Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×
Security Hardware Hacking Input Devices Linux

Cheap Web Cams Can Open Permanent, Difficult-To-Spot Backdoors Into Networks 77

An anonymous reader writes: They might seems small and relatively insignificant, but cheap wireless web cams deployed in houses and offices (and connected to home and office networks) might just be the perfect way in for attackers. Researchers from the Vectra Threat Lab have demonstrated how easy it can be to embed a backdoor into such a web cam, with the goal of proving how IoT devices expand the attack surface of a network. They bought a consumer-grade D-Link WiFi web camera for roughly $30, and cracked it open. After installing a back-door to the Linux system that runs the camera, and then turning off the ability to update the system, they had an innocent seeming but compromised device that could be stealthily added to a network environment.
This discussion has been archived. No new comments can be posted.

Cheap Web Cams Can Open Permanent, Difficult-To-Spot Backdoors Into Networks

Comments Filter:
  • by Anonymous Coward

    They've learned to tape over the webcam in their laptops but this? Oh man.

  • If you the kind of person who thinks it's a good idea to place an off-brand $20 Internet connected web cam on your network, that's probably the least of your worries.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      I agree, but:
      This article is good because it lets us (the good guys) send a link to this article to the ignorant guys (managers etc), so that a sense of urgency is formed. Then maybe we are allowed to allocate resources to protect ourselves - at least from the script-kiddies and the semi bad guys.
      (For the really skilled bad guys, even many professional organisations will fail in the long run)

      • by Barny ( 103770 )

        There is that but this is old old old news.

        https://youtu.be/B8DjTcANBx0 [youtu.be]

        And back then it was even big, high quality (and price tag) cameras that were at fault.

        Basically, these sorts of things must be on their own vlan and cut off from all access that isn't to the monitoring station/area.

    • by WaywardGeek ( 1480513 ) on Saturday January 16, 2016 @09:46AM (#51313269) Journal

      Here's a nice warm thought to keep everyone up at night: What is to keep hackers who enjoy this sort of thing from buying devices at BestBuy, hacking them to insert remote back doors, and then returning them to BestBuy the next day? If they put it back in the packaging, possibly with new shrink-wrap, they could claim they never even opened it, and it would go right back on the shelf for some unsuspecting victim to buy.

      Would it matter if the device were a $20 webcam, a $2,000 desktop PC, a $50 Wifi router, or a $100 HP printer?

      • by plover ( 150551 )

        Here's a nice warm thought to keep everyone up at night: What is to keep hackers who enjoy this sort of thing from buying devices at BestBuy, hacking them to insert remote back doors, and then returning them to BestBuy the next day? If they put it back in the packaging, possibly with new shrink-wrap, they could claim they never even opened it, and it would go right back on the shelf for some unsuspecting victim to buy.

        But ... that could never happen. There's yellow tape on the box assuring me that it was inspected and repackaged by Best Buy experts. Experts! And we all know only experts are permitted access to the yellow tape dispenser.

        I have little doubt the same experts refurbished one of the returned washing machines I was looking at. I wanted to see how the drain filter would work so I opened it, and while I looked disgustedly at the slimy lint still trapped in the filter, about a gallon of water poured into thei

      • That's a good point, though it seems like a lot of effort to get a device into a random, unknown network at a random, unknown time.

        To me, it merely emphasizes that being able to replace the OS/Firmware oneself is important, and should be done with any new device.

        Doesn't really matter if Spyware McWebcam put a malware OS on the device if I'm just going to overwrite with a good firmware of my own choosing before putting it on my network.

        Same goes for full computers, too, along with "smartphones" and tablets,

      • It's a good practice to always start by downloading and installing the latest firmware when you get your device home. In the example described here, they in claim to have disabled updates somehow. Attempting to update might at least alert you that something is amiss .
        • by mikael ( 484 )

          But how do you install the firmware? That's usually requires that you connect the device to a PC first.

  • by ChunderDownunder ( 709234 ) on Saturday January 16, 2016 @04:37AM (#51312759)

    The article mentions the d-link embeds Linux.

    Is there a dd-wrt equivalent for webcams and a list of compatible models? or are these things generally tivoized?

    • by Bert64 ( 520050 )

      A lot of the cheap chinese cameras seem to be based on the same linux distro (hilinux?) with the same crummy ui on top.. I'm not sure how the frontend actually talks to the camera hardware but it's probably not through the standard linux video apis.

      A lot of them run telnet by default (and you cant turn it off through the standard ui), and have a hard coded password although the password tends to vary by manufacturer. I hooked up mine to a TTL console and changed the passwords at least, but i'd love to be ab

      • But why does a webcam have to run Linux? Why do even the simplest of devices need full blown operating systems? Can't they just program the thing for whatever it needs to do and nothing more? No wonder al these IoT-devices are full of security holes. These days, if you ask an engineer to make you an alarm clock, the first thing he'll do is slap some chips together and install Linux on it. I wish I were exaggerating.

        • These are IP cameras, that is, a camera which runs a website that can stream whatever the camera is pointing to.

          I recently bought one of these to act as a baby monitor. It needs an OS in order to run the web software and Linux is already available, so why not use it? I'm betting the configuration used chops out almost everything apart from the absolute essentials.

          I have a Foscam FI8910W. The first thing to note is that initial configuration including a mandatory root password change /must/ be done using an

        • by mikael ( 484 )

          To have a device connect to the Internet, you need a network chip (NIC), and that requires a TCP/IP stack. In turn that requires some basic OS, like Linux (embedded, no GUI, printers or any other drivers except a network driver). It's more cost effective writing a driver in C/C++ on a Linux system than it is to hire a microcode/firmware engineer. A webcam does live JPG/MPG compression and streaming as well as received commands, so that requires multithreading. Try to optimize and write that in assembler/mic

    • I was wondering exactly that. "So, someone with physical access to your webcam can crack it open and analyse the firmware? Gosh. I'm frightened. Someone who has connected to your internal network and knows you have a specific model of IP webcam and happens to have a canned custom firmware that they can upload to it (if you've not changed the default admin password)? Slightly frightened, but not much. But 'getting root' so I can modify and more fully control my own low-cost IP cameras? Tell me more!"
  • Why webcams? (Score:5, Informative)

    by Anonymous Coward on Saturday January 16, 2016 @04:57AM (#51312781)

    Put ANY compromised hardware on your network, and it's no longer secure. This is news?

    • Re: Why webcams? (Score:4, Informative)

      by DaHat ( 247651 ) on Saturday January 16, 2016 @05:07AM (#51312789) Homepage

      How do you know if the device is compromised?

      While you hopefully won't use one sent by a known enemy (thanks for spoiling the surprise Greeks!), how do you ensure that a unit you picked up used on eBay or Craigslist wasn't backdoored?

      Opt only to buy retail or online from major vendor? Same issue. How do you know someone hasn't purchased the device, tampered with it, repackaged it with some shrinkwrap then returned it? .. Or worse, intercepted the shipment prior to you getting it?

      • by Bert64 ( 520050 )

        You don't know this for ANY device you buy..
        Even if you buy direct from the manufacturer it could have backdoors (see juniper recently).
        All you can do is take steps to reduce the risk like inspecting the firmware (or replacing it with open source firmware that you can inspect more closely), isolating devices from other things etc.

        My CCTV cameras are not on routable ips, and don't have direct internet access or access to anything else on my network here - i can connect to a vpn and view the video feed. Aside

      • While you hopefully won't use one sent by a known enemy (thanks for spoiling the surprise Greeks!), how do you ensure that a unit you picked up used on eBay or Craigslist wasn't backdoored?

        Easy. I reflash it with the original firmware image before use, or better yet, something superior. I pick up wireless routers used all the time. Sometimes they already have DD-WRT on them. I never, ever am tempted to use it. I always reflash them (with OpenWRT, but regardless) before use.

        I also don't open holes in my firewall for this stuff. If I want to see webcam output, I'll use ipsec.

        • by DaHat ( 247651 )

          Easy. I reflash it with the original firmware image before use, or better yet, something superior.

          Unless you use a JTAG to force a flash, you are trusting the honesty/reliability of the existing software to actually update the chip, which is the equivalent of trusting that user mode AV can assure you if a machine is clean or not.

          At DEFCON this year there was a demonstration of infecting the LTE modem in a tablet (OS independent) which not only would persist OS wipes, but even attempted firmware updates: htt [youtube.com]

          • While everything you say is true, that's all a long way to go to infect some random asshole's computer. There's a lot of lower-hanging fruit. If I were spending my time trying to infect things, I'd want to hack some company and infect their master image. Infecting routers and donating them to thrift stores hoping to get into an interesting network is a bit of a hopeless gambit. By definition, you aren't going to.

      • by jhol13 ( 1087781 )

        How do you know if the device is compromised?

        It has Linux inside.

        Seriously, the OS's in these systems are too buggy and make exploits far too easy. Not to mention the application programs.

    • If you want to know what consumer devices pose a security threat (whether cheap or expensive, webcam, router/modem or other device), just look at the list of devices that other people have loaded some version of a Linux based O/S on to. These are the devices that can be easily subverted. If your organisation is sensitive to security threats, the list of "hackable" devices should also be your list of products that should never be allowed to connect inside your company's security fence.

      Of course, there's pr

      • by sinij ( 911942 )
        Did you know that it is possible to hack hard disk controller and have it dial home and leak data? Know-how is way beyond hacking web cams.
      • If you want to know what consumer devices pose a security threat (whether cheap or expensive, webcam, router/modem or other device), just look at the list of devices that other people have loaded some version of a Linux based O/S on to. These are the devices that can be easily subverted. If your organisation is sensitive to security threats, the list of "hackable" devices should also be your list of products that should never be allowed to connect inside your company's security fence.

        That's a stupid argument. The devices where it's easy to replace the firmware are also the ones that are the easiest to make sure they are secure, just replace the firmware yourself and then you can do anything you want to make it as secure as ever possible. The more closed the device is the less you can actually do to secure it!

    • Good point, and why do people always think of network, singular, when common-sense security suggest that we partition physical and information into zones or layers according to the risk the potentially posed vs the need to access services. However the problem with WiFi devices that look or listen to their environment is that while they can be blocked from other parts of your LAN they can still be compromised directly and used to invade your privacy. Why even have cameras when in many cases all you need is
  • by willy_me ( 212994 ) on Saturday January 16, 2016 @05:23AM (#51312799)
    All questionable devices should go on a separate network segment that is isolated via a strict firewall. If I can not compile and install OpenWRT on my device, it does not go onto my main network.
    • You're absolutely right.

      And littering is illegal, as is drunk driving, speeding, taking drugs, robbery, destroying property, arson, maiming people and murder. Your seem to have the delusional belief that all it takes is pointing out that something is wrong and it will just not happen.

      I've never been to that universe. I've never met anyone who claims to have been there either.

      You feeling stupid yet? If you're not, then it's even more evidence that there is something really really wrong with you.

      Maybe you

    • I suggest something like an FDA or FCC that is required to give approval for any device sold in the USA that it meets security standards. There's no way most people will recognize the need for a plurality of networks, and even if they do, having a webcam on a separate network still doesn't prevent it from phoning home and sending photos of your house to criminals wanting to see if you're not there right now. Without a vetting agency of some sort, these devices are going to continuously cause problems for th

    • All questionable devices should go on a separate network segment that is isolated via a strict firewall.

      I agree, but Joe and Jane Average will never do this or even understand the reason for doing it.

      For the bad guys, the world is full of soft, delicious, blissfully unaware victims-in-waiting like them, and I don't see it getting any better anytime soon.

  • "Smart" webcams are always a risk, manufacturers insist on believing those devices should be available from the Internet and will try to use UPNP and other tricks to open themselves up for access from there. I have a need for a WiFi-enabled webcam that I can stream live-video from, but I was planning on just getting a ~$20 400MHz ARM-CPU WiFi-router with OpenWRT on it and a regular USB-webcam, and streaming the MJPEG - stream over RTP/RTSP -- since the video coming out of the camera is already encoded it do

  • In a perfect corporate environment no network equipment is trusted by default, i.e. even if you install a malicious device the network will remain secure.

    Nowadays, there's no other way due to BYOD: even though some companies may explicitly forbid the use of your own devices, realistically it's nigh impossible to implement which means you cannot and mustn't trust any devices on the intranet.

    • by Lumpy ( 12016 )

      Yes there is.

      Step 1 go to the CTO's office and kick him square in the nuts. Go to the CIO's office and do the same. While you are kicking them in the nuts keep repeating.. "quit being a dumbass and stop saying BYOD. BYOD is a security hole and I will kick you in the nuts until we stop this stupid policy.

      Step 2 once they see the light, go to the CEO's office and repeat.

  • by Anonymous Coward

    I have a cheap Chinese made ip camera and the first thing I did was ensure that it did not have access to the Internet. Sure it can access the local network and try to do something malicious if the firmware is programmed to do so but it won't be able to phone home.

    • I have a cheap Chinese made ip camera and the first thing I did was install my own backdoor

      That was the whole point of buying it!

  • There is currently a report by a German computer magazine [heise.de] (no so good Google translation [google.com]) where IP cameras sold by a large German supermarket chain had an awfull standard configuration in
    a) Not asking for a new password for external access and
    b) automatically opening (via UPnP) an existing firewall.
    Seemingly even after an update there are still hundreds of these cameras reachable on-line.

    So one does not have to wait for a malign party to 'crack' a camera. Insufficient security knowledge at manufacturer and

  • "Limitations to this type of attack are obvious: attackers must be skilled enough to create a backdoored flash image, and find a way to deliver it to the device - either by "updating" an already deployed device, or by getting their hands on it before it's installed." ref [net-security.org]
  • by Anonymous Coward

    You're buying a webcam, you're already exposing yourself.

  • Researchers from the Vectra Threat Lab have demonstrated how easy it can be to embed a backdoor into such a web cam, with the goal of proving how IoT devices expand the attack surface of a network

    This needed to be proved?

  • so I'll ask the question. Aren't there USB cameras available with sufficiently high resolution and sufficient light sensitivity to do the job? If so, couldn't one install a secure configuration of Linux on an SBC, (a Raspberry Pi perhaps), pack it into a suitable enclosure, and call the job done?

    Granted, the camera might take a little longer to boot up than a purpose-built one, but in many cases that won't be much of a disadvantage. Also, non-geeks aren't going to put these things together. So maybe there's

    • by Lumpy ( 12016 )

      So tell me where you can get weather tight USB cameras that will work on a 60 foot long cable run. If you really want to roll your own, get raspberryPi's and the camera modules. and write your own software for them as network cameras. that way you know what is running on them.

  • by Anonymous Coward

    People seem to be getting lost in the weeds on this story. This issue isn't that webcams or any IoT device is a risk if it contains a backdoor. That's obvious and not new.

    The real issue is that SO many of these webcams and IoT devices are intentionally exposed to the internet while having poor security and virtually no updates from the manufacturer. This leaves a plethora of devices directly exposed to the internet just waiting to be rooted by various vulnerabilities and then malicious actors have full acce

  • by Todd Knarr ( 15451 ) on Saturday January 16, 2016 @09:41AM (#51313249) Homepage

    This is one reason to segregate devices and have firewall rules that control which devices can make outgoing connections. That way you can insure IoT and other devices that have no business talking to the Internet can't talk to the Internet.

    I also run a monitoring job that collects MAC addresses and associated IP addresses from the router's ARP cache and reports on unexpected changes. It doesn't make it impossible to slip a device onto my network without it being noticed, but it takes a fair amount more work that the likely intruders won't be putting forth. It also helps find the MAC addresses of new equipment that doesn't like to say what it's MAC address is.

    • by Anonymous Coward

      If your switch supports it, enable port security and tie it to a single Mac address if you're concerned about Mac changes or spoofing. Different Mac address attempts to talk across the port, the switch will simply shut the port down.

      Agree with segmenting your network though. Even the home network. Firewall / ACL rules at the edge to prevent specific devices or even entire subnets from getting back out on the internet.

      Take it a step further and prevent Vlans from talking with one another unless they really

  • by Lumpy ( 12016 ) on Saturday January 16, 2016 @10:30AM (#51313381) Homepage

    I have several 1080P Onvif china security cameras that are known to send video back to China. it is trivial to make these 100% secure and hacker proof disabling all backdoors if you have education and knowledge.

    At home, I can see people having the problem as 99% of all citizens are IT Uneducated. but a business? there is ZERO excuse.

    I put them on their own VLAN separate from everything else, they can only talk to the recorder PC and that PC can talk to both networks so we can view the camera streams. Camera VLAN has zero access to the internet, Recording PC that is straddling two networks has simple rules as well to prevent data leaking.

    And this is the sad part. Most businesses don't have competent IT that even has the first clue about network security. Plus you should ALWAYS have no trust for any device on your network. Treat them all as hostile and only let them have what is needed to do what you want.

    Businesses that don't spend money on IT that is competent deserve what they get.

    • it is trivial to make these 100% secure and hacker proof disabling all backdoors if you have education and knowledge

      Good. So it will be trivial for you to post a link to the source of your knowledge. Please .... don't be shy.

      • by Lumpy ( 12016 )

        www.google.com

        Start searching and reading about ethernet, routing, VLANS, and firewalls. Then go from there reading about network security.

    • Putting stuff like this on a separate VLAN is always a good idea to protect against unknown backdoors. To protect against known backdoors, I prohibit those devices from connecting to any of my networks at all.
    • by tlhIngan ( 30335 )

      And this is the sad part. Most businesses don't have competent IT that even has the first clue about network security. Plus you should ALWAYS have no trust for any device on your network. Treat them all as hostile and only let them have what is needed to do what you want.

      Businesses that don't spend money on IT that is competent deserve what they get.

      Most businesses can't afford an IT person. Most businesses have internet access, usually provided to give customers free wi-fi and provided at a low or highly d

  • What about services which allow you to admit houseguests with access to your network? There's already been an accusation of an AirBNB host leaving surreptitious webcams about: http://observer.com/2015/01/co... [observer.com] ...but it would be pretty simple for an unscrupulous guest to leave hidden cameras about to stream other guests' activities.

    I predict a business model in selling modified routers or network attached devices that search for network behaviour indicating this.This is a specialised subset of IDS I guess.

"If truth is beauty, how come no one has their hair done in the library?" -- Lily Tomlin

Working...