Smart Device Security: A Summary of Synack's Dropcam Reverse-Engineering Process

Source: Internet
Author: User

Dropcam is a multi-functional wireless network video surveillance camera. Besides network streaming, network storage and two-way talk, it can also mark the times at which moving objects appeared. In June 2014 Google's Nest announced that it would buy Dropcam for $555 million in cash. Dropcam is currently the best-selling security camera on Amazon and has entered the retail stores of Apple and Blockbuster, and it has become a popular baby-monitoring camera. Of course, Chinese versions of "Dropcam" have also begun to appear, such as the "small I eyes and ears", the Lenovo House treasure, the small ant intelligent camera (earlier reports called it Dropcam's Chinese "partner"; the small ant uses an Ambarella A7LS processor, Dropcam the Ambarella A5 series) and the 360 smart camera.

Smart devices, or IoT devices, are being researched and developed rapidly and give users a good experience, but on the other hand their lack of security and privacy protection is worrying, as the Synack team's work at the 2014 Black Hat conference on implanting a Dropcam shows.

Synack, an enterprise security research firm, tested 16 common IoT devices, from SmartThings devices to Nest and Lyric thermostats. It turned out that all of them have security issues of varying severity, and networked cameras were the least secure.

Although these attacks require physical access, the possibility of intercepting IoT devices in transit and replacing components with tampered ones cannot be ruled out. Such attacks may become more common in the future, so pay particular attention to second-hand or refurbished products!

Here are the steps of their reverse-engineering attack on the Dropcam:

  1. Physically open the camera, locate the Dropcam's serial port and USB interface, and connect to the Dropcam through them.
  2. Then power on the Dropcam and try to enter the bootloader. There are two ways of doing this:
    • Power on and press the "Enter" key
    • Short the serial port Tx/Rx pins (pin 3 and pin 4)
  3. After entering the bootloader, type the help command; in embedded development, help generally lists the commands the system supports. The researchers found the setenv command (help setenv shows its usage). The Dropcam's boot parameters were finally modified as follows:
    amboot> setenv cmdline dcsecconsole=ttyS0 ubi.mtd=bak root=ubi0:rootfs rw rootfstype=ubifs init=/bin/sh
  4. Attempt to remove the root password
    # ls -l /etc/shadow
    /etc/shadow -> /mnt/dropcam/shadow
    # more /etc/fstab
    <filesystem> <mount pt> <type> ...
    /dev/root / ext2 ...
    # NFS configuration for ttyS0 ...
    /dev/mtdblock9 /mnt/dropcam jffs2
    # mount -t jffs2 /dev/mtdblock9 /mnt/dropcam
    # vi /mnt/dropcam/shadow
    root:$1$sf9twhv6$hcsgeupfvigvcl7av4v2t.:10933:0:99999:7:::
    # more /mnt/dropcam/shadow
    root::10933:0:99999:7:::

  5. View the Dropcam's ARM system environment
    # uname -a
    Linux ambarella 2.6.38.8 #80 ... armv6l GNU/Linux
    # ps aux | grep connect
    821 root 0:10 /usr/bin/connect
    823 root 0:13 /usr/bin/connect
    824 root 0:00 /usr/bin/connect
    (connect is a Dropcam-specific binary)


  6. The Dropcam's OpenSSL was found to be the older, vulnerable version 1.0.1e. With Heartleech, the camera's private certificate can be retrieved, and that certificate can then be misused. (Note: Heartleech automatically extracts OpenSSL private key material by exploiting the Heartbleed vulnerability.)
  7. Found a remote code execution vulnerability in the Dropcam.
    • The Dropcam runs embedded Linux, which includes BusyBox. BusyBox is a single executable that combines simplified versions of many standard Linux tools. A code execution vulnerability exists because the DHCP client (udhcpc) in BusyBox versions before 1.20.0 did not correctly escape certain shell metacharacters in DHCP server responses. A remote attacker could spoof the DHCP server to execute arbitrary code with superuser privileges. An attacker could also disassemble the Dropcam code.
  8. Modify the Dropcam app on iOS and launch a MITM (man-in-the-middle) attack.
  9. Clone the Dropcam audio
    The idea is that all audio and video streams flow from the system's API and ioctl interfaces to the Dropcam cloud, so the researchers tried to connect to the audio device:
    # arecord (the ALSA sound card recording program)
    # LD_PRELOAD=./injectme.so /usr/bin/connect
    ALSA (Advanced Linux Sound Architecture) can be used to read audio, for example via snd_pcm_readn(). In this way the researchers wrote injected code that reads the audio data and sends it to their own server.

  10. Get video
    a) Open the device /dev/iav
    b) Get the H.264 parameters through the ioctl IAV_IOC_GET_H264_CONFIG_EX
    c) Find the bitstream buffer (BSB) memory map through the ioctl IAV_IOC_MAP_BSB
    d) Find the DSP memory map through the ioctl IAV_IOC_MAP_DSP
    e) Get the state of the stream through the ioctl IAV_IOC_GET_ENCODE_STREAM_INFO_EX
    f) Finally, read the stream data through the ioctl IAV_IOC_READ_BITSTREAM_EX


  11. Control video
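Steps 4, 6 and 9 above each leave a trace that a defender can look for on a camera or on a firmware dump pulled from one: a root entry in /etc/shadow with an empty password field, an OpenSSL build in the Heartbleed-affected range, and an LD_PRELOAD library injected into the connect process. The following audit script is an added example, not code from Synack or Dropcam; the shadow lines are copied from the write-up above, the environ and maps samples are constructed, and the checking policy (which hash types and library directories to flag) is this example's own assumption.

```python
"""Defender-side audit for three findings from the Dropcam write-up (added example).

Checks: empty-password entries in /etc/shadow (step 4), OpenSSL versions affected by
Heartbleed (step 6), and LD_PRELOAD injection into a running process (step 9).
All sample data is constructed or copied from the write-up; the policy is an assumption.
"""
import re

# Shadow file contents before and after the researchers' edit, as shown in the write-up.
SHADOW_ORIGINAL = "root:$1$sf9twhv6$hcsgeupfvigvcl7av4v2t.:10933:0:99999:7:::\n"
SHADOW_TAMPERED = "root::10933:0:99999:7:::\n"

# Constructed /proc/<pid>/environ and /proc/<pid>/maps content for an injected process.
SAMPLE_ENVIRON = b"PATH=/usr/bin:/bin\0LD_PRELOAD=./injectme.so\0HOME=/\0"
SAMPLE_MAPS = """\
00008000-00010000 r-xp 00000000 1f:09 1234 /usr/bin/connect
40000000-40020000 r-xp 00000000 1f:09 2345 /lib/libc.so.6
40030000-40031000 r-xp 00000000 1f:09 3456 /tmp/injectme.so
"""

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?")


def shadow_findings(shadow_text):
    """Return (user, reason) pairs for password fields that should alarm a reviewer."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 9:  # user:hash:lastchg:min:max:warn:inactive:expire:reserved
            findings.append((line, "malformed entry"))
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append((user, "empty password field: login with no password"))
        elif pw.startswith("$1$"):
            findings.append((user, "md5crypt hash: legacy algorithm, cheap to brute-force"))
    return findings


def heartbleed_affected(version_banner):
    """True for OpenSSL 1.0.1 through 1.0.1f (fixed in 1.0.1g) and for 1.0.2-beta1."""
    m = VERSION_RE.search(version_banner)
    if not m:
        raise ValueError("no OpenSSL version in banner")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"  # "" sorts before "a", so a bare 1.0.1 is flagged too
    if (major, minor, patch) == (1, 0, 2):
        return beta == "-beta1"
    return False


def preload_findings(environ_blob, maps_text, trusted_dirs=("/lib/", "/usr/lib/")):
    """Flag LD_PRELOAD in an environ blob and mapped shared objects outside trusted dirs."""
    findings = []
    for entry in environ_blob.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry.split(b"=", 1)[1].decode(errors="replace")
            findings.append("LD_PRELOAD set: " + value)
    for line in maps_text.splitlines():
        parts = line.split()
        if len(parts) < 6:  # anonymous mapping, no path column
            continue
        path = parts[5]
        if (path.endswith(".so") or ".so." in path) and not path.startswith(trusted_dirs):
            findings.append("shared object outside trusted dirs: " + path)
    return findings


if __name__ == "__main__":
    print("shadow (tampered):", shadow_findings(SHADOW_TAMPERED))
    print("openssl 1.0.1e affected:", heartbleed_affected("OpenSSL 1.0.1e"))
    print("process:", preload_findings(SAMPLE_ENVIRON, SAMPLE_MAPS))
```

On a real device the three inputs would come from the mounted /mnt/dropcam/shadow, the output of openssl version, and /proc/<pid>/environ and /proc/<pid>/maps for the connect process; the checks themselves are deliberately file-based so they can also run on an offline firmware dump.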
