Monday, 22 May 2017

Circumventing CCTV and Web-Based Home Security Systems




(This article was a team submission with Blake Dutton, Luke Cusack and Ryan Shivashankar for an exercise as part of the Web Security and Pentesting course COMP6443, University of New South Wales. Already submitted, reprinted for your perusal.


It goes without saying that this is printed for informational and academic purposes only and should NOT be used for illegal or unethical uses. Certainly we who wrote the article see this as nothing more than a case study in the vulnerabilities in smart home security systems , done as a university assignment for an IT security course, and would never advocate or do burglary,  black hat hacking or DDOS attacks)



For a device exclusively designed for the purposes of security and surveillance, CCTV cameras (particularly wifi-based) are surprisingly easy to hack and jam. As threat vectors in themselves, they contain significant vulnerabilities - particularly easy default passwords, that provide a great opportunity for a hacker to take over and use for nefarious means.

A Case Study - Home CCTV cameras - the ultimate botnet?



In October 3rd 2016 Techworm reported about the distributed DoS trojan Trojan.Mirai.1, which infected over a million IoT devices running on Linux architectures. Of these, an unspecified large number were internet-linked “smart” home security cameras. This enormous command and control network of infected IoT devices was used on September 20th 2016 to conduct a 620GB DDoS attack on the website of web security journalist Brian Krebs.


This was followed by a 1 Tbps attack on French hosting company OVH and on October 21st two huge and well publicised targeted attacks on Internet Performance Management company Dyn which were mitigated well but resulted in significant performance impact on its managed DNS customers and their end users. The company’s blog states an estimate of 100 thousand malicious endpoints with a ‘significant volume’ originating from Marai-based IoT botnets. Armies of infected IoT devices, including smart CCTV cameras, used on demand as a botnet are a dangerous threat to web applications and infrastructure. Smart home CCTV cameras, which are designed for ease of setup and administration and whose passwords are rarely if at all changed, are a particularly soft target.

Scenario 1 - The Jamming Threat

Another weakness of many home CCTV cameras is their reliance on wireless radio transmission. More recent off-the-shelf home security devices such as the popular Ring system of floodlight cams, video doorbells and motion detectors communicate using 2.4GHz WiFi, with live video streams and interactivity accessible via phone and web apps.

Generally the FCC and other agencies restrict the frequency ranges of wireless security systems to 433MHz / 800MHz / 900MHz / 2.4GHz / 5GHz, with 2.4GHz being by far the most common. Security devices (especially in the US) are legally required to list the frequencies they broadcast on - these can be easily found via a web search.

Their use of wireless communications is a significant weakness that can be exploited by savvy burglars. The range 900MHz to 2.4GHz is the typical range of most cheaper off-the-shelf wireless signal jammers (as can be seen and easily purchased from sales sites such as JammerAll). In fairly typical tools such as the Portable 8 Bands Selectable Man-carried GSM 2G 3G 4G Cellphone Lojack WiFi & GPS Jammer, bands 2,4 and 5 would block all but the 433MHz (for motion detectors) and 5GHz ranges (although some other jammers do target these frequencies), making it effective for blocking most wireless home security cameras. The downside is that cheaper pocket-sized jammers tend to have limited range (~ 20m).

Some wireless CCTV and home security systems, particularly SimpliSafe, counteract this by using a functional anti-jamming algorithm to alert the owner of a potential jamming attack.

The Basic Jamming Attack


In 2015 CNET published an article describing a plausible attack vector that could be used by a thief looking to burgle a small, locked home using CCTV cameras and motion detectors provided with an advanced wireless security setup such as SimpliSafe.
In this case the burglar would need to know the following -

  1. The position of all CCTV cameras, doorbell cameras, smart floodlights and motion detectors in the property and the layout of walls and floors.

  1. The frequency of the wireless signal

  1. The algorithm used to distinguish a jamming signal, and thus tools for how to hide the signal. In the case of (for example) Simplisafe, the algorithm is proprietary and under regular evolution, making hacking it a difficult task.

It was presumed that the most likely burglary scenario would be opportunistic breaking and entering, which accounts for about ⅔ of all residential burglaries in the US.

In this case, a burglar would need to jam the signal right from the start, since breaking a window or opening a protected door would trigger an alarm. When inside the property, the burglar would need to maintain the jamming signal at all times to prevent discovery by motion detectors or internal CCTV. This may require several jammers positioned at different points, which would require time to set up. He would have to maintain a jamming signal outside at the same time. This would be difficult to achieve and carry considerable risk, especially considering that the burglar’s jamming equipment would also need to be configured to send a signal that would be hidden from a (proprietary) anti-jamming algorithm - something the burglar would find difficult to have advance knowledge of.

It is thought that while this kind of security attack is possible, the opportunistic nature of most burglaries of residential property does not gel with the level of sophistication involved. CNET concluded that most burglars would simply move on and target properties not containing smart CCTV security systems.

Alternate Attack Vectors

We have considered alternative attacks against wireless defence systems such as the above
  1. Cutting off Power

One possible attack is to -

  1. Cut off mains power from the outside somehow (i.e. at a street electricity box or via cutting overhead lines)

  1. Break into property without risk of setting off the alarm or being picked up by smart CCTV, motion detectors, smart locks etc

An attempt of this sort happened to properties on my (PW) street about six months ago in broad daylight. Neighbours saw a man tampering discreetly with an electricity box. He ran off when challenged and threatened with the police. A more successful approach would have been better off executed in darkness of night, having scoped out houses where occupants were away on holiday.

Some WiFi-based home security systems, including the aforementioned Ring system, get their power sources from rechargeable or replaceable batteries, which would obviously be resistant to the above.
  1. Faking Security Faults


This would work by using a jammer to provoke several consecutive false alarms to be raised by a smart CCTV / Home Security system implementing an anti-jamming algorithm (such as Securisafe). This works on the hypothesis that while the house owner would immediately call the police or raise the alarm if an intrusion is detected or CCTV reveals an unknown presence in or around the property, owners who are not computer savvy may not know how to react to repeated alarm raised by signal jamming where no obvious cause is in sight - especially at night if there is no 24 hour support. The temptation would be to regard it as a fault in the system, turn off the system and return to bed to wait until morning, leaving the house temporarily defenceless.

  1. From a safe distance and late at night, using a jammer tuned to the frequency of the CCTV home security system and having enough strength, execute a series of jamming attempts such that the alarm is triggered.
  2. After each time the owner reacts and returns to bed, check to see that there is a signal or execute the jamming attempt again (a short time after).

  1. If no more alarm is sounded, the security system may have been switched off. To the would-be burglar, this is obviously good.

  1. Break into property some time later

This obviously depends on -

  1. Knowing the brand and type of smart security system used and its broadcast frequency

  1. Having a sufficiently strong, directed and sophisticated jammer

  1. No other means of detection or raising the alarm present (i.e. by dogs or other pets or occupants still awake)

  1. A great deal of luck

Once again, the above approaches require prior knowledge and work and do not gel with the opportunistic, low-fi nature of most burglaries of residential property. Another aspect is the low range of pocket jammers, requiring a burglar to remain close to the property for long periods and risk discovery. A burglar would see more sense in simply targeting less well-protected properties nearby.

Scenario 2 - Hacking into Smart Camera Security Systems

Another option to disable smart camera security systems on linux platforms is to hack into them and either disable them or take control. As shown before in the case of Trojan.Mirai.1, smart IP-discoverable security and surveillance cameras often have their own admin security as an afterthought and more often than not will have simple, rarely if ever changed default user accounts and passwords - which are well known and targeted by malware. This is common with IoT devices generally. Brute force attacks on Symantec’s honeypot in 2016 (as reported in Symantec’s blog article on 22nd Sep 2016) show the top usernames and passwords used by malware to target IoT systems generally.

Top User Names
Top Passwords
root
admin
admin
root
DUP root
123456
ubnt (targetting ubiquiti routers and equipment)
12345
access
ubnt
DUP admin
password
test
1234
oracle
test
postgres
qwerty
pi
raspberry

The most common attack (particularly for malware distribution) is as follows -

  1. Port Scan of random or targeted IP addresses where open Telnet or SSH ports

  1. Brute Force logon attack with common credentials like those above

  1. Once access is gained, use wget or tftp to download a shell script to the device that can be used for access and control

  1. Where this is the goal, download malware and bot software corresponding to the operating system accessed.

This can be amended to disable, retrieve login data or take control of security systems as required.

Exploiting Weaknesses

There have been many instances where even the above is not necessary. In 2013 NetworkWorld posted an article stating that 406 links to vulnerable unregistered TRENDNet surveillance cameras which could be viewed without even a login had been posted on Pastebin and could be viewed on Google Maps. TrendNet stated that a fix had been released but it is very unlikely that more than a few cameras will have had the upgrade implemented. Numerous private shots from these surveillance cams have been posted on this and other articles, creating what the article described as a “Peeping-Tom Paradise”...

Another 2013 NetworkWorld article stated a vulnerability in Foscam wireless IP cameras (CVE-2013-2560) such that “remote attackers.. (can).. read arbitrary files via a .. (dot dot) in the URI, as demonstrated by discovering (1) web credentials or (2) wifi credentials” without any log stored on the camera. An attacker could “grab videostream, email, FTP, MSN, Wi-Fi credentials” or “host malware or run… botnets, proxies and scanners” or hack other IoT devices on the same network. A tool (getmecamtool) developed by the experts that uncovered the vulnerability automates these attacks.

Conclusion

This document outlines different attacks that have been proposed or successful against home wireless security cameras and other security systems. While jamming wireless security systems is possible, using it to attempt a break in is considered difficult and rare. There are however various vulnerabilities inherent in smart home security cameras and other systems that can be hacked and these have been used for privacy intrusion and DDOS botnets among other attacks.