Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

The Hand That Rocks the Cradle: Hacking IoT Baby Monitors

1,702 views

Published on

Every couple of months, the news covers some prankster yelling at an infant or an unsuspecting nanny through a baby monitor by hijacking its RF signal or abusing vendor-default credentials over the web. As the rapid growth of the Internet of Things (IoT) continues, the capabilities of a predator or prankster to abuse baby-monitoring devices is increasing due to the usage of a complex mixture of platforms, protocols, and hardware. With many high-end baby monitoring devices on the market, how is the never-ending expansion of must-have features for parents being weighed against the threats posed by continually increasing attack surface to provide them?

This presentation will discuss security research performed against nine of the most highly-regarded IoT baby monitors on the market today. Details of research methodologies and vulnerability findings will be presented to give attendees insight into what security flaws were found within the intricate combination of mobile applications, protocols, services, and hardware running these devices. Examples of potential remediations for identified flaws will be conveyed to help attendees learn the right way to handle similar situations in their own engineering efforts. Lastly, a custom scoring system will be used to help provide an apples-to-apples view of how each device faired in holistic security versus other assessed devices.

Curious about how well your privacy and safety are being taken care of by IoT vendors? Interested in IoT security research and want to understand what flaws are being found in devices today? Want to spin your own IoT research but need a methodology and tools to get you started? Attend this presentation and become more aware of the risks facing your family and from the technologies powering our lives.

Published in: Technology
  • Be the first to comment

The Hand That Rocks the Cradle: Hacking IoT Baby Monitors

  1. 1. Hacking IoT Baby Monitors Mark Stanislav, Sr. Security Consultant
  2. 2. Thanks for nothing, CSI:Cyber
  3. 3. Some People Still Care… Like, You Know, Parents July 24th, 2015
  4. 4. What Does an Internet-Connected Monitor Offer? • “Connected” Features (via a Web Site and/or a Mobile Application) • Viewing a live stream locally (the home’s Wi-Fi) or remotely (Internet) • Controlling the camera’s position via pan, tilt, and zoom functionality • Communicating audio through the monitor (i.e. two-way audio) • Playing music or other recorded audio clips (i.e. bring your own lullabies) • Manage device preferences such as the audio volume and “night vision” • Share access and provide privileges to other people (e.g. family, friends) • Access recordings for humidity, temperature, noise, and/or motion alerts • Remote (e.g. SaaS, FTP) and local (e.g. Micro SD) DVR recordings
  5. 5. A Mess of Dependencies and Attack Surface • Many IoT baby monitors leverage third-party services, firmware, and software • Some vendors put a lot of trust in their supply chain without testing security • Implementation errors or failure to comply with best practices also occurs
 • Complex ecosystems means that there are plenty of ways to screw up: • Mobile applications, cloud services, backend services, web applications, firmware, hardware, network protocols, wireless protocols, & cryptography • It’s difficult for a single IoT vendor to be proficient in security across all of it
 • The frameworks, protocols, and design patterns of IoT are still very much in flux
  6. 6. SO, HOW DO WE HACK THESE THINGS?
  7. 7. Via Dumping Firmware Pomona SOIC Clip + Bus Pirate flashrom to Dump Flash binwalk to Extract Filesystems
  8. 8. Hash Cracking with cudaHashcat Scouring Google for Useful Details Via Brute Force of Various Means
  9. 9. JTagulator
 (or Bus Pirate, Shikra, etc.) U-Boot Configuration UART Scan & Connect Via Serial Console (UART)
  10. 10. Via JTAG (e.g. Dumping Memory via GDB) Not a baby monitor… but you get the idea!
  11. 11. Acquire Firmware with dex2jar + JD-GUI for Android View API Calls with mitmproxy (esp. SSL/TLS) Find API End-Points with Clutch + strings for iOS Via Mobile Applications
  12. 12. View Protocol Details with wireshark Uncover Network Services with nmap Via Network Analysis
  13. 13. XSS on Camera Cloud Web Service Hidden Administrative Web Interface Via Web Applications
  14. 14. THE BABY MONITORS
  15. 15. A Variety of Vendors, Styles, Costs, & Features Vendor Model Price Amazon
 Rank* / Stars Two-Way Audio Pan Tilt Zoom Wi-Fi Ethernet Gynoii GCW-1010 $89.34 #56 / 3.8 ✓ ✗ ✗ ✗ ✓ ✗ iBaby M3S $169.95 #243 / 3.4 ✓ ✓ ✓ ✓ ✓ ✓ iBaby M6 $199.95 #31 / 3.7 ✓ ✓ ✓ ✓ ✓ ✗ Lens LL-BC01W $54.99 #149 / 2.8 ✓ ✗ ✗ ✗ ✓ ✓ Philips B120/37 $77.54 #N/A / 2.2 ✓ ✗ ✗ ✗ ✓ ✗ Summer 28630 $199.99 #64 / 3.1 ✓ ✓ ✓ ✓ ✓ ✗ TRENDnet TV-IP743SIC $69.99 #N/A / 3.5 ✓ ✗ ✗ ✓ ✓ ✗ WiFiBaby WFB2015 $259.99 #156 / 3.2 ✗ ✗ ✗ ✓ ✓ ✓ Withings WBP01 $204.60 #101 / 2.9 ✓ ✓ ✓ ✓ ✓ ✓ * Amazon Ranking Based on Category “Baby > Safety > Monitors”, Which Includes Non-IoT Baby Monitors
  16. 16. THE FINDINGS
  17. 17. Withings WBP01 - $204.60
  18. 18. Disabled Doesn’t Quite Mean What it Used To After a stream exists, “disabling” it via the app doesn’t actually stop it… 20 Minutes Later…
 The Stream Still Works!
  19. 19. When Obfuscation Goes Wrong, or, Not at All? At first, this looks like a really poor attempt at an obfuscation method to “hide” the password for this web service account.
 
 On further review, however, the mchunk method simply returns at the start of the for loop, yielding the output from the input to be a concatenation of “ff” and the integer passed as a parameter.
 
 Was this obfuscation intended to be enabled? Did someone give up on their dream of confusing reverse engineers? The world may never know…
  20. 20. WiFi Baby WFB2015 - $259.99
  21. 21. Unauthenticated Log With Stream Details Hardcoded SSL Cert … That’s Not Even Used … Nothing Makes Sense to Me Any More
  22. 22. UPnP RCE Bugs, CVE-2012-5958 & CVE-2012-5959 UPnP Bugs: Alive and Well in Baby Monitoring
  23. 23. Lens Peek-A-View (LL-BC01W) - $54.99
  24. 24. If You Needed Some Free Cloud Storage An FTP Account Per Camera, Apparently Used for Configuration Backups 


 [redacted]
  25. 25. Backdoor Credentials Galore Hidden Web Interface Credentials Cracking the Linux ‘admin’ Password This account has functional ‘root’ privilege due to ugly permissions The Live Stream Passes Credentials in URL over HTTP
  26. 26. Gynoii GCW-1010 - $89.34
  27. 27. Unencrypted Web Services - Local and Cloud Local Administrative API Calls Vendor Cloud API Calls Hidden Device Web Interface Third-Party Streaming Service None of these services or APIs use any encryption and often pass sensitive credentials and keys
  28. 28. TRENDnet TV-IP743SIC - $69.99
  29. 29. 2-for-1 — Unencrypted Web Service + XSS Either MITM a User or Just BYOJS to their DOM:) [redacted]
  30. 30. Telnet Available, Just Not Default A Remote Shell Waiting to Happen… Pro Tip: Remove Remote Access Services, Don’t Just Disable Them! Username: root Password: admin
  31. 31. iBaby M3S - $169.95
  32. 32. Uncovering Backdoor Linux Accounts & Access An nmap Scan Reveals Telnet :) Password is “Protected” by UNIX Crypt Username: admin Password: admin * FYI, there is no ‘root’ on here, only ‘admin’
  33. 33. iBaby M3S - A Historical Look at Software? ✦ U-Boot: 1.1.3, released August 14th, 2005 ✦ OpenSSL: 0.9.8e, released February 23rd, 2007 ✦ Linux Kernel: 2.6.21, released April 26th, 2007 ✦ BusyBox: 1.12.1, released September 28th, 2008
 ✦ UNIX Crypt: First appeared in 1979, limited to 8-character passwords ✦ Telnet: Developed in 1968 — SSH-1 came out in 1995…
  34. 34. Encryption! Just Not Great Choices For it :) Stream Encryption… with XXTEA? Encrypted Backups… with a Hardcoded Password?
  35. 35. iBaby M6 - $199.95
  36. 36. Cryptography? Naw, They Are Just Babies… Unencrypted Web Service Login Telnet & Unencrypted HTTP on Device Unencrypted Mobile API Calls
  37. 37. This is the iBaby Cloud Web Site Today… Login for Camera Owners …and What is Now Returned on Login…
  38. 38. But a Few Months Ago, Direct Object Reference! <—Proper Account “Attacker” Account—> No Authorization/Privilege Given to Our “Attacker” Account
  39. 39. Full Access to All Audio & Motion Alert Videos View Source -> Find AVI Filename -> Access Static CloudFront URL “Attacker” Account—> Don’t let the broken images fool you… there’s live data ready to be viewed! [redacted] [redacted] [redacted] [redacted]
  40. 40. Unauthenticated Access to Unencrypted Videos Example AVI Thumbnail File Video Downloads via Amazon CloudFront ✦ URLs are not requested via HTTPS ✦ No IAM credentials or signed URLs Mobile API Call for Alert Video Retrieval [redacted] [redacted] [redacted] [redacted]
  41. 41. …and Some Weirdly Exposed Web Applications? …But an Admin Site? Now That’s an Interesting Find! Apparently There’s a Private Wiki. What For? No Clue.
  42. 42. Philips In.Sight B120/37
  43. 43. Everything Old is New Again… My IZON Research - 2013 My InSight Research - 2015 The question is… Did security issues fixed by one camera manufacturer ever trickle into devices also leveraging the same firmware?
  44. 44. Shout out to Paul Price for his research into the In.Sight M100 which shares a few issues from my old Stem Innovation IZON research and subsequent research into the In.Sight B120. Check out his site detailing this and other research at ifc0nfig.com! A Quick Look at “Old” Security Issues Still There No SSL on Backend Web Service Telnet Enabled by Default (Until Recently)Multiple Hardcoded Linux Accounts Insecure Firmware Upgrade Process
  45. 45. A Few Newer Issues. But Wait, There’s More! :) Multiple XSS on Web Service Portal Backdoor Telnet Enablement Script Predictable ‘admin’ Web Service Password Username: root Password: b120root
  46. 46. Unauthenticated Administrative Camera Access Camera Home Network Internet User Web Service
 HTTP/80 Clear Text Clear Text Clear Text HTTP Reverse Proxy When a remote end user requests their camera’s stream, an HTTP reverse proxy is opened on a public host & port number, directly to the camera’s backend web service, allowing for a remote attacker to achieve the following: ✦ Unauthenticated and unencrypted video/audio stream access to the user’s camera ✦ Full administrative access to the camera’s powerful backend web service ✦ This includes manipulating camera configuration or even re-enabling Telnet
  47. 47. Finding Exposed Cameras on the Internet The reverse proxy is setup by the stream provider, Yoics, and has a finite number of enumerable hostnames, each with about ~30,000 possible ports that may be utilized.
 
 While this may seem like a lot, an attacker could test this entire range every minute to look for exposed cameras with a simple script or perhaps something powerful like zmap. Unencrypted, Unauthenticated Remote Camera Access Now “Friends” Can Remotely Enable Telnet For You! :) Take David Adrian’s Word For It :)
  48. 48. Baby Monitors — Now With 100% More Track Suit …Because Car Hacking…
  49. 49. Summer Infant Baby Zoom (28630) - $199.99
  50. 50. Issues Found Last Year and Still There Today! Weirdo Command Execution Script Lots of Hardcoded Credentials Shout out to Amir Etemadieh for this research into the Summer Infant Baby Zoom last year. This research can be found at the exploitee.rs web site with a lot of other great work from that team!
  51. 51. Oh, Be Sure to Change Your Password… Default New User Passwords == Last name (truncated to 8 characters) + Group ID
 
 This is not required to be changed on first login and could be enumerated if someone
 knows that you have this device — simply iterate over group ID integers!
  52. 52. Adding a Privileged User to Any & All Cameras Before… After! This HTTP call could be ran against all possible IDs
  53. 53. Coordinated Disclosure Timeline Initial Vendor Disclosure
 July 4th, 2015 — Because America! CERT Disclosure
 July 21st, 2015 — 17 Days After Vendor Disclosure Public Disclosure
 September 2nd, 2015 — 60 Days After Vendor Disclosure
  54. 54. A Modest Baby Monitor Security Checklist Vendor Model Local API 
 HTTP SSL Cloud API HTTP SSL No Remote Shell No Hidden Accounts No Known Vulns No UART Access All Streams Encrypted Gynoii GCW-1010 ✗ ✗ ✗ ✗ ✓ ✗ ✗ iBaby M3S N/A ✓ ✗ ✗ ✓ ✗ ✓ iBaby M6 ✗ ✗ ✗ ✗ ✗ ✗ ✗ Lens LL-BC01W ✗ ✗ ✓ ✗ ✓ ✗ ✗ Philips B120/37 ✗ ✓ ✗ ✗ ✗ ✗ ✗ Summer 28630 ✓ ✓ ✓ ✗ ✗ ✗ ✗ TRENDnet TV-IP743SIC ✗ ✗ ✓ ✗ ✗ ✗ ✗ WiFiBaby WFB2015 ✗ N/A ✓ ✗ ✗ ✗ ✗ Withings WBP01 N/A ✗ ✗ ✗ ✓ ✗ ✗
  55. 55. Scoring Baby Monitors for Overall Security Security Concern Description of Concern Penalty for Missing Local API HTTP SSL All local web service/API calls should be encrypted, regardless of being on a LAN. -20 Points Cloud API HTTP SSL All Internet-facing web service/API calls should be encrypted, including registration. -30 Points No Remote Shell The presence of a remote shell (e.g. Telnet, SSH) create additional attack surface. -50 Points No Hidden Accounts All accounts, whether web services or shell access should be known to customers. -30 Points No Known Vulns All portions of the camera’s supply chain should be free of serious vulnerabilities. -75 Points No UART Access Devices should disable direct serial access and definitely not drop to a root shell. -10 Points All Streams Encrypted All video/audio streams, whether live or recorded, should be encrypted end-to-end. -35 Points All Cameras Start With 250 Points and Receive Deductions
  56. 56. Baby Monitor by Security Score & Grade Vendor Model Price Amazon
 Rank / Stars Score Grade* Gynoii GCW-1010 $89.34 #56 / 3.8 75 F iBaby M3S $169.95 #243 / 3.4 160 D iBaby M6 $199.95 #31 / 3.7 0 F Lens LL-BC01W $54.99 #149 / 2.8 125 F Philips B120/37 $77.54 #N/A / 2.2 30 F Summer 28630 $199.99 #64 / 3.1 100 F TRENDnet TV-IP743SIC $69.99 #N/A / 3.5 50 F WiFiBaby WFB2015 $259.99 #156 / 3.2 80 F Withings WBP01 $204.60 #101 / 2.9 95 F * Grading Scale Based on Points:
 F: < 150 (<60%) ; D: 150 - 174 (60-69%) ; C: 175 - 199 (70-79%) ; B: 200 - 224 (80-89%) ; A: 225 - 250 (90-100%) Baby is Unsatisfied
  57. 57. …But Really? 1. The iBaby M6, Summer, and Philips all had what I would consider “critical” security issues that make them a deal breaker, despite their overall scoring.
 2. Only the iBaby M3S had apparent encryption for all streaming of content and even then, it’s not exactly “industry standard” and has its own potential issues.
 3. More vulnerabilities likely exist such as RCE, XSS, and CSRF in backend web applications — in addition to already noted backdoor credentials/interfaces.
 4. Frankly? Nine devices were way too much and while I am satisfied in the issues that were found, there’s a lot I probably missed others may find!
  58. 58. Conclusions 1. The status quo of security for “connected” baby monitors is deeply concerning.
 2. Even the “best” cameras tested were well below what I’d consider “secure.”
 3. Consumers are woefully unaware that camera security features such as end- to-end encryption of audio/video and well defined, secured access don’t exist.
 4. It’s highly unlikely, based on the issues found, that any of these vendors have third-party security audits and/or a security-focused development program. Parents and their children deserve better. Whether you paid $54.99 or $259.99, a minimum level of security should be expected, and achieved, for all baby monitors.
  59. 59. Not All Hope is Lost, However :) BuildItSecure.ly: Initiative targeted at sharing technical resources with IoT engineering teams and pairing IoT vendors with pro-bono security researchers. OWASP IoT Top 10: Provides vendors a list of the top 10 areas of IoT security that should be focused on during development to ensure a secure ecosystem. Online Trust Alliance: Currently devising the IoT Trust Framework, aimed at providing vendors with clear guidance around IoT privacy and security needs.
 Google Projects: Brillo is a hardened, stripped-down version of Android for IoT, while secure Weave is a secure solution for inter-device communication.
  60. 60. …AND REMEMBER…
  61. 61. Thanks! Questions? Mark Stanislav mstanislav@rapid7.com @markstanislav

×