IP Cameras Pentesting Report

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search

Summary

This Article is a comprehensive descirption of a pentesting process regarding three IP Cameras ABUS PPIC32020, Blink-Mini and TP-Link NC200. In the further course of this Report the Methology of the Information Gathering Process will be pointed out, afterwards the gathered information will be analysed. With the analysis of the gathered information vulnerabilities will be pointed out. We will form attack vectors, exploit this vulnerabilites and recommend countermesaures for the vendors to make their systems more secure.

Requirements

In order to perform the Exploits the following tools were needed.

Description

In this chapter, we will demonstrate how we were able to extract information about the target devices, form attack vectors and exploit them afterwards.

Methodology

Step 1: NMAP

We used NMAP to gather as much information as possible about the target systems. This includes IP Addresses, open Ports, Operating Systems, Services and many more. This part is crucial to gain a better understanding of how the camera works and is neccessary to perform sophisticated attacks to extract information or gain access.

Nmap (Network Mapper) is a network scanner created by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich).[4] Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.[5]

Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection,[6] vulnerability detection,[6] and other features. Nmap can adapt to network conditions including latency and congestion during a scan. [1]

To gather information about the target systems we used the following commands:

nmap -sP [Network Address/Subnetmask]                Network Scan --> To discover the IP addresses of the target system inside the LAN
nmap -sS -F [IP Address]                             TCP-SYN-Port-Scan (Host-Fast-Scan) --> Discovers open ports on target system
nmap -sV [IP Address]                                Service Scan --> To discover the services listening on the open ports
nmap -O [IP Address]                                 Operating System Scan --> Guesses the Operating System running on target host (Based on OS Fingerprints)
nmap -Pn -sV --script vuln [IP Address]              Discovers possible vulnerabilities based on already known exploits for the specific service

Step 2: Man in the Middle (MitM)

In order to get a better understanding of how the architecture of the service provided by the IP Cameras works, we mounted a Man in the Middle Attack to gain information about how and where the camera connects to and how it deliveres their service to the endpoints (in our case the ABUS Camera used a Smartphone App to connect and configure the camera and the two other used Web Services). To mount the MitM attack we utilized ARP Spoofing which can easily be done with the arpspoof command.

arpspoof -i [Your network interface] -t [Target IP] [The IP you pretend to be]

In order to be able to completely execute the MitM attack, you need to enable IP forwarding otherwise the packets would be sent to you but would never arrive at their destination. To do this, enter the following command:

sysctl -w net.ipv4.ip_forward=1

If the attack was mounted correctly, you should be able to capture the traffic between the two endpoints you mounted the attack (e.g. with Wireshark).

In our case, we mounted two MitM attacks, the first one between the camera and the gateway, the second one between the smartphone or endpoint and the gateway to understand fully where and how the service connects to to provide its capabilities.

Step 3: Reverse DNS Lookup & Geo Locator

When viewing the captured traffic we stumbled over a lot of remote IP Addresses where the communication takes place. Therefore, we wanted to know the Domain of the Webservice the Camera is communicating with. To achieve this, we used the following, free to use, tools:


Step 4: Look through the, open source, firmware of the cameras (if available)

To finish our research we searched for any open and available firmware packages of any of the given cameras provided by the manifacturer.

Firmware:

Gathered Information

NMAP

First of all, it is important to state that the ABUS Camera used two IP interfaces for their connection to the different services therefore two IP addresses needed to be investigated. Why and how this camera uses and needs two addresses will be discussed afterwards.

NMAP Information
NMAP Command ABUS PPIC32020 TP-Link NC200 Blink Mini
Port Scan ABUS Port1.png

ABUS Port2.png

We can see that all ports on both IP Addresses are closed.
TP Service.png

We can see that two ports (http and http-proxy) are open with the services lighttpd running. This indicates that the Camera hosts a web service.
Blink OS Port.png

We can see that no ports are open and accessible.
OS Scan ABUS OS1.png

ABUS OS2.png

No OS Detection available since there are to many OS fingerprints. Same result with aggressive OS Guess.
TP OS.png

OS Details: OpenWrt Kamikaze 8.09
Blink OS Port.png

No definite OS Guess, some suggestions.
Vulnerability Scan ABUS Vuln1.png

ABUS Vuln2.png

Only output: CVE-2011-1002.
TP Vuln.png

Only output: CVE-2011-1002
Blink Vuln.png

Only output: CVE-2011-1002

Man in the Middle, Reverse DNS Query and Geo Location

  • ABUS PPIC32020
    • Smartphone App connects to:
      • 142.251.39.74
        • Domain: bud02s39-in-f10.1e100.net.
        • Located in: Budapest, Ungarn
      • 35.169.53.92
        • Domain: ec2-35-169-53-92.compute-1.amazonaws.com.
        • Located in: Dallas, Texas, United States
      • 44.195.176.7
        • Domain: ec2-44-195-176-7.compute-1.amazonaws.com.
        • Located in: Ashburn, Virginia, United States
    • Camera connects to:
      • 176.34.104.236
        • Domain: ec2-176-34-104-236.eu-west-1.compute.amazonaws.com
        • Located in: Dublin, Leinster, Ireland
      • 239.255.255.250
        • Multicast Address used by SSDP

Behaviour of ABUS PPIC32020

  • Smartphone located inside Network:

InsideNetwork.jpg

If the smartphone with the app is located inside the network and wants to connect to the camera, the main data stream stays inside the LAN.

  • Smartphone located outside Network:

OutsideNetwork.jpg

If the smartphone with the app is located outside the network and wants to connect to the camera, the main data stream gets hosted to an AWS Cloud Server where the App fetches the data.

Exploitation

HTTP.jpg
Traffic capture from MitM attack. Here we can see the exposed admin user with the base64 encoded password.
Base64.jpg
Screenshot of the Base64 Decoding. This results in the password "admin". So the user used the credentials username= "admin" password = "admin".

First of all, to exploit the vunerability we have discovered for the TP-LINK camera, you have to be in the same network as the target machine. After, we found out the correct IP address of the target device, we basically did the man in the middle attack and arp spoofing. We as the attacker claimed to be the gateway for the target machine and the same the other way around. After that, we captured the data with Wireshark, between the two components. For this to work you have to capture in the same moment as the login process of the user. Because of the HTTP vulnerabilty which the TP-LINK camera has we could see on the post request, which was on the port 80,the login credentials. On the one hand, the username was transmitted in plaintext , but on the other hand the password was sent encoded in Base64. Encoding without encrypting does not ensure you security so we were able to easily decode the password by an online tool.

Now with all the data we have collected as the attacker, you basically have full acess to the camera. Meaning, you can easily change the password and lock the users account. Secondly, with the acces to livestream of the camera you can observe the victim any time. Furthermore, you have the access to all the other additional functions that the camera provides.

Conclusion, Report and recommended Countermeasures

The combined number of cameras tested are 3, all with their own functionalities.

ABUS PPIC32020:
Uses an App that is downloadable on any phone, to control it. The user has the ability to move the camera to adjust the image that is seen. It provides the user with a Full HD 1080p resolution and addtionally it has night vision and it can also activate automatically via motion detection. It has an integrated microphone and speakers. The camera uses a number of protocols, namely: TCP/IP, UDP, SMTP, NTP, DHCP, ARP. Furthermore to encrypt the transmitted data it uses AES 128bit Encryption with WPA/WPA2-PSK. As it is an IP-camera it connects to your local internet and has 2 ways of delivering data to the user, which are further elaborated in the "Behaviour of ABUS PPIC32020" section of this article.

TP-LINK NC250:
Uses an App or the web browser to connect to the camera and to control it. It provides the user with an HD 720p resolution and comes with night vision capabilities. The camera uses protocols such as TCP and UDP to transport data. To encrypt the travelling data it uses WEP and WPA-PSK/WPA2-PSK. It also connects to your local internet and creates a local web server where it fetches the data needed. This sent via HTTP which leads to some issues addressed later in this article.

Blink-Mini:
Uses an App that is also downloadable on any phone to control and get access to its functionalities. In the app the user can adjust the settings of many functions and access the live feed. The camera provides the user with a Full HD 1080p resolution with added motion detection, which captures the next 30 seconds after it was triggered. The camera is also equipped with an integrated microphone and speakers, which allows the user to talk through the camera or with the camera. It uses a number of protocols namely TCP, UDP, ARP, TLS to name a few. It uses AES encryption with WPA2-PSK to ensure the safety of the data.

Risk:
The usage of the scan tools mentioned in the article led to no open ports for the ABUS and Blink-mini camera but showed 2 open ports for the TP-Liink camera, namely Port 80 and 8080 with the versions lighttpd 1.4.32 and Streamd.A42BB014AF19. Which could not be exploited with Metasploit. The actual problem which was stated before was the transmission of data through HTTP. The port 80 communicates the login information of the user to the browser via HTTP, which leads to it being easily readable if captured. The simplicity of executing an arpspoof (if the attacker has access to the local network) leads to this exploit being a major security flaw.

Countermeasure:
The easiest solution would be to migrate from HTTP to HTTPS which leads to the user information not being in plaintext. For this you need to aquire an SSL certificate and install it. Afterwards you need to ensure that everything routes to that HTTPS link not to the previous HTTP link, done by redirecting every request to the HTTPS link.
Another solution would be to add HTTP security headers, namely HTTP Strict Transport Security (HSTS) which enforces the use of HTTPS connections if available instead ot plain text HTTP ones.

References