Anatomy of an Internet of Things hack: Motorola security camera pwned


Rob Joyce heads up the NSA’s ‘Tailored Access Operations’ unit, or a bunch of very well-resourced hackers to give it another name. Joyce has recently admitted that Internet of Things insecurity “keeps me up at night.”

Joyce is not alone; Forrester Research has said that “IoT security technologies are still in the Creation phase, with no established products.”

If proof were needed of just how broken IoT security is right now, then you only have to go looking for hacked cameras connected to the Internet. You don’t have to go far, just a visit to Shodan will do it.

Shodan is an Internet-connected device search engine; it also enables anyone with a technical bent to apply filters that will find images being streamed from webcams with open ports.

Insecure webcams are nothing new, but they are worrying in the sense that they are indicative of an emerging Internet of Things security clusterfuck.

What is new, or at least relatively uncommon, is in-depth details of the security problems that can be exploited. By which we don’t just mean badly configured ports, but vulnerabilities that can be exploited by those with the necessary hacking skills. Context is a security consultancy that has clients including blue chips and government organisations, and it provides penetration testing and red teaming services alongside incident response services.

Context researchers Alex Farrant and Neil Biggs recently took a look at a Motorola Focus 73 outdoor security camera, and soon discovered three things:

  1. It had an associated mobile app
  2. It was quick to setup
  3. It presented new security threats to the network

As you would expect, Context has a responsible disclosure policy and so contacted the Motorola Monitors support team back in October 2015. The researchers were referred to Hubble (who provided cloud connectivity built upon an Amazon EC2 instance) and, working with Motorola, Binatone, Hubble, Nuvoton and software developer CVision, firmware updates have been rolled out since then.


Now that Context understands the critical issues have been addressed in the latest of these updates, version 01.19.26, the research team decided the time was right to publish more details. And by more details we don’t mean a press release skimming the surface of what happened, although one of those is available, but rather a detailed blog that covers the entire technical process of discovering the flaws and exploiting them.

Anyone who wants to get a handle on how a connected device such as a security camera can be left wide open to attack should read the ‘Push To Hack: Reverse engineering an IP camera’ report. It is truly fascinating, and worrying, stuff.

The report explains how the researchers were able to:

  1. Exploit the camera without access to the local network
  2. Steal the home network’s Wi-Fi password
  3. Obtain full control of the Pan-Tilt-Zoom controls
  4. Redirect the video feed and movement alerts to their own server

Things started going badly for the Motorola Focus 73 during the setup process, when the app offered an option to pair with the camera in host mode over an insecure, open wireless network. On that network the user was prompted to enter their private Wi-Fi security key, which was then sent unencrypted over the open network, protected by nothing more than basic HTTP authentication.

How basic? How does username ‘camera’ and password ‘000000’ grab you?

The researchers were also rather taken aback by all of this when they realised that the camera also offered what they describe as “a host of unfiltered network services, including the network video feed (RTSP), a bespoke internal messaging service for initiating alerts and two distinct web servers (nuvoton and busybox), one of which has an undocumented firmware upgrade page.”

To cut a long story short, which you can read along with some excellent images and video on the Context blog pages, the researchers obtained root access (root password was ‘123456’) and found the home network Wi-Fi password was in plaintext and using factory credentials.

What’s more, they also found the credentials for the developers’ Gmail, Dropbox and FTP accounts; and the device’s easily accessible logs contained the AES encryption key for the remote control messages and FTP credentials for video clip storage.
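The two weaknesses described above, the pairing request that carries the home Wi-Fi key over an open network behind HTTP Basic authentication, and device logs that leak the AES key and FTP credentials, are the kind of thing a firmware or pre-release security review should catch mechanically. The script below is an added example written for this article, not code from Context or from any of the vendors named; it audits a constructed pairing request and a constructed log excerpt. The URL path, form field names, log format and every credential and key value in it are made up for illustration; only the two factory credential pairs (camera/000000 and root/123456) come from the article.

```python
import base64
import binascii
import re
import urllib.parse

# Factory credentials named in the article; any device that still accepts them
# should be flagged by a review.
FACTORY_DEFAULTS = {("camera", "000000"), ("root", "123456")}

# Constructed sample: a pairing request of the kind the article describes being
# sent over the camera's open Wi-Fi network. Path, field names and values are
# hypothetical. The Basic token is base64 of "camera:000000".
PAIRING_REQUEST = (
    "POST /setup/wifi HTTP/1.1\r\n"
    "Host: 192.168.193.1\r\n"
    "Authorization: Basic Y2FtZXJhOjAwMDAwMA==\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "ssid=HomeNet&psk=MyHomeWifiSecret123"
)

# Constructed sample log lines modelled on the categories of secret the article
# says were found in the device's logs; every value is invented.
DEVICE_LOG = """\
[boot] wifi connected ssid=HomeNet psk=MyHomeWifiSecret123
[alerts] remote control channel aes_key=00112233445566778899aabbccddeeff
[upload] ftp://clipuser:clippass@ftp.example.invalid/clips
[mail] smtp login devteam@example.invalid pass=hunter2
"""

# Patterns for secrets that should never appear in a device log. They are
# deliberately narrow; a real review would extend them to the product's formats.
SECRET_PATTERNS = {
    "wifi-psk": re.compile(r"\bpsk=(\S+)"),
    "aes-key": re.compile(r"\baes_key=([0-9a-fA-F]{32,64})\b"),
    "ftp-credentials": re.compile(r"ftp://([^:@/\s]+):([^@/\s]+)@"),
    "mail-password": re.compile(r"\bpass(?:word)?=(\S+)"),
}


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into request line, header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decode_basic_auth(header_value):
    """Return (user, password) from a Basic Authorization header, or None.

    Basic auth is base64 encoding, not encryption: anyone who can read the
    request on an open network can recover the credentials exactly like this.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def audit_pairing_request(raw):
    """List the weaknesses a reviewer should raise for a captured pairing request."""
    findings = set()
    _, headers, body = parse_http_request(raw)
    auth = headers.get("authorization")
    if auth:
        creds = decode_basic_auth(auth)
        if creds:
            findings.add("basic-auth-cleartext")  # readable by any observer
            if creds in FACTORY_DEFAULTS:
                findings.add("factory-default-credentials")
    params = urllib.parse.parse_qs(body)
    if any(key in params for key in ("psk", "password", "wpa_key")):
        findings.add("wifi-key-plaintext")  # home Wi-Fi key sent in the clear
    return sorted(findings)


def scan_log_for_secrets(text):
    """Return (line number, category) for every log line that leaks a secret."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, label))
    return hits


if __name__ == "__main__":
    print("pairing request findings:", audit_pairing_request(PAIRING_REQUEST))
    for lineno, label in scan_log_for_secrets(DEVICE_LOG):
        print(f"log line {lineno}: leaks {label}")
```

Both checks are cheap to run in a build pipeline: the request audit against a packet capture of the setup flow on a test bench, and the log scan against the device's log output after a full boot, pairing and alert cycle. Either finding is a release blocker, because a key that reaches an open network or a log file is one the vendor no longer controls.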

Neil Biggs, Head of Research at Context IS, said “this is one more example of an IoT product getting to market with little attention being paid to security. The benefits of these security cameras are clear but it rather defeats the object if they are also open to compromise. The message is clear; companies wanting to get on the IoT bandwagon need to design in security from the outset.”
