IoT IP camera teardown and getting root password
This post describes how I inspected the IP traffic of a cheap pan/tilt IP camera, then opened the camera up, connected to the serial console of the SoC, extracted the root password and logged in via telnet over the wireless interface. My goal was to have a look at the security of these very cheap IoT devices, and see how they could be improved.
Let’s have a look at our victim:
IP cameras have become extremely cheap in the last couple of years. Mass production has made the prices of decent-quality image sensors and very capable SoCs drop significantly. Our victim in question is currently still available for about €43, but clones/copies/similar models are available from China for even cheaper.
The cheap price is great if you want a cheap alarm system or an easy way to spy on your neighbors/pets, but it also means that the included firmware and software aren’t very well developed (you get what you pay for). Accompanying apps are buggy, features are lacking, the firmware is buggy and tends to crash, and security was an afterthought.
Security in cheap IoT devices is becoming a big issue. Manufacturers don’t really care about the personal data belonging to the users of their products, and the users themselves don’t have the technical knowledge to assess the security of the device or to secure it (which sometimes means to just not use it).
As a quick example you can have a look at this simple Shodan search query (Shodan is a search engine for the Internet of things, or basically it indexes everything Google doesn’t), and be amazed at how many shops, living rooms, playgrounds, parking lots, kitchens, stairwells, gardens, factories, bedrooms (???), classrooms, pools, hotels and even the mourning-hall of a funeral home, have an unsecured live video feed for you to stare at.
Before using the above-mentioned IP cam, I wanted to have a look at how much data it leaked and to whom, and how hard it would be for someone to hijack the video feed and get a live view of my dog. (I was going to use this camera to remotely witness my puppy destroying my living room.)
The Logilink WC0030A has a 0.3 MP sensor, a wired Ethernet interface, a WiFi radio (wired and WiFi can’t be used at the same time), some IR LEDs up front and two-way audio. It can pan and tilt, and has a trigger input and output (for alarm type things). All in all, a fairly standard (low resolution) IP camera.
The camera comes with a web interface, accessible through a browser on its built-in web server, and seems to be compatible with a plethora of mobile apps that all come in a different flavor of buggy. The manual mentions two different logins in two different sections (admin:000000 and admin:1234); trying them at random at all the different login prompts seems to yield the best results.