Pro Focus LLC | 04/12/16 07:18pm
And we are to just take you at your word that you are a white hat hacktivist, being undisclosed and all?
Pro Focus LLC | 04/12/16 07:26pm
If you are looking for an easy target, Dahua has the most gaping holes in security that we've seen. They STILL are using admin/admin for ONVIF connections. No matter how hard you try to lock down their cameras, you can still access them via ONVIF Manager using default creds.
Question - To make a truly Hollywood-style attack as the above video claims, how to mask the image with the time stamp present? (The video masks only the image; no time stamp is present in the demo video.) That too, the time stamp font colour changes when a light change is detected; how to achieve that?
If you're doing a planned attack and know a little bit about the camera beforehand, you could likely install a pre-compiled version of ImageMagick to handle encoding a dynamic timestamp on top of a static image.
There's a ton of good ImageMagick examples on this site.
To take it a step further, you could download binwalk, decompile a firmware image for the camera, add in your custom IM build and timestamp manipulator and then upload a new firmware payload to the camera. While you're at it you could add a custom .cgi script on the camera that when called flips the camera from "Live" mode to "Fake Stream mode". It could even automatically take a static image from the camera at time of activation.
All this considered, I'm not sure I agree with this statement:
>>In my opinion, if the above hack is achieved to the proper effect, it would definitely be one of the top vulnerabilities with IP Cameras.
Camera-generated timestamps seem to mostly be used on lower-end systems with simple NVRs like the Hik unit you're using. These systems are less likely to be used in an environment that would have anything worth going to the extreme of spoofing a camera over.
Higher-end systems tend to use a VMS-generated timestamp because it's easier to keep all cameras in sync, and also because sometimes the camera network is so locked down there isn't even access to an NTP server.
Looking at it from a different angle, the more critical systems may be even easier to spoof because they're not expecting any dynamic image overlay on the camera's video stream.
@John, thanks, John, for your clarification. Gradually, I too am realizing that not all people in cyberspace are white hats.
@Brian: Got some useful input from your reply. But my first thought is, instead of the camera (which is already installed in a wall or other place and is not easy to reach), the VMS software on the NVR seems more attractive: a) it is a powerful Linux machine, b) it has access to all the cameras, including the one where I wish to manipulate the video stream.
>>browser to view an mjpeg video stream, which isn't very realistic of a common modern use case
For an environment like a small office, with viewing over the company LAN or remote viewing, a browser is a good choice. Right?
So a realistic next step: look into Hikvision NVR firmware flaws, getting root access, etc. Any thoughts?
Cheers to all :)
Pro Focus LLC | 04/13/16 11:33pm
Also, it's good to note that some (most?) NVRs have a built-in firewall, meaning the cameras aren't exposed. The NVR will be your only internet-facing host. You won't be able to see the cameras unless you are the NVR.