Black Hat 2013 - Exploiting Network Surveillance Cameras Like a Hollywood Hacker

  • Published 27 Dec 2024

COMMENTS • 557

  • @DeeWeext
    @DeeWeext 9 years ago +1738

    The speakers should always repeat the questions asked.

    • @micicubere
      @micicubere 7 years ago +166

      I regularly speak every year, and I always forget to do this! You're at the end, the tough part is over (only questions left), and it's so easy to miss it.
      (I've written this so I engrave it into my brain)

    • @xl000
      @xl000 7 years ago +22

      you can infer the question from the answer

    • @maze42d
      @maze42d 6 years ago +72

      xl Not if the answer is something like "yes", "no" or "maybe"

    • @omardude39
      @omardude39 6 years ago +39

      Good speaking practice, but to be fair, I really liked this speaker's mannerisms, his talk presence and clarity so I let it pass because his talk was extremely interesting and very entertaining.

    • @GoogleUsedToLetThisNameBeLong
      @GoogleUsedToLetThisNameBeLong 6 years ago +9

      Or you could just ascertain the questions by listening to the answer. Lemme help you out. (and yes I know this was commented 3 years ago) First person asked if these were the only cameras he had looked at for his research, or if he had an opportunity to look at some other more secure vendors. And second question asked if it was possible to replace the .cgi with something other than a still image, such as a video file. Luckily, there were no questions that were simply answered with a "Yes" or "No", but that's just offering half-assed answers anyways, which most presenters are going to try their best not to do.
      Alrighty then!

  • @FarazMazhar
    @FarazMazhar 5 years ago +562

    Makes D-Link joke.
    *laughs*
    *nervously realizes I also have D-Link products*

    • @butteredtoast8666
      @butteredtoast8666 5 years ago +6

      some places that make cameras, expensive and inexpensive, use the same stuff; it doesn't matter.

    • @57thorns
      @57thorns 5 years ago +3

      I have a router, I am pwned. Simple as that. Model, make, etc. makes no difference. But the only webcam I have is connected through USB when used and otherwise physically disconnected.

    • @nogo7277
      @nogo7277 5 years ago

      @@MrDoboz would work for blackmail purposes

    • @MrDoboz
      @MrDoboz 5 years ago +4

      @@nogo7277 unless the hacker can automate the blackmailing (which is not an easy thing to do), it's probably not worth their time. They could work on some ransomware instead which brings some shit ton of money, or just get a real job at some security testing team.
      You see, those are the big money, not an individual person's wallet. Those are not big, and many would still refuse to pay.

    • @stormchaser8472
      @stormchaser8472 5 years ago +1

      the toaster laughs!

  • @renakunisaki
    @renakunisaki 7 years ago +571

    Some of these are so blatant, you have to wonder if they're on purpose. Oops, the one script we forgot to password-protect happens to have a trivial root command injection exploit...

    • @omardude39
      @omardude39 6 years ago +81

      I think the vast majority of these backdoors rely on complacency - "we know way more than the average user, and that makes this device secure" - or security through obscurity - "let's make it difficult to defeat this security by throwing a few things in there they can't possibly know already".
      Lamentably, as a manufacturer it's far easier to deliberately write a backdoor into every device you produce than to try and provide the customer service to all of those who actually manage to lock themselves out of their own devices. This talk serves to demonstrate that if you (accidentally or deliberately) make your design vulnerable to attack, somebody will attack it. Because if they can attack it with the right reasons in mind, anybody can attack it for any purpose they want to.

    • @GoogleUsedToLetThisNameBeLong
      @GoogleUsedToLetThisNameBeLong 6 years ago +26

      ​@@omardude39 Ahh yes, the classic "We know more than you and our customers are bound to be ignorant. Let us accommodate easy troubleshooting solutions that don't ask too much of our privileged position!" No idea why anyone thinks this is good logic, as something that is only secure to the ignorant masses isn't actually secure from any threat that matters.

    • @mikepark5884
      @mikepark5884 5 years ago +7

      A bugdoor, as we like to call it

    • @cyberchef8344
      @cyberchef8344 5 years ago +5

      @imdahG What does this have to do with the talk? It doesn't take a government to take advantage of these types of vulnerabilities. Anyone with a decent understanding of RE and exploitation can utilize them, and anyone that watches a talk like this and has a basic understanding of computers can follow along and utilize the bugs that security researchers publish. Furthermore, going back to your actual point, what makes you think the government even takes advantage of these? The employees have more important things to do than watch random video feeds. The speaker also made a note to say that he discovered these on his own - this wasn't work he was doing for the government.

    • @butteredtoast8666
      @butteredtoast8666 5 years ago +2

      Mr. Potato Head! Mr. Potato Head! A bugdoor is not a secret!!!!

  • @olfmombach260
    @olfmombach260 8 years ago +731

    This is better than comedy.

    • @HelloKittyFanMan.
      @HelloKittyFanMan. 5 years ago +1

      That's fine, Olf, it's OK to like tech stuff more than comedy.

    • @MrDoboz
      @MrDoboz 5 years ago +2

      true, but it's actually sad too, now what the fuck am I gonna do? I can't buy a fucking camera that can't be exploited by anybody who has a brain and some free time to work out the exploits

    • @WordlyAnkit
      @WordlyAnkit 5 years ago +1

      exactly my thoughts.....I switched stand-ups with blackhat videos :D

    • @jojolafrite90
      @jojolafrite90 5 years ago +1

      This is some form of comedy, to my eyes.

    • @dementionalpotato
      @dementionalpotato 4 years ago

      6 6 better than douchery and pretentiousness.

  • @katrinal353
    @katrinal353 7 years ago +238

    Every single time that I worry that technology is moving too fast for us security types, there's a million dollar company to prove me wrong. Every, single, goddamn time. I love it.

  • @killslay
    @killslay 8 years ago +750

    is that podium comically large or is he comically small

    • @AreroniumPlaysL
      @AreroniumPlaysL 8 years ago +50

      both

    • @jonotwist
      @jonotwist 6 years ago +81

      Schrödinger's podium

    • @carloharryman
      @carloharryman 6 years ago +45

      Could be neither, camera might just be really low and close

    • @DanielRivera-pb9zs
      @DanielRivera-pb9zs 6 years ago +23

      Comical camera angle !

    • @Shazzkid
      @Shazzkid 5 years ago +18

      He's just comically far away from it

  • @pgibsonorg
    @pgibsonorg 4 years ago +208

    He failed to guard his corona now there’s an outbreak.

    • @mikhailoldskool8955
      @mikhailoldskool8955 4 years ago +3

      haha i just realised that and it's now 2020 woah

    • @maycodes
      @maycodes 4 years ago

      lol

    • @Rico-iz8mb
      @Rico-iz8mb 4 years ago

      Dude you know it doesn't come from the beer right? also this talk was from 7 years ago...

    • @princeray4247
      @princeray4247 4 years ago +4

      @@Rico-iz8mb joke went miles over your head huh?

  • @YaBoiiiNikki
    @YaBoiiiNikki 9 years ago +318

    Simplicity is key: Want to be safe? Just get a camera physically connected to a hard drive. Almost 10x cheaper and definitely more secure.

    • @ConstantlyDamaged
      @ConstantlyDamaged 9 years ago +116

      +NikkiDiamond Or put your IP cameras on a locked-down VLAN with no internet access.

    • @YaBoiiiNikki
      @YaBoiiiNikki 9 years ago +68

      Darthane I'm too Flintstone for that shit

    • @ConstantlyDamaged
      @ConstantlyDamaged 9 years ago +24

      NikkiDiamond
      Damn you, now I have that theme song in my head.

    • @YaBoiiiNikki
      @YaBoiiiNikki 9 years ago +21

      Darthane That was all part of my evil plan

    • @endoscopisis
      @endoscopisis 9 years ago +17

      +NikkiDiamond hahaha too Flintstone for that shit hahaha

  • @freedfighter96
    @freedfighter96 10 years ago +702

    I barely know how to script, but I actually understood a good amount of that. This guy is great :D

    • @omardude39
      @omardude39 6 years ago +37

      I agree. He's fantastically good at explaining things in understandable terms.

    • @butteredtoast8666
      @butteredtoast8666 5 years ago +7

      You're AWESOME! dont give up

    • @realm2090
      @realm2090 5 years ago +1

      omg same!

    • @simplekindofman8867
      @simplekindofman8867 5 years ago +5

      Can someone tell me what he uses to read the firmware code?

    • @adarshsingh764
      @adarshsingh764 5 years ago +6

      @@simplekindofman8867 binwalk. He said it at 31:22
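
What binwalk does when it "reads" a firmware image, in miniature. This is an added example written for this page, not code from the talk or from binwalk: it scans a blob for the magic bytes of a few filesystem and compression formats that embedded Linux firmware is usually assembled from, and carves the image at each hit, which is the step before you unpack a region and start reading the CGI scripts inside. The firmware blob is constructed inline for the demo; the signature list is a small subset of what a real tool carries.

```python
"""Minimal binwalk-style signature scan over a firmware image (added example)."""
import struct

# (description, magic bytes) for formats common in router/camera firmware.
# The offset of a hit is where a carving tool would cut the image.
SIGNATURES = [
    ("uImage header", b"\x27\x05\x19\x56"),
    ("gzip compressed data", b"\x1f\x8b\x08"),
    ("Squashfs filesystem, little endian", b"hsqs"),
    ("Squashfs filesystem, big endian", b"sqsh"),
    ("CramFS filesystem", struct.pack("<I", 0x28CD3D45)),
    ("JFFS2 filesystem (little endian)", b"\x85\x19"),
]


def scan(blob: bytes):
    """Return [(offset, description)] for every signature occurrence, by offset."""
    hits = []
    for name, magic in SIGNATURES:
        start = 0
        while True:
            idx = blob.find(magic, start)
            if idx < 0:
                break
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def carve(blob: bytes, hits):
    """Cut the blob at each hit; each region runs up to the next hit (or EOF)."""
    regions = []
    for i, (off, name) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(blob)
        regions.append((name, blob[off:end]))
    return regions


def build_sample_image() -> bytes:
    """Constructed image: uImage header, gzip'd kernel stub, zero padding,
    then a squashfs root stub. Not a real firmware file."""
    return (
        b"\x27\x05\x19\x56" + b"\x00" * 60      # uImage header, 64 bytes total
        + b"\x1f\x8b\x08\x00" + b"K" * 120      # gzip magic + fake kernel bytes
        + b"\x00" * 32                          # padding between partitions
        + b"hsqs" + b"R" * 200                  # squashfs magic + fake rootfs
    )


if __name__ == "__main__":
    image = build_sample_image()
    for off, name in scan(image):
        print(f"0x{off:08x}  {name}")
    for name, data in carve(image, scan(image)):
        print(f"{name}: {len(data)} bytes")
```

On a real image the squashfs region is what you hand to unsquashfs (or let binwalk -e do it); the web root and its CGI binaries live inside it, which is where the talk goes next.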

  • @thefudderation444
    @thefudderation444 5 years ago +105

    Six years later, and this shit is still happening... CVE-2019-15498

    • @burgerlx8871
      @burgerlx8871 5 years ago +4

      OMFG LOOOOL

    • @57thorns
      @57thorns 5 years ago +16

      Of course. No one cares about these things.
      NSA wants these backdoors.
      The Russian equivalent wants them.
      Customers (even when running nuclear plants) do not know enough about these things.
      I, as a professional programmer with more than a few decades' worth of experience and enough interest to see a few of these videos, do not know _enough_ about these things.
      And most people, programmers and customers alike, can't be bothered.

    • @andrew1717xx
      @andrew1717xx 5 years ago

      I'd even argue there are two reasons. Innovation and profit. Flaws=room to improve=Selling "Better" equipment with different flaws. After all, the media basically suffers from the same security through "obscurity" bias.

    • @icarusswitkes986
      @icarusswitkes986 5 years ago

      Wtf still?

  • @hgbugalou
    @hgbugalou 5 years ago +67

    This is why I drop all traffic to and from my IP cameras at my edge firewall. If I want to view them remotely I will VPN into my network. It's old school but I don't trust any hardware running embedded Linux on my network. Too many companies have no idea what they are doing code wise and these cameras are essentially computers to be abused.

    • @fss1704
      @fss1704 5 years ago +1

      yeah i don't run anything other than openwrt, the main router can be whatever the fuck but i won't connect without a good router.

  • @H33t3Speaks
    @H33t3Speaks 10 years ago +38

    For anybody wondering whether or not the byte code is x86, it is ARM. (now things make sense lol)

  • @aeonlong8303
    @aeonlong8303 10 years ago +206

    Very good presentation. The presenter is also very good with public speaking, and knew this subject very well. Also was experienced with good audience eye contact, and body language. As a former instructor/trainer myself, public speaking is not for everyone. Interesting subject, I didn't understand a lot about the coding and software values, but nonetheless it was fun/scary to listen to what can be done. Job well done.

  • @lostcause7072
    @lostcause7072 5 years ago +56

    Get this man a glass of water.

  • @paulx2777
    @paulx2777 8 years ago +62

    Moral of the story: don't put your surveillance system on the Internet. And if that is impossible for you, put it behind a firewall that has been beefed up to eliminate such exploits (I'm not sure this is even realistically possible, but I'm just suggesting a possible way to deal with insecure devices of which we have no shortage).

    • @quelorepario
      @quelorepario 8 years ago +8

      I don't think a firewall will protect you, unless you are blocking all traffic to the camera.
      If there is a firewall rule allowing incoming http traffic to the camera, to the camera it will be the same to have video feed streaming out from strings coming in or out, and those strings can be malformed urls or command injections.

    • @paulx2777
      @paulx2777 8 years ago +6

      Yeah. So again, don't put your system on the internet. What little having an internet-connected system buys you (a bit of convenience), is not worth the risk of easy exploits.

    • @satibel
      @satibel 7 years ago +26

      the easiest way to block from the firewall is to use port knocking.
      that means trying, for example, to connect on port 30506, then 18365, then 28435; then the firewall allows http packets to the webcam from your IP only. if you don't connect in this exact sequence, it blocks you for 5 seconds.
      if you wanted to brute force a 3-port port-knocking pattern with a 5 sec timeout, you'd have to wait about 21 990 232 555 520 seconds or about 696 828 years. Still doable, but if you change the pattern every 2 months, that might be almost impossible (you'd need a 4 million IP botnet working on it, and it should probably raise a huge flag on the firewall.) also if you definitively lock an IP after 50 or 100 fails, it would be impossible to brute force unless you are lucky.

    • @dylanh333
      @dylanh333 6 years ago +8

      Better still, set up a personal VPN to your home network and only make it accessible from that and the LAN, or alternatively, use SSH port forwarding to get to it. Don't make it accessible directly from the Internet - even with port knocking

    • @jx4219
      @jx4219 6 years ago +2

      Or you just put a second password between the camera and the internet. The backdoor doesn't work anymore then.
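
The port-knocking gate described in this thread, as an added example (not code from the talk, and not any real knockd implementation): a source IP must hit the three secret ports in order, a wrong knock resets the sequence and puts that source in a penalty window where further knocks are ignored, and a source that fails too many times is banned outright. The clock is injected so the timeout behaviour can be exercised without sleeping; the port numbers are the ones quoted in the comment above, and the IP addresses are made up for the demo. The brute-force helper computes the worst case as ports^k × penalty for a single attacker working serially.

```python
"""Port-knocking gate with penalty window and ban threshold (added example)."""
from collections import defaultdict


class KnockGate:
    def __init__(self, sequence, penalty_s=5.0, max_fails=50, now=None):
        self.sequence = list(sequence)      # secret knock order, e.g. [30506, 18365, 28435]
        self.penalty_s = penalty_s          # how long a wrong knock blocks the source
        self.max_fails = max_fails          # permanent ban after this many wrong knocks
        self.now = now or (lambda: 0.0)     # injected clock (seconds)
        self.progress = defaultdict(int)    # src -> index of the next expected port
        self.blocked_until = defaultdict(float)
        self.fails = defaultdict(int)
        self.banned = set()
        self.opened = set()                 # sources allowed through to the camera's HTTP port

    def knock(self, src: str, port: int) -> str:
        """Feed one SYN from src to port. Returns 'open', 'progress', 'blocked' or 'banned'."""
        t = self.now()
        if src in self.banned:
            return "banned"
        if t < self.blocked_until[src]:
            return "blocked"                # inside the penalty window: knock ignored
        if port == self.sequence[self.progress[src]]:
            self.progress[src] += 1
            if self.progress[src] == len(self.sequence):
                self.progress[src] = 0
                self.opened.add(src)
                return "open"
            return "progress"
        # wrong port: reset the sequence, start the penalty window, count the failure
        self.progress[src] = 0
        self.fails[src] += 1
        self.blocked_until[src] = t + self.penalty_s
        if self.fails[src] >= self.max_fails:
            self.banned.add(src)
            return "banned"
        return "blocked"

    def allows_http(self, src: str) -> bool:
        return src in self.opened


def brute_force_seconds(sequence_len: int, penalty_s: float, ports: int = 65536) -> float:
    """Worst case for one attacker trying every k-port sequence, one attempt per penalty window."""
    return ports ** sequence_len * penalty_s


if __name__ == "__main__":
    clock = {"t": 0.0}
    gate = KnockGate([30506, 18365, 28435], penalty_s=5.0, now=lambda: clock["t"])
    for p in (30506, 18365, 28435):
        print("10.0.0.5 ->", p, gate.knock("10.0.0.5", p))
    print("203.0.113.9 -> 80", gate.knock("203.0.113.9", 80))
    print("worst case, 3 ports, 5 s penalty:", brute_force_seconds(3, 5.0), "s")
```

As the reply below this thread notes, knocking only hides the service; a source that completes the sequence still talks to the same vulnerable CGI, so a VPN or SSH forward in front of the camera is the stronger option.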

  • @themanyone
    @themanyone 10 years ago +18

    This guy hacks into security cameras for fun. It looks simple, but it took some brain power to figure out. Although some of these exploits are patched by now, hardly anybody updates their firmware, and someone could conceivably download new firmware and find more of these exploits in a debugger, without even having to buy the camera.

    • @fss1704
      @fss1704 5 years ago

      they're almost all gone by now, you have to remember that ipv4 is rather small and that people fuck up the hosts or a white hat comes and plant a flag, fixing the cve.

  • @mandisaplaylist
    @mandisaplaylist 5 years ago +6

    13:28 Well, they use "high security" as one of their marketing points. Additionally, their main business focus is networking infrastructure hardware. So this networked camera insecurity fiasco is pretty relevant and pretty embarrassing for them even when "they are not a camera company".

  • @aqueouscomputing8153
    @aqueouscomputing8153 8 years ago +16

    Isn't this the same guy that developed Reaver, the tool built into Kali Linux/Parrot Sec used for recovering WPS PIN Registrars?

  • @DeannaEarley
    @DeannaEarley 6 years ago +2

    I used to work for a CCTV software company and the vast majority of cameras had default passwords still in use (I still have a list, and a map of all the camera clones)
    We always stood by the "we don't have a default/backdoor password" when people called us after getting locked out.

    • @jozjr88
      @jozjr88 4 years ago

      Share the list

  • @deanvangreunen6457
    @deanvangreunen6457 1 year ago

    only issue is that if it had low video quality, when pausing or freezing the image, you will notice from the user side that there are no artifacts, meaning that the user could detect that the image has been paused; things which would add noise to a basic low-video-quality camera are nearby computers, other machines, maybe cleaning machines, or noise from the outside...

  • @Dorngela
    @Dorngela 10 years ago +15

    Why in the world would someone possibly do Javascript Authentication?
    They write firmware for cameras but they don't know how to write PHP?

    • @MazeFrame
      @MazeFrame 5 years ago +1

      Why not have the firmware available and pay bounties?

    • @MrDoboz
      @MrDoboz 5 years ago +3

      @@MazeFrame You answered it with the question. "pay"

  • @JasonSpiffy
    @JasonSpiffy 9 years ago +3

    This is great! Scary but great. Ive read about several companies doing half assed jobs doing these kinds of things. This man just showed how easy it is (for the people with the technical skill).

  • @kd1s
    @kd1s 6 years ago +7

    Well a good nmap scan is pretty valuable too.

  • @mitchblackmore5230
    @mitchblackmore5230 4 years ago +6

    Even though this was miles above my nerd level, it was still interesting to watch.

  • @tim2221
    @tim2221 5 years ago +1

    What's that B64 non-standard key string encryption he's talking about? I have no clue what this is nor was I able to google it successfully.

  • @elduderino7456
    @elduderino7456 4 years ago +3

    Every camera manufacturer ceo face rn:
    PIKACHU FACE

  • @devnull7970
    @devnull7970 10 years ago +25

    Actually rofling at the "Ron Burgundy" exploit.

  • @Slash27015
    @Slash27015 5 years ago +31

    It's almost 2020 and these days I see automated scans on my router from all kinds of national IPs that scan automatically on every port available and try default FTP passwords etc., with access denied errors, hence how I found out about this.
    This video is great security motivation for anybody, especially with the new generation of Minecraft kids setting their router's DMZ to their local PC so their servers run consistently, but also opening a whole world of AI scanners that will get into much worse once they've found local admin / root.

  • @Shazzkid
    @Shazzkid 5 years ago +81

    I. AM. ROOT

    • @MrSaemichlaus
      @MrSaemichlaus 5 years ago +3

      Somebody needs to make a shirt of that.

    • @MrDoboz
      @MrDoboz 5 years ago +2

      I am Groot

    • @colosalkompakt
      @colosalkompakt 5 years ago +2

      Winner of UA-cam 2019!

  • @ChillerDragon
    @ChillerDragon 5 years ago +9

    This was fun.
    Also funny was when he said 0day and I realized that the video was uploaded years ago haha

  • @simplekindofman8867
    @simplekindofman8867 5 years ago +1

    I am new to the cyber world and I have to say this video is amazing. What great presentation and knowledge. Thank you.

    • @PeterMaddison2483
      @PeterMaddison2483 5 years ago

      Have you got Kali Linux? If not, get it.

    • @simplekindofman8867
      @simplekindofman8867 5 years ago +2

      Peter Maddison I’ve got it. Using it on Virtual Box. This security stuff is so complicated. I had no idea how traffic could be manipulated.

    • @haveaniceday7950
      @haveaniceday7950 4 years ago

      Simplekind Ofman any update for a fellow absolute beginner?

    • @simplekindofman8867
      @simplekindofman8867 4 years ago

      @@haveaniceday7950 Well, I use Virtual Box for loading the virtual machines. However, lately, Hack the Box is a great site for practicing pen testing. You learn a lot and see some real material. If you really want to learn, go to Udemy, they have classes really cheap and some of those folks are very detailed.

  • @57thorns
    @57thorns 5 years ago +4

    26:26 In this case I believe the answer to "who is vulnerable" is "everyone"?

  • @iangraham6730
    @iangraham6730 5 years ago +3

    Excellent demonstration 👌 Anything nice for 'hikvision' lately?

  • @entee123
    @entee123 5 years ago +4

    It's 2019 and my friend told me that there are still cameras out there with version 1.4.13 that can be easily searched for and yet none of these exploits work. Strange...he said.

  • @msven
    @msven 11 years ago +3

    Thanks for the post. I love watching Craig's stuff. Very well explained and makes me actually want to look through firmware

  • @icarusswitkes986
    @icarusswitkes986 5 years ago +12

    It’s been 6 years... are these patched yet?

  • @chriskaprys
    @chriskaprys 9 years ago

    would anyone be so kind as to explain the grep command in terms of the command injection during 16:00 when he's talking about the IQinvision cameras?
    i think i understand the actual command injection appended to the end of the string entered into the URL (apart from the addition of "$IFS"), but how does the next command, "grep -i ...." come into play after that?
    it seems /oidtable.cgi and /oidtable.html give the same results in terms of the info they pull and list.
    thanks for any leads.

    • @chriskaprys
      @chriskaprys 9 years ago

      +chris kaprys oh nevermind. i missed that very quick slide that shows it's the camera's code itself that creates that line
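
The command injection and the $IFS trick asked about in this thread, as an added example written for this page. The handler below is a stand-in, not the camera's real oidtable.cgi: it concatenates the request parameter into a `grep -i ...` command line the way the talk describes the camera's own code doing, and a hardened version is placed beside it for contrast. `$IFS` matters because a literal space in the URL parameter is frequently stripped or rejected, while the shell's Internal Field Separator expands to whitespace and splits the injected `echo` from its argument. The OID table file is constructed for the demo.

```python
"""Command injection via $IFS in a grep-based CGI lookup, plus the fix (added example)."""
import os
import re
import subprocess
import tempfile

# Constructed stand-in for the camera's OID table.
SAMPLE_TABLE = "1.3.6.1.2.1.1.1 sysDescr\n1.3.6.1.2.1.1.5 sysName\n"


def write_table() -> str:
    """Write the sample table to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_TABLE)
    return path


def vulnerable_lookup(query: str, table_path: str) -> str:
    """Hypothetical CGI behaviour: the URL parameter is pasted straight into a
    shell command line, so every shell metacharacter in it is interpreted."""
    cmd = f"grep -i {query} {table_path}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True,
                          stdin=subprocess.DEVNULL).stdout


def hardened_lookup(query: str, table_path: str) -> str:
    """Fix: whitelist the parameter and pass argv directly, no shell involved."""
    if not re.fullmatch(r"[A-Za-z0-9.]{1,64}", query):
        raise ValueError("invalid OID query")
    return subprocess.run(["grep", "-i", query, table_path], capture_output=True,
                          text=True, stdin=subprocess.DEVNULL).stdout


# Payload: ';' ends the grep, '$IFS' stands in for the space between echo and its
# argument, and '#' comments out whatever the CGI appends after the parameter.
# A real attacker would run something other than echo here.
PAYLOAD = "sysName;echo$IFS'INJECTED';#"


if __name__ == "__main__":
    path = write_table()
    print("vulnerable, benign query :", repr(vulnerable_lookup("sysName", path)))
    print("vulnerable, payload      :", repr(vulnerable_lookup(PAYLOAD, path)))
    try:
        hardened_lookup(PAYLOAD, path)
    except ValueError as e:
        print("hardened, payload        : rejected,", e)
```

The hardened version rejects anything outside the characters an OID lookup legitimately needs; the argv form means that even if validation were loosened, the query could never become a second command.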

  • @thegazillionmask
    @thegazillionmask 6 years ago +1

    18:47
    how do i view the source code of a password field such as that one that's using JavaScript, or anything else like PHP or whatever. Is it as easy as using inspect element in a web browser?

    • @wasdasoos6552
      @wasdasoos6552 5 years ago +1

      yeah you can just right-click -> inspect to see the code, if they use JS. you can't see any PHP code since it's executed by the webserver, but in this case the JS evaluates if you authenticated successfully and redirects to the firmware dl page.. so you can just go there manually since you can see the needed GET param :)

    • @fake12396
      @fake12396 4 years ago +1

      they have a new site now, with a new security scheme for the firmware. instead of a password, they want the name of your sales person. brute force attack worked pretty well here, 2 guesses and i found out that 'Mike' gets you in. it's amazing how they can even come up with such password authentication and login systems.

  • @olfmombach260
    @olfmombach260 8 years ago +6

    *So there is one big problem: Even if you can break through all these pseudo-walls and stuff, HOW THE HECK CAN YOU FIND OUT THE IP ADDRESS OF THE CAMERA?*

    • @Landoaeon
      @Landoaeon 8 years ago

      every vendor has programs that will scan for cameras on the network. it will even allow you to change the IP... without authentication... there are some models that lock this out though after a period of time after start up

    • @olfmombach260
      @olfmombach260 8 years ago +1

      Landan Hughes
      Now that is surprisingly (in a scary way) easy.

    • @m3n4lyf
      @m3n4lyf 6 years ago

      *ahem* github.com/robertdavidgraham/masscan

    • @2arx992
      @2arx992 6 years ago

      shodan

  • @JoeCnNd
    @JoeCnNd 3 years ago

    10:40 I think the crowd didn't get the war games picture. lol

  • @cellarseer
    @cellarseer 6 years ago +64

    I realize he's 1000x as brilliant as I am, so is it wrong it bugs me when he says "oh-day" instead of zero day?

    • @GoogleUsedToLetThisNameBeLong
      @GoogleUsedToLetThisNameBeLong 6 years ago +22

      I think you're confusing his nerdy colloquialisms (which he let show multiple times in his presentation) with ignorance of the letter "O" not being the same thing as the number "0". But to be fair, you're not wrong still lol.

    • @GoogleUsedToLetThisNameBeLong
      @GoogleUsedToLetThisNameBeLong 6 years ago +7

      @Joe Blow Yeah this is true. And while i do think he was doing it on purpose to some degree, I was thinking about another example where it's considered the norm. I live here in Denver, Colorado and if you ask almost ANYONE what our area code is, they will tell you its "3-Oh-3" or 303. Almost nobody will ever say "3-Zero-3", and i've never really given it much thought as to why until now...... Conclusion: People are weird.

    • @edogg5690
      @edogg5690 6 years ago +4

      @@GoogleUsedToLetThisNameBeLong that's pretty common around me also. Somewhere along the line someone subbed Oh for Zero and it's been like that ever since. In fact the only time i ever say zero as opposed to oh is when I'm on the phone confirming some type of number or code.

    • @andrewferguson6901
      @andrewferguson6901 5 years ago

      yeah I fucking hate when people say four oh four error too /s

    • @andrewmcswain9452
      @andrewmcswain9452 5 years ago +1

      "OH" is one syllable and is arguably the second easiest, after "AH." compare that to zero, which has two difficult consonants as well as vowels that vibrate at very different tones and in different parts of the oral cavity.
      in other words, it's just easier

  • @SymplyAmazingJD
    @SymplyAmazingJD 3 years ago +1

    i really didn't understand a word, but somehow I still found it quite interesting hearing him explain all this fancy stuff. I am highly confused yet entertained

  • @PashaDefragzor
    @PashaDefragzor 5 years ago +3

    cracking the old way, I wonder about the creators of an IP cameras, what did they wanted to get at the end of a result, the next conference of a Black noob 2013 ? ^^

  • @ElunesMoonLight
    @ElunesMoonLight 6 years ago +1

    I have one question, all the admin pages' IP addresses were accessed through google search i think right? How can I find out what IP address is on one specific camera for example? Imagine this: I have a camera on my house, i can see the exact model of camera, how can i determine the IP. Just interested how this can be done, in movies they know the IP of everything immediately somehow :D

    • @ElunesMoonLight
      @ElunesMoonLight 6 years ago

      @Marvin blue i would like to know how to find an IP address. I just want to know how it is done. I don't need to hack something. i am interested in IT security. i never saw this concept on the internet somewhere of how to find the IP of one specific piece of hardware.

  • @dot_lexg
    @dot_lexg 6 years ago +1

    I love the Bob Evans product placement of the podium

  • @lyfeninja7264
    @lyfeninja7264 9 years ago +1

    With how much money these companies make, why do they not invest in the security of their products? It's sad to think people are able to tap into schools, hospitals, financial institutions, government agencies, etc and see anything that want; not to mention having access to the local network. Maybe instead of being so tight with their money, they should hire people such as the speaker to find vulnerabilities for them. I know there are companies that do such work, but there are more skilled individuals than what any company has. Put a bounty out for vulnerabilities... Awesome presentation.

  • @mikenichols0xcf42a64d
    @mikenichols0xcf42a64d 6 years ago

    Any updates to this talk? Have you looked at Ubiquiti's cameras?

  • @fsecofficial
    @fsecofficial 2 years ago

    Those cameras are all on the WAN and behind the WAP and firewall. If you’re already on the network you can just use Wireshark to watch existing feeds.

  • @KyrstOak
    @KyrstOak 4 years ago +3

    He makes that tisking sound a lot.

  • @HelloKittyFanMan.
    @HelloKittyFanMan. 5 years ago +1

    And let me guess: the panel that covers the SD card slot on those cameras that have them is held in place by a lock that has "CH-751" or "C0106" stamped on it! Right?

    • @MrDoboz
      @MrDoboz 5 years ago

      no, it has MasterLock stamped on it

  • @TimmyTarget
    @TimmyTarget 2 years ago +1

    Would've been swell if he swigged the beer instead of the water at the end of that haha.

  • @bornfree2237
    @bornfree2237 5 years ago +1

    Isn't 100% of this avoided by separating your DVR IP network from the client? I use more Wisecom, but have used others the same.

    • @fss1704
      @fss1704 5 years ago

      Nope, as long as you have a public address you can hack the camera and use the camera as a relay to hack the router or mess with the network.

  • @erikecoologic
    @erikecoologic 5 years ago

    Great talk. Impressive that products not designed to receive updates are shipped in this condition. We need better ethics in the industry.

  • @LashyYT
    @LashyYT 5 years ago +1

    Are there parts in the video that you don’t understand ?

  • @DilanGilluly
    @DilanGilluly 5 years ago +2

    What beats me is the admins throwing their security cameras out in the wild right on the internet. It's common and best practice to firewall them and hide them behind a secure VPN. Also VPN software gets patched and evaluated for vulnerabilities more than embedded firmware does. But these guys are like "nope, just throw that shit right on the open internet."

  • @KatorNia
    @KatorNia 5 years ago +4

    Funny, I always thought it was "0-day (zero-day)" instead of "O-day (oh-day)".

  • @jonhille
    @jonhille 3 years ago

    Is he using ubuntu? and what specific chromium did he use as his "hacker browser"? what made it a "hacker browser"?

  • @HelloKittyFanMan.
    @HelloKittyFanMan. 5 years ago +2

    Huh, this reuse of code across several brands of networked cameras reminds me of keyed-alike locks as described by "Deviant" Ollam! So even though this code isn't exactly keys (public, private, SHA, hash, etc.), it seems similar.

  • @opiniondiscarded6650
    @opiniondiscarded6650 3 years ago

    I'd love to see a walkthrough of how he ran his Qemu. I wonder if he's just emulating the programs individually or if he's booting the full system with a kernel in a VM. I'd assume it's the former, but would love to see it regardless.

  • @liukang85
    @liukang85 4 years ago

    Can sb explain the 'tab=4' part? I don't get it
    EDIT:
    I guess I understood he used 'tab=4' as a password, when what he really meant was just that he appended four tabs to the password-prompt-URL for the product?

    • @raoanjumjamil9746
      @raoanjumjamil9746 2 years ago

      The page literally directs every signed in user to the same specific website url and the cherry over the top was that url was listed in the php for the code so tab=4 was like a query after the initial url.

  • @haveaniceday7950
    @haveaniceday7950 4 years ago +1

    So all of this is only possible if the model of the camera is known, correct? Then looking up the firmware and going from there.
    Well in Hollywood they just do it without that😉

  • @RileyNRV
    @RileyNRV 5 years ago +2

    I hope to know as much as this guy does one day.

  • @the_average_canadian
    @the_average_canadian 10 years ago +64

    XD 3SVISION hasn't patched that yet

    • @pokemocestlediable
      @pokemocestlediable 9 years ago +1

      chuck norrisonefivesix now it is ^^

    • @Lino1259
      @Lino1259 6 years ago +1

      There are still cameras accessible tho

    • @TheMrKeksLp
      @TheMrKeksLp 5 years ago +8

      Don't forget that absolutely nobody on this planet updates surveillance camera firmware

  • @emsicz
    @emsicz 6 years ago

    I get his point, but in order to do that, you have to access the same network the camera is on. Can someone point me in the direction why that would be the case? How do you get access to these? Even if the camera is accessible from the internet, how would you find it?

    • @sheriffoftiltover
      @sheriffoftiltover 6 years ago

      Google.

    • @G14N14RI12
      @G14N14RI12 6 years ago

      That's what the Shodan stuff was for. You can find internet connected devices using it.

  • @knezivan1
    @knezivan1 6 years ago

    you tried any Bosch cameras? in my country they are the most expensive cameras sold and they sell a ton of them.

  • @Nerd2k7
    @Nerd2k7 8 years ago +1

    How did he manage to get to the download page at 18:58?
    What did he enter?

    • @IVIasterIVIind
      @IVIasterIVIind 8 years ago

      Having checked it, their page still has the following bit in their source code:
        else if(par == 2)
          location.href = "prod_info.php?pid=" + pid + "&tab=4";
      That's a bad sign.

    • @Nerd2k7
      @Nerd2k7 8 years ago

      yeah i saw that too. But the question was what I have to enter to access?

    • @quelorepario
      @quelorepario 8 years ago

      prod_info.php?pid=productid&tab=4

    • @astrionn6182
      @astrionn6182 8 years ago

      To make it a little easier for you: you can get the pid by browsing to the product (in this case the URL says "prod_info.php?pid=11"), so you already know half of the code ^^ Just copy that and add "&tab=4" and there you go.

  • @chrisg661
    @chrisg661 4 years ago

    what is the name of the software used to analyze the binaries?

  • @Polygonlin
    @Polygonlin 2 years ago +1

    "This Camera has a list price of *CONTACT US* Which is how i KNOW i can't afford it" LOL THAT SHIT HIT HOME *HARD!*

  • @codesmen7068
    @codesmen7068 3 years ago

    How does he find the web servers, I know about SSH, but still tho how.

  • @GreenNati0n
    @GreenNati0n 7 years ago +1

    can someone explain how he gets root after getting admin access didn't quite understand that bit

    • @grayfox4551
      @grayfox4551 5 years ago

      Decoded the configuration file... then pass command new user=root... basically escalated privileges, initially as default admin.

    • @freemanguess8634
      @freemanguess8634 5 years ago +1

      Reminds me when i gave myself root over win 10

  • @Maximise07
    @Maximise07 6 years ago

    I found this fascinating, but have absolutely zero experience in coding or scripting or whatever, and am a total newb when it comes to computer use in general.
    It seems like I need to learn a new language to do this, and I've always wanted to be bilingual....
    If I wanted to be able to understand more to do things like this myself, where do I start?
    What resources do I use?
    are there specific training courses I can sign up to to learn this stuff?
    How long would it take to go from knowing nothing, to understanding how to do something like this?

    • @XTheDentist
      @XTheDentist 6 years ago +1

      First step I recommend is don't learn ANY coding, put that aside for now. First, read up on Linux and find like 3 different distributions and learn how to install them and set up a multiboot setup, understand the boot process, the file system and the structure of Linux. Learn how to get comfortable at the command line; basically just have a command line reference for your distribution and start playing around getting comfortable. Learn as many command line tools as you can and really try to learn how the operating system works.
      After you get comfortable with a Linux environment, and really this doesn't take as long as you think with today's resources with books, YouTube tutorials, etc., then you can begin learning some coding, and I suggest learning the C programming language since that is what Linux is written in, and don't be afraid of learning just a little bit of assembly, at least the basic idea, since that will deepen your understanding of computer hardware in general and how software communicates with it. But before learning C, maybe you can learn Python first or perhaps a scripting language or shell scripting. Good luck!

  • @Flqmmable
    @Flqmmable 4 years ago

    What makes me happy is when someone laughs at his jokes that normal people wouldn't understand. We smart!

  • @n3rdy11
    @n3rdy11 10 years ago +9

    Can somebody please explain this whole "tab=4" thing again?
    I'm not a coder, but literate enough to understand most of these talks.
    But bypassing that java login page, I did not understand what happened there or what's so funny about "tab=4"? Is it some kind of known trope? Or something he simply read out of the java code of the page?
    And what did it actually enable him to do? Hit tab 4 times on the password field to get a login? Not that i want to break into anything, i just don't understand the joke, when i usually do, so i feel kind of bummed out :(

    • @NicholasRizzio
      @NicholasRizzio 10 years ago +58

      (18:00) The JavaScript code does two things:
      Check if the password is correct by asking the website,
      and
      If the password is correct, navigate to the same exact page, except at the end of the URL, add "?&tab=4"
      which means the entire login mechanism can be bypassed just by adding "?&tab=4" to the end of the URL in the address bar. Showing that they are truly incompetent at security, or that they don't care about it at all.

    • @n3rdy11
      @n3rdy11 10 years ago +17

      Nicholas Rizzio Aahh now i get it! Thank you so much for taking your time to explain that again :)

    • @NicholasRizzio
      @NicholasRizzio 10 years ago +5

      No problem.

    • @redactedllc.1864
      @redactedllc.1864 7 years ago +3

      It doesn't work anymore..

    • @Johnwww07
      @Johnwww07 7 years ago +1

      Everyone knows tab actually = 8
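The "tab=4" bypass the replies above describe is a client-side-only authentication check: the page's JavaScript asks whether the password is right and, on success, navigates to the same URL with "&tab=4" appended, while nothing on the server verifies that the check ever ran. Below is an added example, not code from the talk or from the vendor's site, that models that flow in Node.js and shows the same route with the check moved to the server. The product id, password, link list, and the function and host names are assumptions made up for the illustration.

```javascript
// Added example (not from the talk or the vendor site): a minimal model of the
// login flow described in the thread.  The vendor page ran a JavaScript check and,
// on success, set location.href to "prod_info.php?pid=<pid>&tab=4".  Nothing on
// the server side verified that the check had ever happened, so requesting that
// URL directly skips the login.  All names and values below are assumptions.

const FIRMWARE_LINKS = { 11: ["fw_v1.2.bin", "fw_v1.3.bin"] }; // constructed sample data
const VALID_PASSWORD = "example-only";                          // assumption
const BASE = "http://camera-vendor.invalid/";                   // placeholder host

// What the browser-side script did: ask whether the password is right, then
// navigate.  The only "gate" lives in the client.
function clientSideLogin(pid, password) {
  const ok = password === VALID_PASSWORD;              // stands in for the XHR check
  return ok ? `prod_info.php?pid=${pid}&tab=4` : null; // where location.href would go
}

// Vulnerable server: tab=4 serves the firmware list to anyone who asks for it,
// because the server assumes only the post-login redirect produces that URL.
function vulnerableServer(url, session) {
  const u = new URL(url, BASE);
  const pid = u.searchParams.get("pid");
  if (u.searchParams.get("tab") === "4") {
    return { status: 200, body: FIRMWARE_LINKS[pid] || [] };
  }
  return { status: 200, body: "login form" };
}

// Hardened server: same route, but authorization is decided from server-held
// session state on every request, not from the fact that a client navigated here.
function hardenedServer(url, session) {
  const u = new URL(url, BASE);
  const pid = u.searchParams.get("pid");
  if (u.searchParams.get("tab") === "4") {
    if (!session || !session.authenticated) {
      return { status: 401, body: "login required" };
    }
    return { status: 200, body: FIRMWARE_LINKS[pid] || [] };
  }
  return { status: 200, body: "login form" };
}

// Server-side login that produces the session the hardened route requires.
function serverLogin(password) {
  return password === VALID_PASSWORD ? { authenticated: true } : null;
}

// Walk through the legitimate flow and the address-bar bypass against both servers.
function demo() {
  const bypassUrl = "prod_info.php?pid=11&tab=4"; // typed straight into the address bar
  const legitUrl = clientSideLogin(11, VALID_PASSWORD);
  return {
    legitUrl,
    vulnerableBypass: vulnerableServer(bypassUrl, null).status, // 200: links served
    hardenedBypass: hardenedServer(bypassUrl, null).status,     // 401: rejected
    hardenedLegit: hardenedServer(legitUrl, serverLogin(VALID_PASSWORD)).status,
  };
}

module.exports = { clientSideLogin, vulnerableServer, hardenedServer, serverLogin, demo };
```

The point of the hardened version is not the extra `if`: it is that the decision is made from state the client cannot forge (a server-side session), so it no longer matters what a visitor types into the address bar or how the page's script was edited.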

  • @GoldCaesar
    @GoldCaesar 6 years ago +17

    What a stupidly large podium, really the adverse of what a podium is for🤦

  • @ApusApus
    @ApusApus 5 years ago

    While watching this video, my computer's RAM was very suddenly overloaded (98%), basically everything crashed. I didn't see what it was because on Task manager I was looking for a program to close (while usually it is sorted by RAM or CPU usage). I am getting concerned...

    • @MrDoboz
      @MrDoboz 5 years ago +1

      press Alt+F4 a few times repeatedly, then check task manager if the problem is solved yet. if not, delete system32. Check again, if still not solved, install Linux

  • @27shogun58
    @27shogun58 7 years ago

    Anybody know stuff about how to view firmware code like the lines he showed in the presentation?
    Can't find anything new on the internet

    • @27shogun58
      @27shogun58 7 years ago +1

      Oh right, go to the website and download the firmware update
      Didn't watch the whole talk

  • @airbornejoseph
    @airbornejoseph 9 years ago

    Dude you are the man. I am still new to "security world". I really want to become a solid Penetration Tester. What would your recommendations be?

    • @anaselmedlaoui1277
      @anaselmedlaoui1277 9 years ago

      Joseph Brownfield, try first to understand the basics of networking and how it works.
      Always start with the basics so you don't get confused, because the network world is huuuuuuuuggee bro.

    • @airbornejoseph
      @airbornejoseph 9 years ago

      Thank you. Graduating with my dual major in networking technology and information security and still haven't scratched the surface.

    • @anaselmedlaoui1277
      @anaselmedlaoui1277 9 years ago +2

      Really? That's weird!!
      You should have knowledge about networking by now, but no problem.
      Just start with the easy parts, and if you find yourself enjoying what you do then the network world is your place. Just don't lose hope, because that's a common thing for newbies.
      Just keep going and you will keep getting better every day.
      Try www.cybrary.it
      They have excellent video training and great teachers in every module in networking, from hacking to switching and routing, and it's all free.
      Just create an account and start learning,
      and if you need anything just ask me.
      Glad to help :)

  • @Metruzanca
    @Metruzanca 5 years ago

    ..... What does tab=4 mean?

  • @antoinecompagnie6640
    @antoinecompagnie6640 8 years ago

    I don't understand what did Craig said at 4:47, I don't understand the joke, can one help me?

    • @TheZakkattackk
      @TheZakkattackk 8 years ago +1

      +coloc antoine It's not really a joke, people are chuckling because the exploit was so prolific. It's kind of funny because the only directory not protected by a password happened to be a vector through which you could issue any command to the system. He didn't really have to do anything that special, just edit the query, and as you saw, was able to get full admin access to the web server.

  • @burningrax5859
    @burningrax5859 5 years ago +1

    Anyone able to explain what tab=4 means?

    • @christoffrossouw2923
      @christoffrossouw2923 5 years ago +2

      When a user normally authenticates they will be taken to the firmware page specified by the tab=4 at the end of the URL. The problem was that you could completely skip the authentication and just redirect to the URL

    • @burningrax5859
      @burningrax5859 5 years ago

      @@christoffrossouw2923 thank you

  • @darthstar18
    @darthstar18 10 years ago +1

    I bet police and security officials are all over this convention

  • @andhemills
    @andhemills 2 years ago

    I was listening, not watching. After the exploit, I heard him take a drink. I was disappointed he wasn't swigging the beer that was being guarded.
    Phrase of the video: "Epicly trivial"
    Hoping the state of the art has improved in the last decade.

  • @simulationnomad5489
    @simulationnomad5489 10 years ago +4

    On the 3S Vision website there is now, a new level of lame! Seriously, you don't even need to "?&tab=4", just view the page source on the Download page when the JS /usr/pwd box pops up, ALL the links that you need to download are RIGHT there, just scroll all the way down. ALSO for the ultimate level of stupidity, the JS Box ONLY blocks a certain part of the download page, meaning IF you scroll all the way down you will see the LINE of the JS Box end and you can click the links, not even need to check the Source page for these parts. Seriously...this is really bad.

    • @nicolek4076
      @nicolek4076 9 years ago

      Simulation Nomad It's terrifying how bad web sites are. The clueless contract with the unaware and put something in front of the public that's just plain awful. I've come across two monumentally bad UK government web sites this week, that have obviously been only superficially tested.

    • @Nerd2k7
      @Nerd2k7 8 years ago

      +Simulation Nomad Can you describe to me how he could get access to the page with the &tab=4 code section? I couldn't follow him.

    • @redactedllc.1864
      @redactedllc.1864 7 years ago

      They changed the JS, cuz it doesn't work anymore... :/

  • @SirCommoner
    @SirCommoner 10 years ago +123

    Playing Watch_Dogs and seeing this afterwards is really mindblowing...

    • @matejcerman4494
      @matejcerman4494 10 years ago +1

      I have just finished the campaign and then discovered this video :)

    • @SirCommoner
      @SirCommoner 10 years ago +1

      Me too!

    • @jian2069
      @jian2069 10 years ago +11

      watch dogs is literally the worst game of this year.

    • @SirCommoner
      @SirCommoner 10 years ago

      Josh Kelly I agree

    • @scionboy100
      @scionboy100 10 years ago

      Josh Kelly Your opinion, but it is basically the modern AC

  • @ripmeep
    @ripmeep 5 years ago

    What is he using to view the cgi stuff??

  • @deoxysdanderson9149
    @deoxysdanderson9149 8 years ago +1

    3:30 How did he get into the webserver of the camera?
    and these directories at 4:07 ?

    • @dardosordi
      @dardosordi 8 years ago

      He says it later, he downloaded the firmware upgrades from the vendor's site and decompressed them.

    • @deoxysdanderson9149
      @deoxysdanderson9149 8 years ago

      How would he then access it in an actual camera?

    • @dardosordi
      @dardosordi 8 years ago

      +Deoxys Danderson (DjOxys) Go to your vendor's website, download the firmware upgrade and use binwalk.

    • @deoxysdanderson9149
      @deoxysdanderson9149 8 years ago

      I mean, if there was a camera on the network and he wanted to explore it, how would he do that?

    • @quelorepario
      @quelorepario 8 years ago +1

      He finds out the model, gets the firmware, find vulnerabilities, exploit them. Then take what he learned and exploits the target camera.

  • @bengarretson9179
    @bengarretson9179 5 years ago

    How does he find/access the code he displays and analyzes?

    • @tactileslut
      @tactileslut 5 years ago

      Explained near the end: binwalk and IDA are the magic sauce.
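Several replies above say the same thing: get the firmware update from the vendor's site and run binwalk on it. What binwalk does at its simplest is scan the image for the magic bytes of known headers (a bootloader image, a gzip'd kernel, a SquashFS root filesystem) and carve out what it finds so you can unpack and disassemble it. The following added example, which is not binwalk and not code from the talk, does that scan in Node.js over a constructed byte buffer so it runs offline. The signature table is a small hand-picked subset, and the carving trusts the magic bytes alone; a real scan validates each hit against the header that follows it.

```javascript
// Added example (not binwalk, not code from the talk): a tiny signature scan of
// the kind binwalk performs on a vendor firmware update.  The sample image below
// is constructed, so this runs offline.  SIGNATURES covers only a few well-known
// magics; binwalk's library is far larger and validates headers after matching.

const SIGNATURES = [
  { name: "uImage header",            magic: Buffer.from([0x27, 0x05, 0x19, 0x56]) },
  { name: "gzip compressed data",     magic: Buffer.from([0x1f, 0x8b, 0x08]) },
  { name: "Squashfs (little-endian)", magic: Buffer.from("hsqs", "latin1") },
  { name: "Squashfs (big-endian)",    magic: Buffer.from("sqsh", "latin1") },
  { name: "ELF executable",           magic: Buffer.from([0x7f, 0x45, 0x4c, 0x46]) },
];

// Return every { offset, name } at which a known magic occurs, sorted by offset.
function scanFirmware(image) {
  const hits = [];
  for (const sig of SIGNATURES) {
    let from = 0;
    for (;;) {
      const off = image.indexOf(sig.magic, from);
      if (off === -1) break;
      hits.push({ offset: off, name: sig.name });
      from = off + 1; // keep going; the same magic can appear more than once
    }
  }
  return hits.sort((a, b) => a.offset - b.offset);
}

// Carve the bytes from each hit up to the next hit (or end of image).  Each slice
// is what you would hand to gunzip / unsquashfs / a disassembler after a real scan.
function carve(image, hits) {
  return hits.map((h, i) => {
    const end = i + 1 < hits.length ? hits[i + 1].offset : image.length;
    return { ...h, length: end - h.offset, data: image.subarray(h.offset, end) };
  });
}

// Constructed sample "firmware": a uImage header at offset 0, a gzip'd payload at
// 64 and a little-endian SquashFS image at 128, zero-padded in between.
function sampleImage() {
  const img = Buffer.alloc(256, 0);
  Buffer.from([0x27, 0x05, 0x19, 0x56]).copy(img, 0);
  Buffer.from([0x1f, 0x8b, 0x08, 0x00]).copy(img, 64);
  Buffer.from("hsqs", "latin1").copy(img, 128);
  return img;
}

// Human-readable listing in the spirit of binwalk's table output.
function report(image) {
  return carve(image, scanFirmware(image))
    .map((s) => `${s.offset}\t0x${s.offset.toString(16)}\t${s.name} (${s.length} bytes)`)
    .join("\n");
}

module.exports = { SIGNATURES, scanFirmware, carve, sampleImage, report };
```

Running `report(sampleImage())` lists the three embedded parts with their offsets and sizes; on a real image you would point the scan at the downloaded update file and then unpack the carved SquashFS slice to get at the CGI binaries and config files the talk walks through.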

  • @squelchedotter
    @squelchedotter 9 years ago +23

    Since they are all running GPL licenced software, why didn't he just request the source code? The GPL says it is his right to do so.

    • @Noox38
      @Noox38 8 years ago +6

      that's hella suspicious

    • @fredrikjonsen6222
      @fredrikjonsen6222 6 years ago +21

      and legal

    • @DeannaEarley
      @DeannaEarley 6 years ago +4

      Their code may not be GPLd. The base os is normally a standard distro like uclinux, running other open apps like apache. They don't have to release their own code.

    • @fss1704
      @fss1704 5 years ago

      @@DeannaEarley yes they do, according to the linux license they have to open all of their modifications to the kernel, it doesn't say anything about The rest of the software

    • @DeannaEarley
      @DeannaEarley 5 years ago

      @@fss1704 that's what I said. Thank you for explaining it back to me.

  • @socaliguy81
    @socaliguy81 5 years ago +1

    Does anyone really believe these back doors were left accidentally by the firmware programmers?

  • @Stopinvadingmyhardware
    @Stopinvadingmyhardware 2 years ago

    How I can tell you read my notes

  • @JimiDunlop
    @JimiDunlop 10 years ago

    Excellent talk! Thanks for uploading

  • @coontzy1
    @coontzy1 5 years ago

    What language is this stuff in?

  • @ir4640
    @ir4640 5 years ago

    Where did he get the firmware code and all the info about it

    • @amp08021
      @amp08021 5 years ago

      From the manufacturers website

  • @fogdood6868
    @fogdood6868 7 years ago

    How do you see the codes? Does it open on cmd? noob here lol

  • @some______guy
    @some______guy 5 years ago

    Isn't it called zero-day? Not oh-day.

  • @tommytomtomtomestini3894
    @tommytomtomtomestini3894 5 years ago +1

    I had all the respect to this guy till he called the Corona a beer.

  • @Carsten_Hoett
    @Carsten_Hoett 4 years ago

    Pretty cool stuff, but since one has implemented/installed surveillance cams, one should also install or supervise the sensors of the objects, e.g. the motor of the elevator or some kind of nearfield/capacity sensor or temperature sensor, to verify the picture at the scene against something eventually intruding or invading.
    Therefore I would recommend installing a proximity sensor at the cam to at least use the beam-coil to redundantly surveil the cam's direction.
    But perhaps hacking this would work the same way as shown.
    But this solution is cheaper than installing an IR interface in a second cam, because just using a filter wouldn't exploit IR raw data, and I guess these data are much harder to fake if you haven't hacked the cam before.
    In my opinion a picture must also have a different checksum than a live stream, but I don't know.
    If the checksum differed from the stream sum, an attack is eventually going on and you could deploy some alert.
    But since you got the firmware you can also read out the expected sum and deliver the expected data to the handler.
    But this is not my field of expertise, therefore I am just guessing.
    And you all know "Invaders Must Die" :-D Don't consider this to be too serious.

  • @diogoduarte2910
    @diogoduarte2910 10 years ago

    I don't know if they fixed that bypass, because I couldn't do that, but I discovered another one. After analysing the JavaScript, I found out that if you put URL+?pid=product&tab=4# and you send it that way, after the page refreshes you will be able to close the login page and download the firmware :). What is it doing? They replace everything after the # with a blank space using a regex. Try it out and tell me if you guys could do it.

    • @boxbox6290
      @boxbox6290 9 years ago

      Where can I try this? Please give me a link, I'm new and desperate to learn. If I knew a geek I'd teach him swag, sex, street, how to make money on the streets; he can teach me PC hacking ;) :)

  • @Slash27015
    @Slash27015 5 years ago +2

    Jokes to future hackers,
    I now have an obscure east-european router.
    Even I don't know how it's performing, but it's the sturdiest rock I ever owned.

    • @adrianalexandrov7730
      @adrianalexandrov7730 1 year ago +1

      Mikrotik, I'd guess?
      That's pretty popular in Eastern Europe

    • @Slash27015
      @Slash27015 1 year ago

      @@adrianalexandrov7730 my secret has been compromised, roll the delete everything scene from wolf of wall street

  • @DursunX
    @DursunX 5 years ago +8

    $get password.....
    >ok why not

    • @fss1704
      @fss1704 5 years ago

      they almost fucking leave that in blank text...