
CCTV cameras have become part of the Internet of Things and, like other devices with unimpeded access to the network, have become the focus of hackers' interest. Millions of IP cameras from different manufacturers are open to attackers.
Camera manufacturers can save on the work of programmers and hardware - buyers get cheap devices with limited computing resources and huge holes in security mechanisms.
The firmware of mass-market no-name devices does not stand up to criticism. Often, it is not updated by anyone, and the devices do not become more secure after the default password is changed. Moreover, the manufacturer itself can plant a backdoor.
Below we will consider the main directions of attacks on video surveillance systems.
Free cheese

"5MP pinhole lens camera module for video surveillance camera pinhole module from the factory"
From the consumer's point of view, the market is illogically complex. With a "penny" cost of the IP camera modules themselves, at the output we get the cost of the simplest devices close to 100 dollars.
The main cost is formed at the level above the hardware. The main thing is computing resources, firmware and the ability to support all the firmware's features for as long as desired. The camera should work for years at the same high level of protection.
The point is that the manufacturer of embedded equipment, which strives to save on everything, with a high probability leaves such vulnerabilities in the firmware and hardware that even access via the "naked" ONVIF protocol with a complex password does not protect against an intruder.
The lack of automatic updates is a death sentence for the entire security system. An ordinary user does not follow the news in the IT sphere and will not manually download new firmware for his camera bought on Aliexpress on sale.
One of the most impressive examples of exploitation of cheap cameras is the Heartbleed OpenSSL exploit – a nasty combination of the Heartbleed vulnerability and the specificity of embedded devices, which may never be updated.
As a result, cameras are used for spying and, much more often, become part of botnets. Thus, the hacking of Xiongmai cameras led to a powerful DDoS attack on the websites of Netflix, Google, Spotify and Twitter.
Passwords
The woman in the video bought the camera at a discount store. She wanted to use the device to keep an eye on her puppy. After a while, the camera started talking to its owner and rotating on its own. What happened is what often happens with cheap Chinese cameras, which have direct open access to the video stream even on the manufacturer's website.
At first glance, camera passwords may seem too obvious a security measure to discuss, but tens of thousands of cameras and DVRs are regularly compromised due to the use of default passwords.
The hacker group Lizard Squad hacked thousands of CCTV cameras using a simple factory account that is the same for all cameras. The devices were hacked using banal brute force (although it is possible that they spied the login and password from the manufacturer itself).
Ideally, manufacturers should assign a unique, long and non-obvious password for each camera. Such a meticulous process takes time to set up and is difficult to administer. Therefore, many integrators use one password for all cameras.
Employee turnover or changing user roles can create unexpected holes in enterprise security. If the system lacks a well-thought-out mechanism for differentiating access rights for different employees, camera groups, and objects, we get a potential vulnerability like a “Chekhov’s gun” – it will definitely go off.
Port forwarding

Number of cameras infected via TCP port 81 (Shodan data)
The term “port forwarding” is sometimes replaced by similar terms: “port redirection” or “port translation”. It means opening a port on a router to, for example, connect to a home camera from the Internet.
Most traditional surveillance systems today, including DVRs, NVRs, and VMSs, are connected to the Internet for remote access or operate on a local network that is in turn connected to the global network.
Port forwarding allows for customized access to a camera on your local network, but it also opens up a window of opportunity for hacking. If you apply a certain type of query, the Shodan search engine will show about 50,000 vulnerable devices “hanging out” freely on the network.
An open-to-the-Internet system requires, at a minimum, an IDS / IPS for additional protection. Ideally, place the surveillance system on a physically separate network or use a VLAN.
Encryption
Argentine security researcher Ezequiel Fernandez has published a vulnerability that allows easy extraction of unencrypted video from local drives of various DVRs.
Fernandez found that it is possible to access the control panel of certain DVRs using a short exploit:
Code:
$> curl "http://{DVR_HOST_IP}:{PORT}/device.rsp?opt=user&cmd=list" -H "Cookie: uid=admin"
We have come across a surprising number of cameras, DVRs, NVRs and VMSs that do not encrypt the channel even over SSL. Using such devices risks problems worse than abandoning HTTPS altogether. At Ivideon, we use TLS encryption not only for video in the cloud, but also for streams from cameras.
In addition to insecure connections, the same privacy risks arise when storing unencrypted video on disk or in the cloud. For a truly secure system, video must be encrypted both when stored on disk and when transmitted to the cloud or local storage.
Hacking procedure

Brute force for the little ones
Video stream management software often interacts with various potentially vulnerable components of the operating system. For example, many VMS use Microsoft Access. Thus, unencrypted video can be accessed through "holes" in the OS.
Since cameras are vulnerable from all sides, the choice of targets for attack is unusually wide, and most illegal actions do not require special knowledge or special skills.
Almost anyone who wants to illegally watch the broadcast from the camera can easily do so. Therefore, it is not surprising that unskilled hackers often connect to unprotected cameras just for fun.
For brute force, you can use the BIG HIT SPAYASICAM and SquardCam programs, along with the masscan and RouterScan penetration testing tools. Sometimes you don't even need to use security scanners - the Insecam and IP-Scan sites make the task easier by helping to find cameras on the Internet.
Access to the camera's RTSP link greatly simplifies hacking. And the desired links can be obtained here or here. For remote viewing and control of video recorders and cameras, official applications from equipment manufacturers are widely used – SmartPSS and IVMS-4200.
Unobvious consequences
Information about open cameras or cameras with known passwords is widely distributed on imageboards and social networks. Videos of hacked cameras on YouTube gain hundreds of thousands of views.
Compromised cameras can be used in several non-obvious ways. Among them is cryptocurrency mining. Employees of the IBM X-Force division discovered a variant of the ELF Linux/Mirai Trojan, which is equipped with a module for mining bitcoins. The malware searches for and infects vulnerable devices on Linux, including DVRs and CCTV cameras.
More serious consequences can arise from the use of vulnerable devices as intermediate points for attacks on third-party infrastructures, which can be launched to hide traces from forensic examination, falsify data, or perform a permanent denial of service.
And the last thing to be aware of when using cameras is that the manufacturer itself may leave a backdoor for itself with an unknown purpose. Thus, security specialists from the company Risk Based Security discovered a vulnerability in video surveillance cameras of the Chinese manufacturer Zhuhai RaySharp Technology.
The firmware of products manufactured by RaySharp is a Linux system with CGI scripts that form a web interface. It turned out that the password 519070 opens access to viewing images and system settings of all cameras. However, such firmware with insecure connections to the backend is common.
Protecting cameras from hacking

Inside one of Google's data centers
Cloud video surveillance services are not susceptible to the vulnerabilities of previous-generation systems. For a cloud solution without port forwarding, firewall configuration is usually not required. Any Internet connection is suitable for connecting to the Ivideon cloud and a static IP address is not required.
For all devices with the Ivideon service, the password is randomly generated when connecting cameras in the personal account. For some camera models, for example, Nobelic, you can create your own password in the Ivideon user's personal account.
We do not store user passwords, so they cannot be accessed. We do not store video archives centrally. They are distributed among many machines in different data centers.
Access to the mobile application is protected by a PIN code, and biometric protection will be available in the future.
The cloud service also automatically sends patches and security updates via the Internet to any local user device. The end user does not need to do anything additional to monitor security.
In Ivideon, many functions (except for the cloud archive and video analytics modules) and all security updates are provided free of charge for all customers.
We hope that these simple rules will be used in all cloud video surveillance services.
Source
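An added example for the port forwarding section above, not part of the original article: a Python audit of a router's NAT table that lists every forward reaching the camera network and marks the ones open to any source address. The `iptables-save` sample, the 192.168.20.0/24 camera subnet and the function names are assumptions made for illustration.

```python
import ipaddress
import shlex

# Constructed sample of `iptables-save -t nat` output from a hypothetical router.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 81 -j DNAT --to-destination 192.168.20.11:81
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8554 -j DNAT --to-destination 192.168.20.12:554
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.1.5:22
-A PREROUTING -s 203.0.113.7/32 -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.20.13:443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""
CAMERA_NET = ipaddress.ip_network("192.168.20.0/24")  # assumed camera VLAN subnet


def parse_dnat(line):
    """Return the fields of one DNAT rule, or None for any other line."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    opts, it = {}, iter(tokens[2:])
    for tok in it:                      # option/value pairs; negation (!) is not handled
        if tok.startswith("-"):
            opts[tok] = next(it, "")
    if opts.get("-j") != "DNAT":
        return None
    host, _, port = opts.get("--to-destination", "").partition(":")
    try:
        target = ipaddress.ip_address(host)
    except ValueError:                  # address ranges are out of scope here
        return None
    return {"wan_port": opts.get("--dport", "any"), "host": target,
            "lan_port": port or opts.get("--dport", "any"), "source": opts.get("-s")}


def audit(rules_text, camera_net=CAMERA_NET):
    """List forwards that reach the camera subnet, marking unrestricted ones."""
    findings = []
    for line in rules_text.splitlines():
        rule = parse_dnat(line.strip())
        if rule is None or rule["host"] not in camera_net:
            continue
        limited = rule["source"] not in (None, "0.0.0.0/0")
        exposure = "source-restricted" if limited else "open-to-internet"
        findings.append((exposure, rule["wan_port"], f"{rule['host']}:{rule['lan_port']}"))
    return findings
```

Every `open-to-internet` finding is a camera reachable from any address and is a candidate for removal or for replacement with VPN-only access.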
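An added example for the IDS / IPS recommendation and the request quoted in the encryption section, not part of the original article: detection logic that finds that request in proxy logs even when its parameters are reordered or percent-encoded. The JSON log format, its field names, the verdict labels and the addresses are constructed for illustration.

```python
import json
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed sample: JSON-lines access log from a hypothetical reverse proxy
# placed in front of a DVR web interface (field names are assumptions).
SAMPLE_LOG = """\
{"src": "198.51.100.23", "uri": "/device.rsp?opt=user&cmd=list", "cookie": "uid=admin", "status": 200}
{"src": "198.51.100.23", "uri": "/device.rsp?cmd=list&opt=user", "cookie": "lang=en; uid=admin", "status": 200}
{"src": "192.168.20.40", "uri": "/index.html", "cookie": "", "status": 200}
{"src": "203.0.113.9", "uri": "/device.rsp?opt=%75ser&cmd=list", "cookie": "uid=admin", "status": 403}
{"src": "192.0.2.77", "uri": "/device.rsp?opt=user&cmd=list", "cookie": "", "status": 401}
"""


def classify(entry):
    """Return a verdict for one log entry, or None if it is unrelated."""
    url = urlsplit(entry["uri"])
    query = parse_qs(url.query)         # decodes %-escapes, accepts any parameter order
    if not url.path.lower().endswith("/device.rsp"):
        return None
    if query.get("opt") != ["user"] or query.get("cmd") != ["list"]:
        return None
    cookie = SimpleCookie()
    cookie.load(entry.get("cookie", ""))
    forged = "uid" in cookie and cookie["uid"].value == "admin"
    served = 200 <= entry["status"] < 300
    if forged and served:
        return "credentials-exposed"    # the device answered the user-list request
    return "attempt-blocked" if forged else "probe"


def detect(log_text):
    """Group verdicts by source address for every matching request."""
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        verdict = classify(entry)
        if verdict:
            alerts.setdefault(entry["src"], []).append(verdict)
    return alerts
```

Any `credentials-exposed` verdict means the device answered the request, so its accounts should be treated as disclosed and the device taken off the public network.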