Тёмный

IoT Security: Backdooring a smart camera by creating a malicious firmware upgrade 

stacksmashing
Подписаться 214 тыс.
Просмотров 271 тыс.
50% 1

In this video we look at reverse engineering a basic firmware format of a commonly found IoT camera - and then creating a backdoored firmware that calls back to our command & control server and allows us to remotely control it!
Camera in the video: Wyze Cam v2
Scripts from the video: github.com/ghidraninja/wyze_s...
A lot more information on the hardware and software, as well as an awesome custom firmware can be found here: github.com/EliasKotlyar/Xiaom...

Наука

Опубликовано:

 

12 янв 2020

Поделиться:

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист
Посмотреть позже
Комментарии : 305   
@moth.monster
@moth.monster 4 года назад
Remember kids. The S in IoT stands for security.
@woodie07
@woodie07 4 года назад
eri bUt ThErE iS nO s In IoT
@AndreasDelleske
@AndreasDelleske 4 года назад
eri and the R for reliability, M for maintenance, U for upgradeability.
@hernancoronel
@hernancoronel 4 года назад
Ok deploy my IOTs please! :-)
@dk14929
@dk14929 4 года назад
@@AndreasDelleske sounds like you'd prefer some RUM
@McDonnerbogen
@McDonnerbogen 4 года назад
Well when you flash your own firmware to add security vulnerables...
@4g3v
@4g3v 4 года назад
Take a look at the access log of your server :)
@stacksmashing
@stacksmashing 4 года назад
"GET /Awesome_video_dude_Keep_up_the_great_work Hah, love it! Thanks man!
@4g3v
@4g3v 4 года назад
@@stacksmashing awesome that the message got to you :) Really enjoyed the video. Hope you have some more planned ^^
@meh.7539
@meh.7539 4 года назад
/slow clap.
@sadface
@sadface 4 года назад
haha thats awesome
@coler154
@coler154 3 года назад
@xOr Vega sent a GET request to his server saying "/Awesome_video_dude_Keep_up_the_great_work"
@woodie07
@woodie07 4 года назад
The 19 dislikes are smart camera manufacturers
@fivethreeone2132
@fivethreeone2132 3 года назад
the 20 dislikes are fucking bots
@prakharmishra3000
@prakharmishra3000 3 года назад
@@fivethreeone2132 stop blaming everything on bots probably lol, maybe people tap on it by mistake. Happenes to me sometimes too.
@wishihadablog
@wishihadablog 3 года назад
The 75 people only like cat videos
@DerrickJolicoeur
@DerrickJolicoeur 4 года назад
This is EXACTLY what I was looking for when I bought this camera. I hate that the default firmware doesn't allow video streaming via the Wise app without an internet connection [via LAN]. So finally I have a means to circumvent their servers while still attaining live video footage. We don't need to see the baby-monitors when we're out of the house.
@erinkourelis7430
@erinkourelis7430 10 месяцев назад
We’ve only had the cameras up and running for a short time. ru-vid.comUgkxOXxsTZ3ptV_Pk0fFl8bNZvVqeoqBQFwe So far we love them! I got the outdoor mounting kit for them and they were easy to install. Once you download the app, it walks you through the very easy set up. The clarity, and range is awesome. I am thinking seriously about adding another camera or two to my 3 camera system. The price is lower than a lot of comparable systems.
@nastysdsi
@nastysdsi 4 года назад
So if you buy one of these used, you should flash the official firmware. Apart from that, not restricting firmware flashing is not a big deal, since flashing it requires physical access to the camera anyway, and having the ability to flash a custom firmware means one can make custom security updates after the camera is discontinued and no longer receives official updates.
@DerrickJolicoeur
@DerrickJolicoeur 4 года назад
And hope that a return doesn't get repacked as new
@robk5969
@robk5969 4 года назад
" not restricting firmware flashing is not a big deal" if this was the only way to install firmware, that might be true, BUT, it can also be upgraded remotely, without touching the camera. i dont know if that has any extra security or not.
@statinskill
@statinskill 4 года назад
It's a big deal because I can tamper with that camera and then sell it on ebay. Then as luck will have it that camera winds up somewhere important.
@thilotech
@thilotech 4 года назад
@@statinskill but then the app won't work anymore.
@motsgar
@motsgar 4 года назад
@@statinskill also because now it is in the local network, any other not so secure home device can be hacked
@rakeshchowdhury202
@rakeshchowdhury202 4 года назад
Exactly what I was searching for, a well detailed CCTV firmware reversing tutorial. Hey Ninja, I really like your work and your way of explanation, Please Upload more videos, please make it a bit frequent like 1v/month.
@williamwatkins6669
@williamwatkins6669 4 года назад
Through all the video I was like '' ok that's very theoretical, how would you install the firmware in real life's and the you gave the example at the last second and my blood turned cold 😱
@maddoggLP
@maddoggLP 4 года назад
same for me haha
@nolangelinas3566
@nolangelinas3566 3 года назад
@@mshthn It would be perfect for a semi-targettted attack on someone by simply selling them a camera on ebay. You could just set up an ebay account that sell compromised cameras and no one would figure it out unless you sell one to an IT guy.
@INTJames
@INTJames 4 года назад
That was a lot easier than it should've been lol..
@nullpwn
@nullpwn 4 года назад
That was so easy to watch and learn, no extra and unnecessary steps, no stupids and distractive ads. simple and awesome iot exploit. Keep up the good work
@neilyoung6671
@neilyoung6671 3 года назад
A German Engineer. Nothing more to say :) Ah, wait. A German Reverse Engineer :)) Well done.
@popcorny007
@popcorny007 4 года назад
Really fantastic video, well done. Your explanations and visuals are easy to follow, and we can all tell that you have a good understanding of what you're doing.
@jacobyoung6876
@jacobyoung6876 3 года назад
Wow this was really interesting to see a demonstration by someone willing to explain the thinking process along the way. This is very inspiring!
@matteog7579
@matteog7579 4 года назад
Awesome video! Exactly the type of hands-on example I love to see/learn from.
@AlmightyGauss
@AlmightyGauss 4 года назад
It's good to see this channel is still alive, I love your content! Thank you for sharing your knowledge, hope to see more updates in the future
@ashishpatel350
@ashishpatel350 4 года назад
I would back up your channel on another platform like Bitchute or library. RU-vid has been deleting channels like yours.
@d1v1ne312
@d1v1ne312 4 года назад
I really liked the style of this video, because it was "just right" for the knowledge I have. You explained it very well and with not too much or too less informations. thx!
@cocosloan3748
@cocosloan3748 4 года назад
Yeah-the level of knowledge we have is much lower then we think we have!.Try explaining this to someone or to replicate it..You will need to watch this video 100 times over :)
@EnWeee
@EnWeee 4 года назад
Great to see you back. Hope you'll post more videos.
@EtienneLouw
@EtienneLouw 3 года назад
Found your channel watching the new Game and Watch hacks and enjoying the content library, this video was awesome to watch and might try to do this myself on my own Wyze cam.
@PyPylia
@PyPylia 4 года назад
Can we quickly laugh at how stupid their way of stopping telnetd is? Instead of uninstalling it and or removing it from the rcS file, instead, they just kill it (And not even stop the service, just use killall.)
@Acorn_Anomaly
@Acorn_Anomaly 4 года назад
Based on where the killall is from, I'm guessing the telnetd was a backup access point for testing. If the camera starts up, but can't load the camera app for some reason, it won't kill the telnet daemon, and they can log in to figure out what broke.
@ArnaudMEURET
@ArnaudMEURET 3 года назад
@@Acorn_Anomaly Shouldn’t make it into prod FW though
@Acorn_Anomaly
@Acorn_Anomaly 3 года назад
@@ArnaudMEURET No, but taking advantage of it in this instance would still require either an already compromised or non-functioning device. There have been worse backdoor incidents. Ideally, they'd have removed it or disabled it, but after they had an already working image, they may not have wanted to mess around too much with it, especially since, as I said above, taking advantage of that isn't generally achievable remotely.
@MygenteTV
@MygenteTV 3 года назад
maybe is used for support from the company
@RobertHallIV
@RobertHallIV 2 года назад
me thinks they be lazy
@mhmek7324
@mhmek7324 4 года назад
Really good video with good explanations! Love it dude! Keep up the good work!
@redpillcommando
@redpillcommando 4 года назад
Ghidra Ninja - It's been a while. I love your work and want to see more. Thanks of the video.
@AndrewMcOlash
@AndrewMcOlash 4 года назад
Great job on this! I actually have one of these hacked cameras to use a security cam (but keep it off of the wyze network). Crazy how simple it is to hack the firmware and can't wait to see more. Might be time for me to start hacking some of my IoT devices. Makes me a bit nervous of how vulnerable my network might be though!
@user-oj7hf2qc9u
@user-oj7hf2qc9u 3 года назад
i just found your content yesterday, and I am HOOKED. Keep up the awesome work :)
@theleopards4198
@theleopards4198 4 года назад
Amazing to see you back.Loved the video
@FunnyPantsTV124
@FunnyPantsTV124 3 года назад
I loved this video! i plan on picking up a camera to play around with myself! Im glad I'm not the only one who thought "what if it has been backdoored and returned to the wild" you're a legend man!
@chadiusmaximus9350
@chadiusmaximus9350 4 года назад
Awesome. I actually have one of these sitting around.
@alexscarbro796
@alexscarbro796 3 года назад
What an fantastic video! Excellent content and perfect pace.
@patrickm9953
@patrickm9953 3 года назад
Great tutorial, lots of new utilities I have never heard of before
@BroodPitt
@BroodPitt 4 года назад
Welcome Back! Finally a new video! 🙌
@origamitaco
@origamitaco 2 года назад
I was able to get into a Faleemi outdoor camera with this exact same method (except they have an option to only update the rootfs so I only needed to repack the squash file with no UBoot header). Works like a charm, and with telnet/wget I can update my camera remotely with my custom firmware. Thank you so much for my first IoT hack! I was also able to get a UART terminal to it on the hardware side.
@BrandonHall916
@BrandonHall916 4 года назад
Such a great video! Very informational
@harshitjoshi3082
@harshitjoshi3082 4 года назад
You should make more such videos, you have the potential to grow your channel
@youssefabdelkhalek2499
@youssefabdelkhalek2499 2 года назад
Your videos are amazing, please never stop posting videos, I am now a student of yours.
@ChrisWhalen00
@ChrisWhalen00 3 года назад
Great note about zero padding the modified filesystem image before you bundle it to keep it the same size as the original!
@CyReVolt
@CyReVolt 4 года назад
This is awesome, I can perfectly use tooling such as jefferson right now for firmware modification. To split up flash image partitions, I am simply using dd though and cat things together again. Edit: Since it looks like jefferson is for extraction only, I'll stick with mounting the rootfs through the mtd + jffs2 kernel modules, which is a bit of work and annoyance, but solved. =) I will still keep jefferson in mind for extraction-only/analysis use-cases though, makes sense also to have something portable. Thank you!
@attilapal3786
@attilapal3786 3 года назад
very cool i have always been thinking about repacking modified firmwares
@TheSurvivor4
@TheSurvivor4 3 года назад
Amazing video. I love the "hack" where you get it into ram where there was more space. I was just wondering though: The need to store the extra binary was to get the reverse shell, but if bash was there, could you then use that instead? I do really like you went the NC way, because I learned a lot about what to do if the situation arose. Amazing!
@somehow_sane
@somehow_sane 4 года назад
Awesome Video! Keep up the good work!
@jmchichstudio9145
@jmchichstudio9145 2 года назад
Thanks for the tip! Gonna try and modify an init script, pack the squashfs and update the camera. Should be similar to your model
@mohamedisaac924
@mohamedisaac924 3 года назад
dude this channel teach a lot better youtube channel easy tips and learn everyday
@nrdesign1991
@nrdesign1991 3 года назад
interesting to see the miio client on there, same thing is running on my vacuum. Thanks for the very informative video
@deppy2165
@deppy2165 4 года назад
This was really interesting, do you have any plans on uploading more IOT videos?
@stevecross9159
@stevecross9159 3 года назад
From the UK 🇬🇧. Great stuff
@colfaxschuyler3675
@colfaxschuyler3675 3 года назад
No doubt, you've already had countless people recommending the Wyze Cam V3. The low light image capability seems very good. What it doesn't have is RTSP, and Wyze doesn't seem very anxious to provide that capability. But it's a swell cam.
@wawied7881
@wawied7881 4 года назад
Nice video, keep up the good work! But are you planning on uploading more regularly? And do you have any plans in doing more Ghidra related videos?
@rogerf3622
@rogerf3622 3 года назад
This could all be avoided if the customer had all cameras on their own network (vLAN) with no internet access and no access to the main network. But this was a very informative detailed video.
@leonardo9259
@leonardo9259 3 года назад
I'm taking some courses in IOT, I still can't understand everything here but I'm enjoying it a lot
@More_Row
@More_Row 4 года назад
Welcome back-
@mikeydk
@mikeydk 4 года назад
Might have to get a few of those cams now :D
@minecraftzombie4120
@minecraftzombie4120 4 года назад
Great content bro 👍😀
@fabiorj2008
@fabiorj2008 2 года назад
This video is AMAZING. Thx
@ricardojlrufino
@ricardojlrufino 2 года назад
Very good Job. I liked reverse Shell using netcat , i'm using reverse ssh , bit this is more easy
@i_am_dumb1070
@i_am_dumb1070 4 месяца назад
Learned a lot thanks 👍🙏
@MinhNguyen-kv2mz
@MinhNguyen-kv2mz 4 года назад
Amazing video :) Please make more
@JLK89
@JLK89 4 года назад
Awesome video!
@KF4IXM_Mike
@KF4IXM_Mike 3 года назад
Would this work on the newer v3's? Awesome video and explanation. I'm looking to set one up as a weather webcam for weather underground.
@ramondunker4981
@ramondunker4981 3 года назад
Awesome video 😍
@edgeeffect
@edgeeffect 3 года назад
That's the best RU-vid sponsorship I've ever seen.... "this video is sponsored by ME" ;)
@GnobarEl
@GnobarEl 4 года назад
I love your videos!
@HenryTonoyan
@HenryTonoyan 3 года назад
I'm going to start checking the firmware on every device I buy from now on. On the plus side it will keep me from buying too many things :D.
@xtdycxtfuv9353
@xtdycxtfuv9353 4 года назад
hey i love you. this was a fun video to watch
@nsns7993
@nsns7993 3 года назад
Amazing vid!
@seba123321
@seba123321 3 года назад
Thank you that knowledge!
@neoXXquick
@neoXXquick 4 года назад
Amazing video...
@niklasgs1470
@niklasgs1470 2 года назад
This is so cool!
@Rafacz
@Rafacz 4 года назад
T.Hanks We need more videos xD
@njnicho
@njnicho 4 года назад
Dude! Amazing!
@RawApeFromAlbion
@RawApeFromAlbion 5 месяцев назад
Awesome video
@AmnesiaPhotography
@AmnesiaPhotography 3 года назад
The oh s*** moment at the end... love it
@Laflamablanca969
@Laflamablanca969 4 года назад
Whoever disliked this is either an idiot or they accidentally clicked the wrong button. Great video man and it would be good to see more videos like this that give us novices guidance in exploiting devices. It’s also good that you’ve shown it with a device we have access too, so yeh much appreciated 👍
@userPrehistoricman
@userPrehistoricman 4 года назад
Or they wanted to see disassembly and Ghidra.
@cocosloan3748
@cocosloan3748 4 года назад
Wow...Just wow!
@v380riMz
@v380riMz 2 года назад
This is seriously impressive. How long did this take?
@juancarlosmartinezhernande7777
Awesome video very usefull =)
@karubabu
@karubabu 4 года назад
finally !YAY
@geekionizado
@geekionizado 4 года назад
Could you extract the firmware for Vstarcam cameras? They're not available online and the updater inside the camera only downloads a diff of what needs to be updated. I tried extracting from the flash using a raspberry pi but it didn't work. These cameras are one of the most sold on aliexpress and I can't find a way to telnet to them. Their RTSP server keeps crashing and I wanted to write a custom script to restart this server. Would be nice if you managed to crack these cameras. Thanks!
@p0isN
@p0isN 4 года назад
"shameless plug", not sure why but I laughed my ass off at that haha
@keganpowers3430
@keganpowers3430 2 года назад
Doom on a wyze camera can't wait to see that
@soulife8383
@soulife8383 3 года назад
It's been a few years, but I believe I used to use squashfs as the system image on the good ol' T-Mobile G1 (HTC Dream), the first Android device. But I thought it wasn't read-only once mounted as I used to manipulate the system partition all the time... I may be mistaken tho, that was 2009
@DrDre001
@DrDre001 4 года назад
Heck ya new vid
@drozcan
@drozcan 4 года назад
15:50 Thanks for the advice :)
@desubakadesu
@desubakadesu 4 года назад
12:50 *
@MrGTAfan93
@MrGTAfan93 4 года назад
Once i backdoored my neighbour's security cam. He was backdooring his wife...
@cocosloan3748
@cocosloan3748 4 года назад
Now you are "backdooring" us? (lying)
@rocco0x415
@rocco0x415 4 года назад
@@cocosloan3748 boomer
@ciaobello1261
@ciaobello1261 4 года назад
cool video..👍👍👍
@EpicLPer
@EpicLPer 4 года назад
I once bought a shady cam on Amazon just for the fun of it and did a port scan, found out they simply had the Telnet port open with no root password set so yeah... I'd love to flash a custom firmware on the camera since the hardware itself is nice but it doesn't provide RTSP (open Telnet port wouldn't be much of an issue just in my local LAN and behind a separate VLAN) but it seems like that my camera has almost no Google entries at all :(
@4g3v
@4g3v 4 года назад
Since around three years I've been seeing you all over RU-vid videos I watch. You have some fine taste haha.
@arshaver
@arshaver 4 года назад
There is an official Wyze firmware that supports RTSP
@NGHVEVO
@NGHVEVO 3 года назад
Great job :)
@sRCx0sweetRusHC0d3r
@sRCx0sweetRusHC0d3r 4 года назад
Can you do one similar reverse engineering on a Huawei 4G dongle , that could be a nice tutorial
@AlexMarkessinis
@AlexMarkessinis 3 года назад
Great video! Is there a way to repack the JFS2 directory like you did with the squashfs folders? I took a look at jefferson but the docs only mention the ability to extract.
@Wythaneye
@Wythaneye 3 года назад
You can re-pack the JFFS2 filesystem by using mkfs.jffs2. The problem I'm running into is that the repacked filesystem (no modification) is larger than the original so my offsets are wrong when I go to re-pack the bin file. I'm not terribly skilled in Python so I'm trying to figure out how to mod the wyze_extractor script to build the image properly using a modified JFFS2 filesystem. Hopefully I'll be able to post my fixes here, as I'm working on a mod for my own purposes.
@MygenteTV
@MygenteTV 3 года назад
man, you are a genius. i can only wish to know a half of a half of what you know. can you do some alexa hacking? my brother in law have one and i would love to do some pranks to him
@foosabraun2461
@foosabraun2461 4 года назад
Yay! :)
@crystalsheep1434
@crystalsheep1434 Год назад
Nice video
@AbdelrahmanRashed
@AbdelrahmanRashed 4 года назад
Most devices have some sort of checksum of the firmware binary, how do you usually bypass that?
@NortelGeek
@NortelGeek 3 года назад
Thank you for this video. Tell me, please, is it possible to edit files within a SBN (signed binary) file and then repack with this method? I can open the archive and see the files inside but I'm not sure how to repack it.
@TheWlr9
@TheWlr9 4 года назад
Where does the reverse shell point to initially? If you were to run PWD for example. Is it just the home dir of the user? (In the case of the video the user would be root)
@SimonsSolarShed
@SimonsSolarShed Год назад
Is there any way I can make use of swann wwhd-intcams stuck on the old firmware? As it does not work with swanns new app? Due to the cameras not being in operation at the time of new firmware update
@MiniArts159
@MiniArts159 3 года назад
I had a friend whose mom purchased a cheap Walmart IoT camera. This camera has two-way communication features and makes an alert when the owner rings in. One time it made the alert sound but no audio on the other end. They literally believed it was caused by ghosts as the camera ". . . doesn't connect to the internet, it goes through my mom's phone."
@heycherry100
@heycherry100 4 года назад
a good video after another and another and another ... good job! Open a patreon if you need a little motivation to upload more frequently. I would sign up just like I'm on the LiveOverflow patreon...
@zsoltsator5433
@zsoltsator5433 4 года назад
Would you please help a noob (little knowledge in navigation with Linux) how to check if any suspicious activity is going on on the devices (CCTV) - for instance how to check if any of the cameras or devices connected in my network having connections established outside of my network? How do I distinguish if the connection is due to cloud functionality (aka mobile access) or due to a malicious SW running in background. Thanks to every comment on this.
@minecraftzombie4120
@minecraftzombie4120 4 года назад
Can I ask how did you learn so much about Linux and other commands that you have used and python ? Please mention any resources that you used while learning.
@stacksmashing
@stacksmashing 4 года назад
Honestly - I've been using UNIX/Linux just for a long time as my daily driver. Nowadays there is a ton of great introductory material on the net, same for Python. A lot of the embedded knowledge also comes from having written own embedded firmwares etc - I think knowing how to build something drastically helps with taking it apart :)
@minecraftzombie4120
@minecraftzombie4120 4 года назад
@@stacksmashing thanks for the response !
@westernvibes1267
@westernvibes1267 4 года назад
I am dumb i couldn't understand the packing part a bit. Do you have any course online? Or any resources that would help. I come from web and Network exploitation background am getting into firmware reversing and stuffs i couldn't understand a bit while packing the firmware. :(
@SabretoothBarnacle
@SabretoothBarnacle 3 года назад
What's the method for downloading the firmware already install on the device to see if it has been compromised?
Далее
КТО ПЕРВЫЙ ДО МОСКВЫ / 3 СЕМЬИ
29:30
Best tutorial💞🤗🕺🏻 #tiktok
00:11
Просмотров 179 тыс.
Introduction to Firmware Reversing
11:32
Просмотров 301 тыс.
How To Hack IoT Cameras - Vulnerability Demonstration
20:26
Hacking the Game Boy cartridge protection
10:01
Просмотров 551 тыс.
How the Apple AirTags were hacked
8:38
Просмотров 1,6 млн
I Made a Neural Network with just Redstone!
17:23
Просмотров 542 тыс.
don't throw your faulty fan
0:24
Просмотров 2,5 млн
wireless switch without wires part 6
0:49
Просмотров 3,6 млн
iPhone 15 Pro vs Samsung s24🤣 #shorts
0:10
Просмотров 13 млн