www.nshc.net
Vulnerability of CCTV & IP Camera
HYUNWOO KIM & HAENG-UN HA & MINJOON PARK
NSHC Pte, Ltd.
Your Partner for Cyber defense & Intelligence
Introduction
• Hyunwoo KIM: works at NSHC in Singapore
• Haeng-un HA: works at NSHC in Korea
• Minjoon PARK: worked at NSHC in Singapore
Abstract
• IP Camera (IP-CAM, Network Camera)
  ✓ An Internet protocol camera, or IP camera, is a type of digital video camera commonly employed for surveillance (Wikipedia)
• IoT devices are increasingly affordable
  [Figure: Global Network Camera Market (MarketsandMarkets Report)]
• IP cameras are used in various areas
  ✓ Home / Company / Public Place
  ✓ Government / Organization
  ✓ and so on...
How to hack IP-CAM | BUY products
In Singapore
• Go to
  ✓ There are many IoT devices
• Choose the goods
  ✓ D* / T* / L* vendor
In Korea
• Internet Shopping
  ✓ Used market
How to hack IP-CAM | EXTRACT Firmware
• How to get Firmware
  ✓ Download firmware from Vendor’s official Homepage
  ✓ If we can get root shell, try partition dump
  ✓ Use the hardware (ex: UART, JTAG)
  ✓ Flash memory dump
  ✓ Network packet dump
• Tools
  ✓ Firmware Modification Kit
  ✓ Binwalk
Vulnerability
• Vulnerability summary
  ✓ XSS (Cross-Site Scripting)
  ✓ Information Disclosure
  ✓ Buffer Overflow
  ✓ Protocol Vulnerability
  ✓ File Download
  ✓ Policy Fail
  ✓ and so on…
• Policy Fail
  ✓ Password brute-force attack is allowed
  ✓ Any fail2ban?
  ✓ Mobile app provides network scan for cams with the default password
  ✓ No auth process
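An added example, not from the original slides: a minimal fail2ban-style lockout of the kind the "Policy Fail" slide finds missing, replayed over constructed login-log lines. The log format, the thresholds and the name `find_bans` are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the line format is an assumption, not a real camera's.
SAMPLE_LOG = """\
2024-05-01 10:00:00 LOGIN_FAIL user=admin src=192.0.2.10
2024-05-01 10:00:01 LOGIN_FAIL user=admin src=192.0.2.10
2024-05-01 10:00:02 LOGIN_FAIL user=admin src=192.0.2.10
2024-05-01 10:00:03 LOGIN_FAIL user=admin src=192.0.2.20
2024-05-01 10:00:04 LOGIN_FAIL user=admin src=192.0.2.10
2024-05-01 10:00:05 LOGIN_FAIL user=admin src=192.0.2.10
2024-05-01 10:00:06 LOGIN_FAIL user=admin src=192.0.2.10
2024-05-01 10:00:07 LOGIN_OK user=admin src=192.0.2.10
2024-05-01 10:00:20 LOGIN_OK user=admin src=192.0.2.20
"""
LINE_RE = re.compile(r"^(\S+ \S+) (LOGIN_FAIL|LOGIN_OK) user=\S+ src=(\S+)$")

def find_bans(log_text, max_fail=5, window_s=60, ban_s=600):
    """Replay a login log; return (bans, rejected).

    bans: {source: ban expiry}; rejected: attempts refused while banned.
    """
    window = timedelta(seconds=window_s)
    fails = defaultdict(deque)   # source -> timestamps of recent failures
    bans, rejected = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # ignore unrelated log lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        event, src = m.group(2), m.group(3)
        if src in bans and ts < bans[src]:
            rejected.append((ts, src, event))  # refused before any password check
            continue
        if event == "LOGIN_OK":
            fails[src].clear()            # a success resets the counter
            continue
        q = fails[src]
        q.append(ts)
        while ts - q[0] > window:         # drop failures older than the window
            q.popleft()
        if len(q) >= max_fail:
            bans[src] = ts + timedelta(seconds=ban_s)
            q.clear()
    return bans, rejected

if __name__ == "__main__":
    bans, rejected = find_bans(SAMPLE_LOG)
    for src, until in bans.items():
        print(f"ban {src} until {until}, refused {len(rejected)} attempts")
```

In the sample, the source that fails five times within the window is banned at 10:00:05, so its later attempts, including the successful one at 10:00:07, are refused, while the user with a single typo is unaffected.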
Backdoor
• We classified backdoors into two categories
  ✓ Unintended Backdoor
    » Utilized for device management
    » Utilized to access the device
  ✓ Intended Backdoor
    » Surveillance and other arbitrary purposes
    » Use for industrial espionage
    » Hiding the existence of the backdoor using encryption
• We found some backdoors in IP-CAM
  ✓ Unintended Backdoor – “D* vendor”
  ✓ Intended Backdoor – “T* vendor”
  ✓ Unclassified – “L* vendor”
• We chose one product from each company, and we succeeded in finding a backdoor in all of them :(
Scenario and DEMO
• Crack the D* Vendor Password
  ✓ The settings are delivered by broadcast (255.255.255.255) to everyone on the same local network
  ✓ The user sets up the CAM after purchase
  ✓ Send some packets to CAM
  ✓ Malicious program is with CAM on same network (not necessary but recommended)
  ✓ CRACK IT: Get md5sum of PASSWORD from response