Cheap Web Cams Can Open Permanent, Difficult-To-Spot Backdoors Into Networks 77
An anonymous reader writes: They might seems small and relatively insignificant, but cheap wireless web cams deployed in houses and offices (and connected to home and office networks) might just be the perfect way in for attackers. Researchers from the Vectra Threat Lab have demonstrated how easy it can be to embed a backdoor into such a web cam, with the goal of proving how IoT devices expand the attack surface of a network. They bought a consumer-grade D-Link WiFi web camera for roughly $30, and cracked it open. After installing a back-door to the Linux system that runs the camera, and then turning off the ability to update the system, they had an innocent seeming but compromised device that could be stealthily added to a network environment.
I still don't get why people use these (Score:1)
They've learned to tape over the webcam in their laptops but this? Oh man.
You get what you pay for (Score:2, Offtopic)
If you the kind of person who thinks it's a good idea to place an off-brand $20 Internet connected web cam on your network, that's probably the least of your worries.
Re: (Score:3, Insightful)
I agree, but:
This article is good because it lets us (the good guys) send a link to this article to the ignorant guys (managers etc), so that a sense of urgency is formed. Then maybe we are allowed to allocate resources to protect ourselves - at least from the script-kiddies and the semi bad guys.
(For the really skilled bad guys, even many professional organisations will fail in the long run)
Re: (Score:3)
There is that but this is old old old news.
https://youtu.be/B8DjTcANBx0 [youtu.be]
And back then it was even big, high quality (and price tag) cameras that were at fault.
Basically, these sorts of things must be on their own vlan and cut off from all access that isn't to the monitoring station/area.
Re: (Score:3)
How is this different from _any_ device these days?
Re:You get what you pay for (Score:5, Interesting)
Here's a nice warm thought to keep everyone up at night: What is to keep hackers who enjoy this sort of thing from buying devices at BestBuy, hacking them to insert remote back doors, and then returning them to BestBuy the next day? If they put it back in the packaging, possibly with new shrink-wrap, they could claim they never even opened it, and it would go right back on the shelf for some unsuspecting victim to buy.
Would it matter if the device were a $20 webcam, a $2,000 desktop PC, a $50 Wifi router, or a $100 HP printer?
Re: (Score:3)
Here's a nice warm thought to keep everyone up at night: What is to keep hackers who enjoy this sort of thing from buying devices at BestBuy, hacking them to insert remote back doors, and then returning them to BestBuy the next day? If they put it back in the packaging, possibly with new shrink-wrap, they could claim they never even opened it, and it would go right back on the shelf for some unsuspecting victim to buy.
But ... that could never happen. There's yellow tape on the box assuring me that it was inspected and repackaged by Best Buy experts. Experts! And we all know only experts are permitted access to the yellow tape dispenser.
I have little doubt the same experts refurbished one of the returned washing machines I was looking at. I wanted to see how the drain filter would work so I opened it, and while I looked disgustedly at the slimy lint still trapped in the filter, about a gallon of water poured into thei
Re: (Score:3)
To me, it merely emphasizes that being able to replace the OS/Firmware oneself is important, and should be done with any new device.
Doesn't really matter if Spyware McWebcam put a malware OS on the device if I'm just going to overwrite with a good firmware of my own choosing before putting it on my network.
Same goes for full computers, too, along with "smartphones" and tablets,
Re: You get what you pay for (Score:2)
Re: (Score:2)
But how do you install the firmware? That's usually requires that you connect the device to a PC first.
webcam distro? (Score:3)
The article mentions the d-link embeds Linux.
Is there a dd-wrt equivalent for webcams and a list of compatible models? or are these things generally tivoized?
Re: (Score:2)
A lot of the cheap chinese cameras seem to be based on the same linux distro (hilinux?) with the same crummy ui on top.. I'm not sure how the frontend actually talks to the camera hardware but it's probably not through the standard linux video apis.
A lot of them run telnet by default (and you cant turn it off through the standard ui), and have a hard coded password although the password tends to vary by manufacturer. I hooked up mine to a TTL console and changed the passwords at least, but i'd love to be ab
Re: (Score:1)
But why does a webcam have to run Linux? Why do even the simplest of devices need full blown operating systems? Can't they just program the thing for whatever it needs to do and nothing more? No wonder al these IoT-devices are full of security holes. These days, if you ask an engineer to make you an alarm clock, the first thing he'll do is slap some chips together and install Linux on it. I wish I were exaggerating.
Re: (Score:3)
These are IP cameras, that is, a camera which runs a website that can stream whatever the camera is pointing to.
I recently bought one of these to act as a baby monitor. It needs an OS in order to run the web software and Linux is already available, so why not use it? I'm betting the configuration used chops out almost everything apart from the absolute essentials.
I have a Foscam FI8910W. The first thing to note is that initial configuration including a mandatory root password change /must/ be done using an
Re: (Score:2)
Or you can buy a second hand one with the 40MB hard drive still in it for the same dollar! (Might cost $5 per month for the electric bill, though).
You might want to update to WIn98 - or NetBSD for security: I can't imagine MS trying to install Win10 on it will leave it working.
Re: (Score:2)
To have a device connect to the Internet, you need a network chip (NIC), and that requires a TCP/IP stack. In turn that requires some basic OS, like Linux (embedded, no GUI, printers or any other drivers except a network driver). It's more cost effective writing a driver in C/C++ on a Linux system than it is to hire a microcode/firmware engineer. A webcam does live JPG/MPG compression and streaming as well as received commands, so that requires multithreading. Try to optimize and write that in assembler/mic
Re: (Score:2)
Why webcams? (Score:5, Informative)
Put ANY compromised hardware on your network, and it's no longer secure. This is news?
Re: Why webcams? (Score:4, Informative)
How do you know if the device is compromised?
While you hopefully won't use one sent by a known enemy (thanks for spoiling the surprise Greeks!), how do you ensure that a unit you picked up used on eBay or Craigslist wasn't backdoored?
Opt only to buy retail or online from major vendor? Same issue. How do you know someone hasn't purchased the device, tampered with it, repackaged it with some shrinkwrap then returned it? .. Or worse, intercepted the shipment prior to you getting it?
Re: (Score:2)
You don't know this for ANY device you buy..
Even if you buy direct from the manufacturer it could have backdoors (see juniper recently).
All you can do is take steps to reduce the risk like inspecting the firmware (or replacing it with open source firmware that you can inspect more closely), isolating devices from other things etc.
My CCTV cameras are not on routable ips, and don't have direct internet access or access to anything else on my network here - i can connect to a vpn and view the video feed. Aside
Re: (Score:2)
While you hopefully won't use one sent by a known enemy (thanks for spoiling the surprise Greeks!), how do you ensure that a unit you picked up used on eBay or Craigslist wasn't backdoored?
Easy. I reflash it with the original firmware image before use, or better yet, something superior. I pick up wireless routers used all the time. Sometimes they already have DD-WRT on them. I never, ever am tempted to use it. I always reflash them (with OpenWRT, but regardless) before use.
I also don't open holes in my firewall for this stuff. If I want to see webcam output, I'll use ipsec.
Re: (Score:3)
Unless you use a JTAG to force a flash, you are trusting the honesty/reliability of the existing software to actually update the chip, which is the equivalent of trusting that user mode AV can assure you if a machine is clean or not.
At DEFCON this year there was a demonstration of infecting the LTE modem in a tablet (OS independent) which not only would persist OS wipes, but even attempted firmware updates: htt [youtube.com]
Re: (Score:2)
While everything you say is true, that's all a long way to go to infect some random asshole's computer. There's a lot of lower-hanging fruit. If I were spending my time trying to infect things, I'd want to hack some company and infect their master image. Infecting routers and donating them to thrift stores hoping to get into an interesting network is a bit of a hopeless gambit. By definition, you aren't going to.
Re: (Score:1)
How do you know if the device is compromised?
It has Linux inside.
Seriously, the OS's in these systems are too buggy and make exploits far too easy. Not to mention the application programs.
Webcams just an example ANYTHING that runs OpenWRT (Score:2)
If you want to know what consumer devices pose a security threat (whether cheap or expensive, webcam, router/modem or other device), just look at the list of devices that other people have loaded some version of a Linux based O/S on to. These are the devices that can be easily subverted. If your organisation is sensitive to security threats, the list of "hackable" devices should also be your list of products that should never be allowed to connect inside your company's security fence.
Of course, there's pr
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
You are a sparrow, oh, wait...
Moo!
Segment the network. (Score:3)
Re: (Score:1)
And littering is illegal, as is drunk driving, speeding, taking drugs, robbery, destroying property, arson, maiming people and murder. Your seem to have the delusional belief that all it takes is pointing out that something is wrong and it will just not happen.
I've never been to that universe. I've never met anyone who claims to have been there either.
You feeling stupid yet? If you're not, then it's even more evidence that there is something really really wrong with you.
Maybe you
Re: (Score:2)
I suggest something like an FDA or FCC that is required to give approval for any device sold in the USA that it meets security standards. There's no way most people will recognize the need for a plurality of networks, and even if they do, having a webcam on a separate network still doesn't prevent it from phoning home and sending photos of your house to criminals wanting to see if you're not there right now. Without a vetting agency of some sort, these devices are going to continuously cause problems for th
Re: (Score:2)
All questionable devices should go on a separate network segment that is isolated via a strict firewall.
I agree, but Joe and Jane Average will never do this or even understand the reason for doing it.
For the bad guys, the world is full of soft, delicious, blissfully unaware victims-in-waiting like them, and I don't see it getting any better anytime soon.
Re: (Score:2)
Re: (Score:2)
Shouldn't matter (Score:1)
In a perfect corporate environment no network equipment is trusted by default, i.e. even if you install a malicious device the network will remain secure.
Nowadays, there's no other way due to BYOD: even though some companies may explicitly forbid the use of your own devices, realistically it's nigh impossible to implement which means you cannot and mustn't trust any devices on the intranet.
Re: (Score:2)
Yes there is.
Step 1 go to the CTO's office and kick him square in the nuts. Go to the CIO's office and do the same. While you are kicking them in the nuts keep repeating.. "quit being a dumbass and stop saying BYOD. BYOD is a security hole and I will kick you in the nuts until we stop this stupid policy.
Step 2 once they see the light, go to the CEO's office and repeat.
Block off access to the internet (Score:1)
I have a cheap Chinese made ip camera and the first thing I did was ensure that it did not have access to the Internet. Sure it can access the local network and try to do something malicious if the firmware is programmed to do so but it won't be able to phone home.
Re: (Score:2)
That was the whole point of buying it!
No need to crack the camera (Score:2)
There is currently a report by a German computer magazine [heise.de] (no so good Google translation [google.com]) where IP cameras sold by a large German supermarket chain had an awfull standard configuration in
a) Not asking for a new password for external access and
b) automatically opening (via UPnP) an existing firewall.
Seemingly even after an update there are still hundreds of these cameras reachable on-line.
So one does not have to wait for a malign party to 'crack' a camera. Insufficient security knowledge at manufacturer and
Linux webcam compromised .. (Score:2)
Nothing surprising... (Score:1)
You're buying a webcam, you're already exposing yourself.
IoTcattack surface area (Score:2)
This needed to be proved?
Don't know enough about available cameras, (Score:2)
so I'll ask the question. Aren't there USB cameras available with sufficiently high resolution and sufficient light sensitivity to do the job? If so, couldn't one install a secure configuration of Linux on an SBC, (a Raspberry Pi perhaps), pack it into a suitable enclosure, and call the job done?
Granted, the camera might take a little longer to boot up than a purpose-built one, but in many cases that won't be much of a disadvantage. Also, non-geeks aren't going to put these things together. So maybe there's
Re: (Score:2)
Re: (Score:2)
So tell me where you can get weather tight USB cameras that will work on a 60 foot long cable run. If you really want to roll your own, get raspberryPi's and the camera modules. and write your own software for them as network cameras. that way you know what is running on them.
People Missing The Real Issue (Score:1)
People seem to be getting lost in the weeds on this story. This issue isn't that webcams or any IoT device is a risk if it contains a backdoor. That's obvious and not new.
The real issue is that SO many of these webcams and IoT devices are intentionally exposed to the internet while having poor security and virtually no updates from the manufacturer. This leaves a plethora of devices directly exposed to the internet just waiting to be rooted by various vulnerabilities and then malicious actors have full acce
Router lockdowns and monitoring (Score:4, Insightful)
This is one reason to segregate devices and have firewall rules that control which devices can make outgoing connections. That way you can insure IoT and other devices that have no business talking to the Internet can't talk to the Internet.
I also run a monitoring job that collects MAC addresses and associated IP addresses from the router's ARP cache and reports on unexpected changes. It doesn't make it impossible to slip a device onto my network without it being noticed, but it takes a fair amount more work that the likely intruders won't be putting forth. It also helps find the MAC addresses of new equipment that doesn't like to say what it's MAC address is.
Re: Router lockdowns and monitoring (Score:1)
If your switch supports it, enable port security and tie it to a single Mac address if you're concerned about Mac changes or spoofing. Different Mac address attempts to talk across the port, the switch will simply shut the port down.
Agree with segmenting your network though. Even the home network. Firewall / ACL rules at the edge to prevent specific devices or even entire subnets from getting back out on the internet.
Take it a step further and prevent Vlans from talking with one another unless they really
Easy to protect against. (Score:4, Informative)
I have several 1080P Onvif china security cameras that are known to send video back to China. it is trivial to make these 100% secure and hacker proof disabling all backdoors if you have education and knowledge.
At home, I can see people having the problem as 99% of all citizens are IT Uneducated. but a business? there is ZERO excuse.
I put them on their own VLAN separate from everything else, they can only talk to the recorder PC and that PC can talk to both networks so we can view the camera streams. Camera VLAN has zero access to the internet, Recording PC that is straddling two networks has simple rules as well to prevent data leaking.
And this is the sad part. Most businesses don't have competent IT that even has the first clue about network security. Plus you should ALWAYS have no trust for any device on your network. Treat them all as hostile and only let them have what is needed to do what you want.
Businesses that don't spend money on IT that is competent deserve what they get.
Re: (Score:2)
it is trivial to make these 100% secure and hacker proof disabling all backdoors if you have education and knowledge
Good. So it will be trivial for you to post a link to the source of your knowledge. Please .... don't be shy.
Re: (Score:2)
www.google.com
Start searching and reading about ethernet, routing, VLANS, and firewalls. Then go from there reading about network security.
Re: (Score:2)
Re: (Score:2)
Most businesses can't afford an IT person. Most businesses have internet access, usually provided to give customers free wi-fi and provided at a low or highly d
Beware houseguests (Score:2)
What about services which allow you to admit houseguests with access to your network? There's already been an accusation of an AirBNB host leaving surreptitious webcams about: http://observer.com/2015/01/co... [observer.com] ...but it would be pretty simple for an unscrupulous guest to leave hidden cameras about to stream other guests' activities.
I predict a business model in selling modified routers or network attached devices that search for network behaviour indicating this.This is a specialised subset of IDS I guess.