The dangers of black box devices.

The dangers of black box devices. Or...just how many insecure IP cameras are out there?

  1. The dangers of black box devices. Or...just how many insecure IP cameras are out there? Adrian Hayter, Pen Tester - Convergent Network Solutions
  2. Blackbox Devices
  3-4. Timeline
     • January 2012: consolecowboys release exploit of TRENDnet IP cameras.
     • February 2012: TRENDnet release statement & new firmware.
     • July 2012: Dan Tentler (@Viss) speaks about issue at Defcon 20.
     • September 2012: 7,000 potential feeds...748 are accessible.
     • January 2013: TRENDnet release updated statement.
     • Today... 637 accessible feeds (at least).
  5. IP Cameras. A quick clarification... IP Camera / Not an IP Camera
  6. The TRENDnet Exploit. Authentication is required to access most of the IP camera interface. Side note: default credentials are admin/admin.
  7. The TRENDnet Exploit. Accessing a specific path (/anony/mjpg.cgi) bypasses authentication:
  8. The TRENDnet Exploit. For OWASP fans, this is a great example of #8 on the Top 10 Web Application Security Risks: Failure to Restrict URL Access. According to TRENDnet's press release(s), the exploit affected all devices sold between April 2010 and February 2012. 22 different camera models were affected. Motion JPEG format means (almost) real-time camera feeds. No static images! Supported by all modern web browsers with the obvious exception of IE.
  9-10. The Next Logical Step...Enumerate! Google hacking (inurl:/anony/mjpg.cgi) is limited and unreliable. We need something more powerful... What about the HTTP headers?
        $ curl -I http://67.168.142.6
        HTTP/1.1 401 Unauthorized
        Content-Type: text/html
        Connection: keep-alive
        WWW-Authenticate: Basic realm="netcam"
        Content-Length: 17
     If only there were a way to search headers rather than content...
  11. SHODAN: "Google for hackers"
  12-13. SHODAN scans the entire (IPv4) Internet and indexes headers of different services (HTTP, Telnet, SSH, etc.). By default you can only look at the first 10 results. :-( However... a one time payment of $19 gets you access to 10,000 results, plus unlimited API access, multiple filters, and lots more! :-)
  14-16. Enumeration → Validation. SHODAN isn't perfect. Lots of results are out of date. All searches are case-insensitive (so "netcam" also matches "Netcam" and "NetCAM"). We need validation! My favourite curl command:
        curl -sL --write-out %{http_code} -o /dev/null http://67.168.142.6/anony/mjpg.cgi
     So now we've got a list of URLs that respond with a "200 OK" status code. How best to manually check them all?
  17. Enumeration → Validation
  18. TRENDnet Cameras are (Mostly) Boring. The majority of vulnerable cameras are pretty basic. Low resolution, stationary...
  19. Controllable Cameras. Move, pan, tilt, zoom, focus...the choice is yours!
  20-21. Controllable Cameras. The controllable cameras "most exposed" on the Internet appear to be made by Sony and Panasonic. Both can easily be found via HTTP header searches: "Server: NetEVI" for Sony, "Server: U S Software Web Server" for Panasonic. Many other makes / models can be found via Google hacking. Useful reddit community: /r/controllablewebcams
  22-24. High-definition Zooming!
  25. Examples!
  26. Cots & Children's Bedrooms...
  27. Inside Homes
  28. Tattoo Parlour
  29. Lazy Office Workers...
  30. ???
  31. Monitoring Employees
  32. Training Hospital
  33. Animals
  34. Nightclub
  35. Strip club!
  36. Dials
  37. Server Racks
  38. Various Controls / Outputs
  39. Windows!
  40. Exposed Webcam Viewer: http://cryptogasm.com/webcams/ 38,037 potential feeds. 8,596 are currently online!
  41. Questions? adrian.hayter@cnsuk.co.uk @ah8r http://cryptogasm.com
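The authorization flaw described in slides 6 to 8, modelled as an added example that is not code from the deck or from any camera firmware: a Basic-auth check attached to the known interface paths with the /anony/ tree left uncovered, beside a default-deny version in which every path needs credentials unless it is on a small reviewed allowlist. The credentials, the public path and the request shapes are constructed for the example.

```python
import base64
import hmac

# Constructed credentials for this example. The deck notes the shipped default is
# admin/admin; a real deployment must change that before anything else.
VALID_USER = "operator"
VALID_PASS = "constructed-example-password"


def basic_header(user: str, password: str) -> dict:
    """Build the Authorization header a browser sends for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def _basic_auth_ok(headers: dict) -> bool:
    """Validate an HTTP Basic Authorization header against the configured credentials."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(value[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # malformed base64 or non-UTF-8 bytes
        return False
    user, _, password = decoded.partition(":")
    # Compare both fields in constant time, and evaluate both before combining,
    # so a wrong guess leaks nothing through timing.
    user_ok = hmac.compare_digest(user.encode(), VALID_USER.encode())
    pass_ok = hmac.compare_digest(password.encode(), VALID_PASS.encode())
    return user_ok and pass_ok


def vulnerable_authorize(path: str, headers: dict) -> int:
    """Shape of the TRENDnet bug: the auth check covers the interface paths and
    the /anony/ tree is simply not behind it, so the MJPEG stream answers 200 to
    anyone. Returns the HTTP status the device would send."""
    if path.startswith("/anony/"):
        return 200
    return 200 if _basic_auth_ok(headers) else 401


# Paths that may be served without credentials. Constructed for the example;
# no image, stream or control endpoint belongs on this list.
PUBLIC_PATHS = frozenset({"/favicon.ico"})


def hardened_authorize(path: str, headers: dict) -> int:
    """Default-deny: every path requires credentials unless it is explicitly
    allowlisted, so a handler nobody thought about fails closed, not open."""
    if path in PUBLIC_PATHS:
        return 200
    return 200 if _basic_auth_ok(headers) else 401
```

The two functions differ only in what happens to a path that was never considered, which is exactly the question to ask of any black box device's web interface before it is put on the Internet.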
