Who is Watching Us?

by Ray Keck

I have always taken an interest in hacking/phreaking, but never applied anything I have learned (for either good or evil purposes)... until recently, that is.  A couple years ago I started working for a manufacturer who sold home security equipment (network video recorders, IP cameras, etc.).  I have had some experience with older analog systems in the past, but this would be my first foray into the IP based world.  I was one of three people working in tech support helping installers and, on occasion, end users with technical issues.  It wasn't the greatest work to be doing (as tech support typically isn't), but it was a decent paycheck and close to home.

During my time of employment with the company, I had a lot of time to think about and evaluate the security of the equipment we were selling.  We billed ourselves as a manufacturer to the customer, but this wasn't exactly true.  The truth was that we purchased hardware from a Chinese manufacturer and re-branded it with our own logo.  We also customized the firmware that was being flashed to the equipment.  This information wasn't publicized, and we made it a point not to talk about it with clients, even if they had brought it up themselves.  Sounds like a great business to work for, huh?

Right off the bat, this job had already felt suspect to me.  While shady business practices do not necessarily translate to bad product, it was the cheaply manufactured Chinese hardware (or rather the embedded software) that was the issue.  This was particularly evident to me about once a year when we would go through a flood of calls regarding hacked machines and user accounts.  The reason these machines would get hacked so frequently was because of vulnerabilities found in the firmware.

This, of course, isn't anything new to technology.  It has always been a cat-and-mouse game between hackers and firmware developers since the dawn of time.  Take, for example, the Xbox 360 when hackers modified DVD-ROM firmware to play game backups on their machines.  Microsoft threw everything they could at people modifying their consoles to thwart these attempts.  But what resulted was a back-and-forth game between both parties involved, with Microsoft continuously patching, updating, and swapping hardware.  The difference here is that the cheap Chinese manufacturer put forth much less of an effort to secure their products.

For years they used very simple algorithms to generate backdoor passwords from information that was widely available on the Internet to those who were interested.  The backdoors were intended for people who forgot their passwords.  But rather than give them a way to reset it on their own (like a password reset link on the web interface landing page), all they had to do was call us.  The backdoor codes were generated something like this: 8888 x DAY x MONTH x YEAR, and the last six digits of the result were the password.  We only generated those backdoor passwords for installers and law enforcement, which was supposed to keep them from falling into the wrong hands.
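To make concrete how little a scheme like this protects, here is an added example (not code from the article or from the vendor; the author gives the formula only as "something like this") that takes the formula literally, assumes the current calendar date is the input, and enumerates every password it can produce in a year.  Note that the serial number does not appear in the formula as quoted, so one guess per day would apply to every unit.

```python
from datetime import date, timedelta
from typing import Dict, List, Set

MULTIPLIER = 8888  # the constant quoted in the article


def backdoor_password(d: date) -> str:
    """Literal reading of the quoted scheme: 8888 * day * month * year,
    keep the last six digits. Zero-padding products shorter than six
    digits is an assumption; the article does not say what happens then."""
    product = MULTIPLIER * d.day * d.month * d.year
    return str(product)[-6:].zfill(6)


def passwords_for_year(year: int) -> Dict[str, List[date]]:
    """Map each password the scheme can yield in `year` to the dates that
    produce it. Collisions (day*month equal, e.g. Jan 6 and Feb 3) mean the
    number of distinct passwords is well below 365."""
    seen: Dict[str, List[date]] = {}
    d = date(year, 1, 1)
    while d.year == year:
        seen.setdefault(backdoor_password(d), []).append(d)
        d += timedelta(days=1)
    return seen


def keyspace(first_year: int, last_year: int) -> Set[str]:
    """Every password the scheme can produce across a span of years; this is
    the whole candidate list an attacker would ever need to try."""
    out: Set[str] = set()
    for y in range(first_year, last_year + 1):
        out.update(passwords_for_year(y).keys())
    return out


if __name__ == "__main__":
    today = date(2014, 1, 1)  # constructed sample date
    print("password for", today, "=", backdoor_password(today))
    by_pw = passwords_for_year(2014)
    print("distinct passwords in 2014:", len(by_pw))
    worst = max(by_pw.items(), key=lambda kv: len(kv[1]))
    print("most-shared password", worst[0], "is valid on", len(worst[1]), "days")
    print("candidates for 2010-2019:", len(keyspace(2010, 2019)))
```

The point of running it is the size of `keyspace`: a few thousand six-digit strings cover a whole decade of devices, and for any single day there is exactly one candidate, so the "secret" reduces to knowing the formula and the date.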

This was a fine idea in the beginning, but ended up being half-baked in the end.  This was because we had no way to verify the identity of the person calling.  Anyone could call in and say "I am Mr. SoAndSo with FakeCompany, and I need a backdoor for Serial Number xxxxx," and they would have no trouble getting it.  The algorithm has since been replaced with a stronger one to keep people from generating their own passwords.  But people calling in to get passwords still remained an issue.  Oftentimes when companies install security equipment, they leave default settings on it.  Way too many calls started out with "I can't get into my NVR anymore using the credentials of admin:admin."  Is this an end user problem?  Sure it is, to an extent.  But when installers lack the technical knowledge to actually set the equipment up properly, there is a deeper underlying issue.

One day, I was curious as to how many of these machines were out there - machines that still were using default passwords or hadn't had patched firmware applied to them.  I wanted to see if I could hack into some of them for fun and to show my company how flimsy the security actually was.  One defect with these machines is that firmware updates are applied manually, which means that only people who have called us have had their machines updated.  The firmware for these devices is not available publicly, which further cements the fact that there are still many machines sitting in the wild unprotected.  Anyone familiar with modern security equipment is probably aware that they come with a feature called P2P (or peer-to-peer).  This allows people with little or no networking knowledge to set up their equipment for remote access by scanning a 2D barcode or inputting the serial number into some software so that they can view their cameras remotely.  Fortunately for me, the serial numbers were created sequentially, which made it easy to find potential targets by running through them in order.

I started with a known serial number and incremented it by one every time I made a login attempt.  The admin account on the machines cannot be deleted (another vulnerability), so all I had to worry about was getting the password correct.  I started by trying the default password of "admin" first.  If I couldn't get in this way, I would then try generating a backdoor.  The backdoor passwords were supposed to be for local access only, and didn't work through the web interface, so all logins that I performed were done using the client software (yet another vulnerability).

I found that after several attempts on 30 different machines, I was able to successfully get into six of them.  This is definitely a high enough number to raise some concern with management (or so I thought).  I cleared the event logs on the systems before exiting so that any evidence of my entry was removed.  White-hatters will sometimes change the On Screen Display (OSD) to display something like "HACKED" so that the user is aware of what happened without anyone ever taking complete control.  It also serves as a warning of potential danger if the problem is left ignored.

In theory, I probably could have maintained access to these machines for months, or even years if I were inclined to do so.  But I chose to leave things alone and never again log into those machines.  This only served as sort of a "proof-of-concept" approach to show how easily it could be done.

After bringing my concerns to the attention of the higher-ups, it was fluffed off as a known issue that was being worked on.  My suggestion was to have the machines auto-update firmware on the fly, but this kind of functionality seemed like too much trouble to incorporate.  Little has changed, and even to this day it is still easy to break into these machines.

In closing, I just wanted to emphasize that there are things that can be done to secure these machines so that any risk involved is minimal.  Updating firmware, closing ports, and disabling P2P are all effective ways to beef up security.  Make sure that your equipment is also behind a firewall.  And finally, check event logs often.  Most hackers don't bother to clear them when they are finished with their dirty work.  A lot of home routers keep records of this kind of activity as well.  If you absolutely have to keep ports open, avoid using port 80 for HTTP traffic, and don't leave the default TCP ports in place.  Variants of port 80 (8080, 8000, etc.) are just as bad and shouldn't be used either.  Keep in mind that HTTP ports aren't usually required for viewing, but for remote management purposes only.

When a security company can't seem to get "security" right, it makes you question how secure anything really is.  But what makes this so significant is that it is an invasion of privacy, a scary reality of the modern world, and it has to make one ponder the question: "Who is watching us?"