Security analysis and case study of smart cameras

Posted by punzalan at 2020-02-24

Based on an analysis of the network structure and device characteristics of smart cameras, this article summarizes several common attack methods against them and gives a comprehensive security analysis combined with a real case. Since I have only just started learning about this area, the content is fairly shallow; experienced readers may skip it.

"Traditional camera" generally refers to the plain camera that can only store its monitoring footage. If an anomaly needs to be found in time, someone has to look back through a long stretch of footage, like the scene in crime films where several people crowd around a computer scrolling the surveillance video backwards.

Smart cameras are called "smart" because they can actively capture abnormal images and send alarms automatically, which greatly reduces the effort required from the user and is simple and convenient. The core of a smart camera is the combination of the Internet of Things and cloud applications, and neither can be left out: to achieve real-time monitoring from anywhere at any time, the camera is connected to the user's mobile phone through a mobile app, and one tap opens the real-time picture captured by the camera; at the same time, when there is abnormal movement or sound in the captured picture, the camera automatically captures the anomaly, starts cloud video recording and uploads it automatically. It can also send alarm messages to the user through SMS or the mobile app, realizing round-the-clock intelligent monitoring.

Smart camera products currently on the market consist of three parts: the cloud, the mobile phone and the camera device.

Camera device: mainly stores the device password, information exchanged with the cloud and protocol-related information;

Mobile terminal: manages the smart device via Bluetooth, Wi-Fi and so on, including user registration, password modification, device binding and device management;

Cloud: provides storage space for uploaded video, user management, app management, API interfaces and so on.

Following the three parts of the network structure (cloud, mobile phone and camera device) plus the communication protocols between them, attacks can be divided into four categories (part of this content draws on the IoT security analysis reports of Lvmeng Technology (NSFOCUS) and Baimaohui).

Attacks on camera devices

1. Attacks on the physical device: exposed debug interfaces, firmware extraction, tampering with the device serial number, tampering with storage media, obtaining ordinary user privileges, privilege escalation, etc.;

2. Attacks on the firmware: obtaining sensitive data, obtaining hard-coded passwords, reversing encryption algorithms, obtaining sensitive API interfaces, attacks on services such as FTP or SSH, firmware downgrade, etc.;

3. Attacks on memory: obtaining sensitive data in memory (such as user names and passwords), obtaining encryption keys, etc.

Attacks on the mobile phone

Attacks on the mobile app are relatively conventional; combined with the particularities of the camera, they can start from the following aspects.

1. Static decompilation: unpacking the app, using decompilation tools to obtain the source code, local storage of sensitive data, logcat logs, WebView risk testing, etc.;

2. Communication security: man-in-the-middle attacks, whether access control is reasonable, the strength of data encryption, etc.

Attacks on the cloud

The risks faced by the cloud server are similar to those of an ordinary application server; they are listed only briefly.

1. Web application security: various problems with user registration (arbitrary user registration, user enumeration, verification code defects), all kinds of unauthorized access (privilege bypass), password complexity, single sign-on, password modification, etc.;

2. Service security: attacks on weaknesses in the server's open services, such as weak FTP, SSH or MySQL passwords, and various N-day and 0-day vulnerabilities of the operating system;

3. Others: before going after the server itself, neighbouring hosts in the same /24 range (C segment), subdomains and the like may also provide a way into the camera company's internal office network. DDoS is another way to disrupt the other party's deployment.

Attacks on protocols

Besides the three key nodes (camera device, mobile terminal and cloud server), the security of the communication among them is also very important.

1. The app and the cloud generally communicate over HTTP and HTTPS. During analysis, check whether the traffic is encrypted and whether the communication data can be captured and hijacked;

2. Communication between the device and the cloud generally uses protocols such as MQTT, XMPP and CoAP; HTTP and HTTPS are also used, and some manufacturers, such as JD, Xiaomi and BroadLink, use private protocols for their devices;

3. Communication between the app and the device generally uses short-range wireless networks such as ZigBee, Wi-Fi and Bluetooth.

Case background

This case concerns a small Internet camera manufacturer. Before the test, we communicated with the responsible person and signed an authorization and confidentiality agreement. After the test, the results were handed over in full, and after the manufacturer's remediation we retested to make sure all the risks had been fixed. A year and a half has passed since then, and the old version of the camera has essentially been withdrawn from the market. This case is shared only after obtaining the manufacturer's consent. Because some of the encryption algorithms and protocols are still in use, parts have been desensitized and obscured. I had only just come into contact with this field at the time, so the content involved is relatively simple; please go easy on me.

This analysis mainly covers three aspects: the camera device, the service cloud and data communication. In addition, it also touches on the mobile app and the website systems.

Firmware upgrade packages can be reversed

By analysing the firmware upgrade program provided on the XX official website, it was found that the source files of most upgrade packages can be recovered. From the firmware package one can obtain the SSH and FTP login accounts and passwords, as well as some important API interfaces and encryption algorithms. SSH password recovery is taken as an example.

Two firmware packages were downloaded for testing, and binwalk was used to analyse the firmware.

As the figure above shows, the firmware contains LZMA-compressed data, a SquashFS file system and other system information, but binwalk fails to extract the data directly.

The firmware uses the SquashFS file system, a GPL open-source read-only compressed file system for the Linux kernel. The SquashFS file system starts at offset 0x40040 and is 4605584 bytes in size. It is carved out with the dd command and unpacked with unsquashfs.
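When binwalk reports a SquashFS signature but cannot extract it, the offset and size have to be recovered by hand before dd can carve the image. The following script is an added example (not part of the original article and not the vendor's tooling): it walks a raw firmware image for the SquashFS v4 magic, validates the superblock fields and reports the offset and bytes_used value that dd needs. The field layout follows the Linux kernel's struct squashfs_super_block; the sample image built inside the script is a constructed stand-in that places a superblock at the 0x40040 offset mentioned above.

```python
import struct

# SquashFS v4 superblock: the magic 'hsqs' (0x73717368 little-endian) followed
# by the fields below. bytes_used (offset 40) is the size of the whole file
# system image, which is exactly the count= value dd needs.
# Layout taken from the Linux kernel's struct squashfs_super_block.
SQUASHFS_MAGIC = b"hsqs"
SUPERBLOCK_FMT = "<4sIIIIHHHHHHQQ"     # fields up to and including bytes_used
SUPERBLOCK_LEN = struct.calcsize(SUPERBLOCK_FMT)   # 48 bytes


def find_squashfs(image):
    """Return a list of (offset, bytes_used) for every plausible SquashFS v4
    superblock in a raw firmware image (the locating step binwalk performs)."""
    hits = []
    pos = image.find(SQUASHFS_MAGIC)
    while pos != -1:
        hdr = image[pos:pos + SUPERBLOCK_LEN]
        if len(hdr) == SUPERBLOCK_LEN:
            (_magic, _inodes, _mkfs_time, block_size, _fragments, _compression,
             block_log, _flags, _no_ids, major, _minor, _root_inode,
             bytes_used) = struct.unpack(SUPERBLOCK_FMT, hdr)
            # Reject chance occurrences of the 4-byte string: a real superblock
            # is version 4, has block_size == 2**block_log and fits in the image.
            if (major == 4 and block_log < 32 and block_size == 1 << block_log
                    and 0 < bytes_used <= len(image) - pos):
                hits.append((pos, bytes_used))
        pos = image.find(SQUASHFS_MAGIC, pos + 1)
    return hits


def carve(image, offset, length):
    """Equivalent of: dd if=fw.bin of=fs.sqsh bs=1 skip=<offset> count=<length>"""
    return image[offset:offset + length]


def build_sample_image():
    """Constructed stand-in for the vendor firmware: zero padding, a SquashFS v4
    superblock at 0x40040 (the offset found in the text), a 4096-byte file
    system body, then trailing bytes that are not part of the file system."""
    body_len = 4096
    superblock = struct.pack(SUPERBLOCK_FMT, SQUASHFS_MAGIC,
                             12,        # inodes
                             0,         # mkfs_time
                             131072,    # block_size
                             0,         # fragments
                             2,         # compression id 2 = LZMA
                             17,        # block_log (2**17 == 131072)
                             0, 1,      # flags, no_ids
                             4, 0,      # s_major, s_minor
                             0,         # root_inode
                             body_len)  # bytes_used
    body = superblock + b"\xAB" * (body_len - SUPERBLOCK_LEN)
    return b"\x00" * 0x40040 + body + b"\xFF" * 64


if __name__ == "__main__":
    fw = build_sample_image()
    for off, size in find_squashfs(fw):
        print(f"squashfs superblock at 0x{off:X}, {size} bytes")
        carved = carve(fw, off, size)      # write this out, then: unsquashfs fs.sqsh
        print(f"carved {len(carved)} bytes, magic {carved[:4]!r}")
```

On a real image, replace build_sample_image() with the bytes of the downloaded upgrade package; the plausibility checks matter because the four-byte magic can occur by chance inside compressed data.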

The extracted system files:

The system file information can be viewed:

The system passwd file can be viewed directly:

The password is easily cracked with John the Ripper.

Risk analysis:

1. The default root password of the camera can be cracked from the passwd file, after which any camera device exposed on the intranet or the Internet can be logged into directly;

2. By reversing the password encryption algorithm from files in the system, the communication data between the camera and the cloud can be decrypted.
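The root cause behind this finding is a password hash that ships in a world-readable file in a weak format. The following script is an added example (not from the original article) of the check a firmware security review can run over an unpacked file system: it parses /etc/passwd, classifies each password field by hash type and flags the cases that make offline cracking trivial. The passwd content embedded in it is constructed; the root hash is a made-up md5crypt-shaped value, not a real credential.

```python
import re

# Constructed sample of the kind of /etc/passwd a camera firmware ships with
# (not the vendor's real file). The root hash is a made-up md5crypt-shaped value.
SAMPLE_PASSWD = """\
root:$1$abc1de2f$N0tARealHashVal.XXXXX/:0:0:root:/root:/bin/sh
admin::0:0:admin:/:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
www:x:33:33:www:/var/www:/bin/false
"""


def classify_password_field(field):
    """Map the second passwd field to (severity, explanation)."""
    if field == "":
        return "CRITICAL", "empty password field: login succeeds without a password"
    if field == "x":
        return "OK", "password kept in /etc/shadow"
    if field.startswith(("*", "!")):
        return "OK", "account locked"
    if field.startswith("$1$"):
        return "HIGH", "md5crypt hash in a world-readable file; fast to crack offline"
    if field.startswith(("$5$", "$6$", "$y$", "$2a$", "$2b$", "$2y$")):
        return "MEDIUM", "strong hash type, but it belongs in /etc/shadow, not passwd"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "HIGH", "traditional DES crypt(3): 8-character limit, trivial to crack"
    return "UNKNOWN", "unrecognised password field"


def audit_passwd(text):
    """Return a list of (line_no, user, severity, message) findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line_no, fields[0], "MALFORMED",
                             "expected 7 colon-separated fields"))
            continue
        user, pw_field, uid = fields[0], fields[1], fields[2]
        severity, message = classify_password_field(pw_field)
        if severity != "OK":
            findings.append((line_no, user, severity, message))
        # a second UID 0 account is root under another name
        if uid == "0" and user != "root":
            findings.append((line_no, user, "HIGH",
                             "additional UID 0 account (root-equivalent)"))
    return findings


if __name__ == "__main__":
    for line_no, user, severity, message in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line_no}: {user}: {severity}: {message}")
```

Run it against the passwd file from the unsquashfs output; anything it reports as HIGH or CRITICAL is what John the Ripper recovers in minutes. The fix is a per-device random root credential stored in /etc/shadow with a modern hash, not a firmware-wide default.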

Encryption algorithms can be reversed

Analysis of the mobile APK showed that although some versions use encryption and obfuscation, the source program of most APK versions can be recovered directly after decryption and decompilation.

JD is used to decompile the smali into Java source code so the program code can be viewed more intuitively.

Then the .so files in the lib directory are reverse-analysed.

Searching by keywords, several functions related to the encryption algorithm are located.

Since my reversing skills are only average, I also analysed the sctrl file in the /Progs/bin directory unpacked from the camera firmware in the previous section.

Based on the decompilation of the APK and the camera firmware, the encryption logic for the user password was deduced: the user password is hashed with MD5 (Unix crypt) plus a salt. The salt is generated by a function, but the generation algorithm is very simple.

The decryption algorithm written according to the encryption algorithm is as follows:

Using this algorithm to encrypt the password 123456:

The ciphertext is exactly the same as the encrypted password sent when the user logs in to the APK on the mobile terminal.

This also proves that the decryption algorithm derived by reversing the encryption algorithm is correct.

Risk analysis:

1. The APK is either not obfuscated or packed at all or is protected only by simple packing, so it is easy to decompile and repackage;

2. The weak salt generation algorithm can be decompiled and restored to rebuild the decryption algorithm, which can then be used by a program to simulate user logins.
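What makes the scheme above exploitable is not MD5 alone but the predictable salt: whoever knows the user name can compute the exact value the app sends. The following script is an added example (not from the original article) that contrasts a constructed weak scheme with a hardened one. The weak_salt rule (first four characters of the user name) is a hypothetical stand-in for the vendor's simple generator, which the article does not publish; the hardened version uses a random per-user salt and PBKDF2-HMAC-SHA256 from the Python standard library.

```python
import hashlib
import hmac
import os

# --- weak scheme: constructed stand-in for what the text describes ---------
# NOT the vendor's actual algorithm. It keeps the one property that matters:
# the salt is derived from public data by a trivial rule, so the client-side
# "ciphertext" is fully predictable and can be generated for any account.
def weak_salt(username):
    # hypothetical "simple" rule: first four characters of the user name
    return (username + "0000")[:4]


def weak_hash(username, password):
    salt = weak_salt(username)
    return salt + "$" + hashlib.md5((salt + password).encode()).hexdigest()


def weak_verify(username, password, stored):
    return hmac.compare_digest(weak_hash(username, password), stored)


# --- hardened replacement --------------------------------------------------
ITERATIONS = 200_000   # tune so one hash costs ~100 ms on the server hardware


def strong_hash(password, salt=None):
    """Random 16-byte salt per user and PBKDF2-HMAC-SHA256. Salt and work
    factor are stored with the hash so they can be rotated later. This runs
    on the server, over TLS; the app never computes a password-equivalent."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def strong_verify(password, stored):
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


if __name__ == "__main__":
    user = "13800000000"                 # constructed phone-number style account
    print("weak  :", weak_hash(user, "123456"))        # identical on every run
    print("strong:", strong_hash("123456"))            # different on every run
    print("strong:", strong_hash("123456"))
```

Because the weak value is deterministic, an intercepted or locally computed hash works as a password substitute for simulated logins; the hardened value cannot be precomputed for an account whose salt the attacker has not seen, and each guess costs 200,000 HMAC iterations.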

User passwords can be cracked in batches

The data sent when a user logs in from the mobile terminal is analysed.

Several key TCP packets can be obtained after packet analysis.

Using the previously written decryption algorithm, a socket is used to test sending these packets.

It can simulate the APK to perform user login and other operations, such as obtaining the device list, adding a device and modifying the device password.

Analysis shows that the information returned differs depending on whether the user password is correct or wrong.

Based on this difference, a dictionary can be designed to crack user names and passwords. The program enumerates and tests users with a dictionary of mobile phone numbers. After a simple test, it was found that more than 150 mobile phone numbers use 123456 as the login password.

A program was written to simply enumerate and test the mobile cloud ID numbers. After ten minutes of testing, 2300 mobile cloud ID numbers were found to be online and using the default device password.

Risk analysis:

1. The cloud performs no further verification of the data sent by the APK, so user names and passwords can be cracked in bulk programmatically, leading to the theft of user identities;

2. By analysing the communication data, targeted programs can be written to add devices in bulk and crack device passwords in bulk;

3. In theory, this method can traverse all users, passwords and mobile devices.
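The run described above (one password tried against thousands of phone numbers) is invisible to per-account lockout, because every account sees only a single attempt. The following script is an added example (not from the original article) of the detection logic the cloud side should have run over its own login log: it counts distinct accounts per source address in a sliding window and lists the accounts that accepted a password during the run, which are the ones to force-reset. The log format and all addresses and numbers are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed login log of the cloud service (not the vendor's real format):
# one line per attempt with ISO timestamp, source IP, user (phone number), result.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

SAMPLE_LOG = "\n".join(
    # one source walks a phone-number dictionary, one account per second;
    # every seventh account accepts the default password
    [f"2020-02-20T10:00:{i:02d} src=203.0.113.5 user=1380000{i:04d} "
     f"result={'ok' if i % 7 == 0 else 'fail'}" for i in range(40)]
    # a normal user who mistypes once and then logs in
    + ["2020-02-20T10:00:10 src=198.51.100.9 user=13911112222 result=fail",
       "2020-02-20T10:00:12 src=198.51.100.9 user=13911112222 result=ok"])


def detect_enumeration(log_text, window_s=60, min_distinct_users=20):
    """Flag sources that try many *different* accounts inside a sliding window.
    Per-account lockout never fires on this pattern; counting distinct users
    per source does."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events[m["src"]].append(
                (datetime.fromisoformat(m["ts"]), m["user"], m["result"]))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        window = deque()
        for ts, user, result in evs:
            window.append((ts, user, result))
            while ts - window[0][0] > timedelta(seconds=window_s):
                window.popleft()
            users = {u for _, u, _ in window}
            if len(users) >= min_distinct_users:
                # overwrite on every trigger so the alert reflects the full run
                alerts[src] = {
                    "src": src,
                    "distinct_users": len(users),
                    "first": window[0][0].isoformat(),
                    "last": ts.isoformat(),
                    # accounts that accepted a password during the run:
                    # treat as compromised and force a password reset
                    "compromised": sorted({u for _, u, r in window if r == "ok"}),
                }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(f"{alert['src']}: {alert['distinct_users']} accounts between "
              f"{alert['first']} and {alert['last']}; "
              f"{len(alert['compromised'])} accepted a password")
```

The thresholds are deliberately low for the sample; in production they are tuned per endpoint, and the same counter keyed on source address is what feeds a rate limiter so the run is stopped, not just reported.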

Internet devices can be discovered

Analysis of the camera device showed that the following ports are open by default when the camera is working normally.

Port 80 is the web management port and port 11010 is the data forwarding port.

Some XX camera devices deployed on the Internet expose a web management terminal and also open port 11010 for video recorder management.

Using zmap to scan the national IP space, about 35,000 (3.5W) hosts with port 11010 open were found in China.

Analysis shows that when the web management interface is accessed, the server returns the following response, in which the header Server: thttpd/2.25b 29dec2003 can be used as a fingerprint to identify the camera:

Filtering the IPs with port 11010 open by this web fingerprint again, more than 3800 hosts were found.

The IP addresses were tested with the default password admin/123456:

Risk analysis:

1. The default and unusual ports are easy to identify, which leads to devices being exposed on the Internet;

2. The default weak password of the camera is convenient for users to remember and manage, but it also brings a great threat of information leakage to them.

The device can be controlled without authorization

When the camera connects to the Internet, analysis of the communication data between the camera and the cloud shows that the camera first requests the IP address of the mobile server.

After obtaining the server's IP address, a data transmission test is carried out.

After the server is chosen, the UDP protocol is used to transmit audio and video.

Through several rounds of analysis, it was found that the camera sends its configuration information to the cloud server in the data stream,

including the cloud ID number, port, SMTP account, password and other information in clear text. In a subsequent password modification test, modifying the device password through the mobile app, we found the packet format to be:

Analysing the data string 6a7ea9b5c000004a31b1add1515c0000008600000000000000000000000000040000000000061646d696e00000000000000000000000000000000000003132334353600000000000000000000000b9dcc0ed4b1d5b1d5cabba7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, it was found that the characters after 6a7ea9b5c000004a31b1add1 are the control fields and the password field. A script was written to simulate the cloud and modify the device password.

The password was successfully changed to 123456789. In subsequent tests, it was found that the camera could also be made to restart or shut down.

Risk analysis:

1. UDP is used to transmit both the audio/video stream and the control data stream, so a man-in-the-middle attack is easy to carry out, which leads to the leakage of sensitive information;

2. After monitoring the camera's communication data, it is easy to forge data to modify the camera password, restart the device and control the PTZ;

3. When the camera requests the server's IP address, the system resolves the domain name via DNS. DNS spoofing can therefore easily hijack the camera, after which it can be controlled and managed illegitimately, for example pan-tilt control, shutdown, firmware upgrade, etc.
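All three risks share one root cause: the camera executes any well-formed control frame, so a captured frame can be edited and resent. The following script is an added example (not from the original article and not the vendor's protocol) of the minimum the device side should demand before acting on a command: a per-device key, an HMAC-SHA256 tag over the whole frame, and a strictly increasing sequence number so that a recorded frame cannot be replayed. The frame layout (magic, sequence number, command, length-prefixed payload, tag), the command codes and the test key are all constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed message layout (NOT the vendor's wire format):
#   magic(4) | seq(8, big-endian) | cmd(1) | payload_len(2) | payload | tag(32)
MAGIC = b"CTRL"
HDR = struct.Struct(">4sQBH")      # 15-byte header
TAG_LEN = 32                       # HMAC-SHA256 output
CMD_SET_PASSWORD, CMD_REBOOT = 1, 2


def build_message(key, seq, cmd, payload):
    """Cloud side: frame the command and authenticate it under the per-device
    key. The sender must increase seq on every message it sends."""
    body = HDR.pack(MAGIC, seq, cmd, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Device:
    """Camera side. A command is executed only if (1) the tag verifies under
    the device's own key and (2) the sequence number is higher than the last
    one accepted, so a captured message cannot be replayed or edited."""

    def __init__(self, key, password="123456"):
        self.key, self.password = key, password
        self.last_seq = 0
        self.actions = []

    def handle(self, msg):
        if len(msg) < HDR.size + TAG_LEN or msg[:4] != MAGIC:
            return "reject: malformed"
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return "reject: bad tag"
        _magic, seq, cmd, plen = HDR.unpack(body[:HDR.size])
        payload = body[HDR.size:]
        if len(payload) != plen:
            return "reject: malformed"
        if seq <= self.last_seq:
            return "reject: replay"
        self.last_seq = seq
        if cmd == CMD_SET_PASSWORD:
            self.password = payload.decode("utf-8", "replace")
            self.actions.append("set_password")
            return "ok: password changed"
        if cmd == CMD_REBOOT:
            self.actions.append("reboot")
            return "ok: rebooting"
        return "reject: unknown command"


if __name__ == "__main__":
    key = b"\x11" * 32                   # constructed per-device key for the demo
    cam = Device(key)
    legit = build_message(key, 1, CMD_SET_PASSWORD, b"123456789")
    print(cam.handle(legit))             # ok: password changed
    print(cam.handle(legit))             # reject: replay (same frame resent)
    print(cam.handle(build_message(b"\x22" * 32, 2, CMD_REBOOT, b"")))  # bad tag
```

The tag gives integrity and origin authentication only; the SMTP account and password the camera sends in clear text still need an encrypted transport (DTLS or TLS, as recommended later), and the per-device key must be provisioned individually rather than shared across the product line.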

Multiple web servers have vulnerabilities

While testing the security of the camera, contact with the web servers was inevitable. Although no targeted test was carried out, some problems were still found; only a few are listed here.

S2-045 command execution vulnerability on the official website

During the test, the server with IP x.x.x.x was found to have the Struts2 S2-045 vulnerability. The domain names of and are resolved to this server, and one of them has a Struts2 command execution vulnerability.

Against Http:// Deviceguid = XXX, the POC program can execute system commands directly.

Executing whoami shows the root user.

Viewing the shadow file.

An attacker can easily execute arbitrary system commands on the remote server through this vulnerability, which has a serious impact on the affected site and leads to data leakage, web page tampering, backdoor implantation, the host being turned into a bot and other security incidents.

Cloud ID numbers can be enumerated

The camera's official website provides an interface for querying cloud ID numbers: Id = s12923021

The interface can directly query any cloud ID number and shows whether it is online.

When the device does not exist, the return value is RT=-1:

When the device is offline, it returns RT=1, DSLs=0; when the device is online, RT=1, DSLs=1.

Based on the different return values, cloud ID numbers can be brute-force enumerated. The online mobile devices found this way can be added and viewed with the default password.
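The interface leaks because it answers three distinguishable ways to anyone, with no authentication and no throttling. The following script is an added example (not from the original article) that models the leaky lookup exactly as described (RT=-1, RT=1/DSLs=0, RT=1/DSLs=1) beside a hardened version: the caller must be the device's owner, "no such ID" and "not your device" return byte-identical replies, and every caller is rate-limited. The device registry, owner accounts and ID strings are constructed for the example.

```python
import time
from collections import defaultdict, deque

# Constructed device registry standing in for the cloud ID database;
# IDs and account names are made up.
DEVICES = {"sEXAMPLE001": {"online": True}, "sEXAMPLE002": {"online": False}}
OWNERS = {"sEXAMPLE001": "alice", "sEXAMPLE002": "bob"}


def leaky_status(cloud_id):
    """The behaviour described in the text: three distinguishable answers that
    let anyone walk the ID space without owning a single device."""
    if cloud_id not in DEVICES:
        return {"RT": -1}
    return {"RT": 1, "DSLs": 1 if DEVICES[cloud_id]["online"] else 0}


class RateLimiter:
    """Sliding-window counter per key (account or source address).
    `clock` is injectable so the behaviour can be tested deterministically."""

    def __init__(self, limit, window_s, clock=time.monotonic):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self.hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self.hits[key]
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class StatusService:
    """Hardened lookup: the caller is an authenticated account that must own
    the device; a missing ID and somebody else's ID produce the identical
    reply, and every caller is throttled before any lookup happens."""
    GENERIC = {"RT": 0, "msg": "no such device or not permitted"}
    THROTTLED = {"RT": 0, "msg": "too many requests"}

    def __init__(self, devices, owners, limiter):
        self.devices, self.owners, self.limiter = devices, owners, limiter

    def status(self, account, cloud_id):
        if not self.limiter.allow(account):
            return dict(self.THROTTLED)
        if self.owners.get(cloud_id) != account:
            return dict(self.GENERIC)     # same bytes whether the ID exists or not
        return {"RT": 1, "DSLs": int(self.devices[cloud_id]["online"])}


if __name__ == "__main__":
    svc = StatusService(DEVICES, OWNERS, RateLimiter(limit=10, window_s=60))
    print(leaky_status("sEXAMPLE999"), leaky_status("sEXAMPLE002"))   # distinguishable
    print(svc.status("alice", "sEXAMPLE999"), svc.status("alice", "sEXAMPLE002"))  # identical
    print(svc.status("alice", "sEXAMPLE001"))                          # owner sees status
```

The limiter here is keyed on the account; a public endpoint would key on the source address as well, and the device-binding flow that currently accepts a default password is where the ownership record used by status() has to be established.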

The management back end has an unauthorized access vulnerability

During the APK test, it was found that the APK advertising management platform allows unauthorized access. Visiting the URL: shows all the advertising information.

The advertising information can also easily be modified or deleted through this unauthorized access, affecting all the advertisements received by the APK. A dealer query interface also allows unauthorized access: visiting the URL shows all the vendor information directly.

Multiple databases use the same password

Through the Struts2 command execution, control of a server was obtained, along with the database password. It was later found that the databases on several of the company's cloud servers use the same password, including the most important user management database and cloud ID number management database, as well as two important video storage cluster devices.

Risk analysis:

1. Compared with vulnerabilities in the camera device, an attacker may prefer to start from the web server. Once the server is compromised, all user and device information is threatened;

2. Unauthorized access may lead to disclosure of supplier information, malicious tampering with advertisements and even theft of administrator passwords.

Test summary

The test found that the data communication among the camera, the cloud and the app adopts certain protective measures, but many security weaknesses remain.

1. The algorithms can be reverse-engineered. The security of a private algorithm depends on the algorithm not being public; once its logic can be recovered by reverse engineering, the security built on it no longer exists.

2. Identity verification is flawed. When a self-written client is used to control the camera or connect to the server, neither the camera nor the cloud server checks the control data, so they respond directly to any data.

3. The security risks of the web servers are great. Although this test did not target the web servers, as many as seven or eight high-risk vulnerabilities were found. A targeted web security test would probably find more. Moreover, more user data and device information are stored on the web servers.

Recommendations:

1. Platform security: adopt a security isolation model that physically separates the private network from the public network; this is the most effective measure to prevent cameras from being exposed on the Internet;

2. There should be a complete authorization mechanism that can flexibly assign which cameras a user may view, which function modules they may execute and which specific functions they may perform, so that a user can only view cameras within their scope of authority and perform the functions they have been granted.

3. Communication security mechanism: for network communication, the system should provide end-to-end (client, system platform, device firmware) SSL authentication and data encryption. To prevent the video stream from being intercepted by unauthorized users, the video files can be encrypted for transmission. Generally a symmetric-key system can be used: each video stream is encrypted with a different key, and only users with the right to watch that stream hold the key and can decrypt it, ensuring the security of video transmission.

4. In addition to avoiding traditional web vulnerabilities, the cloud server should back up and encrypt the videos and files it stores, so that user data does not leak if the server is compromised.

5. The mobile app should be security-hardened and its code obfuscated to prevent it from being reverse-engineered and leaking the algorithms or business logic.