www.nshc.net

Vulnerability of CCTV & IP Camera

HYUNWOO KIM & HAENG-UN HA & MINJOON PARK

NSHC Pte, Ltd.

Your Partner for Cyber defense & Intelligence


Introduction

• Hyunwoo KIM: works at NSHC in Singapore

• Haeng-un HA: works at NSHC in Korea

• Minjoon PARK: worked at NSHC in Singapore

Contents

Abstract

How to hack

Vulnerability

Backdoor

Scenario and DEMO

Conclusion

Abstract

• IP Camera (IP-CAM, Network Camera)
  ✓ An Internet protocol camera, or IP camera, is a type of digital video camera commonly employed for surveillance (Wikipedia)

• IoT devices are increasingly affordable

[Figure: Global Network Camera Market (MarketsandMarkets report)]

• IP cameras are used in various areas
  ✓ Home / Company / Public Place
  ✓ Government / Organization
  ✓ and so on...

How to hack IP-CAM

Buy → Install → Extract → Analysis → Exploit

How to hack IP-CAM | BUY products

In Singapore
• Go to
  ✓ There are many IoT devices
• Choose the goods
  ✓ D* / T* / L* vendor

In Korea
• Internet Shopping
  ✓ Used market

How to hack IP-CAM | INSTALL product

• Install IP-CAM

How to hack IP-CAM | EXTRACT Firmware

• How to get Firmware
  ✓ Download firmware from Vendor’s official Homepage
  ✓ If we can get root shell, try partition dump
  ✓ Use the hardware (ex: UART, JTAG)
  ✓ Flash memory dump
  ✓ Network packet dump

• Tools
  ✓ Firmware Modification Kit
  ✓ Binwalk

How to hack IP-CAM | Analysis & Exploit

• Extracted files analysis

• Web Hacking

Vulnerability

• Vulnerability summary
  ✓ XSS (Cross Site Scripting)
  ✓ Information Disclosure
  ✓ Buffer Overflow
  ✓ Protocol Vulnerability
  ✓ File Download
  ✓ Policy Fail
  ✓ and so on…

• XSS (Cross Site Scripting)

• Information Disclosure

• Buffer Overflow

• File Download

• Policy Fail
  ✓ Password brute-force attack is allowed
  ✓ Any fail2ban?
  ✓ Mobile app provides network scan for cam with default password
  ✓ No auth process
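
The Policy Fail slide asks whether any fail2ban-style control exists. As an added example (not from the original slides or from any vendor's firmware), the code below replays login events and applies a per-source lockout of the kind that stops unlimited password guessing; the log format, the thresholds and the `find_bans` name are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical log format (not from any real device).
SAMPLE_LOG = """\
2016-03-01T10:00:01 login user=admin src=192.0.2.10 result=FAIL
2016-03-01T10:00:02 login user=admin src=192.0.2.10 result=FAIL
2016-03-01T10:00:03 login user=admin src=192.0.2.10 result=FAIL
2016-03-01T10:00:04 login user=admin src=192.0.2.10 result=FAIL
2016-03-01T10:00:05 login user=admin src=192.0.2.10 result=FAIL
2016-03-01T10:00:06 login user=admin src=192.0.2.10 result=OK
2016-03-01T10:01:00 login user=admin src=192.0.2.20 result=FAIL
2016-03-01T10:04:00 login user=admin src=192.0.2.20 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=\S+ src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")

def find_bans(log_text, max_fail=5, window=timedelta(seconds=60),
              ban=timedelta(minutes=10)):
    """Replay login events; return ({src: ban_expiry}, [(src, ts) rejected while banned])."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    banned_until = {}
    rejected = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src = datetime.fromisoformat(m["ts"]), m["src"]
        if src in banned_until and ts < banned_until[src]:
            rejected.append((src, ts))   # refused before the password is checked
            continue
        if m["result"] == "OK":
            recent[src].clear()
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:        # drop failures older than the window
            q.popleft()
        if len(q) >= max_fail:
            banned_until[src] = ts + ban
            q.clear()
    return banned_until, rejected

if __name__ == "__main__":
    bans, rejected = find_bans(SAMPLE_LOG)
    print(bans, rejected)
```

With the sample input, the source that fails five times in five seconds is locked out, so its sixth attempt is refused even though the password was correct, while the slow, occasional failures from the second source never trip the threshold.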

Backdoor

• We classified backdoors into two categories
  ✓ Unintended Backdoor
    » Utilized for device management
    » Utilized to access the device
  ✓ Intended Backdoor
    » Surveillance and other arbitrary purposes
    » Utilization for industrial espionage
    » Hiding the existence of the backdoor using encryption

• We found some backdoors in IP-CAM
  ✓ Unintended Backdoor – “D* vendor”
  ✓ Intended Backdoor – “T* vendor”
  ✓ Unclassified – “L* vendor”

• We chose a product from each company, and we succeeded in finding a backdoor in all of them :(

• Disclosure of IP-CAM Administrator ID / PW

• Web based Backdoor

• Telnet based Backdoor

Scenario and DEMO

• Crack the D* Vendor Password
  ✓ The setup contents are delivered by broadcast (255.255.255.255) to everyone on the same local network
  ✓ User sets up the CAM after purchase
  ✓ Send some packets to CAM
  ✓ Malicious program is with CAM on same network (not necessary but recommended)
  ✓ CRACK IT
  ✓ Get md5sum of PASSWORD from response

Conclusion

• IP-CAMs have many vulnerabilities!!

• Also, IP-CAMs have backdoors