Hacking Video Surveillance Networks

Wed, 30 Jan 2008 11:05:48 GMT

The usual suspects: George Clooney, Brad Pitt and Matt Damon. The plot: rob a casino. The method: hijack the vault's security camera video stream and replace it with a static image. "Fiction?" I don't think so.

This post is not going to be about how to hack into the video surveillance networks of your local government but rather about my personal opinion about the current state of security implemented by the latest video technologies. I hope that the post is as entertaining as enlightening and helpful in your work. I also hope that it gives you the edge to go ahead and implement better, more secure surveillance systems that will actually protect whatever needs to be protected.

Over the past week, I've been heavily involved with exploring several techniques for attacking IP-based video cameras. Apart from the usual vulnerabilities that you find across these types of embedded devices (XSS, CSRF, authentication bypass, brute force attacks that really work, overflows, etc.), I've come up with some quite interesting observations. They may come as no surprise to some of you, but nevertheless they are worth mentioning, as we are often unable to comprehend the simplicity of the matter. So here you go:

The concept of TRUST is fundamentally broken!

Simply put, there is no way of knowing whether the camera on the other end is the device it is expected to be. Currently, there is no trust model implemented by IP-based video surveillance systems. The attack method is rather simple: disconnect the camera and hook a notebook up in its place. Done! The video surveillance software will never know that the camera has been replaced by a static video stream produced by another device. "Is that surprising?" I hope not, because this is the reality.

The next time you watch a movie where the bad guys replace a video stream from the security surveillance system by hooking a device to the network, count it as a real and very possible hack!
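One defender-side check for exactly this substitution, as an added example that is not part of the original post: a monitor that raises an alert when a feed stops changing (a still image pasted in) or starts delivering frames it already delivered (a looped clip). It assumes frames arrive as equal-sized raw 8-bit grayscale pixel buffers (decoding MJPEG to pixels is outside the block) and that a real sensor never produces pixel-identical consecutive frames; the thresholds are chosen for the constructed data.

```python
import hashlib
from collections import deque

def mean_abs_diff(a: bytes, b: bytes) -> float:
    """Average per-pixel difference between two equal-sized 8-bit grayscale frames."""
    if len(a) != len(b):
        raise ValueError("frame size changed mid-stream")
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)

class StreamMonitor:
    """Flags a camera feed that has gone static (a pasted-in still image) or is
    replaying frames it already delivered (a looped clip). Assumption: frames are
    raw grayscale pixel buffers; a real sensor never yields pixel-identical frames."""

    def __init__(self, static_threshold=1.0, max_static_frames=5, history=64):
        self.static_threshold = static_threshold    # mean diff below this counts as "unchanged"
        self.max_static_frames = max_static_frames  # tolerate brief pauses before alerting
        self.seen = deque(maxlen=history)           # digests of recent frames, for loop detection
        self.prev = None
        self.static_run = 0

    def feed(self, frame: bytes) -> list:
        """Return the alerts raised by this frame ("static", "replay"), if any."""
        alerts = []
        digest = hashlib.sha256(frame).hexdigest()
        if self.prev is not None:
            if mean_abs_diff(self.prev, frame) < self.static_threshold:
                self.static_run += 1
            else:
                self.static_run = 0
            if self.static_run >= self.max_static_frames:
                alerts.append("static")
        # A byte-identical frame seen earlier, but not immediately before, is a loop, not a pause.
        if digest in self.seen and frame != self.prev:
            alerts.append("replay")
        self.seen.append(digest)
        self.prev = frame
        return alerts

def scan(frames, **kwargs):
    """Run a constructed frame sequence through one monitor; returns the per-frame alerts."""
    monitor = StreamMonitor(**kwargs)
    return [monitor.feed(f) for f in frames]
```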

Installing rogue video cameras is easy!

Many of the IP-based video surveillance solutions are based on simple discovery protocols such as mDNS and UPnP. Both of them work over multicast addresses. Therefore, it is extremely easy to fake as many cameras as we want.

Here is how to do this. The [register.py](/files/2008/01/register.py) script will register a brand new AXIS 206 camera, while [server.py](/files/2008/01/server.py) will feed an MJPG video stream from an external source. This is how we use them:

register.py **[your mac address here]** &
server.py http://152.1.130.216/mjpg/video.mjpg **# MJP video stream**

Keep in mind that we can register as many video cameras as we want and as such cause a panic or a simple misdirection. We can also do funky things like making the video surveillance system believe that the camera at the back of the casino is actually the camera installed at the entrance.

Bare computer networks are flawed, and so are IP-based surveillance systems

Computer networks are vulnerable to all sorts of attacks: ARP spoofing/hijacking, rogue DHCP servers, rogue DNS servers, routing issues, subnet hopping, eavesdropping, etc. The list goes on and on. In order to mitigate these problems, we often rely on higher (mostly layer 7) encapsulation mechanisms that guarantee the integrity of the lower encapsulation levels (think of SSL). IP-based surveillance systems simply do not have these types of security layers yet. They are largely based on the assumption that no one has access to the network where these devices are located. It might be harder to physically access a video network, but it is not impossible. Think about it. Every camera is a potential entry point, no matter how high on the wall you put it. Given the fact that a lot of these video surveillance systems have WiFi these days, the situation becomes even more concerning.

Administrative functions are handled over ancient security mechanisms

All embedded devices can be accessed via their HTTP server using Basic Authentication credentials. Basic Auth is sniffable and trivially reversible. This is why it is called basic. Moreover, it can easily be used for stealing the access credentials of the video surveillance system. For that to work, the attacker needs a fake "credentials-hijacking" camera. This is where the [stealing_server.py](/files/2008/01/stealing_server.py) script, part of the PoCs, comes into play. This is how we launch the attack:

register.py **[your mac address here]** &
stealing_server.py http://152.1.130.216/mjpg/video.mjpg "AXIS 206" 5 **# MJP video stream, realm AXIS 206, 5 consequent tries**

Upon execution, register.py will register a new AXIS 206 camera. Then stealing_server.py will activate. It won't take long until the video surveillance software calls for video initialization. At this stage a Basic Authentication realm will be provided. Since most video surveillance systems provide facilities to store all your camera credentials so that it is easy to manage them all, these credentials will travel to the rogue camera server, where they will be decoded and displayed to the attacker. The chances that the same credentials are used across all devices are pretty high. So, there you go. Now the bad guys have access to all your video resources.
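The flip side of the two attacks above (rogue registration via mDNS/UPnP, and stored credentials being handed to whichever "camera" answers) is that both are visible on the wire to anyone who keeps an inventory. As an added example that is not part of the original post or its scripts, the block below checks discovery announcements and captured HTTP requests against a constructed inventory: a MAC nobody installed, a known camera suddenly answering from a new address, two devices claiming the same camera name, and Basic credentials sent to a host that is not an inventoried camera. The record formats, addresses and INVENTORY contents are all constructed for the example.

```python
import base64
from collections import defaultdict

# Constructed inventory: the cameras the operator actually installed, keyed by MAC address.
INVENTORY = {
    "00:40:8c:11:22:33": {"ip": "192.168.1.21", "model": "AXIS 206", "label": "entrance"},
    "00:40:8c:44:55:66": {"ip": "192.168.1.22", "model": "AXIS 206", "label": "back door"},
}

def check_announcements(records, inventory=INVENTORY):
    """records: (service_name, ip, source_mac) tuples; name and address come from an
    mDNS/UPnP announcement, the MAC from the Ethernet frame that carried it."""
    findings = []
    macs_per_name = defaultdict(set)
    for name, ip, mac in records:
        mac = mac.lower()
        macs_per_name[name].add(mac)
        entry = inventory.get(mac)
        if entry is None:
            findings.append(("unknown-device", mac, ip))    # nobody installed this camera
        elif entry["ip"] != ip:
            findings.append(("address-changed", mac, ip))   # known camera answering from a new address
    for name, macs in macs_per_name.items():
        if len(macs) > 1:                                    # two devices claiming one camera identity
            findings.append(("duplicate-name", name, ",".join(sorted(macs))))
    return findings

def check_credential_flows(requests, inventory=INVENTORY):
    """requests: (destination_ip, raw_http_request) pairs captured on the camera network.
    Reports Basic credentials sent to any host that is not an inventoried camera."""
    known_ips = {entry["ip"] for entry in inventory.values()}
    findings = []
    for dst, raw in requests:
        headers = {}
        for line in raw.split("\r\n")[1:]:              # skip the request line
            if ":" in line:
                key, value = line.split(":", 1)
                headers[key.strip().lower()] = value.strip()
        auth = headers.get("authorization", "")
        if not auth.lower().startswith("basic ") or dst in known_ips:
            continue
        # Basic is just base64(user:password); only the account name goes into the finding.
        user = base64.b64decode(auth.split(None, 1)[1]).decode("utf-8", "replace").split(":", 1)[0]
        findings.append(("credentials-to-unknown-host", dst, user))
    return findings
```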

Mitigations

I don't know where to start really. I guess that when we think about embedded devices we should really think of them as something extremely flawed, which therefore endangers the surrounding clients and the network to which they are connected.

pang
Don't you mean Ocean's Eleven? We've got lots of AXIS cameras in the subway here in Sweden. Really nice cameras. I think they run some kind of Linux. You can get telnet running on them anyway. They've got a nice API via the web also. Now that I think about it, I think AXIS headquarters are located here in Sweden.
pdp
pang, yes AXIS is Linux-based. In fact, if you have the credentials (often obtained by bruteforce), you can FTP in and look at the file structure.
agent0x0
Very good post pdp. Do you know if using another camera that supports something like 802.1x authentication might help mitigate this risk perhaps? I think I read somewhere that Cisco IP cameras support this and can be configured more securely than your AXIS types (Cisco will cost you $$$ though..).
pdp
I guess the 802.1x authentication based mechanism makes a lot more sense, since the port on the switch will be marked as unauthorized, and therefore will be blocked, unless you send the right EIP credentials. However, as far as I am aware, 802.1x is vulnerable to man in the middle attacks (MITM). Please correct me if I am wrong. On another note, if the attacker has physical access to a camera they might be able to read the creds from the device. But definitely, it is a lot better than what AXIS currently has. The truth is that, like everything else, you have to find the golden balance between security and accessibility and layer the security models in a way that they make sense for the setup you have.
Ix
Interesting post. This looks like it's almost easier than it is in movieland, which is amusing considering their idea of hacking a Gibson (yeah, that's a reference to the "Hackers" movie, for all its horrible hacking portrayal). Heh, anyways it was interesting to see proof that this is more than do-able in the real world. I know a few family friends have had these types of things set up to watch their small family business while they were on vacation, but one has to wonder if any of the more technical employees set up something like this and held parties in the break room.
pang
I believe AXIS cameras have support for 802.1x, and even if they didn't I would configure the switch to notice if the camera was unplugged. AXIS cameras can also be configured to alarm if the picture is changed a lot, like if you would spraypaint it or something.
Jason Macpherson
Yep, Axis cameras run Linux alright. These things are very Geek/Hacker friendly. You can even enable telnet by editing "/etc/inittab" and uncommenting the following line: "tnet:35:once:/usr/sbin/telnetd"
hackathology
pdp, this is a very good post. I would like to know how I can be sure if a video cam network is using the IP network when in the first place I don't even have access to the network. I can see the video cam, but there is no way I can guess if it is using the IP network.
pdp
Well, the easiest way is to try to spot the camera model and check it on the Web. Also, observing any network-type infrastructure around it could also lead to the conclusion that it is IP-based. On the other hand, if you have access to the network but you are not sure whether there are some IP-based cameras, simply query for mDNS and UPnP.
marchiner
Hi citizens... Since I saw an IP-based cam using wireless I started to think about deauthentication attacks, and please correct me if I am wrong, but... it's something extremely easy to do in the wireless world... if you spoof the target MAC address and have enough signal strength to send the correct packets. So... is there any kind of protection against this deauthentication? And what about broadcast deauthentication packets? If I am right... and I hope that I'm wrong... it's easy to confuse any IP cam video system based on wireless. Nice post pdp... keep going! :D
srcasm
@marchiner, you are absolutely right. It's a scary thought, but deauths and broadcast deauths are available to anyone to use. One of the only ways of protecting from it is to contain your radio signals, but this seems like a far-fetched idea for most people/companies. Maybe one day we'll have a system that is a bit more secure.
Vasile Bujor
Hi, I am the IT Manager at a division of BMCO Romania (not Barton Marlow Company). This article is interesting, congratulations. I am a surveillance solutions integrator and I use wireless cameras only for amateur use, and where the budget is limited and the costs of mounting cameras exceed it. For professional installations I only use FTP cable and FTP patch cords, and one idea behind using shielded cable is that no Star Trek technology can be used to interfere with the system and hack it. The only way is to physically cut the wire or the exterior shield and connect. BUT having access to this technology is expensive, and the only way to succeed is if the installation was made by some moron who has no knowledge of cable routing.
pdp
Interesting... :) Never say impossible! Most of the hacks happen because of human mistakes.
axis.hat0r
Very inspiring text, thank you. It would also be very great to have a glimpse of the Python scripts; anyone still got them?
pdp
Yep, updated the post to outline the correct location of the scripts.
Bashar
Need to know the device that can surround the UTP cable to get the video inside the cable.
MeTo
Shielded cables are not as shielded as most of you amateurs think! I can sit outside your house about 75ft away and see what is on your screen and your keystrokes. I use a small yagi antenna centered on the 1.25GHz band. Again, that is about the center of the bandwidth needed. I'm not going to mention the technique or software. There is enough crap out here without me contributing. Yes, I am a professional and in law enforcement.