
Test, test. Nice, good stuff. Hello everyone, my name is Mike, this is Vangelis, and our talk is obviously "I Spy With My Little Eye". Can you hear us back there? All good? Fantastic. So this is who we are; this is Mr API Jesus over here. You can find us online too; have a look at our blog, we usually drop 0-days there. All right, we're generally going to look at cloud cameras today, as opposed to CCTV cameras: IP cameras that use back-end networks to send their feeds to the actual devices and to the users, more than anything else. And no cameras were harmed during this endeavour whatsoever; a lot of people had problems with that.

All right, so Vangelis is going to tell us how the actual cloud network works. So we have gone to the cloud cameras, which usually have a three-step process so that you can see it. You can see on the left side the camera app and on the right side the actual camera. The first step is the application asking the cloud "where's the camera?" and requesting the camera to get ready for sending video. Then the cloud gives the app the actual camera address, reaches out to the camera and says "get ready to send the video and follow me to complete NAT traversal", and the P2P cloud connects with the camera. There we have the actual connection between the application and the camera, and the traversal of the NAT.

So STUN, one of my favourite acronyms, look at that: Session Traversal Utilities for NAT. Now, what it originally stood for was Simple Traversal of UDP over NAT, and this is similar to what we used to do on CCTV cameras: we would open TCP ports outbound on the internet so people could actually pick up these streams. This is how the back-end networks are actually doing this. STUN, lovely acronym. So what's the problem with STUN? The problem that STUN tried to solve is this one: if you search for Hikvision or any other camera you are going to see tens, if not hundreds of thousands, of open cameras on the open internet, so you can actively scan them and do whatever you feel like with them, probably with outdated cameras. But this has opened a really different can of worms, and as you are going to see in here, we're going to see the pros and cons of the actual STUN implementation.

The pros are that, as we said before, nothing is exposed directly on the internet, so there is no Shodan in there; it's behind NAT. The configuration is really easier, so you can avoid port forwarding or any other configuration on the router level. You can scale easier with multiple viewers, and it could possibly hide the not-updated devices, and as we all know, users usually don't update their devices. The cons are that it usually has a web application that can easily be tested; it's way easier to test a web application than to actually do any hardware. I personally love APIs and web applications, so it's a really nice, good thing for me. The firewalls: you cannot really firewall the machine, the camera, to accept only certain IP addresses, because it's going through the cloud. And last but not least, if it has a vulnerability it's going to be a really massive one.

So we went on a little Shodan safari to see what we could find. You're going to see mostly unauthenticated cameras from our Shodan safari. This one is some random John Doe just arriving at his job. You have some dogs at the dog park. You have an entrance which is being guarded by some plastic animals. You have some agricultural monitoring; I would say someone who wanted to see his plants over the internet. And then again, as you can see here, we also know his name: it's Ray, who decided to get naked in his bedroom. I think all of us are naked in our bedroom, but he really didn't know that he had a camera in there and that that camera didn't require any password. So, long story short: don't be Ray. First of all, don't point cameras at things you don't want to see.

And this is our first cloud provider; this is Hikvision. As you can see in here, Hikvision is a Chinese manufacturer and the world's largest supplier of video surveillance products, which is based in China, and its controlling shares are owned by the Chinese government. So, yeah, who wants to be on that side? Either way, everything that you are going to see in this talk is already published under the Hikvision hashtag; there are a couple of blog posts that explain most of the things. And this is the actual cloud service that Hikvision is doing; it's called Hik-Connect. It was an implementation that replaced its previous dynamic domain name service. Long story short, in order to do that you go to your camera or your DVR, you enter it, you say "connect to the Hik-Connect service", you create an account, and then you log in here on hik-connect.com or on your Hik-Connect camera with your username and password, and you just view your devices.

So we took our usual web reconnaissance procedure: we configured the application to use a proxy, we looked at the requests, we looked in the JavaScript source code for any strange endpoints, and last we looked for cookies. And yeah, I think Chinese people have an issue with cookies, because all the web apps have more than 50 cookies, and that one had 80 cookies. As you can see there are a lot of things that seem strange, but one really stands out: it's the user ID, and the user ID had an MD5 value. And who wants to eat cookies? I hear you saying that nobody in their right mind would use a cookie to authenticate, and even if he did he would have all the flags in there, Secure, SameSite and everything, so you wouldn't be able to change it. Yeah, let's try it. So register a new account with a new email, log in to that account, and then change your user ID to the previous one, and this is my device.

So someone just needed to know my MD5 value and it would be easy to have full control, full access, of my account. Now that's the good part for the pentester. The bad part is that the user ID was not reversible; it was an MD5, but we couldn't find a way to reverse it to something meaningful, so we had to take another way to find the user's user ID, by some leaky endpoint. We tried really hard on Hik-Connect, and every endpoint was bound to our own user ID, so we couldn't find any other user ID. Then it came to our attention that there was a subsidiary of Hikvision, which is EZVIZ, and they had a totally different cloud application and cloud provider, and based on the notion, and that notion alone, that they were a subsidiary of Hikvision, we tried our logins in their cloud, and well, it works. So if my login works, I'm going to log in and try that cloud too.

As you can see in there, it's probably an outdated cloud service, and in here you're going to see something really strange: it's ActiveX. So yeah, it's ActiveX; it's like we're in the 2000s. This thing died over a decade ago, but they're still using it. It has more functionality than Hik-Connect, so more endpoints. They took a rather strange turn, for me: they tried to do a social network thing with their cloud, so you can friend someone, you can send messages to your friends, and, an extra step, the first time that I came there I saw that I have to run something that says "to do" in the file description on their public website, so that's a sign that they didn't really take any care of their application. So the actual endpoint is this one: when you try to friend someone you could use either the email address or the mobile phone, and the other party would not have to accept or do anything else; you would just friend the other and you would be considered a friend of his. That's the actual endpoint, it's the query-by-mobile JSON, which returns data of anyone, as I said, and you just had to provide an email, a phone or a username. It wasn't on the UI, but I tested it personally and it was also accepting usernames, and as I already said, friending requires no interaction by the other party.

Now comes the good part. That's the response that you get when the other user doesn't exist; so you're trying with an existing user, you get an error code of 20002. If the other user exists but is not your friend, you're getting a 0, so you already have user enumeration. But if the other user exists and is your friend, so you have just requested a friendship, you get all this, and I guess you all see that there is an MD5 in there, right? So it's the MD5 that we were looking for, and yeah, victory: we just need a username, an email or a mobile phone and we could view other people's devices.

So how could we exploit that? First of all, we could use any user's devices, as long as we had one of those three things, the email or anything else. You could change the email, reset the password and take over the device. This cannot be reversed, and you cannot bind the device even if someone factory resets it; you have to go to Hikvision and request to unbind it, and Hikvision is really not responsive in this kind of thing. We could enumerate the users and get any personally identifiable information, and Hikvision states that they have more than 40 million users on the platform, so this would be a really big leak. And we could enumerate the admin users, take over the platform and do anything we want. We didn't do that, because that would be a breach of the CMA, but you could find the admin users' MD5 lying around somewhere, I don't know. The disclosure: well, Hikvision was pretty good in that department. We actually disclosed on the 21st of April and they fixed it in two days, so they were really good in that, and I got a bug bounty of etiquette, so that's an innovative gift, I guess. Yeah, so the next.

All right, picking up from there. About a year ago we were approached by the BBC. One of their employees had a camera, and they started getting notifications on their phone that there was motion in their house. Knowing that there was no one home, they opened the stream to see what was going on, and they were picking up someone else's house, someone else's child in their room, just sat there. So they approached us and said "can you have a look at this and see what's going on? We think there's something amiss here." So we said sure, why not. So we started digging into the actual provider, the manufacturer of those cameras. In this case there was a company called Swann, if I'm not mistaken an Australian company; they do various devices, mostly IP cameras. But when we dug deeper, and using the knowledge from the previous test, we realised that the platform itself was a company called OzVision in Israel, and they had this massive platform that all the cameras would speak back and forth to. Now they state they have over three million active camera accounts on their platform; that's quite a lot.

So, yeah, we picked up the devices, we followed our normal methodology, we started going at a hardware level trying to exploit these devices, but we realised, well, the actual use of it is on the platform itself, so why don't we try and manipulate that. So with Vangelis' help we started looking at the API endpoints themselves. Now the first one we came across, very interesting, was called "user list assets", which, quite literally, you could query the system and it would give you back all the assets that you owned in your camera system. So if you had five cameras it would respond with those five cameras. So we dug a bit deeper to see, you know, how the authentication was done, what it was actually doing, and we noticed in the request that, quite simply, the device with ID so-and-such was the unique identifier. It was literally just a nine-digit hexadecimal value with a bit of padding in the beginning, SWN, Swann, and that was the only way the device identified itself uniquely with the back end. We're like, well, that can't be true, that can't be the only thing that's going on. But it was; it was the only thing that was happening, and it just kept coming out: it was SWN and a nine-digit hexadecimal value. Talking in the office, we had a couple of colleagues that had similar devices and we asked them "what do you think that number is?", and he's like "well, dude, that's the serial number of the device, I can see it from the application itself."

So now we had our own serial number and we had a colleague's serial number. We're like, all right, let's try and do something with that. So we set up Charles, you could use Burp; it's an HTTP man-in-the-middle proxy, and effectively what we did was we said "if you see one value, just play the other one back". So this is a man-in-the-middle technique from us to the cloud service, our stream: when you see one value, just give us the other one. Our colleague has some very nice Lego. We were quite jealous; we wanted to see what other Lego is out there in the world. Three million accounts on this platform; how do you enumerate three million accounts? We can't call all of them and say "give us your serial number". So as I said before, it was a bit of padding and a nine-digit hexadecimal number; that means we've got over 69 billion combinations. That's a lot, and they only have three million active accounts on their platform. Now, we dug a bit deeper and realised another endpoint was there, called "devices owned", which literally would just return a value of one if the device was registered, active and being used. So it was a simple matter of asking the back end one by one for each one of these devices, 69 million of them, if it's there or not.

Now, unfortunately, to do this you need two million hours. So we were able to do a single POST request for each account and get a one or zero value back. If you break this down, that takes close to 80,000 days. I'm going to be honest with you: ain't nobody got time for that. Seriously, no one's got time for that. So we were a bit stuck, because all we could do is hijack other people's streams with a device's serial number, and we had to enumerate all these devices. Then we noticed the POST request would accept an array, so we started pumping arrays through single POST requests: a thousand, two thousand, five thousand, ten thousand; we maxed out at thirty thousand requests through one POST. In the end we managed to pull out 300,000 cameras every second from their back-end database. Now obviously they're not using 69 billion serial numbers; they might have an intent to, they obviously won't, but this is how we enumerated them. So that means we managed to pull this off in under 75 hours and hijack any stream. Okay, it's not... so with the help of the BBC we actually approached them and said "these are our findings, this is what we can do: we can hijack any one of your streams, any time of day". They're like "all right, give us the information, we'll have a look". They said they fixed it, so we tested it; they didn't. So we told them again; they said "hang on, we'll fix it this time". Six days later, to be fair, they genuinely fixed it in six days, which is not a bad turnaround really, and everything is right in the world now.

Now, Vangelis, we have some suggestions, because we understand that you want to have cameras in your house monitoring your stuff. So whatever you have, on any IoT device, segregate it from your regular network via VLANs or client isolation. Change your default password; don't leave it as admin or 123456. There are a lot of online services that regularly discover these things and take over devices. Use a strong, unique password. Buy a camera off the shelf: both of our examples had a really good response rate; we have gone with Chinese clouds that just don't care. If you look at the tech magazines you are going to see that there are companies that don't respond to disclosures for more than a year, and you don't want a camera that has a cloud with an issue for more than a year, unpatched. Update your devices; update anything that has an update, because it's usually a security update. And disable any services you don't need. And for the love of whatever is holy, don't be Ray; don't point the things you really don't want to see on the internet.

For the vendors: have an easily found security contact. Respond to that contact; more often than not we find a security contact and the contact just doesn't respond to our issues. Don't threaten people with legal action; it rarely ends well for anyone. And then test your environments regularly. That's for Mike: when you say you fixed something, be sure you fixed it, because the pentesters are going to retest; they're not going to take your word for it. And please validate your access requests, as Mike told you. That's Mike, I'm Vangelis Stykas. If you want, follow us on Twitter; you can also follow Pen Test Partners.

Regularly visit our blog; we regularly post our research in there. And that's all. Any questions?
I do care, because I don't want to break CMA. Repeat the question? Yeah, so I was asked if a Shodan safari is breaking CMA and if I care about CMA. First of all, I personally really care about CMA and try not to break it, try really hard, and I think it falls under "not an issue", because it is not password protected and it's a public stream. But I'm not a lawyer, so take this with a pinch of salt please, and don't do it if you feel like you're breaking CMA. Usually I take the approach that if I feel that I'm breaking CMA, I'm not doing it, because I'm breaking CMA. So, other question?

So you talked about, especially in the mitigation, changing the credentials and lots of other ways, segregating it, but did you go to the...

That would be breaking CMA, and I don't break it. Yeah, but I wouldn't know if anyone else has changed their credentials, so I would have been accessing someone else's device, which is breaking CMA. So no, I didn't do it. Did you? No? No, okay. Any more questions? Good stuff, I guess that's all. Thank you, thank you very much.
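As an added example, not code from the talk or from any vendor: a toy version of the "devices owned" lookup described for the Swann/OzVision back end, in its weak form beside a hardened one, plus the enumeration arithmetic the talk walks through (16^9 serials behind the fixed "SWN" prefix, batched 30,000 per request at an assumed 10 requests per second). The serials, owners, batch cap and per-caller limiter are constructed assumptions.

```python
"""Added example, not the talk's or any vendor's code: a toy "devices owned"
check in its weak and hardened forms, plus the enumeration-cost arithmetic."""
from collections import defaultdict

ID_SPACE = 16 ** 9   # nine hex digits after the fixed "SWN" prefix
MAX_BATCH = 50       # assumed cap on ids per request for the hardened endpoint

# Constructed sample data: serial -> owning account.
DEVICES = {"SWN000000001": "alice", "SWN000000002": "bob"}


def hours_to_enumerate(ids_per_request, requests_per_second, id_space=ID_SPACE):
    """Wall-clock hours to test every serial at a given batch size and rate."""
    return id_space / (ids_per_request * requests_per_second) / 3600


def devices_owned_weak(_caller, serials):
    """Behaviour as described in the talk: a 1/0 existence bit for any serial,
    unbounded batch size, result independent of who is asking."""
    return [1 if s in DEVICES else 0 for s in serials]


_calls = defaultdict(int)  # per-caller request counter (assumed simple limiter)


def devices_owned_hardened(caller, serials, per_window=60):
    """Cap the batch, count requests per caller, and answer 1 only for serials
    the caller owns: unknown and other people's serials look identical."""
    _calls[caller] += 1
    if _calls[caller] > per_window:
        raise PermissionError("rate limit exceeded")
    if len(serials) > MAX_BATCH:
        raise ValueError(f"at most {MAX_BATCH} ids per request")
    return [1 if DEVICES.get(s) == caller else 0 for s in serials]


if __name__ == "__main__":
    probe = ["SWN000000001", "SWN0000000FF"]
    print("weak:", devices_owned_weak("mallory", probe))          # [1, 0]
    print("hardened:", devices_owned_hardened("mallory", probe))  # [0, 0]
    print(f"{hours_to_enumerate(30_000, 10):.0f} h at 30,000 ids per request")
```

With the talk's batch size and the assumed 10 requests per second the full space takes about 64 hours, matching the "under 75 hours" figure, while one id per request at the same rate comes to roughly 1.9 million hours.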