July 17th, 2024

Reverse-Engineering an IP Camera (2019)

The author replaced an old IP camera with a new P2P camera and, concerned about its security, reverse-engineered it, documenting its network behavior, the servers it connects to, and how it transmits data. The author aims to access the camera's Linux system for enhanced control.

The author replaced an old IP camera with a new P2P camera, which connects to a server for remote access. Concerned about security and lack of control, they decided to reverse-engineer the camera. Despite difficulties in identifying the manufacturer, they discovered the camera's setup process and network behavior. The camera connects to various servers, including for firmware updates, and streams data to different IPs. The author aims to access the camera's Linux system to enhance control. They observed network traffic using tools like nmap and Wireshark, revealing connections to unexpected servers like Google and Alibaba. The camera uses UDP ports for data transmission, with potential inefficiencies in data compression. The author plans to explore accessing the camera's operating system in the next part of their analysis.

AI: What people are saying
The article on replacing an old IP camera with a new P2P camera and its security concerns sparked a discussion on various related topics.
  • Security concerns with Chinese cameras and their data transmission to Chinese servers.
  • Alternative solutions like using Raspberry Pi setups or disabling internet access to avoid data leaks.
  • Recommendations for replacement firmware projects and privacy-first camera products.
  • Issues with cheap IoT devices and the need for better consumer education on their risks.
  • Examples of companies with poor internal security practices, highlighting broader privacy concerns.
22 comments
By @cameldrv - 5 months
These cameras are extremely suspicious -- just follow the money. I bought some cheap Chinese cameras in 2020 that by default send the video stream to a Chinese server, which you can watch with an app on your phone. The cameras were about $40 on Amazon, so my guess is the manufacturer was getting paid maybe $15-20 for them.

Bandwidth to and from China is not that cheap, and you could be running this stream 24x7. The streaming service still works 4 years later even though the company whose name is on the camera has vanished.

So, who is paying the server/bandwidth bill? The camera is too cheap to afford indefinitely providing this service, so you can only presume that you're paying in another way. Probably there is some third party in China that the camera manufacturer makes a deal with. The camera manufacturer may even be getting paid to pick a particular provider.

By @mv4 - 5 months
This may come as a surprise, but it's not just hackers (or China) that you need to worry about. I've worked at a couple of FAANGs (risk, privacy, compliance) and was shocked by the lack of internal guardrails. Here's Amazon Ring settling with the FTC - company's own employees were watching customer video feeds for entertainment:

https://www.ftc.gov/enforcement/refunds/ring-refunds

Tesla's been caught doing similar things. The list goes on.

https://www.reuters.com/technology/tesla-workers-shared-sens...

By @mv4 - 5 months
Since someone mentioned 'declouding' here, my startup (well, scaleup now) makes a few privacy-first, autonomous (no cloud) video security products - on-prem video security hub, relays for automation, cameras.

I was also getting sick of cloud-based 'smart' cameras that ping random servers in China, so we made our own 'dumb' cameras that are fast (Uniview hardware with our firmware inside).

If anyone here is interested, I will happily share more info. Always interested in product feedback.

By @tkems - 5 months
This is a great rundown of the process to extract the firmware from these types of devices without desoldering the flash. I've done a fair amount of reverse engineering and a lot of devices have similar vulnerabilities.

I think more time needs to be spent looking into these commonly used, cheap IoT devices and educating consumers on the risks of using a poorly secured device on their network.

The upside of these vulnerabilities is that you can run your own code on these! 'Declouding' is great as it can extend the lifetime of these devices and make using them more private.

By @krunck - 5 months
"This first difficulty was to find information about the camera. Despite having a company logo printed on its front, I could not find any information about this company on Google. I found several identical cameras being sold online, but under different brands, all of them seem to be Chinese names."

Why does this continue to surprise people? So much sketchy garbage coming out of China is sold under numerous "brands". Just look at a lot of computer stuff sold on Amazon.

By @soylentcola - 5 months
Only thing I'd mention is that the old school "web server runs on camera" model is really dodgy when the average user just plugs it in, fires up a mobile app, and sees their camera - then assumes all is well.

So many security issues and exploits for those things. Hardcoded passwords, backdoors, and loads of exploits for gaining SSH or telnet access on very common models.

As much as I hate the current shift toward camera-remote server setups (and their inevitable subscription fees), I can't imagine expecting your average buyer at Amazon or Walmart to properly configure and lock those things down. At least if it only talks to Amazon or Google or whoever, you won't be able to find it in a port scan and pull an image using admin/admin or whatever.

By @lakid - 5 months
A new-ish project for a replacement firmware for Ingenic based cameras is here https://thingino.com/ . The developers are super active and very responsive.
By @warmedcookie - 5 months
One thing I have set up on my computer is a custom DNS server that routes traffic by default to 8.8.8.8 (Google) but allows me to route certain domains (ex. ones you want to sniff) to your own webserver. Half the time there aren't even proper SSL protocols in place, making it very easy to see what these devices are sending over.
By @Maxious - 5 months
The telltale sign of the ipc binary suggests this is probably one of the SoCs looked at in https://openipc.org/

I tore down an ankya brand device which had some fun features like setting up the wifi password by showing the camera a QR code

By @fuzzfactor - 5 months
It would be really good to see this kind of effort on the Amazon Blink cameras, I know people who are returning them because they are app-trash no differently than the no-name (multiple ghost names actually) hardware like this.

There's lots of garbage cameras now of various quality that behave the same way.

What's needed is a replacement firmware and simple flashing technique for the most popular units to appear, so it's not just one hacker getting proper performance that the hardware is capable of.

By @vivekkairi - 5 months
I faced a similar problem recently, where the IP cam I had was streaming video through the internet and it was Chinese of course. But I found a much simpler solution to avoid it. The camera had RTSP support and internet forums have already guessed the RTSP URL so I used that to hook it up to my surveillance system. Regarding avoiding transmission to internet, I just disabled internet access to that device and boom it became an offline camera.
By @lemonlime0x3C33 - 5 months
This was great, I loved all the parts it was super thorough :) You have to love serial ports on embedded devices, especially non password protected root access
By @PaulHoule - 5 months
I am using an Amcrest camera to watch my feral cat Bob B when I am not there. (I am working on him getting enough trust to walk around in the floor when I am there but it is still something he does every other day)

I was amazed at how easy it is, especially the software experience. The mobile app is easy, the web app is easy, RTSP is easy. If I want to add more cameras and set up a server to record (like ZoneMinder) that looks easy too.

By @hagbard_c - 5 months
I did a similar thing with the Xiongmai cameras I bought to keep an eye on a newly built barn/stable/clinic here on the farm and used the information to create a CLI tool to control the cameras:

https://github.com/Yetangitu/cam

I never allowed these cameras or the included DVR (which I do not use since I use Zoneminder [1]) access to the internet, they are confined on their own subnet which does not allow egress other than to my own networks nor ingress from other sources. That is true for any and all network-connected special-purpose hardware, e.g. the Fronius inverter - made in Austria - does not get to access the internet either. I pay for the hardware and I provide my own service infrastructure, I see no need to pay again with my data.

[1] https://zoneminder.com/
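
An added example, not part of the thread or any commenter's code: a check that the camera-subnet confinement described in the comment above actually holds, run over firewall flow records. The subnet addresses, the five-field record format and the sample flows are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed addressing (hypothetical): cameras sit on their own subnet and may
# only reach that subnet and the network holding the recorder (NVR).
CAMERA_NET = ipaddress.ip_network("192.168.50.0/24")
ALLOWED_DSTS = [CAMERA_NET, ipaddress.ip_network("192.168.10.0/24")]

# Constructed sample records: "src dst proto dport bytes".
# External addresses come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = """\
192.168.50.21 192.168.10.5 tcp 554 1830400
192.168.50.21 203.0.113.40 udp 40000 96
192.168.50.21 203.0.113.40 udp 40000 120
192.168.50.21 198.51.100.7 udp 40100 5242880
192.168.50.22 192.168.50.1 udp 53 74
192.168.10.9 198.51.100.7 tcp 443 2048
malformed line here
"""

def parse_flow(line):
    """Return (src, dst, proto, dport, nbytes), or None if unparsable."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1]),
                parts[2].lower(), int(parts[3]), int(parts[4]))
    except ValueError:
        return None

def camera_egress_violations(text):
    """Sum bytes per (camera, destination, proto, port) for flows that leave
    the camera subnet toward a network that is not on the allowlist."""
    totals = defaultdict(int)
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, proto, dport, nbytes = flow
        if src not in CAMERA_NET or any(dst in net for net in ALLOWED_DSTS):
            continue
        totals[(str(src), str(dst), proto, dport)] += nbytes
    # Largest talkers first: a sustained stream stands out from keepalives.
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for (src, dst, proto, dport), n in camera_egress_violations(SAMPLE_FLOWS):
        print(f"{src} -> {dst} {proto}/{dport}: {n} bytes")
```

An empty result means no camera reached anything outside the allowed networks during the logged period; any row is a destination the firewall should have blocked.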

By @pettycashstash2 - 5 months
As an example Lorex, a Canadian security camera company founded in 1991, is currently owned by Dahua Technology, a major Chinese video surveillance manufacturer. Dahua acquired Lorex in 2018, which has led to some security concerns and restrictions on Lorex products' use by U.S. government agencies.

Lorex cameras aren't banned for personal use in the US, but face restrictions for government agencies due to cybersecurity concerns. If you own a Lorex NVR system:

  • Update firmware regularly
  • Use strong passwords
  • Limit remote access
  • Consider network segmentation
  • Monitor for unusual activity

No need to discard your system, but stay informed about developments. Alternative options exist if you're concerned.

By @ck2 - 5 months
XM cameras have been completely hacked and decompiled to the point where there is third-party firmware now for them

https://kuku.eu.org/?projects/xm530/part1

https://github.com/OpenIPC

https://openipc.org/

https://team.openipc.org/ipcam_dms/

By @beryilma - 5 months
With my limited knowledge of network technologies, I still found it relatively easy to set up a Pi Zero + Raspberry Pi Camera Module system to stream video over RTSP to VLC software on my desktop or phone. The stream quality is pretty crappy, but I am hoping that, at least, this would not send my video to some Chinese servers. Anybody else experimented with such a setup?
By @Kim_Bruning - 5 months
Buy cheap cameras, stick them on a cheap smart switch with your own NVR. Make sure the cameras can never ever talk to the network.
By @iqasimov - 5 months
Long story short: your data is sent to China
By @telltaledev - 5 months
TL;DR: Some dude didn't spend effort identifying a product suitable for his expectations / requirements, now instead wastes it post-purchase on trying to understand the product in order to solve the situation.