Reverse-Engineering an IP Camera (2019)

These cameras are extremely suspicious -- just follow the money. I bought some cheap Chinese cameras in 2020 that by default send the video stream to a Chinese server, which you can watch with an app on your phone. The cameras were about $40 on Amazon, so my guess is the manufacturer was getting paid maybe $15-20 for them.

Bandwidth to and from China is not that cheap, and you could be running this stream 24x7. The streaming service still works 4 years later even though the company whose name is on the camera has vanished.

So, who is paying the server/bandwidth bill? The camera is too cheap to afford indefinitely providing this service, so you can only presume that you're paying in another way. Probably there is some third party in China that the camera manufacturer makes a deal with. The camera manufacturer may even be getting paid to pick a particular provider.

This may come as a surprise, but it's not just hackers (or China) that you need to worry about. I've worked at a couple of FAANGs (risk, privacy, compliance) and was shocked by the lack of internal guardrails. Here's Amazon Ring settling with the FTC - company's own employees were watching customer video feeds for entertainment:

https://www.ftc.gov/enforcement/refunds/ring-refunds

Tesla's been caught doing similar things. The list goes on.

https://www.reuters.com/technology/tesla-workers-shared-sens...

Since someone mentioned 'declouding' here, my startup (well, scaleup now) makes a few privacy-first, autonomous (no cloud) video security products - on-prem video security hub, relays for automation, cameras.

I was also getting sick of cloud-based 'smart' cameras that ping random servers in China, so we made our own 'dumb' cameras that are fast (Uniview hardware with our firmware inside).

If anyone here is interested, I will happily share more info. Always interested in product feedback.

This is a great run down of the process to extract the firmware from these types of devices without desoldering the flash. I've done a fair amount of reverse engineering and a lot of devices have similar vulnerabilities.

I think more time needs to be spent looking into these commonly used, cheap IoT devices and educating consumers on the risks of using a poorly secured device on their network.

The upside of these vulnerabilities is that you can run your own code on these! 'Declouding' is great as it can extend the lifetime of these devices and make using them more private.

"This first difficulty was to find information about the camera. Despite having a company logo printed on its front, I could not find any information about this company on Google. I found several identical cameras being sold online, but under different brands, all of them seem to be Chinese names."

Why does this continue to surprise people? So much sketchy garbage coming out of China is sold under numerous "brands". Just look at a lot of computer stuff sold on Amazon.

Only thing I'd mention is that the old school "web server runs on camera" model is really dodgy when the average user just plugs it in, fires up a mobile app, and sees their camera - then assumes all is well.

So many security issues and exploits for those things. Hardcoded passwords, backdoors, and loads of exploits for gaining SSH or telnet access on very common models.

As much as I hate the current shift toward camera-remote server setups (and their inevitable subscription fees), I can't imagine expecting your average buyer at Amazon or Walmart to properly configure and lock those things down. At least if it only talks to Amazon or Google or whoever, you won't be able to find it in a port scan and pull an image using admin/admin or whatever.

A new-ish project for a replacement firmware for Ingenic based cameras is here https://thingino.com/ . The developers are super active and very responsive.

One thing I have setup on my computer is a custom DNS server that routes traffic by default to 8.8.8.8 (Google) but allows me to route certain domains (ex. ones you want to sniff) to your own webserver. Half the time there isn't even proper SSL protocols in place, making it very easy to see what these devices are sending over.

The telltale sign of the ipc binary suggests this is probably one of the SoCs looked at in https://openipc.org/

I tore down an ankya brand device which had some fun features like setting up the wifi password by showing the camera a QR code

It would be really good to see this kind of effort on the Amazon Blink cameras, I know people who are returning them because they are app-trash no differently than the no-name (multiple ghost names actually) hardware like this.

There's lots of garbage cameras now of various quality that behave the same way.

What's needed is a replacement firmware and simple flashing technique for the most popular units to appear, so it's not just one hacker getting proper performance that the hardware is capable of.

I faced a similar problem recently, where the IP cam I had was streaming video through the internet and it was Chinese ofcourse. But I found a much simpler solution to avoid it. The camera had rstp support and internet forums have already guessed the rstp url so I used that to hook it upto my surveillance system. Regarding avoiding transmission to internet, I just disabled internet access to that device and boom it became offline camera.

This was great, I loved all the parts it was super thorough :) You have to love serial ports on embedded devices, especially non password protected root access

I am using an Amcrest camera to watch my feral cat Bob B when I am not there. (I am working on him getting enough trust to walk around in the floor when I am there but it is still something he does every other day)

I was amazed at how easy it is, especially the software experience. The mobile app is easy, the web app is easy, RTSP is easy. If I want to add more camers and set up a server to record (like ZoneMinder) that looks easy too.

I did a similar thing with the Xiongmai camera's I bought to keep an eye on a newly built barn/stable/clinic here on the farm and used the information to create a CLI tool to control the camera's:

https://github.com/Yetangitu/cam

I never allowed these camera's or the included DVR (which I do not use since I use Zoneminder [1]) access to the internet, they are confined on their own subnet which does not allow egress other than to my own networks nor ingress from other sources. That is true for any and all network-connected special-purpose hardware, e.g. the Fronius inverter - made in Austria - does not get to access the internet either. I pay for the hardware and I provide my own service infrastructure, I see no need to pay again with my data.

[1] https://zoneminder.com/

As an example Lorex, a Canadian security camera company founded in 1991, is currently owned by Dahua Technology, a major Chinese video surveillance manufacturer. Dahua acquired Lorex in 2018, which has led to some security concerns and restrictions on Lorex products' use by U.S. government agencies.

Lorex cameras aren't banned for personal use in the US, but face restrictions for government agencies due to cybersecurity concerns. If you own a Lorex NVR system:

Update firmware regularly Use strong passwords Limit remote access Consider network segmentation Monitor for unusual activity

No need to discard your system, but stay informed about developments. Alternative options exist if you're concerned.

XM cameras have been completely hacked and decompiled to the point where there is third-party firmware now for them

https://kuku.eu.org/?projects/xm530/part1

https://github.com/OpenIPC

https://openipc.org/

https://team.openipc.org/ipcam_dms/

With my limited knowledge of network technologies, I still found it relatively easy to setup a Pi Zero + Raspberry Pi Camera Module system to stream video over RTSP to VLC software on my desktop or phone. The stream quality is pretty crappy, but I am hoping that, at least, this would not send my video to some Chinese servers. Anybody else experimented with such setup?

Buy cheap cameras, stick them on a cheap smart switch with your own NVR. Make sure the cameras can never ever talk to the network.

long story short: your data sent to china

TL;DR: Some dude didn't spend effort identifying a product suitable for his expectations / requirements, now instead wastes it post-purchase on trying to understand the product in order to solve the situation.