
LT - You Are Being Watched! - Bharat Jogi

BSides Las Vegas · 41:53 · Published 2017-01
About this talk
LT - You Are Being Watched! - Bharat Jogi. Lightning Talks, BSidesLV 2013 - Tuscany Hotel - July 31, 2013
Transcript [en]

Good. Okay. Thank you everyone. Let's start with the presentation. Thank you everyone for coming to this presentation on "You Are Being Watched", and thank you BSides for having me over here. Before I go into the presentation, let me give you a brief introduction of who I am. I am Bharat Jogi and I work for Qualys as a senior security engineer, and as many of you may already know, Qualys is the leading information security and compliance cloud company. What I do on a day-to-day basis is reverse engineer malware binaries, write signatures to identify the new vulnerabilities released every day, and recently I started digging into firmwares and

things like that. I want this presentation to be more of a casual thing, so if you guys have any questions, feel free to stop me anywhere during the presentation. Also, we have some t-shirts and really cool stuff to give away, so I'll be asking many questions, and if you can answer, I'll be happy to give them away to you. Okay. Agenda. Just to give everyone an idea of what this presentation is about, and to ensure that everyone is on the same page as to what to expect from it, let me give you an idea of what we'll be covering today.

We will be talking about IP surveillance systems, their components, their workings, and in particular we will be talking about network video recorders. Does anyone have any idea of what network video recorders are? Yeah, the network CCTV devices usually accessible over the internet. Yeah, certainly. Okay, so network video recorders are exactly as the name sounds: they are network devices, and what they do is record and store the video feeds of all the surveillance cameras. Usually what happens in an organization, or let's say if you are using these devices at your home, is that there would be n number of IP cameras to surveil

the premises, and what you want is a central device you could log onto and then view all the video feeds from all the surveillance cameras; these devices also store the video feeds from all the cameras. So let's say you want to go back in time and see what happened on a particular day or at a particular time; then you could play back all the videos. What we'll be doing is looking at these network video recorders in detail. We'll see how they work.

We'll try to analyze the firmware that goes inside these devices, and probably we'll try to do some manual testing and find some vulnerabilities in these devices, and later on we'll try to hack one of these devices and see the live video feeds from all the cameras that are connected to it. Does that sound fun? Okay, it's an IP surveillance system. Even before we go into this analysis of the firmware that goes inside these network video recorders and trying to find vulnerabilities in these devices, let me point out to you why this research is so important, or why we even care if

there are vulnerabilities in these devices. It turns out that these IP surveillance systems are increasingly used in home and business environments. People and organizations deploy these systems in their environment to secure critical resources, or because they want to have a look at what is going on inside their premises. Parents deploy these systems at their home so that they could have a view to ensure their kids' safety. These systems are usually deployed in organizations, and people use these systems thinking that because these are devices to secure your premises, these devices in turn are secure devices. But it turns out that this is not

the case. Let me give you a couple of examples of where these devices are used. You can find them at many stores, and many businesses use these surveillance systems. What you could see over there is probably a restaurant or something. People deploy these systems in their labs, and these are deployed at construction sites, and there are many, many applications for these devices. Now, these examples are not just made up by me; the video feeds that you see are actual screencasts from the devices, from the real targets, and there are many interesting

places where we found these devices. One of the targets which we identified was in Ukraine, and that appeared to be a casino in Ukraine, so that's okay. But we were also able to find a target in central Europe, and that target was actually being used in the country's most strategic research center. So these devices are used in many places, and people believe that because these are security devices they would be secure, but it turns out that this is not the case. The network video recorder that we'll be dealing with today is the D-Link network video recorder, the DNR-322L and the DNR-326. Both of these devices are basically the same device. The firmware that goes

inside both of these devices is the same. It's just that one is used as the home edition and the other is the business edition. The business edition has more storage and better hardware, but essentially the firmware that goes into these devices is the same, and these devices have many built-in features. They could do an auto backup for you. These devices have limited storage, not that limited, 1 TB or 2 TB depending on the hard drive that you install, but what business deployments usually also want is to

have a backup to an FTP site. So they could do a scheduled backup, let's say every night at 2:00 a.m., of all the video feeds to an FTP site. They also have motion detection capability, so if motion has been detected by any of the video surveillance cameras, these devices could also send you email alerts. And there are many other features for these devices. Let me play a video for you so you can see how these devices are being marketed.

Revolutionary 21st century devices. [Music]

secure and convenient [Music] [Applause] and you can access it from everywhere, your smartphones and things like that. [Music] Yeah. So, revolutionary home security devices for the 21st century, for your convenience, secure and cost effective. But are these devices really secure? This is what we are going to analyze in this presentation. Let me show you how a typical installation for this device looks. As you can see, there would be many IP surveillance cameras. They would be talking to the network video recorder device, and you could access this device from anywhere over the internet. It could be accessed from your mobile devices, your smartphones, and also from PCs. So over here you

see that these devices are talking to the router, but these devices would actually directly talk to the network video recorder as well. This is how the admin UI for these devices looks. You can do your camera setup. You could schedule an event setup. Whenever motion is detected, you could ask the device to send you an email, and things like that. Because of all these features that I found in this device, I was really fascinated by the amount of features which this single device has. It could be accessed from anywhere, from your smartphones, plus you have this facility

where they could send you email alerts and things like that. So I decided at this point to try to see how this device works, and to try to find out how secure these devices are. The first step that I took was to look at the firmware that goes inside this product. The firmware is readily accessible. You could go to D-Link's website and download the firmware. You don't need to have any account, and you don't need to have the device at all to download the firmware. You just go to the website and download it. I started extracting the firmware, and this is what I found. You could

consider the device as a stripped-down box running a very tiny Linux on an ARM architecture, and it has a built-in SquashFS file system. SquashFS is nothing but a compressed file system for read-only files, and you will find that many of these embedded systems have SquashFS file systems. Once you extract all the firmware, this is what it looks like. If you look at the structure, it's basically like any Linux box: you'll have a bin folder, you'll have a couple of drivers and some binaries, and the entire UI that the user interacts with goes into the folder named web, and all the HTML

files and the JavaScript files go inside this folder. Let me show how a typical user would interact with the system. An administrator would just log into the web UI of the device, and the UI that he sees is basically HTML and some JavaScript, but all the processing is done at the CGI layer. So let's say a user wants to change some settings: the JavaScript will in turn call the CGI functions, the CGI layer will do all the processing, and the result will be returned to the user. So let's see all the

vulnerabilities that I was able to find in the system. The first vulnerability is a denial of service vulnerability. Very basic, but for these devices, security and surveillance devices, I believe a denial of service vulnerability is a really big deal, because let's say you are trying to secure some premises and there's an attacker who wants to get into your premises: the very first thing they could do is a denial of service on the NVR system, so that nothing gets captured by the video recorder device. What you could do from remote is a denial of service, which is

remote: you could send a request to the target and it would reboot the target. Sorry. Yeah. So all the vulnerabilities that we'll be discussing today are unauthenticated remote vulnerabilities. He could remotely reboot the system. He could also remotely completely shut down the system, and he could also do a complete factory reset on the system. Once he does that, your complete NVR system is of no use. The administrator has to go physically to the device and then configure everything again. So it basically renders the device useless. Let me give you a demo of this. We'll certainly not do the remote shutdown

because I want my target to be alive for the future demos. So we'll just do a remote restart, a reboot, on the target, and that would give you guys an idea.

[Music]

So, let me show you where our device is. It's working fine. The Wi-Fi speed is too slow, so it might take a while. 10.10.35.41 is our target here.

Yeah.

[Music] Yeah.

We see that our target is alive, but the speed is too slow. Okay, we have the target. So, admin. This is our target. Obviously you'll see blank over here. I have two cameras connected to the target; those are in my cubicle, and I don't want to show everyone what's going on inside my cubicle. So, these targets are okay.

So I'll do a ping on the target, and then I have this tool that I wrote to exploit it,

so the IP-info command just gives you some details of what the target is. If you look over here, here is the IP address, this is the device, a DNR-322L, and the firmware version that is running on the target. Let's try to do a remote reboot.

Over here you see that three ping requests timed out, so probably the device is going into the reboot. But I think it's back again. Let's try to see the target.

Okay. Yeah. So it's up again.

That was demo one. So what were the other vulnerabilities that I was able to find on the target? The target has multiple information disclosure vulnerabilities, and this information includes the complete configuration of the target. The second type, which is of a bit more severity, is that it will spit out the complete configuration of the FTP server that has been configured. Yeah? You just mentioned that there was no authentication required, right? Yeah. Is there a way you can show us the code? What exactly, how did you attack? Sorry? Is there a way you can show the code and how exactly? I think I'll cover that in the later

part of the presentation. So, the information disclosure vulnerabilities include the complete target configuration. Second is the FTP credentials: if the target is configured to have an FTP backup site, it would give you the credentials of the FTP backup site, including the IP address, port number and things like that. And another, I think the most severe of the information disclosure vulnerabilities: remember I told you this target would have n number of IP cameras connected to it. This information disclosure vulnerability will give you the camera credentials of all the IP surveillance cameras that are connected to the device. So if you want to target

individual IP cameras one by one, you could do that as well. Let me give you a demo of that.

So, target.

[Music] As you can see, it got the network settings of the target: the IP address, whether DHCP is enabled or not, what the gateways are, what the description of the target is, its MAC address, what the uptime of the target is. Because it was just rebooted, the uptime just shows 1 minute. Then the hard drives: how many hard drives are connected to the target. This target has two hard drives. Used space, total size of the hard drives. Plus it gives all the users that are on the target. So this target has six different users that could access this

device. Another information disclosure is the FTP settings of the target. So to get the FTP settings, I…

Here you can see the target is configured to work with an FTP backup site. Here is the IP address of the FTP server, the port, the root username, the root password, and the folder where all the video files would be stored. And the most critical: to get the camera credentials, you do this. This tells that the target has two IP cameras that are connected to the device. The name of the camera is this, the IP… When you reset the device, and I know it's not the case for all of them, but did this device default back to default admin credentials? Is that a path for this? I don't want to

derail you, but I know you're showing admin credentials now, but when you set this device up and reset it to default? Reset it to default. I believe when you do the reset, it would do a factory reset, so after a factory reset the only credentials are admin with a blank password. So here you can see there are two cameras that are connected to the device: the IP address, the port on which it is working, the clear-text password, the username, the password, the brand of the camera, which is D-Link. Mind you, this device could also monitor video feeds from different models, not just from D-Link but from different vendors

as well, the model number, what channel they are working on, and yeah, so I think that covers all the information disclosure. I will repeat

the demo. Now what you could also do is remotely create a new user for this device. Basically, once you create a new user on the device, you could log on with this newly created user, with the credentials that you gave, and then view all the video feeds from all the cameras. In fact, D-Link also provides you an iPhone app and also an Android app. So what you could do is, once you have created this new user, you could just create a new site for it, and then, I'm not sure if the Wi-Fi is good enough,

but I could show you how I was able to create a couple of users on the targets in the wild, and you could basically view the surveillance from all these targets right from your iPhone or any of your smart devices. If you want to create a new user

and cumulative, right? Excuse me.

Let's try to create a username, bsides. Password has changed.

The same speed.

Yeah. Let's see. Let's first see if the user was created successfully.

I'm going back. [Music]

So you see at the end there was a new user created, bsides, and let's try to log onto the system with those credentials. Can you pass any group information to that? Assign it to a group in any way? I do believe I'm not assigning any group to this user, but what I do is just give it all the privileges to view all the IP cameras. For the newly created user, you could selectively assign a user a particular video feed from a particular camera, but what I do is just assign it all the

The user that you created is bsides? Okay. No worries. No worries. bsides. Yeah, bsides. Let him just let it fail. Yeah. Sorry. Okay. So, here you see we were able to log into the system, and if the cameras were connected, you would be able to see all the feeds. Now, the security of this device is so broken: this is the UI which a user, not an admin user, would see, what the newly created user would see, not an admin. But if you remember that an administrator could access… what this device does is, before

checking for authentication, before loading any page, it would check for authentication. But what it would do is just check whether the authentication was successful or not; it would not check whether the administrator login was successful or not. So if you remember, let's just try to go to this thing, because I know that once an administrator logs in he would be able to visit this URL. If the created user accesses this URL, let's see what happens.

How does the device keep session state? Does it use a cookie, or no cookie? What it does is, it would just… Let me show you. Yeah. Sorry. It's so bad he has to show it. Yeah.

So what happens is every time a new page is being loaded, it will do an AJAX call to the server to check whether the target is authenticated or not. But it never checks if the target is authenticated with admin credentials or with user credentials. So what you could do is basically view any of the admin pages if you just happen to know the URL which the administrator would usually visit. Disgusting, but yeah, you could add as many users as you want; you could visit the admin HTML page even if you are not an admin.

Is this the most recent firmware? Yeah. And so this D-Link GUI, the UI, has been similar across a lot of their devices. Do a lot of their other devices have the same? I will cover in the later part of the presentation what other devices from D-Link are also vulnerable.

I think we were able to create the new user successfully. Now there is another vulnerability, a firmware upload vulnerability. The user interface where you could upload the firmware, that page has no security at all. It does not even ask you for your admin credentials, and even if it asked you, you could always create a new user and just go to the link where you could upload the firmware. Now, the device internally does not check whether the firmware which the user is trying to upload is signed by D-Link or not. There is no sort of obfuscation. You could just create a new

firmware, just add a root to it, create a new firmware, and upload it to the device. The device will readily accept the newly created firmware, and at that point it's basically up to the malicious intent of the attacker how hard he wants to hit the device, how deep he wants to go into the… Have you uploaded, have you sent in modified firmware? Yeah. What did D-Link say about that? Because I'm guessing you haven't done responsible disclosure yet. No, we have. Yeah, we disclosed it to D-Link, and I think, let's try to see what… Okay, sorry. What ticket number did they give you?

They did not give us any ticket number. So, all these vulnerabilities: what happened is I was trying to do some manual testing once I extracted all the firmware. Because I knew all the front end, all the user interaction, is done through the files in the web directory, what I did is go over all these files one by one, manually, to see if there were any vulnerabilities or not. What struck me is that in most of the files that are in the firmware there was this one piece of code that was in all the files. What it was trying to do was

dynamically call a JavaScript file, function.js, and then I looked at what's going on inside this function.js file. What I saw is that at the very beginning of this file it makes an AJAX call. The AJAX call is a POST request to a page, the login manager CGI under cgi-bin, with the command UI check, WT0, and if the server replies with "fail" then it will redirect you to the login page, and if it does not reply with "fail" then it would just allow you to access whatever page you are trying to access. So basically, if you could just make a

call directly… What you could do is always have a proxy running, Burp Suite running, and modify the request, or what you could do is just make curl calls directly to the CGI pages, because the CGI never checks whether the user is authenticated or not. It just assumes that if it is receiving the request then the user is always authenticated. So what you could do is just make POST calls directly to the CGI layer, and it is more than happy to do whatever you are asking it to do. So, to answer your question, if the other

families of D-Link devices are also vulnerable, the answer is yes. The D-Link network storage devices also have all these vulnerabilities that we talked about. Basically, they just changed the UI: the network video recorders are basically some HTML and JavaScript, while the storage devices have a bit fancier UI and use jQuery for all the UI stuff, but the core of the firmware which goes inside these products is almost the same for the network video recorders and the storage devices. In particular I'm talking about the DNS-320L; they are also vulnerable to these

as well. We reported all these vulnerabilities to D-Link sometime in April and the first week of May, and D-Link did publish a beta firmware less than two weeks back, right before the presentation. I haven't had the time to check whether all the vulnerabilities are fixed or not, but they do acknowledge all the vulnerabilities and give credit to Qualys for that. Summary. What we have seen is that these so-called security devices which you deploy in your environment are not really secure. They do have many vulnerabilities. So if you are using these devices, make sure that you at least go and check if these devices have

some vulnerabilities or not. If there are vendors who have an email alert program for whenever a new firmware is released, I think you should always try to subscribe to that. And yeah, I think that's it. If you have any questions on this… So what was D-Link's reaction when you contacted them? So D-Link has this unpublicized bug bounty program; they don't really advertise it, but they do have it. When we reported all these vulnerabilities to them, first of all it was very hard to get in touch with them, because they don't have, like usually all the big vendors do, a

contact through which security researchers could give them their findings. So with D-Link it was a bit hard to get in touch with them. Once we got in touch with them, the response was pretty quick. They asked us to sign… they informed us about their unpublicized bounty program, but it had some conditions, and we did not want any sort of restrictions on using this information, so we have not signed it. But I think, yeah, after that, in around two weeks, not two weeks, two months, or I guess less than three months now, they did publish a patch for that. So that was good from their

side. Yeah, at least they got… Yeah. Any other questions? Do you know if their enterprise solution has the ability to use Active Directory credentials for login? Sorry? Do you know if their enterprise or corporate solution has the ability to use Active Directory for credential login? I'm not really sure about that. Nowadays what happens is D-Link is publicizing more of the mydlink thing. What you could do is, once you install these devices, you could register them with an email ID so that you could access them; you don't have to remember the IP addresses of these devices. What you could

do is log into the mydlink website with your credentials, and all the devices which are registered with this email ID would show up, and you could access them from there. I think that's a good way of accessing these devices rather than memorizing the IP addresses, but I'm not sure if that solution would scale or would work for business environments. Obviously it is easier for home users to use this feature, but I'm not sure about business environments. Have you published the tools? So yeah, I wanted

to publish the tools, but I think it's not even two weeks, and I work for Qualys and we know that customers usually don't patch these systems, or any systems, so soon. So I think I will hold on for some time before we release the tool. Would it be reasonable to say we could just go grab the firmware and find the direct resources ourselves? Yeah. Yeah. Is that firmware version still available to your knowledge? Is that firmware version still… Do they have a backup? I think, yeah, it's still available. Last time I checked it was available, because

the new firmware that D-Link has released is still in the beta phase, and it clearly mentions that they don't support beta firmware. So I think, yeah, it's still available. Any other questions? Any other device manufacturers that you've looked at besides D-Link? I haven't worked with many other devices, but there are many other researchers who have found vulnerabilities in devices like this. I remember there were two Spanish researchers; they did a very good job, they were able to find many of the NVR targets, and they even had really simple vulnerabilities where if you could just go to target/config.something it would give you

all the permissions to access that target. So there are many devices that are vulnerable, and there has been other research work on this as well. Any other question? Are you recommending removing these devices completely, or is that a no? No. You do need these devices; it's not that you don't want these devices, but what you could do is have something like access control for these devices, where you could limit who can use the device. I do believe these D-Link network video recorder devices also have access control, where you could limit

the IP. Yeah.

Any questions? [Applause]

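The access-control pattern the talk describes, as an added example written for this page: the web UI's JavaScript asks a login-manager CGI whether the browser is logged in and redirects on "fail", while the CGI commands that do the actual work never check the session, and the one check that exists cannot tell an admin from an ordinary user. This is not D-Link's firmware code; the command names, the HTTP-style status codes, the constructed secrets and the HMAC used as a stand-in for a vendor firmware signature are all hypothetical. A vulnerable dispatcher sits beside a hardened one that authenticates and authorizes every command on the server side and refuses unsigned firmware images.

```python
"""Toy model of the authorization flaw described in the talk (not D-Link's code).

Command names, status codes, secrets and the signing key are hypothetical
stand-ins.  ui_check is all the JavaScript gate ever sees; in the vulnerable
model every other command simply trusts whoever sent the request.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Response = Tuple[int, str]  # (status, body), HTTP-style


@dataclass
class Session:
    user: str
    is_admin: bool


@dataclass
class Request:
    cmd: str                                   # hypothetical ?cmd= parameter
    params: Dict[str, str] = field(default_factory=dict)
    session: Optional[Session] = None          # None: no cookie at all (plain curl)


@dataclass
class Device:
    users: Dict[str, str] = field(default_factory=lambda: {"admin": ""})  # factory default per talk
    ftp_password: str = "ftp-backup-pw"        # constructed secret
    firmware: bytes = b"v1"
    rebooted: bool = False


VENDOR_KEY = b"hypothetical-vendor-signing-key"  # constructed; stands in for a vendor key


def sign_firmware(image: bytes) -> bytes:
    """Stand-in for a vendor signature (a real vendor would use a public-key scheme)."""
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()


def vulnerable_cgi(dev: Device, req: Request) -> Response:
    """Only ui_check looks at the session; every other command trusts the caller."""
    if req.cmd == "ui_check":
        return (200, "ok" if req.session else "fail")  # logged-in user or admin: same answer
    if req.cmd == "reboot":
        dev.rebooted = True
        return (200, "rebooting")
    if req.cmd == "get_ftp":
        return (200, f"ftp_password={dev.ftp_password}")
    if req.cmd == "add_user":
        dev.users[req.params["name"]] = req.params["pw"]
        return (200, "user added")
    if req.cmd == "upload_fw":
        dev.firmware = req.params["image"].encode()  # no signature check at all
        return (200, "flashed")
    return (404, "unknown command")


def hardened_cgi(dev: Device, req: Request) -> Response:
    """Every command authenticates and authorizes server-side; firmware must verify."""
    def require(admin: bool) -> Optional[Response]:
        if req.session is None:
            return (401, "login required")
        if admin and not req.session.is_admin:
            return (403, "admin required")
        return None

    if req.cmd == "ui_check":
        return (200, "ok" if req.session else "fail")
    if req.cmd == "reboot":
        if err := require(admin=True):
            return err
        dev.rebooted = True
        return (200, "rebooting")
    if req.cmd == "get_ftp":
        if err := require(admin=True):
            return err
        return (200, f"ftp_password={dev.ftp_password}")
    if req.cmd == "add_user":
        if err := require(admin=True):
            return err
        dev.users[req.params["name"]] = req.params["pw"]
        return (200, "user added")
    if req.cmd == "upload_fw":
        if err := require(admin=True):
            return err
        image = req.params["image"].encode()
        try:
            sig = bytes.fromhex(req.params.get("sig", ""))
        except ValueError:
            return (400, "bad signature")
        if not hmac.compare_digest(sig, sign_firmware(image)):  # constant-time compare
            return (400, "bad signature")
        dev.firmware = image
        return (200, "flashed")
    return (404, "unknown command")
```

Run the two dispatchers against `Request("get_ftp")` with no session: the vulnerable one returns the FTP password, the hardened one returns 401. The point of the hardened version is that the check lives in every handler, not in the page that loads before it, and that "logged in" and "admin" are separate decisions.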