Hacking D-Link, Cisco And Iqinvision - Black Hat Video

That was an eye opener. These guys definitely live in a strange and interesting world.

For those of you who do not want to watch a half hour video, here's a recap of key claims / points made:

In general, what he is doing is applying Linux system administration skills to find ways to get root or admin access to the device. Once he has that, he can view, modify or change the underlying computer behind the 'camera'.

The Hollywood Hack

At the end, he showed how to do the classic Hollywood Hack of replacing a camera feed with a static image to fool a live security guard.

For example, here is an elevator:

Once he has root access to the computer/camera, he can kill the video streaming process, in the case below a MJPEG camera feed:

He can also issue a simple command to respond with a static image (that he supplies) when a user requests the video stream, thereby fooling the operator:

Doing this with a H.264 stream would be different but the same overall approach would apply.

Hacking D-Link Camera

The first hack shown was of the D-Link DCS-7410, though he said it applied to lots of D-Link cameras and other brands (like Trendnet). Also at the end, he noted that a fix has already been released in newer firmware.

He found 1 directory that was not password protected, this one:

Then he found that you could pass arbitrary commands to this URL and it would evaluate / run them:

Once he realized that, he simply passed the command to request the admin password which was return in plain text.

With the admin password, he obviously then had access to video and everything else.

In the middle of the presentation, he also showed hacks of Cisco and IQinVision cameras.

"probably use the same web browser, called "lightly""

It's actually a web server, not browser, and the common shorthand for that is "lighty", not "lightLy". nginx is the other popular lightweight embedded webserver you'll find used in a lot of IP cams.

You can tell what server is being used a few different ways if you're curious. The easiest is to use curl from a command line. curl should be installed by default on most unix/linux/BSD/OSX machines. I'm sure you can find it for Windows too, but I doubt it's there by default.

XXX-Air-2:~ xxx$ curl -I ipvm.com|grep Server
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 57351 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
Server: nginx/1.5.2 + Phusion Passenger 4.0.10

The IQInvision demonstration was a bit unsettling. I'd love to see him have a crack at an Axis camera - there are so many of them out there, it would be crazy if they were easily hacked too.

More bad news folks:

Eighteen brands of security camera digital video recorders (DVRs) are vulnerable to an attack that would allow a hacker to remotely gain control of the devices to watch, copy, delete or alter video streams at will...

Apparently all the doin' of one "Ray Sharp"...

This was a very interesting post. However, traditional hacking may not even be the greatest risk.

About three months ago I informed a major vendor (with annual revenues on the order of $100 million) of the chance discovery that their netcam administration pages were accessible to anyone on the web using the camera model's default username and password.

Three months later, they haven't changed.

While a skilled penetration tester may find a way to breach any system as complex as a company's IT infrastructure, companies that at least implement industry standard practices around routine security matters such as usernames and passwords will greatly reduce their exposure to less gifted interlopers. Employees of larger companies should probably have been trained so that they understand where to forward information they receive about potential vulnerabilities as well.