(no) IP camera security

Recently, a cheap Chinese IP camera fell into my hands. As I like to know how the equipment works, it ended up in my fuse workshop. Results below.

What the ports squeak

A quick nmap scan of the device indicated several open ports:

nmap camera scan
  • Port 80 : Here is a web interface for camera management. It is secured with a login and password. It is interesting that the manual does not mention it (it speaks only of the camera support dedicated to the application). He has a few security bugs, but I didn't spend too much time with him.
  • Port 554 : service rtsp Hipcam IP camera rtspd 1.0. Real Time Streaming Protocol is used to transfer data in real time, in this case video from the camera. The biggest pain from a safety point of view, but about it further.
  • Port 1935 : Real Time Messaging Protocol – a protocol created by Adobe Systems for streaming audio, video and data, between flash player and server.
  • Port 8080 : Onvif (Open Network Video Interface Forum) – soap communication. The standard for communicating devices on a network as part of video surveillance.

Big brother is watching – share your home life with the world

In my opinion, the main problem of cheap Chinese IP cameras is poor technical documentation and dangerous default settings. Namely, we will not find in it information about the fact that the port 554 by default is enabled RTSP and thus streaming video. Additionally, by default, the option is selected that access to such a stream does not require authentication:

IP camera RTSP

Non-technical persons, and even technical ones dealing with the professional topic of installation of monitoring do not know about it. Connecting such a camera to the Internet with a public IP address causes both the image and sound from such a camera to be involved in the world.

In addition, these cameras will by default have another service running to access each other from the network. This is done via P2P. Here, however, to access the video is already required authentication and possession of a unique Camera UID. But what if the unwitting user doesn't change the default access data?

ip camera soft

The problem is global and the risks are real

Shodan has induched 99,469 cameras worldwide, of which 489 in Poland make their streaming available online via RTSP on port 554.

shodan ip camera

There are both cameras located in shops, service establishments and those from private homes. There is no shortage of cameras located behind the computer screen (you can see the user's password) or above the payment terminal (leakage of pin codes). What scares me the most is those located in the homes of older people or children's rooms.

I will not save the whole world, but I managed to reach two unwitting users. I informed them about the incorrect camera configuration. One of them was a high-ranking employee of a "green" bank. A camera placed in the living room, streaming both sound and video:

hacking ip cameras

Lucky in the misfortune that in addition to the camera, the unaware user shared his website with his name:

director's website

A message using Linkedin was enough:

linkedin conversation

The second case was streaming from the dentist's office several cameras:

cabinet ip camera
cabinet ip camera

In identifying the source of the "leak" helped the shipment located on the reception counter and linking several facts. The phone call fixed the patient privacy situation.

stream ip camera

Chcesz wiedzieć więcej?

Zapisz się i bądź informowany o nowych postach (zero spamu!). Dodatkowo otrzymasz, moją prywatną listę 15 najbardziej przydatnych narzędzi (wraz z krótkim opisem), których używam przy testach penetracyjnych.

Nigdy nie podam, nie wymienię ani nie sprzedam Twojego adresu e-mail. W każdej chwili możesz zrezygnować z subskrypcji.

Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *