Alex Porto Ends a Five-Year Mission on Camera Security Analysis with a Clever Firmware Hack
Outdated libraries, security holes galore, and a poorly-implemented cryptographic system mean this is a very insecure security camera.
Developer Alex Porto has been hacking on a low-cost IP camera since 2019, and in the final update to the long-lived project he has come up with a way to replace the firmware with his own, pointing the camera at a custom server in place of the manufacturer's cloud platform.
"A few days ago I had to replace the old IP camera I use to watch over my dogs and cats, and found out that IP cam technology changed a lot since I bought that old camera," Porto wrote by way of introduction to the project five years ago.
"My old camera worked by providing an internet webserver where I should connect to receive the images. Simple, but a pain in the ass when you want to access your camera from outside your home LAN. P2P cameras are different: instead of you connecting to the camera, the camera itself connects to a server, and, to see the images, you need to connect your phone to the same server."
Concerned about network security and privacy, Porto declined to install the camera and instead set out on a multi-year mission to analyze it from the ground up. Network traffic analysis revealed connections to the manufacturer's servers in China, with a surprising amount of the traffic being zero-padded. A look at the hardware revealed a UART bus, showing the boot process of an outdated Linux distribution, followed, to Porto's surprise, by an interactive root shell.
Root access to the operating system provided more clues on how things work, including a tool for decrypting firmware updates. Reverse-engineering of the custom "IPC" software running on the camera revealed more, and further testing unveiled a buffer overflow vulnerability, with still more security holes in the camera's outdated libraries.
In the most recent project update, Porto analyzed the tool used to decrypt firmware update packages, discovering both the secret key and the original source code of the RSA implementation. Despite the oft-repeated advice to use only heavily vetted, trusted cryptography implementations, that implementation turned out to have a major vulnerability in the "quick" encryption method used on the camera.
Using this, Porto was able to create a modified version of the IPC program that changes the server to which the camera connects, and to pack it into an encrypted firmware update accepted by the camera. "To make this attack even more effective, it should require no physical access to the camera," Porto notes.
"So I created a simple HTTP server in Python to simulate the camera update server, and used DNS spoofing to redirect the camera update requests to my computer instead of the actual server. This preparation would allow any person to replicate this forged update attack once connected to the same local network as the camera."
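The forged-update attack described above works because the camera's only gate on an update is that it decrypts with a key that is itself stored on the camera. As an added example (not code from Porto's write-up, and not the vendor's real package format), the following Go program shows the check a device should perform instead: verify a public-key signature over the whole package before flashing it, with only the public key present on the device. The package layout, the hostnames and the firmware payload are all constructed for this demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed package layout for this example (an assumption, not the vendor's format):
//   "FWUP" | uint32 big-endian payload length | payload | 64-byte Ed25519 signature
// The signature covers SHA-256 of everything before it, so header and payload are both bound.
const magic = "FWUP"

var (
	ErrBadPackage   = errors.New("malformed update package")
	ErrBadSignature = errors.New("update signature does not verify")
)

// BuildPackage runs on the vendor's signing host; the private key never ships on the camera.
func BuildPackage(priv ed25519.PrivateKey, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(magic)
	_ = binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	digest := sha256.Sum256(buf.Bytes())
	buf.Write(ed25519.Sign(priv, digest[:]))
	return buf.Bytes()
}

// VerifyPackage is the check the camera should run before flashing. The device holds only
// the public key, so dumping its filesystem (as in the write-up) yields nothing that lets
// someone produce a package it will accept. The payload is returned only on a valid signature.
func VerifyPackage(pub ed25519.PublicKey, pkg []byte) ([]byte, error) {
	if len(pub) != ed25519.PublicKeySize {
		return nil, errors.New("device has no valid pinned public key")
	}
	hdr := len(magic) + 4
	if len(pkg) < hdr+ed25519.SignatureSize || string(pkg[:len(magic)]) != magic {
		return nil, ErrBadPackage
	}
	n := binary.BigEndian.Uint32(pkg[len(magic):hdr])
	// Compare in uint64 so a huge declared length cannot wrap the arithmetic.
	if uint64(len(pkg)) != uint64(hdr)+uint64(n)+ed25519.SignatureSize {
		return nil, ErrBadPackage
	}
	signedRegion := pkg[:hdr+int(n)]
	sig := pkg[hdr+int(n):]
	digest := sha256.Sum256(signedRegion)
	if !ed25519.Verify(pub, digest[:], sig) {
		return nil, ErrBadSignature
	}
	return pkg[hdr : hdr+int(n)], nil
}

// Demo exercises the three cases that matter: a genuine package, the same package with the
// embedded server name rewritten in place (what the forged update in the write-up does),
// and a package signed with a key pair that is not the vendor's.
func Demo() (genuineAccepted, tamperedRejected, foreignKeyRejected bool) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for the IPC binary; only the embedded server name matters here.
	firmware := []byte("IPC build 1.0 server=cloud.vendor.example")
	pkg := BuildPackage(vendorPriv, firmware)

	out, err := VerifyPackage(vendorPub, pkg)
	genuineAccepted = err == nil && bytes.Equal(out, firmware)

	// Same-length substitution keeps the header valid, so only the signature catches it.
	tampered := bytes.Replace(pkg, []byte("cloud.vendor.example"), []byte("cams.example.invalid"), 1)
	_, err = VerifyPackage(vendorPub, tampered)
	tamperedRejected = errors.Is(err, ErrBadSignature)

	// A correctly formed package signed with some other key is rejected just the same.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	foreign := BuildPackage(otherPriv, firmware)
	_, err = VerifyPackage(vendorPub, foreign)
	foreignKeyRejected = errors.Is(err, ErrBadSignature)
	return
}

func main() {
	a, b, c := Demo()
	fmt.Printf("genuine accepted: %v, tampered rejected: %v, foreign key rejected: %v\n", a, b, c)
}
```

The point to take from VerifyPackage is that the secret needed to produce an acceptable update never exists on the device, so neither a root shell over UART nor a decrypted update tool gives an attacker on the local network a package the camera will flash. Encrypting the image, as this camera does, hides its contents but proves nothing about who produced it; a signature check does, and it must cover the header as well as the payload so that length fields cannot be manipulated either.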
The full project write-up is available on Porto's website.