‘Experts' Fail On Dumbo IP Camera ‘Hack'

By: Brian Karas, Published on Aug 24, 2017

Dumbo, revealed by Wikileaks, has become big news.

Unfortunately, 'experts' in the security industry have gotten it wrong, incorrectly contending that Dumbo hacks IP cameras.

In this report, we examine Dumbo, the erroneous claims and the impact that such errors have on cybersecurity.

*****, ******** ** *********, *** ****** *** news.

*************, '*******' ** *** security ******** **** ****** it *****, *********** ********** that ***** ***** ** cameras.

** **** ******, ** examine *****, *** ********* claims *** *** ****** that **** ****** **** on *************.

[***************]

Dumbo *** *******

***********'* ********* *** ***** Guide *** ***** ********* * ******** *********** designed ** *** *******, file ********, *** ******* attached ****** ******** ** Windows ********. ** ** executed ******* ** *** machine ***** *************, ********* from * *** *****. Dumbo ***** ** *** as ******, ***** ***** require ************* ****** ** the ******* ***** *************.

** ********, ********* ** IP ****** **** ** Windows *** ** ** cameras ********* **** *** ports, ****** ******** **** 'Dumbo' ******** ** ******* PCs *** ** ** cameras.

No ** / *** **********

*** ***** ****** ***** no ********* ** ** cameras (** *** ** devices *** **** ******), IoT *******, ***-** ***********, or *** **** ** remote/networked ******, ***********, ** device. ** **** ******* web/USB ******* *** ***********, as ***** ** *** machine ******* *** ********.

Erroneous **** ** *****

*** **** **** ***** poses ** **** ** ******** systems *** *** **** many from ******* ****** ** as * ******.

*** ******** "*********: *** Developed ** ****** ****" ******* ******** **** ***** allows *** *** ** "shut *** ** ******* or *********** ** * building ****** ******* ****** in", * ***** ***** is *** ****** ** anywhere. *************, *** **** fails ** ***** ********** cyber ******** *************** ** IP *******.

*** "******** ** ****** Institute"******* ********:

*** **** ************* ******* ** Intel's ************* **********, ******* **********, *** *** *** *** **** **** keynote ******* ** ******** ******** "CIA *** ******* ******** Cameras ****** **********":

*** **** *** ****** shared ** ********.

**** ****** *** ** the ************ ** *** post, ** ***** ** defend *** *** ************** instead ** ******* *** post:

 

Lots ** ****** *** **** ** *******

**** *** *** **** ways ** **** ** *******? Certainly. *** ** *** lots ** ****** ****** on *** ********. *** number ** ******* ** unpatched ******** *************** ******** to ****. ** *** example, ******** *** **** ***** cameras can ** ******* ********* by ******** ******** ************* ****** available ******. *** *** *** have **** *** ** does *** ****** ** people *** *** ****** the ******** *** *** a ******.

***** ***** *** **** ways ** **** ******* IP *******, ***** ** no ******** ***** ** one ** ****.

Downside ** ******* ***** ******** *********

* *** ***** ***, cyber ******** *** ****** mentioned ** *** ******** industry, *** *** ** has ****** * ******* topic. ***** *** ******* awareness ** ****, *** downside ** **** **** publications *** ********* **** see **** ** * hot ***** ** ********** on, ******* ** ****** supported ** ********** ****** on ***** ******** ******* topics.

Worse **** *****'* *** ** ********

**** ** ******* **, but ***** ****, *** recent*****'* *** ****** ******** campaign, ***** ** ***** described ** ******, ************ exploit. *****, *** ******** company ****** *****'* *** spent ************ ****** ********** to *** ***** ********* for *********** ********, ************* the **** ** ***** security ******.

Caution ******* ** ***** ******** ******

************ ****** ******** ******* clear ******** ** ***** direct ********** *****, *** manufacturers ******** ***** ******** focus ******* ******* ***** or ******** ******** ** enhanced ******** ****** ** regarded **** ******* ****** relying ** **** ***********.

Comments (20)

Undisclosed Manufacturer #1

08/24/17 02:23pm

"SDM declared "WikiLeaks: CIA Developed IP Camera Hack" wrongly claiming that Dumbo allows the CIA to "shut off IP cameras or microphones in a building before sending agents in", a claim which is not backed up anywhere. Unfortunately, SDM also fails to cover legitimate cyber security vulnerabilities on IP cameras."

 

Wouldn't it be easier to just cut power to the building, or the entire block?

Undisclosed Manufacturer #2

In reply to Undisclosed Manufacturer #1 | 08/24/17 02:31pm

No, because then they would trip and fall!

Undisclosed Integrator #5

In reply to Undisclosed Manufacturer #2 | 08/24/17 09:48pm

They could use Flashlights just like they used at the Watergate hotel

oh hang on... :D

 

 

Undisclosed Manufacturer #2

In reply to Undisclosed Integrator #5 | 08/24/17 09:57pm

Look how well that turned out

Avatar

Brian Karas

IPVM | In reply to Undisclosed Manufacturer #1 | 08/24/17 02:32pm

Wouldn't it be easier to just cut power to the building, or the entire block?

Undisclosed #3

In reply to Brian Karas | 08/24/17 04:06pm

Plus, I do not think the CIA has the authorization to just cut power to a building or area on demand, without some extreme justification.

Remember, the CIA doesn't undertake operations at all within the borders of the United States, so "extreme justification" may not be necessary.

Undisclosed End User #4

08/24/17 08:21pm

           -=[Insert "Security organisation" here]=-

d'oh

Undisclosed #3

08/24/17 08:33pm

Although I agree this does not directly hack IP cameras, it could effectively render them useless, in certain, possibly rare cases.

Brian is correct in stating that the claim that Dumbo is used to

"shut off IP cameras or microphones in a building before sending agents in"

is false.

Actually, the real purpose of Dumbo is to allow agents to remove video/audio evidence of a physical intrusion after agents have gained access, to cover their tracks.  That's why it's on a thumb drive; agents carry it to all PCs and run it at the machine.

To that end, Dumbo is a tool to help discover and remove the files that webcams might be creating on the local PC by

  1. Identifying the webcams/microphones 
  2. Identifying the processes associated with those devices 
  3. Identifying the data files associated with those processes
  4. Altering/removing those files

iSpy is a program used as an example in the documentation, shown above.

iSpy can record both local webcams and remote IP cams.  If an iSpy process was targeted for video corruption because of a local attached webcam, all files being recorded from any iSpy controlled camera, even remote IP cameras.  IMHO.

Other VMSes that allow webcams to be recorded might be similarly impacted.

That said, I agree with the premise of this article as to the general misunderstanding and miscommunication of the purposes and intent of Dumbo.

 

Avatar

Brian Karas

IPVM | In reply to Undisclosed #3 | 08/24/17 09:05pm

You are correct on the finer details of Dumbo. I wanted to stay away from too much in-depth explanation of it, as that was not the main point of the report. 

Still, Dumbo targets or "hacks" PCs, not cameras, and certainly not IP cameras (though maybe it would have worked on The First Windows Based IP Camera). Any non-local-to-the-PC cameras it managed to interfere with would have been by pure luck, not design. These are also points that anyone reading through the wikileads stuff should be able to figure out quickly, if they read it.

 

Undisclosed #3

In reply to Brian Karas | 08/24/17 10:08pm

...though maybe it would have worked on The First Windows Based IP Camera). 

You have to be a genius hacker to make something work on Windows Embedded CE ;)

Undisclosed #3

08/24/17 10:56pm

Wikileaks may actually be the originator of the inaccurate claims, as it says this on its Dumbo home page:

It identifies installed devices like webcams and microphones, either locally or connected by wireless (Bluetooth, WiFi) or wired networks.

 

Avatar

Brian Karas

IPVM | In reply to Undisclosed #3 | 08/24/17 11:15pm

Yes, but it also says:

Dumbo can identify, control and manipulate monitoring and detection systems on a target computer running the Microsoft Windows operating sytem.

Tell me how you reasonably get "hacks IP cameras" out of that.

 

Undisclosed #3

In reply to Brian Karas | 08/25/17 01:17am

Tell me how you reasonably get "hacks IP cameras" out of that.

I don't.  

But I can see your average non-security network guy thinking that a hack of a system that can control systems monitoring cameras on a wired network would essentially be a VMS hack, (even though as you said it would not do this intentionally perhaps).

Then some ignorant reporter shortens it to 'IP camera hack' and there you have it.

My guess is that if Wikileaks didn't have that erroneous statement in its description, we wouldn't have gotten 'IP camera hack' down the line.

Agree/disagree?

 

Avatar

Brian Karas

IPVM | In reply to Undisclosed #3 | 08/25/17 01:52am

Then some ignorant reporter shortens it to 'IP camera hack' and there you have it.

What is your rationale for Intel's "Cybersecurity Strategist" not being able to figure out the simple truth either?

Undisclosed #3

In reply to Brian Karas | 08/25/17 05:57am

What is your rationale for Intel's "Cybersecurity Strategist" not being able to figure out the simple truth either?

Laziness? Perhaps he read this Hacker news article:

How CIA Disables Security Cameras During Hollywood-Style Operations

which is generally factual, except for 

  1. The title saying 'Security Cameras'
  2. The composed graphic shown with the article
  3. This misinformation copied from the Wikileaks Dumbo home page:

The Dumbo CIA project involves a USB thumb drive equipped with a Windows hacking tool that can identify installed webcams and microphones, either connected locally, wired or wirelessly via Bluetooth or Wi-Fi.

After the obligatory title change, 'security cameras' becomes 'IP camera' and 'disabled' becomes 'hack'.

What's your rationale?

Avatar

Brian Karas

IPVM | In reply to Undisclosed #3 | 08/25/17 10:58am

What's your rationale?

 
Same as the position taken in the report: people who hold themselves up as being informers or subject matter experts did not do simple research of the core materials before making their claims.
 
 
 

John Honovich

IPVM | In reply to Brian Karas | 08/25/17 11:44am

I guess many people conflate 'webcams' and 'IP cameras' even though in common usage and technical terms, they are different.

In this industry and among anyone moderately technical, I would expect understanding this difference.

Undisclosed #3

In reply to Brian Karas | 08/26/17 09:58pm

Same as the position taken in the report: people who hold themselves up as being informers or subject matter experts did not do simple research of the core materials before making their claims.

IMHO, this position is not explicitly taken in the report. Rather, you state that the "core materials" do not support the reported conclusions, for instance:

The fact that Dumbo poses no risk to security systems did not stop many from wrongly hyping it as a threat.

Yes, one reason could be a failure to 'do simple research' as you say.  Another could be misinterpretation of core materials.  To wit, the core materials do mention 'security systems' as a requested target of Dumbo, which confuses the issue.

Furthermore, early versions of Dumbo have the ability to target ANY PC VMS, whether they have webcams or not, thru configuration options, and thereby rendering the recordings of their associated IP cameras useless.

Again, I agree that 'IP camera hack' is inexact at best and should be called out, however there are several misleading elements in the Wiki statement and the core documents that likely aided misinterpretation of the leak.

 

Rodney Thayer

In reply to Undisclosed #3 | 08/30/17 10:25pm

I think that text has it correct.  Dumbo is about manipulating video on a camera attached to a computer (an "installed device".)  I think the press who comingled "IP camera" and "camera as a peripheral on a pc, perhaps connected to a network/the internet" got it wrong.

By the way the files themselves are spectacularly unshocking.  Admin account, run the program, some care about what's in what directory.  Classic 4 day slammed together windows 3.1 UI.  Nothing interesting.  No juicy details on what magic IOCTL you do to swipe the video.  No example code on how they walk through the process tree to find the open files to detect video files to delete. 

 

Undisclosed #3

In reply to Rodney Thayer | 08/30/17 11:10pm

One thing I ran across in the docs (for an older version) was this:

Which I believe gives it the capability to run on arbitrary process names, such as Milestone's  *VideoOS.Recording.Service.exe* for example.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Last Chance - Register Now - October 2019 IP Networking Course on Oct 10, 2019
Last Chance - Register Now - Fall 2019 IP Networking Course. The course starts next week. This is the only networking course designed...
Critical Vulnerability Across 18+ Network Switch Vendors: Cisco, Netgear, More on Aug 26, 2019
Cisco, Netgear and more than a dozen other brands, including small Asian ones, have been found to share the same critical vulnerability, discovered...
Dahua Wiretapping Vulnerability on Aug 02, 2019
IPVM has validated, with testing, and from Dahua, that many Dahua cameras have a wiretapping vulnerability. Even if the camera's audio has been...
"Stats Don't Lie" Says Deceptive IFSEC on Jul 30, 2019
While IFSEC has declared #statsdontlie and trumpeted seemingly skyrocketing visitor numbers, they are decieving about their show's problems. On...
Hikvision: In China, We Obey PRC Human Rights Law on May 28, 2019
Hikvision defended its activities in Xinjiang, where the PRC is accused of mass human rights abuses, by stating that human rights have a “varied...
LifeSafety Power NetLink Vulnerabilities And Problematic Response on May 20, 2019
'Power supplies' are not devices that many think about when considering vulnerabilities but as more and more devices go 'online', the risks for...
Inside Look Into Scam Market Research on May 17, 2019
Scam market research has exploded over the last few years becoming the most commonly cited 'statistics' for most industries, despite there clearly...
Verkada False Allegations Against Avigilon Exposed on May 08, 2019
Verkada has leveled false allegations against Avigilon, as part of their aggressive marketing tactics against the 'dinosaurs' in the 'ancient'...
Verkada Salesman: IPVM "Stuck In A The Stone Age" on Apr 25, 2019
Verkada is 'tackling dinosaurs' and battling those, like IPVM, who are 'stuck in a the stone age'. Verkada's recent sales recruiting promotion...
The Embarrassing Story of ISC West's Best New IP Camera on Apr 24, 2019
A sad but simple situation: Only 2 companies paid SIA the thousands of dollars required to compete for the best new 'cameras IP' The judges...

Most Recent Industry Reports

Alarm Veteran "Demands A Criminal Investigation" Of UL on Oct 18, 2019
The Interceptor's Project pressure against UL continues to rise. Following Keith Jentoft's allegation that "UL Has Blood On Their Hands", Jentoft...
Camect "Worlds Smartest Camera Hub" Tested on Oct 18, 2019
Camect is a Silicon Valley startup that claims the "Smartest AI Object Detection On The Market", detecting not only people and vehicles, but...
Hikvision Global News Reports Directory on Oct 17, 2019
Hikvision has received the most global news reporting of any video surveillance company, ever, ranging from the WSJ, the Financial Times, Reuters,...
Camera Calculator V3.1 Release Improves User Experience on Oct 17, 2019
IPVM has released a new version of our Camera Calculator, V3.1, with significant user experience improvements, a new development plan, and an...
Securing Access Control Installations Tutorial on Oct 17, 2019
The physical security of access control components is critical to ensuring that a facility is truly secure. Otherwise, the entire system can be...
Access Control Course Fall 2019 - Last Chance on Oct 17, 2019
Register Now - Fall 2019 Access Control Course. Thursday, October 17th is the last day to register. IPVM offers the most comprehensive access...
US DoD Comments on Huawei, Hikvision, Dahua Cyber Security Concerns on Oct 16, 2019
A senior DoD official said the US is "concerned" with the cybersecurity of Hikvision, Dahua, and Huawei due to "CCP" (China Communist Party)...
Pelco Sarix Pro3 Camera Tested on Oct 16, 2019
Pelco has released their Sarix Professional Series 3 cameras, claiming "more security detail in challenging scenes with excellent low light and...
IPVM Camera Calculator User Manual / Guide on Oct 16, 2019
Learn how to use the IPVM Camera Calculator. The guide below includes instructions, images, gifs, and videos demonstrating and explaining the...
Altronix Claims Tango 'Eliminates Electricians' on Oct 15, 2019
Power supply provider Altronix claims its new Tango power supply 'eliminates the need for an electrician, dedicated conduit and wire runs'. In...

What IPVM Is

The world's leading authority on video surveillance, with 200,000+ visits monthly.

  • Articles on cameras, video analytics, VMS, and trends
  • Tests showing actual performance and problems
  • Courses in surveillance, access control, etc
  • Camera Calculator for designing systems

Dedicated To Independence

We're dedicated to staying independent and objective. We're the only industry source to refuse any and all advertisements, sponsorship, and consulting from manufacturers. Why?