‘Experts' Fail On Dumbo IP Camera ‘Hack'

By Brian Karas, Published Aug 24, 2017, 10:12am EDT

Dumbo, revealed by Wikileaks, has become big news.

Unfortunately, 'experts' in the security industry have gotten it wrong, incorrectly contending that Dumbo hacks IP cameras.

In this report, we examine Dumbo, the erroneous claims and the impact that such errors have on cybersecurity.

Dumbo *** *******

***********'* ********* *** ***** Guide *** ***** ********* * ******** *********** designed ** *** *******, file ********, *** ******* attached ****** ******** ** Windows ********. ** ** executed ******* ** *** machine ***** *************, ********* from * *** *****. Dumbo ***** ** *** as ******, ***** ***** require ************* ****** ** the ******* ***** *************.

** ********, ********* ** IP ****** **** ** Windows *** ** ** cameras ********* **** *** ports, ****** ******** **** 'Dumbo' ******** ** ******* PCs *** ** ** cameras.

No ** / *** **********

*** ***** ****** ***** no ********* ** ** cameras (** *** ** devices *** **** ******), IoT *******, ***-** ***********, or *** **** ** remote/networked ******, ***********, ** device. ** **** ******* web/USB ******* *** ***********, as ***** ** *** machine ******* *** ********.

Erroneous **** ** *****

*** **** **** ***** poses ** **** ** ******** systems *** *** **** many from ******* ****** ** as * ******.

*** ******** "*********: *** Developed ** ****** ****" ******* ******** **** ***** allows *** *** ** "shut *** ** ******* or *********** ** * building ****** ******* ****** in", * ***** ***** is *** ****** ** anywhere. *************, *** **** fails ** ***** ********** cyber ******** *************** ** IP *******.

*** "******** ** ****** Institute"******* ********:

*** **** ************* ******* ** Intel's ************* **********, ******* ********** [link ** ****** *********], who *** *** *** **** **** keynote ******* ** ******** ******** "CIA *** ******* ******** Cameras ****** **********":

*** **** *** ****** shared ** ********.

**** ****** *** ** the ************ ** *** post, ** ***** ** defend *** *** ************** instead ** ******* *** post:

 

Lots ** ****** *** **** ** *******

**** *** *** **** ways ** **** ** *******? Certainly. *** ** *** lots ** ****** ****** on *** ********. *** number ** ******* ** unpatched ******** *************** ******** to ****. ** *** example, ******** *** **** ***** cameras can ** ******* ********* by ******** ******** ************* ****** available ******. *** *** *** have **** *** ** does *** ****** ** people *** *** ****** the ******** *** *** a ******.

***** ***** *** **** ways ** **** ******* IP *******, ***** ** no ******** ***** ** one ** ****.

Downside ** ******* ***** ******** *********

* *** ***** ***, cyber ******** *** ****** mentioned ** *** ******** industry, *** *** ** has ****** * ******* topic. ***** *** ******* awareness ** ****, *** downside ** **** **** publications *** ********* **** see **** ** * hot ***** ** ********** on, ******* ** ****** supported ** ********** ****** on ***** ******** ******* topics.

Worse **** *****'* *** ** ********

**** ** ******* **, but ***** ****, *** recent*****'* *** ****** ******** campaign, ***** ** ***** described ** ******, ************ exploit. *****, *** ******** company ****** *****'* *** spent ************ ****** ********** to *** ***** ********* for *********** ********, ************* the **** ** ***** security ******.

Caution ******* ** ***** ******** ******

************ ****** ******** ******* clear ******** ** ***** direct ********** *****, *** manufacturers ******** ***** ******** focus ******* ******* ***** or ******** ******** ** enhanced ******** ****** ** regarded **** ******* ****** relying ** **** ***********.

Comments (20)

Undisclosed Manufacturer #1

08/24/17 02:23pm

"SDM declared "WikiLeaks: CIA Developed IP Camera Hack" wrongly claiming that Dumbo allows the CIA to "shut off IP cameras or microphones in a building before sending agents in", a claim which is not backed up anywhere. Unfortunately, SDM also fails to cover legitimate cyber security vulnerabilities on IP cameras."

 

Wouldn't it be easier to just cut power to the building, or the entire block?

Agree: 2
Disagree
Informative
Unhelpful
Funny

Undisclosed Manufacturer #2

In reply to Undisclosed Manufacturer #1 | 08/24/17 02:31pm

No, because then they would trip and fall!

Agree
Disagree
Informative
Unhelpful
Funny: 1

Undisclosed Integrator #5

In reply to Undisclosed Manufacturer #2 | 08/24/17 09:48pm

They could use Flashlights just like they used at the Watergate hotel

oh hang on... :D

 

 

Agree
Disagree
Informative
Unhelpful: 1
Funny: 1

Undisclosed Manufacturer #2

In reply to Undisclosed Integrator #5 | 08/24/17 09:57pm

Look how well that turned out

Agree
Disagree
Informative
Unhelpful: 1
Funny
Avatar

Brian Karas

IPVM | In reply to Undisclosed Manufacturer #1 | 08/24/17 02:32pm

Wouldn't it be easier to just cut power to the building, or the entire block?

Agree
Disagree: 1
Informative: 1
Unhelpful
Funny

Undisclosed #3

IPVMU Certified | In reply to Brian Karas | 08/24/17 04:06pm

Plus, I do not think the CIA has the authorization to just cut power to a building or area on demand, without some extreme justification.

Remember, the CIA doesn't undertake operations at all within the borders of the United States, so "extreme justification" may not be necessary.

Agree: 1
Disagree
Informative
Unhelpful
Funny: 1

Undisclosed End User #4

08/24/17 08:21pm

           -=[Insert "Security organisation" here]=-

d'oh

Agree: 1
Disagree
Informative
Unhelpful: 1
Funny: 5

Undisclosed #3

IPVMU Certified | 08/24/17 08:33pm

Although I agree this does not directly hack IP cameras, it could effectively render them useless, in certain, possibly rare cases.

Brian is correct in stating that the claim that Dumbo is used to

"shut off IP cameras or microphones in a building before sending agents in"

is false.

Actually, the real purpose of Dumbo is to allow agents to remove video/audio evidence of a physical intrusion after agents have gained access, to cover their tracks.  That's why it's on a thumb drive; agents carry it to all PCs and run it at the machine.

To that end, Dumbo is a tool to help discover and remove the files that webcams might be creating on the local PC by

  1. Identifying the webcams/microphones 
  2. Identifying the processes associated with those devices 
  3. Identifying the data files associated with those processes
  4. Altering/removing those files

iSpy is a program used as an example in the documentation, shown above.

iSpy can record both local webcams and remote IP cams.  If an iSpy process was targeted for video corruption because of a local attached webcam, all files being recorded from any iSpy controlled camera, even remote IP cameras.  IMHO.

Other VMSes that allow webcams to be recorded might be similarly impacted.

That said, I agree with the premise of this article as to the general misunderstanding and miscommunication of the purposes and intent of Dumbo.

 

Agree
Disagree
Informative: 1
Unhelpful
Funny
Avatar

Brian Karas

IPVM | In reply to Undisclosed #3 | 08/24/17 09:05pm

You are correct on the finer details of Dumbo. I wanted to stay away from too much in-depth explanation of it, as that was not the main point of the report. 

Still, Dumbo targets or "hacks" PCs, not cameras, and certainly not IP cameras (though maybe it would have worked on The First Windows Based IP Camera). Any non-local-to-the-PC cameras it managed to interfere with would have been by pure luck, not design. These are also points that anyone reading through the wikileads stuff should be able to figure out quickly, if they read it.

 

Agree: 2
Disagree
Informative
Unhelpful
Funny

Undisclosed #3

IPVMU Certified | In reply to Brian Karas | 08/24/17 10:08pm

...though maybe it would have worked on The First Windows Based IP Camera). 

You have to be a genius hacker to make something work on Windows Embedded CE ;)

Agree: 1
Disagree
Informative
Unhelpful
Funny: 4

Undisclosed #3

IPVMU Certified | 08/24/17 10:56pm

Wikileaks may actually be the originator of the inaccurate claims, as it says this on its Dumbo home page:

It identifies installed devices like webcams and microphones, either locally or connected by wireless (Bluetooth, WiFi) or wired networks.

 

Agree
Disagree
Informative
Unhelpful
Funny
Avatar

Brian Karas

IPVM | In reply to Undisclosed #3 | 08/24/17 11:15pm

Yes, but it also says:

Dumbo can identify, control and manipulate monitoring and detection systems on a target computer running the Microsoft Windows operating sytem.

Tell me how you reasonably get "hacks IP cameras" out of that.

 

Agree: 1
Disagree
Informative: 1
Unhelpful
Funny

Undisclosed #3

IPVMU Certified | In reply to Brian Karas | 08/25/17 01:17am

Tell me how you reasonably get "hacks IP cameras" out of that.

I don't.  

But I can see your average non-security network guy thinking that a hack of a system that can control systems monitoring cameras on a wired network would essentially be a VMS hack, (even though as you said it would not do this intentionally perhaps).

Then some ignorant reporter shortens it to 'IP camera hack' and there you have it.

My guess is that if Wikileaks didn't have that erroneous statement in its description, we wouldn't have gotten 'IP camera hack' down the line.

Agree/disagree?

 

Agree
Disagree
Informative
Unhelpful
Funny
Avatar

Brian Karas

IPVM | In reply to Undisclosed #3 | 08/25/17 01:52am

Then some ignorant reporter shortens it to 'IP camera hack' and there you have it.

What is your rationale for Intel's "Cybersecurity Strategist" not being able to figure out the simple truth either?

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed #3

IPVMU Certified | In reply to Brian Karas | 08/25/17 05:57am

What is your rationale for Intel's "Cybersecurity Strategist" not being able to figure out the simple truth either?

Laziness? Perhaps he read this Hacker news article:

How CIA Disables Security Cameras During Hollywood-Style Operations

which is generally factual, except for 

  1. The title saying 'Security Cameras'
  2. The composed graphic shown with the article
  3. This misinformation copied from the Wikileaks Dumbo home page:

The Dumbo CIA project involves a USB thumb drive equipped with a Windows hacking tool that can identify installed webcams and microphones, either connected locally, wired or wirelessly via Bluetooth or Wi-Fi.

After the obligatory title change, 'security cameras' becomes 'IP camera' and 'disabled' becomes 'hack'.

What's your rationale?

Agree
Disagree
Informative
Unhelpful
Funny
Avatar

Brian Karas

IPVM | In reply to Undisclosed #3 | 08/25/17 10:58am

What's your rationale?

 
Same as the position taken in the report: people who hold themselves up as being informers or subject matter experts did not do simple research of the core materials before making their claims.
 
 
 
Agree
Disagree
Informative
Unhelpful
Funny

John Honovich

IPVM | In reply to Brian Karas | 08/25/17 11:44am

I guess many people conflate 'webcams' and 'IP cameras' even though in common usage and technical terms, they are different.

In this industry and among anyone moderately technical, I would expect understanding this difference.

Agree: 4
Disagree
Informative
Unhelpful
Funny

Undisclosed #3

IPVMU Certified | In reply to Brian Karas | 08/26/17 09:58pm

Same as the position taken in the report: people who hold themselves up as being informers or subject matter experts did not do simple research of the core materials before making their claims.

IMHO, this position is not explicitly taken in the report. Rather, you state that the "core materials" do not support the reported conclusions, for instance:

The fact that Dumbo poses no risk to security systems did not stop many from wrongly hyping it as a threat.

Yes, one reason could be a failure to 'do simple research' as you say.  Another could be misinterpretation of core materials.  To wit, the core materials do mention 'security systems' as a requested target of Dumbo, which confuses the issue.

Furthermore, early versions of Dumbo have the ability to target ANY PC VMS, whether they have webcams or not, thru configuration options, and thereby rendering the recordings of their associated IP cameras useless.

Again, I agree that 'IP camera hack' is inexact at best and should be called out, however there are several misleading elements in the Wiki statement and the core documents that likely aided misinterpretation of the leak.

 

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed

In reply to Undisclosed #3 | 08/30/17 10:25pm

I think that text has it correct.  Dumbo is about manipulating video on a camera attached to a computer (an "installed device".)  I think the press who comingled "IP camera" and "camera as a peripheral on a pc, perhaps connected to a network/the internet" got it wrong.

By the way the files themselves are spectacularly unshocking.  Admin account, run the program, some care about what's in what directory.  Classic 4 day slammed together windows 3.1 UI.  Nothing interesting.  No juicy details on what magic IOCTL you do to swipe the video.  No example code on how they walk through the process tree to find the open files to detect video files to delete. 

 

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed #3

IPVMU Certified | In reply to Undisclosed | 08/30/17 11:10pm

One thing I ran across in the docs (for an older version) was this:

Which I believe gives it the capability to run on arbitrary process names, such as Milestone's  *VideoOS.Recording.Service.exe* for example.

Agree
Disagree
Informative
Unhelpful
Funny
Read this IPVM report for free.

This article is part of IPVM's 7,098 reports and 941 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports