Sergey Shekyan & Artem Harutyunyan (Qualys)
PRESENTATION TITLE: To Watch or Be Watched: Turning Your Surveillance Camera Against You
PRESENTATION ABSTRACT:
“Doesn’t matter what you see,
Or into it what you read,
You can do it your own way,
If it’s done just how I say…” – Eye Of The Beholder, Metallica
Low-cost IP surveillance cameras are becoming increasingly popular among households and small businesses. As of January 2013, Shodan (www.shodanhq.com) shows close to 100000 cameras active all over the world. Although there are many models from different vendors, most of them are actually based on similar hardware and firmware.
Interestingly enough, these cameras put little or no emphasis on security. In particular, the web-based administration interface can be considered a textbook example of an insecure web application: it not only exposes sensitive personal information (such as wireless network, FTP and even email access credentials), but also gives an attacker an eye into the inside of your house.
Apart from the flaws in the web interface, the cameras also use questionable security practices when it comes to securing the firmware, which leads to even more interesting attack vectors. This presentation will cover:
- How those cameras work
- How to gain control over a camera in the wild: analysis of security malpractices
- Going deeper: Harvesting sensitive data stored on the camera
- Turning the camera into a persistent XSS backdoor
- Making cameras part of a botnet
- Automating the process: A bot that finds and owns cameras for you
- Do the vendor’s job: Making it less (in)secure
We will also release a toolkit for extracting, altering and re-packaging original components of the camera including:
- The WebUI firmware (where malicious javascript can be injected)
- The system firmware (romfs, Linux)
- The recording settings for the camera (which contain all sorts of sensitive information).
The toolkit will also include a framework for automating the modification of the software components above.
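The system firmware listed above is a romfs image, and the "extract, alter, re-package" step the toolkit performs on it can be illustrated with a small parser and builder for that format. The following is an added example written for this page, not the speakers' toolkit: it follows the Linux kernel's documented romfs layout (magic "-rom1fs-", big-endian fields, 16-byte padding, entry type in the low bits of each header's "next" word, checksums chosen so the covered words sum to zero), builds a constructed image containing made-up "etc/passwd" and "www/index.html" contents, walks it back into a tree, replaces one file and rebuilds the image with correct checksums. Everything in SAMPLE_TREE is constructed and does not come from any real camera.

```python
"""Minimal Linux romfs parser/builder (added example). Layout per the kernel's
Documentation/filesystems/romfs: big-endian ints, 16-byte padding of headers,
names and data, entry type in the low 4 bits of "next" (bit 3 = executable),
checksums chosen so the 32-bit big-endian words of the covered region sum to 0."""
import struct

ROMFS_MAGIC = b"-rom1fs-"
ROMFH_DIR, ROMFH_REG = 1, 2    # directory / regular-file type codes
ROMFH_MASK = 0xFFFFFFF0        # strips the type bits from a "next" word

def _pad16(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 16)

def _wordsum(region: bytes) -> int:
    return sum(struct.unpack(">%dI" % (len(region) // 4), region)) & 0xFFFFFFFF

def _checksum(region: bytes) -> int:
    """Value for a zeroed checksum field that makes _wordsum(region) == 0."""
    return (-_wordsum(region)) & 0xFFFFFFFF

def _layout(tree: dict, off: int) -> bytes:
    """Serialise one directory chain whose first header sits at offset `off`."""
    out, items = b"", list(tree.items())
    for i, (name, content) in enumerate(items):
        padded_name = _pad16(name.encode() + b"\0")
        hsize = 16 + len(padded_name)
        if isinstance(content, dict):             # children follow the header
            body = _layout(content, off + hsize)
            ftype, spec, size = ROMFH_DIR, (off + hsize) if body else 0, 0
        else:
            body = _pad16(content)
            ftype, spec, size = ROMFH_REG, 0, len(content)
        end = off + hsize + len(body)
        nxt = 0 if i == len(items) - 1 else end   # 0 terminates the chain
        head = struct.pack(">IIII", nxt | ftype, spec, size, 0) + padded_name
        head = head[:12] + struct.pack(">I", _checksum(head)) + head[16:]
        out += head + body
        off = end
    return out

def build_romfs(volume: str, tree: dict) -> bytes:
    """Build an image from {name: bytes | {nested}}; sets both checksums."""
    vol = _pad16(volume.encode() + b"\0")
    body = _layout(tree, 16 + len(vol))
    full = 16 + len(vol) + len(body)
    image = ROMFS_MAGIC + struct.pack(">II", full, 0) + vol + body
    # the superblock checksum covers the first 512 bytes (or the whole image)
    fix = _checksum(image[:min(512, full)])
    return image[:12] + struct.pack(">I", fix) + image[16:]

def _walk(image: bytes, off: int, node: dict, seen: set) -> None:
    while off and off not in seen and off + 16 <= len(image):
        seen.add(off)                             # guards against looped chains
        nxt, spec, size, _ = struct.unpack(">IIII", image[off:off + 16])
        name_end = image.index(b"\0", off + 16)
        name = image[off + 16:name_end].decode()
        data_off = off + 16 + len(_pad16(image[off + 16:name_end + 1]))
        if nxt & 0x7 == ROMFH_DIR:
            node[name] = {}
            _walk(image, spec & ROMFH_MASK, node[name], seen)
        elif nxt & 0x7 == ROMFH_REG:
            node[name] = image[data_off:data_off + size]
        # hard links, symlinks and device nodes are skipped in this demo
        off = nxt & ROMFH_MASK

def parse_romfs(image: bytes) -> dict:
    """Return the nested {name: bytes | dict} tree of a romfs image."""
    if image[:8] != ROMFS_MAGIC:
        raise ValueError("bad romfs magic")
    full = struct.unpack(">I", image[8:12])[0]
    if full > len(image) or _wordsum(image[:min(512, full)]) != 0:
        raise ValueError("bad romfs size or superblock checksum")
    root_off = 16 + len(_pad16(image[16:image.index(b"\0", 16) + 1]))
    tree: dict = {}
    _walk(image, root_off, tree, set())
    return tree

def repack_with_change(image: bytes, path: str, data: bytes) -> bytes:
    """Extract, replace one file (e.g. "www/index.html"), rebuild and return."""
    tree = parse_romfs(image)
    *dirs, leaf = path.split("/")
    node = tree
    for d in dirs:
        node = node[d]
    node[leaf] = data
    return build_romfs(image[16:image.index(b"\0", 16)].decode(), tree)

# Constructed sample contents for the demo; not taken from any real camera.
SAMPLE_TREE = {
    "etc": {"passwd": b"admin:secret\n"},
    "www": {"index.html": b"<html><body>cam</body></html>\n"},
}

if __name__ == "__main__":
    img = build_romfs("camera", SAMPLE_TREE)
    print(parse_romfs(img)["etc"])
    new = repack_with_change(img, "www/index.html", b"<html>patched</html>\n")
    print(len(new), parse_romfs(new)["www"])
```

The parser treats the image as untrusted input: it verifies the superblock checksum before walking, bounds-checks every header and refuses to revisit an offset, so a crafted image with a looped "next" chain cannot make it spin. Real images produced by genromfs also contain "." and ".." entries and other types this demo ignores; a file-system-level repack like this still leaves any outer firmware container (and any signature the vendor applies) to be handled separately.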
ABOUT SERGEY SHEKYAN
Sergey Shekyan is a Senior Software Engineer at Qualys, where he focuses on development of the company's on-demand web application vulnerability scanning service.
As a side interest, Sergey enjoys researching application-layer DoS attacks and trying to fix web browsers. Sergey holds both Master's and BS degrees in Computer Engineering from the State Engineering University of Armenia. Sergey has presented at Black Hat, H2HC and other security conferences. Blog at http://shekyan.com
ABOUT ARTEM HARUTYUNYAN
Artem Harutyunyan is a Software Architect at Qualys. His responsibilities include the design and development of distributed computing systems for storing and analyzing large volumes of data. Prior to joining Qualys, Artem spent several years at CERN, where he worked on the development of geographically distributed large-scale Grid computing systems. Artem holds a PhD from the State Engineering University of Armenia.