Vectra Threat Labs, part of Vectra Networks has invested time testing some IoT solutions available in the market, and one of the most interesting products its always the Wi-Fi security web cameras. According to experts from Vectra Threat Labs, web cameras, designed to improve the physical security, can be hacked and reprogrammed to be used as a backdoor.
“Consumer-grade IoT products can be easily manipulated by an attacker, used to steal an organization’s private information, and go undetected by traditional security solutions,”… “While many of these devices are low-value in terms of hard costs, they can affect the security and integrity of the network, and teams need to keep an eye on them to reveal any signs of malicious behavior.” Said the CSO of Vectra Networks, Gunter Ollmann.
It is technically possible to exploit an IoT device, including web cameras, as a backdoor, that means that the attackers can have access to an organization / home network 24x7without infect any internal workstation or server, bypassing firewalls and other intrusion prevention systems.
“Most organizations don’t necessarily think of these devices as miniature computers, but essentially they are in that they can still give attackers access to sensitive company information, particularly because they are connected to the corporate network,”… “Unlike the computers people regularly interact with, these devices do not have the processing power or memory to run antivirus or other security software. Since they don’t have usable persistent storage, attackers use NVRAM to store the configuration and flash ROM to store the malicious code.” Added Gunter Ollmann.
Researchers at Vectra Threat Labs tested a popular Wi-Fi camera in the market, the D-Link DCS 930L, that costs roughly $30, and was able to reprogram the device as a network backdoor, without disrupting its operation as a camera.
“Consumer-grade internet-of-things products can be easily manipulated by an attacker, used to steal an organisation’s private information, and go undetected by traditional security solutions.”
The researchers were able to access the memory chip of the web camera and dump its content to analyze it.
They discovered that the format of the firmware on this model of web cameras consists of a u-boot and a Linux kernel and image.
“We could have used dd, lzma or cpio to extract the content of the firmware or we can let binwalk do this work. We still need to extract the last step of the cpio image to see the content of the image.” States the post published by the experts.
The researchers were so able to access the Linux image filesystem and add a service to make the “dirty job” and remove the capacity to reflash the device in the future to avoid update.
“At this point, adding a backdoor roughly devolves to adding a service inside a Linux system – in our case, all we want is a simple connect-back Socks proxy. This can either be accomplished with a srelay and netcat in the startup script or more optimized C code, or one could go with a simple callback backdoor with a shell using netcat and busybox which are already present on the system. “
As a last note, D-Link has not fixed the vulnerability exploited by Vectra Threat Labs, and researchers are not expecting for a fix to come up soon, because a fix would need a Trusted Platform Module or a specialized chip to verify software updates.
If you want to know more about the all process used by Vectra, please check out their blog here.
About the Author Elsio Pinto
(Security Affairs – D-Link DCS web cameras, hacking)