‘Experts' Fail On Dumbo IP Camera ‘Hack'

By: Brian Karas, Published on Aug 24, 2017

Dumbo, revealed by Wikileaks, has become big news.

Unfortunately, 'experts' in the security industry have gotten it wrong, incorrectly contending that Dumbo hacks IP cameras.

In this report, we examine Dumbo, the erroneous claims and the impact that such errors have on cybersecurity.

Dumbo *** *******

***********'* ********* *** ***** Guide *** ***** ********* * ******** *********** designed ** *** *******, file ********, *** ******* attached ****** ******** ** Windows ********. ** ** executed ******* ** *** machine ***** *************, ********* from * *** *****. Dumbo ***** ** *** as ******, ***** ***** require ************* ****** ** the ******* ***** *************.

** ********, ********* ** IP ****** **** ** Windows *** ** ** cameras ********* **** *** ports, ****** ******** **** 'Dumbo' ******** ** ******* PCs *** ** ** cameras.

No ** / *** **********

*** ***** ****** ***** no ********* ** ** cameras (** *** ** devices *** **** ******), IoT *******, ***-** ***********, or *** **** ** remote/networked ******, ***********, ** device. ** **** ******* web/USB ******* *** ***********, as ***** ** *** machine ******* *** ********.

Erroneous **** ** *****

*** **** **** ***** poses ** **** ** ******** systems *** *** **** many from ******* ****** ** as * ******.

*** ******** "*********: *** Developed ** ****** ****" ******* ******** **** ***** allows *** *** ** "shut *** ** ******* or *********** ** * building ****** ******* ****** in", * ***** ***** is *** ****** ** anywhere. *************, *** **** fails ** ***** ********** cyber ******** *************** ** IP *******.

*** "******** ** ****** Institute"******* ********:

*** **** ************* ******* ** Intel's ************* **********, ******* ********** [link ** ****** *********], who *** *** *** **** **** keynote ******* ** ******** ******** "CIA *** ******* ******** Cameras ****** **********":

*** **** *** ****** shared ** ********.

**** ****** *** ** the ************ ** *** post, ** ***** ** defend *** *** ************** instead ** ******* *** post:

 

Lots ** ****** *** **** ** *******

**** *** *** **** ways ** **** ** *******? Certainly. *** ** *** lots ** ****** ****** on *** ********. *** number ** ******* ** unpatched ******** *************** ******** to ****. ** *** example, ******** *** **** ***** cameras can ** ******* ********* by ******** ******** ************* ****** available ******. *** *** *** have **** *** ** does *** ****** ** people *** *** ****** the ******** *** *** a ******.

***** ***** *** **** ways ** **** ******* IP *******, ***** ** no ******** ***** ** one ** ****.

Downside ** ******* ***** ******** *********

* *** ***** ***, cyber ******** *** ****** mentioned ** *** ******** industry, *** *** ** has ****** * ******* topic. ***** *** ******* awareness ** ****, *** downside ** **** **** publications *** ********* **** see **** ** * hot ***** ** ********** on, ******* ** ****** supported ** ********** ****** on ***** ******** ******* topics.

Worse **** *****'* *** ** ********

**** ** ******* **, but ***** ****, *** recent*****'* *** ****** ******** campaign, ***** ** ***** described ** ******, ************ exploit. *****, *** ******** company ****** *****'* *** spent ************ ****** ********** to *** ***** ********* for *********** ********, ************* the **** ** ***** security ******.

Caution ******* ** ***** ******** ******

************ ****** ******** ******* clear ******** ** ***** direct ********** *****, *** manufacturers ******** ***** ******** focus ******* ******* ***** or ******** ******** ** enhanced ******** ****** ** regarded **** ******* ****** relying ** **** ***********.

Comments (20)

Undisclosed Manufacturer #1

08/24/17 02:23pm

"SDM declared "WikiLeaks: CIA Developed IP Camera Hack" wrongly claiming that Dumbo allows the CIA to "shut off IP cameras or microphones in a building before sending agents in", a claim which is not backed up anywhere. Unfortunately, SDM also fails to cover legitimate cyber security vulnerabilities on IP cameras."

 

Wouldn't it be easier to just cut power to the building, or the entire block?

Undisclosed Manufacturer #2

In reply to Undisclosed Manufacturer #1 | 08/24/17 02:31pm

No, because then they would trip and fall!

Undisclosed Integrator #5

In reply to Undisclosed Manufacturer #2 | 08/24/17 09:48pm

They could use Flashlights just like they used at the Watergate hotel

oh hang on... :D

 

 

Undisclosed Manufacturer #2

In reply to Undisclosed Integrator #5 | 08/24/17 09:57pm

Look how well that turned out

Avatar

Brian Karas

IPVM | In reply to Undisclosed Manufacturer #1 | 08/24/17 02:32pm

Wouldn't it be easier to just cut power to the building, or the entire block?

Undisclosed #3

In reply to Brian Karas | 08/24/17 04:06pm

Plus, I do not think the CIA has the authorization to just cut power to a building or area on demand, without some extreme justification.

Remember, the CIA doesn't undertake operations at all within the borders of the United States, so "extreme justification" may not be necessary.

Undisclosed End User #4

08/24/17 08:21pm

           -=[Insert "Security organisation" here]=-

d'oh

Undisclosed #3

08/24/17 08:33pm

Although I agree this does not directly hack IP cameras, it could effectively render them useless, in certain, possibly rare cases.

Brian is correct in stating that the claim that Dumbo is used to

"shut off IP cameras or microphones in a building before sending agents in"

is false.

Actually, the real purpose of Dumbo is to allow agents to remove video/audio evidence of a physical intrusion after agents have gained access, to cover their tracks.  That's why it's on a thumb drive; agents carry it to all PCs and run it at the machine.

To that end, Dumbo is a tool to help discover and remove the files that webcams might be creating on the local PC by

  1. Identifying the webcams/microphones 
  2. Identifying the processes associated with those devices 
  3. Identifying the data files associated with those processes
  4. Altering/removing those files

iSpy is a program used as an example in the documentation, shown above.

iSpy can record both local webcams and remote IP cams.  If an iSpy process was targeted for video corruption because of a local attached webcam, all files being recorded from any iSpy controlled camera, even remote IP cameras.  IMHO.

Other VMSes that allow webcams to be recorded might be similarly impacted.

That said, I agree with the premise of this article as to the general misunderstanding and miscommunication of the purposes and intent of Dumbo.

 

Avatar

Brian Karas

IPVM | In reply to Undisclosed #3 | 08/24/17 09:05pm

You are correct on the finer details of Dumbo. I wanted to stay away from too much in-depth explanation of it, as that was not the main point of the report. 

Still, Dumbo targets or "hacks" PCs, not cameras, and certainly not IP cameras (though maybe it would have worked on The First Windows Based IP Camera). Any non-local-to-the-PC cameras it managed to interfere with would have been by pure luck, not design. These are also points that anyone reading through the wikileads stuff should be able to figure out quickly, if they read it.

 

Undisclosed #3

In reply to Brian Karas | 08/24/17 10:08pm

...though maybe it would have worked on The First Windows Based IP Camera). 

You have to be a genius hacker to make something work on Windows Embedded CE ;)

Undisclosed #3

08/24/17 10:56pm

Wikileaks may actually be the originator of the inaccurate claims, as it says this on its Dumbo home page:

It identifies installed devices like webcams and microphones, either locally or connected by wireless (Bluetooth, WiFi) or wired networks.

 

Avatar

Brian Karas

IPVM | In reply to Undisclosed #3 | 08/24/17 11:15pm

Yes, but it also says:

Dumbo can identify, control and manipulate monitoring and detection systems on a target computer running the Microsoft Windows operating sytem.

Tell me how you reasonably get "hacks IP cameras" out of that.

 

Undisclosed #3

In reply to Brian Karas | 08/25/17 01:17am

Tell me how you reasonably get "hacks IP cameras" out of that.

I don't.  

But I can see your average non-security network guy thinking that a hack of a system that can control systems monitoring cameras on a wired network would essentially be a VMS hack, (even though as you said it would not do this intentionally perhaps).

Then some ignorant reporter shortens it to 'IP camera hack' and there you have it.

My guess is that if Wikileaks didn't have that erroneous statement in its description, we wouldn't have gotten 'IP camera hack' down the line.

Agree/disagree?

 

Avatar

Brian Karas

IPVM | In reply to Undisclosed #3 | 08/25/17 01:52am

Then some ignorant reporter shortens it to 'IP camera hack' and there you have it.

What is your rationale for Intel's "Cybersecurity Strategist" not being able to figure out the simple truth either?

Undisclosed #3

In reply to Brian Karas | 08/25/17 05:57am

What is your rationale for Intel's "Cybersecurity Strategist" not being able to figure out the simple truth either?

Laziness? Perhaps he read this Hacker news article:

How CIA Disables Security Cameras During Hollywood-Style Operations

which is generally factual, except for 

  1. The title saying 'Security Cameras'
  2. The composed graphic shown with the article
  3. This misinformation copied from the Wikileaks Dumbo home page:

The Dumbo CIA project involves a USB thumb drive equipped with a Windows hacking tool that can identify installed webcams and microphones, either connected locally, wired or wirelessly via Bluetooth or Wi-Fi.

After the obligatory title change, 'security cameras' becomes 'IP camera' and 'disabled' becomes 'hack'.

What's your rationale?

Avatar

Brian Karas

IPVM | In reply to Undisclosed #3 | 08/25/17 10:58am

What's your rationale?

 
Same as the position taken in the report: people who hold themselves up as being informers or subject matter experts did not do simple research of the core materials before making their claims.
 
 
 

John Honovich

IPVM | In reply to Brian Karas | 08/25/17 11:44am

I guess many people conflate 'webcams' and 'IP cameras' even though in common usage and technical terms, they are different.

In this industry and among anyone moderately technical, I would expect understanding this difference.

Undisclosed #3

In reply to Brian Karas | 08/26/17 09:58pm

Same as the position taken in the report: people who hold themselves up as being informers or subject matter experts did not do simple research of the core materials before making their claims.

IMHO, this position is not explicitly taken in the report. Rather, you state that the "core materials" do not support the reported conclusions, for instance:

The fact that Dumbo poses no risk to security systems did not stop many from wrongly hyping it as a threat.

Yes, one reason could be a failure to 'do simple research' as you say.  Another could be misinterpretation of core materials.  To wit, the core materials do mention 'security systems' as a requested target of Dumbo, which confuses the issue.

Furthermore, early versions of Dumbo have the ability to target ANY PC VMS, whether they have webcams or not, thru configuration options, and thereby rendering the recordings of their associated IP cameras useless.

Again, I agree that 'IP camera hack' is inexact at best and should be called out, however there are several misleading elements in the Wiki statement and the core documents that likely aided misinterpretation of the leak.

 

Rodney Thayer

In reply to Undisclosed #3 | 08/30/17 10:25pm

I think that text has it correct.  Dumbo is about manipulating video on a camera attached to a computer (an "installed device".)  I think the press who comingled "IP camera" and "camera as a peripheral on a pc, perhaps connected to a network/the internet" got it wrong.

By the way the files themselves are spectacularly unshocking.  Admin account, run the program, some care about what's in what directory.  Classic 4 day slammed together windows 3.1 UI.  Nothing interesting.  No juicy details on what magic IOCTL you do to swipe the video.  No example code on how they walk through the process tree to find the open files to detect video files to delete. 

 

Undisclosed #3

In reply to Rodney Thayer | 08/30/17 11:10pm

One thing I ran across in the docs (for an older version) was this:

Which I believe gives it the capability to run on arbitrary process names, such as Milestone's  *VideoOS.Recording.Service.exe* for example.

Read this IPVM report for free.

This article is part of IPVM's 6,536 reports, 881 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now

Related Reports

Faked Convergint Fever Camera 'Expert' Marketing on Jun 16, 2020
Convergint touts they are "THERMAL CAMERA SOLUTION EXPERTS" while faking...
False: Verkada: "If You Want To Remote View Your Cameras You Need To Punch Holes In Your Firewall" on Jul 31, 2020
Verkada falsely declared to “3,000+ customers”, “300 school districts”, and...
Verkada Falsely Claims "First Native Cloud-based Access Control and Video Security Solution" on Jun 18, 2020
Verkada's false claims continue, this time to be the first native cloud-based...
Dahua, Hikvision, ZKTeco Face Mask Detection Shootout on Jun 19, 2020
Temperature tablets with face mask detection are one of the hottest trends in...
ISC News Fakes Fever Screening, Falsely Quotes FDA on Jun 18, 2020
ISC News, the Reed publication behind the ISC East and West trade shows, has...
Uniview Deep Learning Camera Tested on Jul 14, 2020
Uniview's intrusion analytics have performed poorly in our shootouts. Now,...
Dahua Critical Cloud Vulnerabilities on May 12, 2020
Dahua has acknowledged a series of cloud vulnerabilities that researcher...
WDR Cheat Sheet and Camera Tracking - 30 Manufacturers on Aug 26, 2020
Manufacturers are regularly cryptic about what WDR support they actually...
Forced Door Alarms For Access Control Tutorial on Aug 17, 2020
One of the most important access control alarms is also often ignored....
Faulty Hikvision Cali Colombia Fever Camera Implementation on Jul 20, 2020
The mayor of one of Colombia's largest cities has promoted a faulty Hikvision...
Avigilon Now Available At ADI In EMEA, Not Americas on Jul 21, 2020
ADI, the home for Dahua and Hikvision flash sales, is now selling Motorola...
Dahua Taunts Australian Government, Continues To Sell Illegal Fever Cameras on Aug 10, 2020
Dahua is effectively taunting the Australian government by continuing to sell...
Door Fundamentals For Access Control Guide on Aug 24, 2020
Doors vary greatly in how difficult and costly it is to add electronic access...
The Insecure Verkada Access Control System on Jun 25, 2020
While Verkada touts the security of its system and that how their new door...
Keypads For Access Control Tutorial on Jul 28, 2020
Keypad readers present huge risks to even the best access systems. If...

Recent Reports

Hanwha AI Object Detection Tested on Sep 28, 2020
Hanwha has added detection and classification of people, cars, clothing...
Favorite Access Control Manufacturers 2020 on Sep 28, 2020
200+ Integrators told IPVM "What is your favorite access control management...
New Products Show Fall 2020 Starts Tomorrow! on Sep 27, 2020
Tomorrow, IPVM's sixth online show will feature New Products from over 25...
OnTech Smart Services Partners With Google and Amazon To Compete With Integrators on Sep 25, 2020
A pain point for many homeowners to use consumer security and surveillance is...
The Future of Metalens For Video Surveillance Cameras - MIT / UMass / Immervision on Sep 25, 2020
Panoramic cameras using 'fisheye' lens have become commonplace in video...
Hikvision Sues Over Brazilian Airport Loss on Sep 24, 2020
Hikvision was excluded from a Brazilian airport project because it is owned...
China General Chamber of Commerce Calls Out US Politics on Sep 24, 2020
While US-China relations are at an all-time low, optimism about relations...
Verkada Disruptive Embedded Live Help on Sep 24, 2020
Call up your integrator? Have someone come by the next day? Verkada is...
IP Networking Course Fall 2020 - Last Chance - Register Now on Sep 23, 2020
Today is the last chance to register for the only IP networking course...
Drain Wire For Access Control Reader Tutorial on Sep 23, 2020
An easy-to-miss cabling specification plays a key role in access control, yet...
Norway Council of Ethics Finds Hikvision Human Rights Abuses "Ongoing" on Sep 23, 2020
Hikvision's involvement in "serious human rights abuse" in Xinjiang is...
IPVM Camera Calculator User Manual / Guide on Sep 23, 2020
Learn how to use the IPVM Camera Calculator (updated for Version 3.1). The...
Installation Course Fall 2020 - Save $50 - Last Chance on Sep 22, 2020
This is a unique installation course in a market where little practical...
SimpliSafe Business Security Launched Examined on Sep 22, 2020
SimpliSafe has launched "SimpliSafe Business Security" that the company...
FLIR CEO: Many New Fever Entrants "Making Claims That The Science Just Won't Support" on Sep 22, 2020
FLIR's CEO joins a growing number calling out risks with fever / screening...