Matt Brown Digs Deep Into an IP Camera's Firmware — and Finds a Hard-Coded Root Password
The VStarcam CB73 is an attractive-looking compact IP camera, but it comes with some security drawbacks.
Security researcher Matt Brown, of Brown Fine Security, has demonstrated why regulation against hard-coded passwords in Internet of Things (IoT) devices might not be a bad idea — by pulling the root password out of an off-the-shelf IP security camera.
"This is made by VStarcam," Brown explains of the camera on test, a compact CB73 security camera. "These are heavily marketed in south-east Asia. I picked this up in an electronics mall in Thailand. It's definitely something that is not very popular here in the States, so I thought it would be really cool to pull apart this hardware and the software to see how it ticks."
Brown initially began with a physical examination of the hardware inside the housing, before opting to target a flash module — putting it under a hot-air rework station and desoldering it from the board in order to ensure a clean dump of its contents using an external reader.
Initial analysis of the firmware revealed exactly what you'd expect: a Linux kernel and BusyBox operating system, making a bunch of connections to servers in China. The addresses for these servers were hard-coded in the firmware, which led Brown to investigate what else might be hard-coded.
Putting the flash chip back into the camera, Brown found the pins for a UART bus and was able to interrupt the boot process. By booting into a custom environment, he gained access to the root filesystem on the camera — and the /etc/passwd file, which included the username of an account with root permissions and a password hashed using an outdated algorithm: Descrypt, which uses the old Data Encryption Standard (DES).
Rather than rely on brute-forcing the password hash, though, Brown dug still deeper into the firmware, discovering a binary that appeared to be responsible for the creation of the file. Analyzing this with the Ghidra decompilation tool, Brown was able to walk through the process and discover something that should concern anyone with the same camera on their network: a hardcoded root password, identical on every model.
The full video is embedded above and available on Brown's YouTube channel.