Hacking D-Link, Cisco And IQinVision - Black Hat Video

There's a 33 minute video here on this subject:

The presenter is a penetration tester from a security company. Pentesters have some pretty hairy skills and a lot of the video is pretty technical, but there are some good demos that have Hollywood beat, in that they aren't fictional and don't involve screens, smoke or mirrors, or a lot of drama.

He says he reviewed only a few companies and doesn't claim what he found applies to every manufacturer but since they all probably use the same web browser, called "lightly", an open source BSD app lighttpd, it's quite probable they share essentially the same vulnerabilities. But what he does say about the systems he reviewed is very interesting.

A lot of his assessment was based on analyzing the upgrades, which saved the expense of buying the camera but gave the same information. One of the issues raised was changing the stored video; if this isn't adequately protected, it isn't likely to have much value unless the court doesn't understand the issue.

Another one is that if the system is facing the internet without any protection, it's going to get scanned, which raises the possibility it might provide an entry to the rest of the network. I've seen PCs with fresh OS installs get discovered and probed a lot sooner than I thought possible; no idea who it was, could have been a bot-net herder, or breeder. Probably how they were reproduced.

These are issues that might be worth considering. So far no one has pointed any fingers at anyone over this, but it's probably an issue that warrants more attention, and at least some caution. This stuff can sound scary, but that's not the point; it's better to have some awareness of the issue so as to protect oneself.

For those of you who do not want to watch a half hour video, here's a recap of key claims / points made:

In general, what he is doing is applying Linux system administration skills to find ways to get root or admin access to the device. Once he has that, he can view, modify or change the underlying computer behind the 'camera'.

The Hollywood Hack

At the end, he showed how to do the classic Hollywood Hack of replacing a camera feed with a static image to fool a live security guard.

For example, here is an elevator:

Once he has root access to the computer/camera, he can kill the video streaming process, in the case below a MJPEG camera feed:

He can also issue a simple command to respond with a static image (that he supplies) when a user requests the video stream, thereby fooling the operator:

Doing this with a H.264 stream would be different but the same overall approach would apply.

Hacking D-Link Camera

The first hack shown was of the D-Link DCS-7410, though he said it applied to lots of D-Link cameras and other brands (like Trendnet). Also at the end, he noted that a fix has already been released in newer firmware.

He found 1 directory that was not password protected, this one:

Then he found that you could pass arbitrary commands to this URL and it would evaluate / run them:

Once he realized that, he simply passed the command to request the admin password, which was returned in plain text.

With the admin password, he obviously then had access to video and everything else.

In the middle of the presentation, he also showed hacks of Cisco and IQinVision cameras.

"probably use the same web browser, called "lightly""

It's actually a web server, not browser, and the common shorthand for that is "lighty", not "lightLy". nginx is the other popular lightweight embedded webserver you'll find used in a lot of IP cams.

You can tell what server is being used a few different ways if you're curious. The easiest is to use curl from a command line. curl should be installed by default on most unix/linux/BSD/OSX machines. I'm sure you can find it for Windows too, but I doubt it's there by default.

XXX-Air-2:~ xxx$ curl -I ipvm.com|grep Server
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 57351 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
Server: nginx/1.5.2 + Phusion Passenger 4.0.10

You're really smart :) But the easiest way is to have a website run the check for you - like BrowserSpy

Provided the camera you're testing is on a public IP, and on the default port 80. That website link doesn't seem to accept the standard IP:PORT convention for specifying non-standard ports.
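
The header check from the curl comment above, as an added example that is not part of any poster's message: a small shell helper that pulls the Server banner out of response headers, handling CRLF line endings, lower-case header names and a missing header. The function names and sample responses are constructed for illustration; `check_camera` takes a `host:port`, so it also covers devices on non-standard ports.

```shell
#!/bin/sh
# Added example: read raw HTTP response headers on stdin, print the Server value.

server_banner() {
    awk '
        { sub(/\r$/, "") }              # header lines end in CRLF
        /^$/ { exit }                   # blank line ends the header block
        tolower($0) ~ /^server:/ {      # header names are case-insensitive
            sub(/^[^:]*:[ \t]*/, "")
            print; found = 1; exit
        }
        END { if (!found) print "(no Server header)" }
    '
}

# Map a banner to the embedded web server families named in the thread.
server_family() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        lighttpd*)            echo lighttpd ;;
        nginx*)               echo nginx ;;
        "(no server header)") echo unknown ;;
        *)                    echo other ;;
    esac
}

# Live check of a device you administer. curl accepts host:port directly;
# -s drops the progress meter, -I sends a HEAD request.
check_camera() {
    curl -sI --max-time 5 "http://$1/" | server_banner
}

# Constructed sample responses (not captured from any real device).
sample_nginx='HTTP/1.1 200 OK\r\nServer: nginx/1.5.2 + Phusion Passenger 4.0.10\r\n\r\n'
sample_lighty='HTTP/1.0 200 OK\r\nserver:lighttpd/1.4.28\r\n\r\n'
sample_hidden='HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="cam"\r\n\r\n'

for s in "$sample_nginx" "$sample_lighty" "$sample_hidden"; do
    banner=$(printf '%b' "$s" | server_banner)
    printf '%-45s -> %s\n' "$banner" "$(server_family "$banner")"
done
```

The Server header is whatever the device chooses to send and can be changed or omitted, so treat the result as an inventory hint rather than proof of what is running.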

The IQInvision demonstration was a bit unsettling. I'd love to see him have a crack at an Axis camera - there are so many of them out there, it would be crazy if they were easily hacked too.

Scott, I agree - a serious flaw in an Axis camera would be a huge deal. Unfortunately, and ironically, hackers are so focused on consumer brands that they misunderstand where the real danger would be. That, or they tried, and Axis cameras are bulletproof to such attack!

More bad news folks:

Eighteen brands of security camera digital video recorders (DVRs) are vulnerable to an attack that would allow a hacker to remotely gain control of the devices to watch, copy, delete or alter video streams at will...

Apparently all the doin' of one "Ray Sharp"...

That's more than a year old. Still bad, but not so much news...

Doh! Is it '14 already? I was already thinkin' it was dated cause it was a month old, but this is just plain embarrassing :(

This was a very interesting post. However, traditional hacking may not even be the greatest risk.

About three months ago I informed a major vendor (with annual revenues on the order of $100 million) of the chance discovery that their netcam administration pages were accessible to anyone on the web using the camera model's default username and password.

Three months later, they haven't changed.

While a skilled penetration tester may find a way to breach any system as complex as a company's IT infrastructure, companies that at least implement industry standard practices around routine security matters such as usernames and passwords will greatly reduce their exposure to less gifted interlopers. Employees of larger companies should probably have been trained so that they understand where to forward information they receive about potential vulnerabilities as well.