terrors that result from scanning your network
     ‣ Telnet? RTSP? HTTP? What the hell is this device on my network?
     Image from http://www.raspberrypi.org/
  3. What Should We Test? A Wish List.
     Surface   Desired Result
     Telnet    Get a Shell
     HTTP      Access Web Interface
     HTTP      Find Vulnerabilities
     RTSP      View Stream Passively
     RTSP      Request Stream to View
     Device    Access On-Camera Software
     Device    Remotely Access a Camera
     Device    Access Video Recordings
     Device    Access Device Information
     Device    Firmware Upload Access
     It’s always good to have goals!
  4. How A Camera Is Set Up
     ‣ Install the app on your iOS-based device
     ‣ Create an account (on app) that manages all of your cameras
     ‣ Go through a process to provide WiFi info (SSID/security details)
     ‣ Scan the QR code generated on your phone with the above info
     ‣ The camera connects to your network and does backend... stuff.
     ‣ We’ll talk more about that in a few...
     QR decoded by http://zxing.org/w/decode.jspx
     Image from http://www.shopify.com
  5. What Happens During A New Camera Setup? 1/2
     Multicast DNS Traffic
     RSA (1024-bit) Public Key Transfers From Camera to App
  6. What If You Remove The Camera From Your Phone?
       8515 root 1372 S < /bin/sh /bin/factoryreset complete_reset
       8526 root 1384 S < /bin/sh /bin/led.sh alt blink_start 5
       8575 root 1424 S < /bin/sh /bin/wifizconf.sh stop_bonjour
     Process output from camera after a “remove” is initiated
     ‣ Cameras are only attached to one account at a time
     ‣ This leads to a shared credential situation if you want your family members to also access it
     ‣ The device resets so that it goes back into factory default mode
     ‣ If you change the “admin” password, the app gets really mad :)
  7. Gaining Access: The Failed Attempts :*(
     ‣ The “admin” user has an encrypted password sent over the wire, presumably utilizing the RSA public key we saw during setup
     ‣ Web site transactions are authenticated using HTTP Digest
     ‣ Because of this, we are unable to sniff the password, despite all requests being cleartext
     ‣ A brute force of Telnet and/or HTTP digest is potentially slow
     ‣ Hardware modification is not an area I know about...
       GET /cgi-bin/v1/servers/snapshot/1 HTTP/1.1
       Host: 192.168.0.6
       Authorization: Digest username="admin", realm="Authorization required", nonce="e14a9782902552eb88d62c11183983fd", uri="/cgi-bin/v1/servers/snapshot/1", response="6fec266cccbfb3307f1a567147281a31", cnonce="823188c37fb6cd1b1190c4c07f49515e", nc=00000001, qop="auth"
       Accept-Encoding: gzip, deflate
       charset: utf-8
       Accept-Language: en-us
       Accept: application/xml
       Connection: keep-alive
       User-Agent: IZON/1.0.5 CFNetwork/609.1.4 Darwin/13.0.0
     HTTP Digest Authentication
  8. Attacking The App
     Rasticrac (or Clutch) dumps the app from memory to review
     Verification that the dumped app from memory is cleartext, yay!
  9. Camera’s Linux Accounts
       root@izon # cat /etc/shadow
       root:bcDOEAqtEnAkM:12773:0:99999:7:::
       daemon:*:12773:0:99999:7:::
       bin:*:12773:0:99999:7:::
       sys:*:12773:0:99999:7:::
       www-data:*:12773:0:99999:7:::
       backup:*:12773:0:99999:7:::
       admin:CTedwasnlmwJM:12773:0:99999:7:::
       nobody:*:12773:0:99999:7:::
       mg3500:ab8EYhqWKRB36:12773:0:99999:7:::
     DES CRYPT :)
     stemroot   merlin   /ADMIN/
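As an added illustration that is not part of the deck, a small audit script that classifies each password field of the /etc/shadow dump above by hashing scheme and lists the accounts that are both loginable and hashed with traditional DES crypt, which is what the slide is pointing at. The shadow lines are the ones shown on the slide; the scheme table and weakness threshold are this example's own.

```python
import re

# /etc/shadow as dumped from the camera on the slide (hash fields as shown there).
CAMERA_SHADOW = """\
root:bcDOEAqtEnAkM:12773:0:99999:7:::
daemon:*:12773:0:99999:7:::
bin:*:12773:0:99999:7:::
sys:*:12773:0:99999:7:::
www-data:*:12773:0:99999:7:::
backup:*:12773:0:99999:7:::
admin:CTedwasnlmwJM:12773:0:99999:7:::
nobody:*:12773:0:99999:7:::
mg3500:ab8EYhqWKRB36:12773:0:99999:7:::
"""

# Modular-crypt identifier -> algorithm. A field with no "$id$" prefix is either
# traditional DES crypt (exactly 13 chars of [./0-9A-Za-z]) or locked/empty.
SCHEMES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
           "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}
WEAK = {"DES crypt", "md5crypt"}   # DES: 8-char truncation, 12-bit salt; md5crypt: fast, unsalted-ish

def classify(field: str) -> str:
    if not field:
        return "empty"              # no password at all
    if field[0] in "*!":
        return "locked"             # cannot log in with a password
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "DES crypt"
    return "unknown"

def audit_shadow(text: str) -> dict:
    """Map every account in a shadow file to the scheme protecting its password."""
    result = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        result[parts[0]] = classify(parts[1])
    return result

def weak_accounts(text: str) -> list:
    """Accounts that can be logged into and whose hash is weak or missing."""
    return [u for u, s in audit_shadow(text).items() if s in WEAK or s == "empty"]
```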
  10. Web Server - Lighttpd 1.4.24
     “user” and “admin” credentials
     Paths restricted by authentication
     ...and here’s where those hashes come from
     Yes, user/user :)
  11. Mobileye; A Hidden “Feature”
     http://camera-ip/mobileye/
     ‣ You can log in to this hidden web interface using the stock credentials, user/user
     ‣ As “user” you can view the camera via an image stream, QVGA, and VGA video
     ‣ API service key/connection details are also available, notably for their “alert” video provider, IntelliVision
     ‣ Firmware details and alarm configuration are also available
  12. Wireless Reconnaissance And Thief-Enablement
     Imagine a thief who knows if you’re home and can disable your motion/audio sensors so that no video is recorded of them...
  13. Don’t Like VLC Streaming? How About Flash!
     ‣ By default the video streams utilize VLC for streaming
     ‣ A configurable option is to enable Flash as the interface, providing an easier-to-snoop experience!
     ‣ Both the video and audio are quite good; the mic picks up a lot
  14. IntelliVision Usage
       GET /970270ad8dfd3f070df7b76dca1fa5ec-THUMBNAIL-1.jpg HTTP/1.1
       Host: intellivision3.s3.amazonaws.com
       Connection: keep-alive
       Accept-Encoding: gzip, deflate
       User-Agent: IZON/1.0.5 CFNetwork/609.1.4 Darwin/13.0.0
       Accept-Language: en-us
       Accept: */*
     Example thumbnail retrieval
     ‣ http://www.intelli-vision.com - “IntelliVision is a leading company in “Video Intelligence and Automated Monitoring” solutions for security, surveillance and safety markets.”
     ‣ Alert videos are accessible through their S3 bucket via HTTP
     ‣ Single, vendor-named bucket... http://intellivision3.s3.amazonaws.com/
     ‣ MD5 filenames are used with a static formatting as such:
       ‣ ${MD5}-(THUMBNAIL|PLAYLIST|VIDEO)-${number}.(jpg|m3u8|ts)
     ‣ The aforementioned files are not encrypted prior to upload to S3
     ‣ There are hardcoded S3 credentials found within the mobile app
  15. Video Deletion; Not As Deleted As You May Like...
     Thumbnail + video files (TS) are still available 2 months since I said to delete this content...
  16. YOICS Usage
     ‣ https://www.yoics.com
     ‣ “We enable safe, secure access to your devices and your data whenever you have an internet connection.”
     ‣ Provides access to your camera via a proxy when not on your WiFi network
     ‣ A public network address and port are opened up which connect directly to your camera
     ‣ Best I can tell, this is utilized to administrate as well as stream the camera to your mobile device
     ‣ From the network connection I saw happen, it was accessing this proxy via HTTP, not HTTPS...
  17. Additional YOICS Insights
     ‣ Your Stem Innovation account’s password is also used for your YOICS account that’s automatically created for your usage
     ‣ Cleartext API queries to the YOICS service send your username and an MD5 hash of the aforementioned password to operate
     ‣ In some cases, the MD5 password is also base64-encoded
       http://apistream.yoics.net/web/login.ashx?key=StemConnectApplication&user=stem_{email}&pwd={MD5}&type=xml
     API Token Information
       http://apistem.yoics.net/web/api/device.ashx?token={token}&deviceaddress={MAC Address}&action=get
     Camera Device Details
  18. 62 Results For IZON’s Telnet Prompt Via SHODAN
     ‣ 1 - France
     ‣ 1 - United Arab Emirates
     ‣ 1 - Canada
     ‣ 1 - Switzerland
     ‣ 1 - China
     ‣ 1 - Denmark
     ‣ 1 - Finland
     ‣ 1 - Venezuela
     ‣ 2 - Panama
     ‣ 2 - Japan
     ‣ 5 - Germany
     ‣ 13 - Mexico
     ‣ 32 - United States
     Data Queried in July, 2013
  19. What Should We Test? A Wish List.
     Attack Surface   Desired Result               Value
     Telnet           Get a Shell                  Pass
     HTTP             Access Web Interface         Pass
     HTTP             Find Vulnerabilities         Untested
     RTSP             View Stream Passively        Pass
     RTSP             Request Stream to View       Pass
     Device           Access On-Camera Software    Pass
     Device           Remotely Access a Camera     Pass
     Device           Access Video Recordings      Pass
     Device           Access Device Information    Pass
     Device           Firmware Upload Access       Pass
  20. Issue Summary
     ‣ Camera web server does not operate via HTTPS for anything
     ‣ Telnet is used for software upgrades and who knows what else
     ‣ Camera “API” calls are vulnerable to digest auth replay attacks
     ‣ RTSP is streamed in the clear so anyone can MITM live video
     ‣ Hardcoded root/mg3500/admin credentials for Linux accounts
     ‣ “Hidden” web backend with default login credentials for viewing
     ‣ S3 storage of alert videos without encryption or actual deletion
     ‣ Single S3 vendor bucket with hardcoded S3 access/secret keys
     ‣ Alert videos protected only by an MD5 path, no IAM credentials
     ‣ Your account password is sent as an MD5 over HTTP
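The issue summary (and the captured request on slide 7) describes the camera's Digest-authenticated API calls as replayable. As an added example that is not part of the deck, the Python below shows the server-side bookkeeping RFC 2617 expects: the highest nonce-count (nc) accepted for each issued nonce is remembered, so the identical header is accepted once and refused when replayed, while the client's next request with an incremented nc still succeeds. The realm and URI are those of the captured request; the "admin" password is a constructed placeholder, not the camera's.

```python
import hashlib
import hmac
import re
import secrets

def parse_digest(header: str) -> dict:
    # 'Digest username="admin", ..., nc=00000001, qop="auth"' -> {"username": "admin", ...}
    return dict(re.findall(r'(\w+)="?([^",]*)"?', header))

def digest_response(password: str, f: dict, method: str = "GET") -> str:
    # RFC 2617 with qop=auth: MD5(HA1 : nonce : nc : cnonce : qop : HA2)
    ha1 = hashlib.md5(f"{f['username']}:{f['realm']}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{f['uri']}".encode()).hexdigest()
    data = f"{ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:{f['qop']}:{ha2}"
    return hashlib.md5(data.encode()).hexdigest()

def client_header(user: str, password: str, nonce: str, nc: int) -> str:
    # Legitimate client header for nonce-count nc (realm/uri as in the captured request).
    f = {"username": user, "realm": "Authorization required", "nonce": nonce,
         "uri": "/cgi-bin/v1/servers/snapshot/1", "cnonce": secrets.token_hex(16),
         "nc": f"{nc:08x}", "qop": "auth"}
    f["response"] = digest_response(password, f)
    return "Digest " + ", ".join(f"nc={v}" if k == "nc" else f'{k}="{v}"' for k, v in f.items())

class DigestVerifier:
    # Server side: track the highest nc accepted per issued nonce; a replay reuses both and is refused.
    def __init__(self, users: dict):
        self.users, self.nonces = users, {}   # nonces: issued nonce -> highest nc accepted
    def issue_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce
    def verify(self, header: str, method: str = "GET") -> bool:
        f = parse_digest(header)
        pw = self.users.get(f.get("username"))
        if pw is None or f.get("qop") != "auth" or f.get("nonce") not in self.nonces:
            return False                      # unknown user, or a nonce we never issued
        nc = int(f.get("nc", "0"), 16)
        fresh = nc > self.nonces[f["nonce"]]  # nc must strictly increase; equal or lower = replay
        good = hmac.compare_digest(digest_response(pw, f, method), f.get("response", ""))
        if fresh and good:
            self.nonces[f["nonce"]] = nc
        return fresh and good

def demo(password: str = "demo-password") -> tuple:  # constructed password, not the camera's
    v = DigestVerifier({"admin": password})
    nonce = v.issue_nonce()
    first = client_header("admin", password, nonce, 1)
    # legitimate request -> True; same bytes replayed -> False; next fresh request -> True
    return v.verify(first), v.verify(first), v.verify(client_header("admin", password, nonce, 2))
```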
  21. Additional Areas To Research
     ‣ Camera Firmware
       ‣ Acquire (via intercepting the update process)
       ‣ Reverse engineer to find any other interesting secrets and/or attack surface
       ‣ Upload a custom firmware with additional functionality or edits
     ‣ Camera Processes
       ‣ Look for web application vulnerabilities in the administrative application/API
       ‣ Learn more about the services running on the device -- features? vulnerabilities?
     ‣ Changes Since Update
       ‣ 3.x code branch has been released; all testing thus far was done against 2.x
     ‣ Service APIs
       ‣ Better understand what API calls are doing going outbound for services
  22. The FTC Dislikes When Something Is Labeled Secure, But Isn’t
     Screenshot from http://www.nytimes.com/2013/09/05/technology/ftc-says-webcams-flaw-put-users-lives-on-display.html
     Screenshot from http://steminnovation.com/page/IZON_WIFI_Video_Monitor/44/24/
  23. Disclosure Timeline
     ‣ 09/06: Contacted Stem Innovation via their site’s contact form due to a lack of e-mail addresses
     ‣ 09/06: Received a reply back from their help desk, asking me to clarify “my questions”
     ‣ 09/06: Explained the reason for my contact was not for “questions” but to discuss security issues
     ‣ 09/16: Having not heard back from them for 10 days, I followed up via the help desk ticket I had
     ‣ 09/19: I received a response back that I needed to contact their company’s CEO for assistance
     ‣ 09/19: Contacted their CEO, providing an efficient overview of issues found with severity ratings
     ‣ 09/30: I had no response from their CEO in 11 days, so I opened up a new help desk case to ask why
     ‣ 10/01: The new case was updated saying their CEO was aware of my email and would respond
     ‣ 10/03: I received an e-mail from their CTO who was very polite but was light on specifics and didn’t ask for any further details, nor explained how/when they were fixing these issues
     ‣ 10/03: I followed up with the CTO to ask for clarification on what issues were fixed or being fixed and expressed (again) my willingness to take a phone call or otherwise to help explain issues
     ‣ 10/14: Their CTO responds wanting to “meet” and claims there are inaccuracies with my research and potential “confidential” information that I may have come upon -- does not state any specifics
     ‣ 10/14: I responded back within 1 hour, offering times for the very next day to resolve these issues
     ‣ 10/16: I am still waiting for a response back...
  24. Parting Thoughts
     ‣ We’re trusting too many network-enabled devices very blindly
     ‣ WiFi enabled thermostats, ovens, fridges, light bulbs, outlets, cameras, and alarm systems
     ‣ The average vendor is not going to notice many of these failures of best practices that to security experts are glaring issues
     ‣ Hence, why we do research and why we report problems -- responsibly :)
     ‣ Devices like these make great research projects since the hardware can be contained within your own network perimeter
     ‣ This device is just one of many that likely have major issues...
  25. One Last Thing...
     That Raspberry Pi? Yeah, I’ve still never found it...
     Image from http://blog.reyboz.it
  26. Thanks Go Out To...
     ‣ @purehate_, @quine, and @dakykilla from Accuvant LABS for their help to determine the “admin” Linux account password
     ‣ @akgood and @jonoberheide for reviewing content early on and providing guidance
     ‣ @duiceburger for letting me use his jailbroken iPhone for app testing