Yesterday I commented on Twitter that some of the talks given at ekoparty 2013 had already been posted on video. One of them addressed the security of IP cameras, which are often used for surveillance, and I wanted to watch it again to test some attacks on cameras that I have at home.
In this article I briefly comment on a vulnerability that I discovered in one of my cameras thanks to this talk, one that allows obtaining the administrator password. Below I leave the video of the talk with a short summary so you can watch it.
It should be clarified that this information is shared for preventive purposes, so that those who have vulnerable IP cameras are aware of these problems and take the necessary measures to protect themselves.
Obtaining the password of a Chinese IP camera (Foscam clone):
My camera is a clone of the Foscam FI8908W; it is one of the classic models that can be bought online at Deal Extreme and similar places.
One of the vulnerabilities discussed in the talk allows reading information from the camera without being authenticated: simply request the address (IP + port) followed by /get_status.cgi
In this example the port does not appear in the URL because the default is 80, but you can see that within a second the camera returns data including the firmware it has installed. In this case the version is 220.127.116.11, which is vulnerable to a path traversal (more details at openipcam.com).
This vulnerability allows direct access to the camera's files, including one called kcore that exposes the entire contents of memory. With this firmware, that is where the access credentials are stored in plain text:
Simply requesting the address followed by //proc/kcore dumps the contents, and right in the browser you can find the user and the administrator password:
If the camera was configured to work wirelessly, you could also see the WiFi password in plain text, and in fact all the configuration data, including users and passwords for e-mail, FTP and other functions.
It is a serious problem because any user with access to the network could take control of the camera, and if it is connected to the internet the same could be done from anywhere in the world.
In other words, even if you have a password that is impossible to guess, if an attacker reaches your camera's login page and you have vulnerable firmware, they could obtain your password, steal information, spy on you, and many other things.
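As an added example (not part of the original post), the following Python script shows how a defender who puts a gateway or reverse proxy in front of such a camera could spot the requests described above in its access log. It normalises each request path the way the camera's file handler effectively would (percent-decoding, collapsing repeated slashes, resolving '..'), flags anything that resolves under /proc or contains a '..' segment, records unauthenticated calls to /get_status.cgi, and also catches logins that use the factory default admin user with a blank password. The log lines and the get_status.cgi response are constructed samples; the "var name='value';" response layout, the sys_ver/app_ver field names and the user/pwd login parameters are assumptions about the camera's CGI interface, not taken from the post.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample: a gateway/reverse-proxy access log in front of a camera
# (common log format). Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Oct/2013:10:01:02 -0300] "GET /get_status.cgi HTTP/1.1" 200 233
192.0.2.10 - - [15/Oct/2013:10:01:09 -0300] "GET //proc/kcore HTTP/1.1" 200 0
198.51.100.7 - - [15/Oct/2013:10:03:44 -0300] "GET /%2e%2e/%2e%2e/proc/kcore HTTP/1.1" 200 0
192.0.2.55 - - [15/Oct/2013:10:05:00 -0300] "GET /videostream.cgi?user=admin&pwd= HTTP/1.1" 200 1024
192.0.2.55 - - [15/Oct/2013:10:06:00 -0300] "GET /index.htm HTTP/1.1" 200 512
"""

# Constructed sample of a get_status.cgi response. The 'var name=value;' layout
# and the sys_ver/app_ver field names are assumed from Foscam's CGI interface;
# the version numbers are placeholders, not the vulnerable build from the post.
SAMPLE_STATUS = "var id='000000000000';var sys_ver='0.0.0.0';var app_ver='0.0.0.0';var alarm_status=0;"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
STATUS_VAR_RE = re.compile(r"var\s+(\w+)\s*=\s*'?([^';]*)'?\s*;")


def normalise_path(target):
    """Reduce a request target to the path the camera would actually serve:
    drop the query string, percent-decode twice (catches %252e double encoding),
    collapse repeated slashes and resolve '.' and '..' segments."""
    path = unquote(unquote(target.partition('?')[0]))
    parts = []
    for seg in path.split('/'):
        if seg in ('', '.'):
            continue            # '//' and '/./' add nothing
        if seg == '..':
            if parts:
                parts.pop()     # step up one directory, never above '/'
            continue
        parts.append(seg)
    return '/' + '/'.join(parts)


def classify(target):
    """Label a request target, or return None if it looks benign."""
    path, _, query = target.partition('?')
    decoded = unquote(unquote(path))
    norm = normalise_path(target)
    # Any '..' segment, or a normalised path under /proc, is a traversal attempt:
    # a camera's CGI directory has no legitimate reason to serve /proc/kcore.
    if '..' in decoded.split('/') or norm.startswith('/proc/'):
        return 'traversal'
    # The unauthenticated status query that leaks the firmware version.
    if norm == '/get_status.cgi':
        return 'recon'
    # Login with the factory default: user 'admin' and an empty password
    # (user/pwd parameter names are an assumption about the camera's CGI).
    params = parse_qs(query, keep_blank_values=True)
    if params.get('user') == ['admin'] and params.get('pwd') == ['']:
        return 'blank-password'
    return None


def scan_log(text):
    """Return (client ip, label, normalised path) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m.group('target'))
        if label:
            findings.append((m.group('ip'), label, normalise_path(m.group('target'))))
    return findings


def parse_status(body):
    """Parse a get_status.cgi body into a dict, e.g. to inventory firmware versions."""
    return dict(STATUS_VAR_RE.findall(body))


if __name__ == '__main__':
    for ip, label, path in scan_log(SAMPLE_LOG):
        print(f'{ip:15} {label:15} {path}')
    status = parse_status(SAMPLE_STATUS)
    print('firmware:', status.get('sys_ver'), 'app:', status.get('app_ver'))
```

The normalisation step is the part worth keeping: a plain string match on "/proc/kcore" misses the doubled slash and the percent-encoded forms, which is exactly why the check works on the resolved path rather than the raw request line. parse_status is there so the same unauthenticated endpoint can be used by the camera's owner to inventory firmware versions across several devices.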
The solution is to update the firmware to the latest available version; the firmware is the camera's operating system and can be downloaded from the manufacturer's page. In the case of Chinese cameras it is more complicated because there is no official support, and for some, like mine, the latest available firmware is still vulnerable.
For these cases the ideal would be to avoid connecting the cameras to the internet, or to do so with some extra protection such as a firewall. On the local network the camera could also be isolated so that a compromise cannot be used to attack other computers.
By the way, I forgot to mention that the default credentials of these cameras are admin for the user with a blank password. It is worth mentioning because many people simply connect the cameras and, since they work, forget to change these basic settings.
There is also a tool called getmecamtool (developed by Sergey Shekyan and Artem Harutyunyan) that makes it easy to exploit these and other vulnerabilities in the FI8910W, FI8908W and FI8909W models.
Ekoparty Conference on IP Cameras:
The talk presents research carried out by the Core Security team. It begins with an introduction to how IP cameras work and then goes fully into explaining the different vulnerabilities they discovered in cameras from well-known brands such as MayGion, Foscam, D-Link, Zavio and TP-Link.
They are all remote, pre-authentication vulnerabilities.
There is something for everyone; perhaps the most curious, because we have seen it so many times in the movies, is modifying the camera's live stream (video stream hijacking) to show a series of images or a video instead.
For this they perform a live demo with a Foscam camera that is flashed with modified firmware, a process that takes about 60 seconds and can be done from the administrator account which, as we saw earlier, is very easy to access if the firmware is vulnerable.
You can download the presentation of the talk from here (pptx).