In today’s age of constant connectivity the allure of remotely checking on your home and loved ones is appealing and manufacturers of Wifi Cameras promise a “second set of eyes around the home or office.” However, you may not be the only one peeping in. The dangers of unsecured webcams and baby monitors have been reported in 2014 with cautionary tales warning consumers to change their default passwords. So that’s the end of the story, right? Adding a password will protect me from creepy strangers looking into my home. Not so fast. Researchers at Senrio discovered a vulnerability in a popular Wifi camera that lets attackers overwrite the administrator password.
Using Stack Overflow Loophole to Remotely Overwrite Device Administrator Password
As part of ongoing security research into consumer and enterprise device vulnerabilities, the Senrio research team discovered and exploited a remote code execution vulnerability in the latest firmware of the D-Link DCS-930L Network Cloud Camera. It is the result of a stack overflow in a service that processes remote commands. The vulnerable function copies data from an incoming string to a stack buffer, overwriting the return address of the function. This vulnerability can be exploited with a single command which contains custom assembly code and a string crafted to exercise the overflow. The function first copies the assembly code to a hard-set, executable, address. Next, the command triggers the stack overflow and sets the value of the function’s return address to the address of the attacker’s assembly code. The vulnerability allows code injection which lets the attacker set a custom password, granting remote access to the camera feed. Thus, even if users create a strong password, this type of exploit can override it. Instead of setting a new password as the exploit, an attacker could just as easily add a new user with administrator access, download firmware or otherwise re-configure this device.
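As an added illustration, not code from the Senrio write-up or the D-Link firmware, the unbounded copy pattern described above is shown next to a bounded command handler that rejects anything that does not fit its stack buffer; the buffer size, command strings and function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: a command handler of the kind described above,
 * in its unsafe and bounded forms. Buffer size is an assumption. */
#define CMD_BUF_LEN 64

/* Unsafe pattern: the incoming string is copied into a fixed stack
 * buffer with no length check, so an input longer than the buffer runs
 * past it and into the saved return address. Shown for contrast only;
 * never call this with untrusted input. */
int handle_command_unsafe(const char *cmd)
{
    char buf[CMD_BUF_LEN];
    strcpy(buf, cmd);               /* no bound: stack overflow on long input */
    return (int)strlen(buf);
}

/* Hardened form: find the terminator within the bound first, refuse the
 * command if it is absent, then copy exactly that many bytes.
 * Returns the accepted length, or -1 for a NULL or oversized command. */
int handle_command_safe(const char *cmd)
{
    char buf[CMD_BUF_LEN];
    if (cmd == NULL)
        return -1;
    const char *end = memchr(cmd, '\0', CMD_BUF_LEN);  /* never scans past bound */
    if (end == NULL)
        return -1;                  /* no room for data plus terminator */
    size_t len = (size_t)(end - cmd);
    memcpy(buf, cmd, len + 1);      /* copies the terminator too */
    return (int)len;
}

/* Feed the safe handler a constructed command of n bytes so the
 * boundary behaviour can be checked (n must be below 2*CMD_BUF_LEN). */
int probe_len(size_t n)
{
    char in[CMD_BUF_LEN * 2];
    if (n >= sizeof in)
        return -2;
    memset(in, 'A', n);
    in[n] = '\0';
    return handle_command_safe(in);
}

int main(void)
{
    printf("short: %d, 63 bytes: %d, 64 bytes: %d, 127 bytes: %d\n",
           handle_command_safe("get_status"), probe_len(63), probe_len(64), probe_len(127));
    return 0;
}
```

The accepted boundary is one byte below the buffer size because the terminator must fit; the unsafe handler has no such boundary at all.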
Looking at the architecture of the product line and where the vulnerability was found in the software stack, the bug is likely not confined to a single model but prevalent in other products using the same sub-system. So far, the research team has confirmed five cameras in the D-Link product line that are vulnerable. This vulnerability points to a bigger issue of poorly written firmware components used in cheap Systems on Chips (SoCs).
Implications Beyond the Home
While the thought of strangers watching your sleeping baby is disturbing, the implications for enterprise and infrastructure environments are downright scary. We typically associate the term ‘Internet of Things’ with the consumer world, smart toasters and WiFi fridges; however, a large part of our life depends on networked embedded devices that have been around for decades. Adoption is driven by business rationale but the security exposure is often overlooked. The techniques used to find the WiFi Camera vulnerability are also used to identify vulnerabilities in medical and industrial devices used in hospitals, nuclear power plants, and factories. And often those devices receive just as little security scrutiny as this webcam.
For instance, Senrio looked at a remote power management (RPM) system and found a vulnerability that lets attackers remotely control the devices. This might be benign in instances in which the RPM is connected to signage but attackers could intentionally or accidentally power down more critical systems like servers, water pumps, or traffic systems. Devices "go places" and "do things" and thus the threat is different from a software vulnerability.
Manufacturers often rely on “security through obscurity” and a belief that medical and industrial devices are not vulnerable because they are not connected to the internet. This is simply not true. The Senrio team has a strong security research background and trains manufacturers on mobile security exploitation and protection in an effort to make embedded devices more secure. Warnings about the “laughable state” of industrial security have been around for years, but the “uncanny valley”, the knowledge gap between software and hardware interactions, keeps widening. Lack of hardware knowledge (even within the hacker community), coupled with legacy systems that cannot be patched or updated, makes security exposure for networked embedded systems a tier one problem for consumers and industry alike.
We have sounded the alarm bells for years but teaching and research are not enough. Industry needs a comprehensive answer to address the inherent vulnerabilities in Networked Embedded Devices and Senrio offers a much-needed new approach.