Low cost commodity IP surveillance cameras are becoming increasingly popular among households and small businesses. As of April 2013 Shodan (www.shodanhq.com) shows close to 100000 cameras active all over the world. Despite the fact that there are many models by different vendors, most of them are actually based on the identical hardware and firmware setup. Moreover, there are even other devices (such as Internet TV boxes) that use the similar firmware.
Interestingly enough, those cameras have little or no emphasis on security. In particular, the web based administration interfaces can be considered as a textbook example of an insecure web application. This easily leads to an exposure of not only sensitive personal information (such as wireless network, FTP, and even email access credentials), but also provides an eye inside victim’s house. It can be used to alter the video stream with an external stream or a still picture.
Our contribution will cover how those cameras work, as well as how to gain control over a camera in the wild. Furthermore, we will present analysis of security malpractices that that make it possible to harvest sensitive data stored on the camera, as well as to use a camera as an attack platform inside victim’s private network. The presentation will conclude with the introduction of toolkit for extracting, altering and repackaging original components of the camera, as well as a live demo during which we will show how a camera (that was set-up following vendors’ recommendations and tutorials) can be compromised. Last but not least we will share recommendations on how the setup of the camera can be made less insecure.