With our devotion and interest in the development of the Internet of Things, and our identity as a cyber security company, we decided to use some time at the lab to delve into the state of IoT security on a typical device. We attended an IoT Security conference in October and were shocked to get a first hand account of the situation. We had a hard time believing the situation was as dire as was presented so we set out to learn for ourselves.
We started our deep dive by going to Amazon and choosing a simple, popular IoT device. Right now, IP cameras seem to be all the rage, so we picked one of the most popular ones (it had 4 out of 5 starts with a lot of reviews as well) and set off to work. We began our research in the same way we began the Echo research before…by determining what we could do out of the box with our IP camera and learning about its intended capabilities. One of the first analytic steps we took was to analyze what the camera was doing on the network. We knew later on we would break down the hardware and software of the camera as well, but the networking analysis alone provided some interesting insight.
When doing the network analysis on this IP camera it was important to look at all of the different ways the device connects and communicates to the internet as well as the varying types of traffic needed when talking to each of the different applications . With this IP camera we looked at the traffic when using the app, and the browser to see what would be helpful in fingerprinting the device in the wild.
To start off we observed some of the networking basics of our cameras and found that the cameras had the MAC address of:
MAC = 7C:C7:09:XX:XX:XX
The first 4 bytes are the same, meaning all of the cameras we purchased have the same vendor id (as expected). When doing a search on this vendor id it was found to be Shenzhen RF-link Electronics and Technology., Ltd, which is associated with the Zmodo company. If you come across this OUI in network traffic then there is a good chance you have come across a Zmodo product and most likely the IP camera.
We also performed an Nmap to see what ports were open on the device for possible access vectors. These are the ports that we discovered:
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
4444/tcp open krb524
8000/tcp open http-alt …….Browser interface
9000/tcp open cslistener …….Mobile listening port. Configurable
Next we began looking at the browser interface( Username: Admin
Password: 111111). In the traffic we noticed quite frequently your SSID and password would be sent in plain text over a TCP session with source port 8000. In a pcap we took with Wireshark we saw it being sent approx 3 times in just a one minute snap.
Next we moved on to the app that you can download for your mobile device to connect with the camera. The app advertises that it provides some added security by being able to add a password to your IP camera. Unfortunately, we found that when we set up a local password of “reallysecure” the password was actually just being sent in the traffic with an md5 hash.
While using the meshare app there were multiple sessions going to meshare.com IPs. Below is a list of some of the IPs associated with their application along with whois information.
User.meshare.com & user.zmodo.com
Hosted by EP Technology Corporation
From the camera traffic it was determined that the Zmodo app sends images of your camera to the IP 126.96.36.199, which is a server in Beijing, China.
This analysis lead us to investigate all of the different port access options and began looking into them deeper to find vulnerable attack surfaces. It also gave us a greater understanding of how the device is communicating on the internet, and provided us with the signatures to uniquely identify other Zmodo IP cameras in network traffic. For detailed analysis of the camera’s software, check out the next blog post in the series!