
Eyes On IZON: Surveilling IP Camera Security

Home IP cameras are becoming increasingly common thanks to sleek designs, WiFi connectivity, and intuitive mobile applications. Previously, such IP cameras were mostly in use by home security aficionados and small business owners. Now, however, with increasing video quality and ease of use, these cameras are becoming popular with the average homeowner who wants a bit more confidence that all is well when they're absent. This presentation will provide insight into the security mechanisms used by the IZON camera, some of the weaknesses found during research, and a few recommendations for them (or anyone else developing these sorts of cameras) to benefit from. Attention will be paid to topics such as network protocols, iOS app security, APIs, and other aspects of the camera's platform that have attack surface.

  • I've just bought a pair of these cameras and they work great! I was concerned with the issues in this article but I checked them out and it appears that the latest version of the application and camera firmware don't have these issues.

Eyes On IZON: Surveilling IP Camera Security

  1. Eyes On IZON: Surveilling IP Camera Security
     Mark Stanislav
  2. What Is An IZON?
     ‣ IP-enabled web camera that is fully managed from your iOS-based device
     ‣ Provides remote access to live video
     ‣ Supports recordings for motion & noise
     ‣ Only requires WiFi + AC power to run
     ‣ SKUs for US, Europe, China, Japan, UK, Australia, Hong Kong, and Singapore
     ‣ Sold at Apple, Amazon, Best Buy, Fry’s, Wal-Mart, Target, and other retailers
  3. In The Beginning, A Simple Goal...
     ‣ The first question for any security research is, “Well, why this device?”
     ‣ Ever set up a Raspberry Pi? Me too. Except, I forgot to set a static IP and figured I’d NMAP my network
     ‣ It’s amazing the terrors that result from scanning your network
     ‣ Telnet? RTSP? HTTP? What the hell is this device on my network?
  4. All Network Device Assessment Begins With NMAP!
  5. What Should We Test? A Wish List.
     Surface   Desired Result
     Telnet    Get a Shell
     HTTP      Access Web Interface
     HTTP      Find Vulnerabilities
     RTSP      View Stream Passively
     RTSP      Request Stream to View
     Device    Access On-Camera Software
     Device    Remotely Access a Camera
     Device    Access Video Recordings
     Device    Access Device Information
     Device    Firmware Upload Access
     It’s always good to have goals!
  6. How A Camera Is Set Up
     ‣ Install the app on your iOS-based device
     ‣ Create an account (on app) that manages all of your cameras
     ‣ Go through a process to provide WiFi info (SSID/security details)
     ‣ Scan the QR code generated on your phone with the above info
     ‣ The camera connects to your network and does backend... stuff.
     ‣ We’ll talk more about that in a few...
  7. What Happens During A New Camera Setup? 1/2
     Multicast DNS Traffic
     RSA (1024-bit) Public Key Transfers From Camera to App
  8. What Happens During A New Camera Setup? 2/2
     Encrypted “admin” password goes from the phone to camera
  9. What If You Remove The Camera From Your Phone?
     ‣ Cameras are only attached to one account at a time
     ‣ This leads to a shared credential situation if you want your family members to also access it
     ‣ The device resets so that it goes back into factory default mode
     ‣ If you change the “admin” password, the app gets really mad :)
     Process output from camera after a “remove” is initiated:
       8515 root 1372 S < /bin/sh /bin/factoryreset complete_reset
       8526 root 1384 S < /bin/sh /bin/ alt blink_start 5
       8575 root 1424 S < /bin/sh /bin/ stop_bonjour
  10. Gaining Access: The Failed Attempts :*(
     ‣ The “admin” user has an encrypted password sent over the wire, presumably utilizing the RSA public key we saw during setup
     ‣ Web site transactions are authenticated using HTTP Digest
     ‣ Because of this, we are unable to sniff the password, despite all requests being cleartext
     ‣ A brute force of Telnet and/or HTTP Digest is potentially slow
     ‣ Hardware modification is not an area I know about...
     HTTP Digest Authentication:
       GET /cgi-bin/v1/servers/snapshot/1 HTTP/1.1
       Host:
       Authorization: Digest username="admin", realm="Authorization required", nonce="e14a9782902552eb88d62c11183983fd", uri="/cgi-bin/v1/servers/snapshot/1", response="6fec266cccbfb3307f1a567147281a31", cnonce="823188c37fb6cd1b1190c4c07f49515e", nc=00000001, qop="auth"
       Accept-Encoding: gzip, deflate
       charset: utf-8
       Accept-Language: en-us
       Accept: application/xml
       Connection: keep-alive
       User-Agent: IZON/1.0.5 CFNetwork/609.1.4 Darwin/13.0.0
  11. Attacking The App
     Rasticrac (or Clutch) dumps the app from memory to review
     Verification that the dumped app from memory is cleartext, yay!
  12. Looking For Interesting Data Via IDA + `strings`
     Clean output via IDA
     Ugly output via `strings`
  13. Default Credentials, Yes Please!
     Every “I Logged In” Screenshot Ever
     Quick check of the network services
  14. Camera’s Linux Accounts
     DES CRYPT :)
       root@izon # cat /etc/shadow
       root:bcDOEAqtEnAkM:12773:0:99999:7:::
       daemon:*:12773:0:99999:7:::
       bin:*:12773:0:99999:7:::
       sys:*:12773:0:99999:7:::
       www-data:*:12773:0:99999:7:::
       backup:*:12773:0:99999:7:::
       admin:CTedwasnlmwJM:12773:0:99999:7:::
       nobody:*:12773:0:99999:7:::
       mg3500:ab8EYhqWKRB36:12773:0:99999:7:::
     stemroot /ADMIN/ merlin
  15. Web Server - Lighttpd 1.4.24
     Paths restricted by authentication
     “user” and “admin” credentials
     ...and here’s where those hashes come from
     Yes, user/user :)
  16. Mobileye; A Hidden “Feature”
     ‣ You can log in to this hidden web interface using the stock credentials, user/user
     ‣ As “user” you can view the camera via an image stream, QVGA, and VGA video
     ‣ API service key/connection details are also available, notably for their “alert” video provider, IntelliVision
     ‣ Firmware details and alarm configuration are also available
     http://camera-ip/mobileye/
  17. Wireless Reconnaissance And Thief-Enablement
     Imagine a thief who knows if you’re home and can disable your motion/audio sensors so that no video is recorded of them...
  18. Don’t Like VLC Streaming? How About Flash!
     ‣ By default the video streams utilize VLC for streaming
     ‣ A configurable option is to enable Flash as the interface, providing an easier-to-snoop experience!
     ‣ Both the video and audio are quite good; the mic picks up a lot
  19. Firmware Details, Streaming Service Status, LED Fun!
  20. IntelliVision Usage
     ‣ “IntelliVision is a leading company in “Video Intelligence and Automated Monitoring” solutions for security, surveillance and safety markets.”
     ‣ Alert videos are accessible through their S3 bucket via HTTP
     ‣ Single, vendor-named bucket... MD5 filenames are used with a static format as such:
       ${MD5}-(THUMBNAIL|PLAYLIST|VIDEO)-${number}.(jpg|m3u8|ts)
     ‣ The aforementioned files are not encrypted prior to upload to S3
     ‣ There are hardcoded S3 credentials found within the mobile app
     Example thumbnail retrieval:
       GET /970270ad8dfd3f070df7b76dca1fa5ec-THUMBNAIL-1.jpg HTTP/1.1
       Host:
       Connection: keep-alive
       Accept-Encoding: gzip, deflate
       User-Agent: IZON/1.0.5 CFNetwork/609.1.4 Darwin/13.0.0
       Accept-Language: en-us
       Accept: */*
  21. Video Deletion; Not As Deleted As You May Like...
     Thumbnail + video files (TS) are still available 2 months since I said to delete this content...
  22. YOICS Usage
     ‣ “We enable safe, secure access to your devices and your data whenever you have an internet connection.”
     ‣ Provides access to your camera via a proxy when not on your WiFi network
     ‣ A public network address and port are opened up which connects directly to your camera
     ‣ Best I can tell, this is utilized to administrate as well as stream the camera to your mobile device
     From the network connection I saw happen, it was accessing this proxy via HTTP, not HTTPS...
  23. Additional YOICS Insights
     ‣ Your Stem Innovation account’s password is also used for your YOICS account that’s automatically created for your usage
     ‣ Cleartext API queries to the YOICS service send your username and an MD5 hash of the aforementioned password to operate
     ‣ In some cases, the MD5 password is also base64-encoded
     Camera Device Details:
       {token} &deviceaddress={MAC Address}&action=get
     API Token Information:
       key=StemConnectApplication&user=stem_{email}&pwd={MD5}&type=xml
  24. 62 Results For IZON’s Telnet Prompt Via SHODAN
     ‣ 1 - France
     ‣ 1 - Venezuela
     ‣ 1 - United Arab Emirates
     ‣ 2 - Panama
     ‣ 1 - Canada
     ‣ 2 - Japan
     ‣ 1 - Switzerland
     ‣ 5 - Germany
     ‣ 1 - China
     ‣ 13 - Mexico
     ‣ 1 - Denmark
     ‣ 32 - United States
     ‣ 1 - Finland
     Data Queried in July, 2013
  25. What Should We Test? A Wish List.
     Attack Surface   Desired Result              Value
     Telnet           Get a Shell                 Pass
     HTTP             Access Web Interface        Pass
     HTTP             Find Vulnerabilities        Untested
     RTSP             View Stream Passively       Pass
     RTSP             Request Stream to View      Pass
     Device           Access On-Camera Software   Pass
     Device           Remotely Access a Camera    Pass
     Device           Access Video Recordings     Pass
     Device           Access Device Information   Pass
     Device           Firmware Upload Access      Pass
  26. Issue Summary
     ‣ Camera web server does not operate via HTTPS for anything
     ‣ Telnet is used for software upgrades and who knows what else
     ‣ Camera “API” calls are vulnerable to digest auth replay attacks
     ‣ RTSP is streamed in the clear so anyone can MITM live video
     ‣ Hardcoded root/mg3500/admin credentials for Linux accounts
     ‣ “Hidden” web backend with default login credentials for viewing
     ‣ S3 storage of alert videos without encryption or actual deletion
     ‣ Single S3 vendor bucket with hardcoded S3 access/secret keys
     ‣ Alert videos protected only by an MD5 path, no IAM credentials
     ‣ Your account password is sent as an MD5 over HTTP
  27. Additional Areas To Research
     Camera Firmware
     ‣ Acquire (via intercepting the update process)
     ‣ Reverse engineer to find any other interesting secrets and/or attack surface
     ‣ Upload a custom firmware with additional functionality or edits
     Camera Processes
     ‣ Look for web application vulnerabilities in the administrative application/API
     ‣ Learn more about the services running on the device -- features? vulnerabilities?
     Changes Since Update
     ‣ 3.x code branch has been released; all testing thus far was done against 2.x
     Service APIs
     ‣ Better understand what API calls are doing going outbound for services
  28. The FTC Dislikes When Something Is Labeled Secure, But Isn’t
  29. Disclosure Timeline
     ‣ 09/06: Contacted Stem Innovation via their site’s contact form due to a lack of e-mail addresses
     ‣ 09/06: Received a reply back from their help desk, asking me to clarify “my questions”
     ‣ 09/06: Explained the reason for my contact was not for “questions” but to discuss security issues
     ‣ 09/16: Having not heard back from them for 10 days, I followed up via the help desk ticket I had
     ‣ 09/19: I received a response back that I needed to contact their company’s CEO for assistance
     ‣ 09/19: Contacted their CEO, providing an efficient overview of issues found with severity ratings
     ‣ 09/30: I had no response from their CEO in 11 days, so I opened up a new help desk case to ask why
     ‣ 10/01: The new case was updated saying their CEO was aware of my email and would respond
     ‣ 10/03: I received an e-mail from their CTO who was very polite but was light on specifics and didn’t ask for any further details, nor explained how/when they were fixing these issues
     ‣ 10/03: I followed up with the CTO to ask for clarification on what issues were fixed or being fixed and expressed (again) my willingness to take a phone call or otherwise to help explain issues
     ‣ 10/14: Their CTO responds wanting to “meet” and claims there are inaccuracies with my research and potential “confidential” information that I may have come upon -- does not state any specifics
     ‣ 10/14: I responded back within 1 hour, offering times for the very next day to resolve these issues
     ‣ 10/16: I am still waiting for a response back...
  30. Parting Thoughts
     We’re trusting too many network-enabled devices very blindly
     ‣ WiFi-enabled thermostats, ovens, fridges, light bulbs, outlets, cameras, and alarm systems
     The average vendor is not going to notice many of these failures of best practices that to security experts are glaring issues
     ‣ Hence, why we do research and why we report problems -- responsibly :)
     Devices like these make great research projects since the hardware can be contained within your own network perimeter
     ‣ This device is just one of many that likely have major issues...
  31. One Last Thing...
     That Raspberry Pi? Yeah, I’ve still never found it...
  32. Thanks Go Out To...
     ‣ @purehate_, @quine, and @dakykilla from Accuvant LABS for their help to determine the “admin” Linux account password
     ‣ @akgood and @jonoberheide for reviewing content early on and providing guidance
     ‣ @duiceburger for letting me use his jailbroken iPhone for app testing
  33. Thanks! Questions?
     @markstanislav
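Slide 10 shows why the cleartext HTTP Digest exchange did not give up the "admin" password, and slide 26 lists the flip side: the camera's API calls can be replayed. The following Python is an added example, not code from the deck or from Stem Innovation; the realm string and header layout follow the captured request on slide 10, while the password and the nonces are constructed. It computes the RFC 2617 `qop=auth` response the way a client does and then verifies it server-side twice, once like a server that only checks the hash (the replay succeeds) and once with the per-nonce request counter `nc` enforced (the replay is rejected).

```python
import hashlib
import re
import secrets

# Constructed sample credentials: placeholders, not the camera's real values.
REALM = "Authorization required"
USERS = {"admin": "constructed-sample-password"}

# Matches key="quoted value" or key=bare-value pairs inside a Digest header.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header: str) -> dict:
    """Parse the fields of a 'Digest ...' Authorization header into a dict."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {key: quoted or bare for key, quoted, bare in _FIELD.findall(params)}


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, method, uri, nonce, nc, cnonce,
                    qop="auth", realm=REALM):
    """RFC 2617 with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2).
    The password only ever enters HA1, which is why sniffing the header
    yields the response hash but not the password itself."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(username, password, method, uri, nonce, nc=1):
    """Client side: the header an app would send for one request."""
    cnonce = secrets.token_hex(16)
    nc_str = f"{nc:08x}"
    resp = digest_response(username, password, method, uri, nonce, nc_str, cnonce)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", cnonce="{cnonce}", nc={nc_str}, qop="auth"')


class DigestVerifier:
    """Server side. With track_nc=True each (nonce, nc) pair is accepted once,
    so a captured header cannot be replayed; with track_nc=False the server
    behaves like one that only re-computes and compares the response hash."""

    def __init__(self, track_nc=True):
        self.track_nc = track_nc
        self.nonces = {}  # nonce -> highest nc accepted so far

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, method, header):
        f = parse_authorization(header)
        nonce = f.get("nonce")
        if nonce not in self.nonces:
            return False  # never issued (or already expired) nonce
        nc_str = f.get("nc", "00000001")
        nc = int(nc_str, 16)
        if self.track_nc and nc <= self.nonces[nonce]:
            return False  # request counter already used with this nonce: replay
        password = USERS.get(f.get("username"))
        if password is None:
            return False
        expected = digest_response(f["username"], password, method, f.get("uri", ""),
                                   nonce, nc_str, f.get("cnonce", ""), f.get("qop", "auth"))
        if not secrets.compare_digest(expected, f.get("response", "")):
            return False
        self.nonces[nonce] = max(self.nonces[nonce], nc)
        return True


def replay_demo(track_nc):
    """Return (first_accepted, replay_accepted) for one captured header."""
    server = DigestVerifier(track_nc=track_nc)
    nonce = server.issue_nonce()
    header = build_authorization("admin", USERS["admin"], "GET",
                                 "/cgi-bin/v1/servers/snapshot/1", nonce)
    first = server.verify("GET", header)
    again = server.verify("GET", header)  # the identical header, resent verbatim
    return first, again
```

Digest does not protect the request body or any header outside `uri`, and the nonce/nc bookkeeping only helps if the server also expires nonces; the deck's recommendation of TLS for everything is what actually closes the gap.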
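Slide 14 reads the camera's `/etc/shadow` and notes that the three live accounts use classic DES crypt. A defender auditing a device image wants that spotted automatically, so here is an added Python audit (not code from the deck) that classifies each shadow hash by its scheme and flags the ones with no modern KDF. The sample input is the shadow listing as printed on the slide; the scheme prefixes are the standard crypt(3) identifiers.

```python
import re

# Shadow lines exactly as shown on slide 14 of the deck.
SHADOW_SAMPLE = """\
root:bcDOEAqtEnAkM:12773:0:99999:7:::
daemon:*:12773:0:99999:7:::
bin:*:12773:0:99999:7:::
sys:*:12773:0:99999:7:::
www-data:*:12773:0:99999:7:::
backup:*:12773:0:99999:7:::
admin:CTedwasnlmwJM:12773:0:99999:7:::
nobody:*:12773:0:99999:7:::
mg3500:ab8EYhqWKRB36:12773:0:99999:7:::
"""

# Traditional DES crypt: 2 salt chars + 11 hash chars from the ./0-9A-Za-z alphabet,
# no "$id$" prefix. It truncates passwords to 8 characters and uses a 12-bit salt.
_DES = re.compile(r"[./0-9A-Za-z]{13}")

_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}

# Schemes an audit should flag: no password at all, or a fast/legacy hash.
WEAK = {"empty", "des-crypt", "md5crypt"}


def classify_hash(field: str) -> str:
    """Name the crypt scheme of one shadow password field."""
    if field == "":
        return "empty"
    if field == "*" or field.startswith("!"):
        return "locked"  # no valid hash; login via password is disabled
    for prefix, name in _PREFIXES.items():
        if field.startswith(prefix):
            return name
    if _DES.fullmatch(field):
        return "des-crypt"
    return "unknown"


def audit_shadow(text: str):
    """Return [(user, scheme, is_weak)] for every account line in a shadow file."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line; skip rather than guess
        scheme = classify_hash(fields[1])
        results.append((fields[0], scheme, scheme in WEAK))
    return results


def weak_accounts(text: str):
    """Sorted user names whose password hash uses a scheme in WEAK."""
    return sorted(user for user, _, weak in audit_shadow(text) if weak)


if __name__ == "__main__":
    for user, scheme, weak in audit_shadow(SHADOW_SAMPLE):
        print(f"{user:10} {scheme:12} {'WEAK' if weak else ''}")
```

Run against a firmware's root filesystem, the same function also catches a second failure the deck mentions on slide 26: a hash that is identical across every unit is a hardcoded credential whatever the scheme, so compare the field across images as well as classifying it.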
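Slide 23 (and the last bullet of slide 26) describe the YOICS API calls carrying the account name plus an MD5 of the account password, sometimes base64-encoded, in the query string of plain HTTP requests. The check below is an added example, not the deck's code: a small detector you can run over a proxy log of your own device's traffic to flag secret-bearing parameters on cleartext transport and recognise the hex-MD5 and base64-of-MD5 encodings. The host names are placeholders, the parameter names follow the two query strings shown on slide 23, and the sample password digest is computed from a made-up password so the input is self-contained.

```python
import base64
import binascii
import hashlib
import re
from urllib.parse import parse_qs, urlencode, urlsplit

_MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")
# Query keys that should never travel in a URL, let alone over plain HTTP.
_SECRET_KEYS = {"pwd", "password", "passwd", "pass", "secret", "token"}


def looks_like_md5(value: str):
    """Classify a value as hex MD5, base64 of hex MD5, base64 of raw MD5, or None."""
    if _MD5_HEX.fullmatch(value):
        return "md5-hex"
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) == 16:
        return "md5-raw-base64"
    if len(raw) == 32 and _MD5_HEX.fullmatch(raw.decode("ascii", "replace")):
        return "md5-hex-base64"
    return None


def scan_requests(lines):
    """lines: 'METHOD absolute-URL' records from a proxy log of your own traffic.
    Returns (host, key, kind) for each secret-named parameter sent over http://."""
    findings = []
    for line in lines:
        _method, _, url = line.partition(" ")
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # TLS transport is not the failure mode being hunted here
        for key, values in parse_qs(parts.query, keep_blank_values=True).items():
            if key.lower() not in _SECRET_KEYS:
                continue
            for value in values:
                findings.append((parts.hostname, key, looks_like_md5(value) or "other"))
    return findings


# Constructed sample log (hosts are placeholders; digest is of a made-up password).
_fake_md5 = hashlib.md5(b"made-up-password").hexdigest()
_fake_md5_b64 = base64.b64encode(_fake_md5.encode()).decode()
_API = "http://api.example.invalid/api?"
SAMPLE_LOG = [
    "GET " + _API + urlencode({"key": "StemConnectApplication",
                               "user": "stem_user@example.invalid",
                               "pwd": _fake_md5, "type": "xml"}),
    "GET " + _API + urlencode({"key": "StemConnectApplication",
                               "user": "stem_user@example.invalid",
                               "pwd": _fake_md5_b64, "type": "xml"}),
    "GET " + _API + urlencode({"deviceaddress": "00:11:22:33:44:55", "action": "get"}),
    # Same secret over TLS: still a bad design, but not the cleartext leak we're flagging.
    "GET https://api.example.invalid/api?" + urlencode({"pwd": _fake_md5}),
]

if __name__ == "__main__":
    for host, key, kind in scan_requests(SAMPLE_LOG):
        print(f"{host}: parameter '{key}' carries {kind} over plain HTTP")
```

An unsalted MD5 of a user-chosen password is a password equivalent: whoever captures it can reuse it against the API without ever recovering the original string, which is why the deck treats "MD5 over HTTP" as equivalent to sending the password itself.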