Dumbo, revealed by Wikileaks, has become big news.
Unfortunately, 'experts' in the security industry have gotten it wrong, incorrectly contending that Dumbo hacks IP cameras.
In this report, we examine Dumbo, the erroneous claims and the impact that such errors have on cybersecurity.
Dumbo *** *******
***********'* ********* *** ***** ***** *** Dumbo ********* * ******** *********** ******** ** log *******, **** ********, *** ******* attached ****** ******** ** ******* ********. It ** ******** ******* ** *** machine ***** *************, ********* **** * USB *****. ***** ***** ** *** as ******, ***** ***** ******* ************* access ** *** ******* ***** *************.
** ********, ********* ** ** ****** runs ** ******* *** ** ** cameras ********* **** *** *****, ****** whatever **** '*****' ******** ** ******* PCs *** ** ** *******.
No ** / *** **********
*** ***** ****** ***** ** ********* to ** ******* (** *** ** devices *** **** ******), *** *******, non-PC ***********, ** *** **** ** remote/networked ******, ***********, ** ******. ** does ******* ***/*** ******* *** ***********, as ***** ** *** ******* ******* the ********.
Erroneous **** ** *****
*** **** **** ***** ***** ** **** to ******** ******* *** *** **** many from ******* ****** ** ** * threat.
*** ******** "*********: *** ********* ** Camera ****" ******* ******** **** ***** ****** *** CIA ** "**** *** ** ******* or *********** ** * ******** ****** sending ****** **", * ***** ***** is *** ****** ** ********. *************, SDM **** ***** ** ***** ********** cyber ******** *************** ** ** *******.
*** "******** ** ****** *********"******* ********:
*** **** ************* ******* ** *****'* ************* Strategist, Matthew ********** [**** ** ****** *********], who *** *** *** **** **** ******* ******* ** ******** ******** "*** *** Disable ******** ******* ****** **********":
*** **** *** ****** ****** ** LinkedIn.
**** ****** *** ** *** ************ in *** ****, ** ***** ** defend *** *** ************** ******* ** editing *** ****:
Lots ** ****** *** **** ** *******
**** *** *** **** **** ** hack IP *******? *********. *** ** *** lots ** ****** ****** ** *** Internet. *** ****** ** ******* ** unpatched ******** *************** ******** ** ****. As *** *******, ******** *** **** ***** cameras can ** ******* ********* ** ******** ******** ************* ****** ********* ******. *** *** *** **** **** but ** **** *** ****** ** people *** *** ****** *** ******** and *** * ******.
***** ***** *** **** **** ** hack ******* ** *******, ***** ** no ******** ***** ** *** ** them.
Downside ** ******* ***** ******** *********
* *** ***** ***, ***** ******** was ****** ********* ** *** ******** industry, *** *** ** *** ****** a ******* *****. ***** *** ******* awareness ** ****, *** ******** ** that **** ************ *** ********* **** see **** ** * *** ***** to ********** **, ******* ** ****** supported ** ********** ****** ** ***** security ******* ******.
Worse **** *****'* *** ** ********
**** ** ******* **, *** ***** than, *** ***********'* *** ****** ******** ********, ***** ** ***** ********* ** actual, ************ *******. *****, *** ******** company ****** *****'* *** ***** ************ effort ********** ** *** ***** ********* for *********** ********, ************* *** **** of ***** ******** ******.
Caution ******* ** ***** ******** ******
************ ****** ******** ******* ***** ******** or ***** ****** ********** *****, *** manufacturers ******** ***** ******** ***** ******* similar ***** ** ******** ******** ** enhanced ******** ****** ** ******** **** caution ****** ******* ** **** ***********.
"SDM declared "WikiLeaks: CIA Developed IP Camera Hack" wrongly claiming that Dumbo allows the CIA to "shut off IP cameras or microphones in a building before sending agents in", a claim which is not backed up anywhere. Unfortunately, SDM also fails to cover legitimate cyber security vulnerabilities on IP cameras."
Wouldn't it be easier to just cut power to the building, or the entire block?
They could use Flashlights just like they used at the Watergate hotel
oh hang on... :D
Wouldn't it be easier to just cut power to the building, or the entire block?
Plus, I do not think the CIA has the authorization to just cut power to a building or area on demand, without some extreme justification.
Remember, the CIA doesn't undertake operations at all within the borders of the United States, so "extreme justification" may not be necessary.
-=[Insert "Security organisation" here]=-
Although I agree this does not directly hack IP cameras, it could effectively render them useless, in certain, possibly rare cases.
Brian is correct in stating that the claim that Dumbo is used to
"shut off IP cameras or microphones in a building before sending agents in"
is false.
Actually, the real purpose of Dumbo is to allow agents to remove video/audio evidence of a physical intrusion after agents have gained access, to cover their tracks. That's why it's on a thumb drive; agents carry it to all PCs and run it at the machine.
To that end, Dumbo is a tool to help discover and remove the files that webcams might be creating on the local PC by
iSpy is a program used as an example in the documentation, shown above.
iSpy can record both local webcams and remote IP cams. If an iSpy process was targeted for video corruption because of a local attached webcam, all files being recorded from any iSpy controlled camera, even remote IP cameras. IMHO.
Other VMSes that allow webcams to be recorded might be similarly impacted.
That said, I agree with the premise of this article as to the general misunderstanding and miscommunication of the purposes and intent of Dumbo.
You are correct on the finer details of Dumbo. I wanted to stay away from too much in-depth explanation of it, as that was not the main point of the report.
Still, Dumbo targets or "hacks" PCs, not cameras, and certainly not IP cameras (though maybe it would have worked on The First Windows Based IP Camera). Any non-local-to-the-PC cameras it managed to interfere with would have been by pure luck, not design. These are also points that anyone reading through the wikileads stuff should be able to figure out quickly, if they read it.
...though maybe it would have worked on The First Windows Based IP Camera).
You have to be a genius hacker to make something work on Windows Embedded CE ;)
Wikileaks may actually be the originator of the inaccurate claims, as it says this on its Dumbo home page:
It identifies installed devices like webcams and microphones, either locally or connected by wireless (Bluetooth, WiFi) or wired networks.
Yes, but it also says:
Dumbo can identify, control and manipulate monitoring and detection systems on a target computer running the Microsoft Windows operating sytem.
Tell me how you reasonably get "hacks IP cameras" out of that.
Tell me how you reasonably get "hacks IP cameras" out of that.
I don't.
But I can see your average non-security network guy thinking that a hack of a system that can control systems monitoring cameras on a wired network would essentially be a VMS hack, (even though as you said it would not do this intentionally perhaps).
Then some ignorant reporter shortens it to 'IP camera hack' and there you have it.
My guess is that if Wikileaks didn't have that erroneous statement in its description, we wouldn't have gotten 'IP camera hack' down the line.
Agree/disagree?
Then some ignorant reporter shortens it to 'IP camera hack' and there you have it.
What is your rationale for Intel's "Cybersecurity Strategist" not being able to figure out the simple truth either?
What is your rationale for Intel's "Cybersecurity Strategist" not being able to figure out the simple truth either?
Laziness? Perhaps he read this Hacker news article:
How CIA Disables Security Cameras During Hollywood-Style Operations
which is generally factual, except for
The Dumbo CIA project involves a USB thumb drive equipped with a Windows hacking tool that can identify installed webcams and microphones, either connected locally, wired or wirelessly via Bluetooth or Wi-Fi.
After the obligatory title change, 'security cameras' becomes 'IP camera' and 'disabled' becomes 'hack'.
What's your rationale?
I guess many people conflate 'webcams' and 'IP cameras' even though in common usage and technical terms, they are different.
In this industry and among anyone moderately technical, I would expect understanding this difference.
Same as the position taken in the report: people who hold themselves up as being informers or subject matter experts did not do simple research of the core materials before making their claims.
IMHO, this position is not explicitly taken in the report. Rather, you state that the "core materials" do not support the reported conclusions, for instance:
The fact that Dumbo poses no risk to security systems did not stop many from wrongly hyping it as a threat.
Yes, one reason could be a failure to 'do simple research' as you say. Another could be misinterpretation of core materials. To wit, the core materials do mention 'security systems' as a requested target of Dumbo, which confuses the issue.
Furthermore, early versions of Dumbo have the ability to target ANY PC VMS, whether they have webcams or not, thru configuration options, and thereby rendering the recordings of their associated IP cameras useless.
Again, I agree that 'IP camera hack' is inexact at best and should be called out, however there are several misleading elements in the Wiki statement and the core documents that likely aided misinterpretation of the leak.
I think that text has it correct. Dumbo is about manipulating video on a camera attached to a computer (an "installed device".) I think the press who comingled "IP camera" and "camera as a peripheral on a pc, perhaps connected to a network/the internet" got it wrong.
By the way the files themselves are spectacularly unshocking. Admin account, run the program, some care about what's in what directory. Classic 4 day slammed together windows 3.1 UI. Nothing interesting. No juicy details on what magic IOCTL you do to swipe the video. No example code on how they walk through the process tree to find the open files to detect video files to delete.
One thing I ran across in the docs (for an older version) was this:
Which I believe gives it the capability to run on arbitrary process names, such as Milestone's *VideoOS.Recording.Service.exe* for example.
