I am continuing the research I provided in this post. I have some notes before we go into this, as I’d just like to point a few things out.
I’ve censored the hosts because I don’t have money for a lawyer, but I think it is vital to release this information. This post is aimed to wake people up that embedded devices are no joke, I haven’t been looking at these for too long and already have a realisation how disastrous a lot of these products are. Without such security the biggest victim in all of this is the end user, the people who bought the product, that do not know the technicalities of these problems and stay unaware that they are at risk. This is why I decided to release this research, not for ego or 1ups. I should say right now I did not modify or change any values within this system.
In the main folder is some ARM bins which are dynamically linked. We have the lib folder which I assume is used with the dynamic linking for the bins. I decided to run “strings” on all the bins and put them into a text file for further analysis. I was pretty surprised and interested with the results.
While I had extracted the strings from one of these bins I found “DDNS” servers and “Check IP” servers. As with many pieces of firmware from other embedded devices I was not comfortable to see so many different hosts being defined in firmware, I have the view that defining many third party hosts is a bad idea for firmware. If you are going to make contact to the outside (although some of these need users to enable a setting) make sure it’s you, the manufacturer. This idea is not similarly shared with the provider of this firmware.
DDNS allows a static domain name for when a device constantly changes IP addresses. You may be aware of a service called No-IP, this is a DDNS service. Most people would use DDNS to remotely access their devices, in this case CCTV. What this DDNS provider had for security baffled me, and worried me that other services were similar. As I’ve said before I won’t be showing the names of the services, but you can email me if you’re worried because you have a CCTV system. First of all I decided to look a little bit more into one DDNS provider and was given a nasty surprise..
The first thing I do when visiting pages I’m interested in is look at the robots.txt file, which provided a 404. I then looked around Google and only found one page really that was indexed so decided to guess some page names. My first guess provided me with a page. It was one of them moments where I didn’t whether to laugh or cry. I received an admin page with little to no security, I’ll let the picture talk (the page name is the login)
So by simply stopping the page load I was provided with the admin panel. It provided me with a lot of information, some of which I haven’t shown within the screenshot, even the additional columns. Before I hear that I should of stopped here, I was interested to see why there was such a lack of security and how bad it was, could it get any worse? I wanted to see how many users were affected by this and to what extent could an attacker use this for. I have made sure to keep the companies name and many parts of this process out of view.
I could also view all hosts in system, and see the type of CCTV product, great for if I wanted to specifically target a vulnerable group of products.
I could edit these hosts and even disable them, potentially providing a blackout on remote access to every CCTV in system. You had to view them as a single entry but nothing that python could not automate.
I would also be able to modify the admins password to get in correctly but obviously didn’t. As an attacker though, this would be quite a fruitful find as it would become easier to access or create automated tools with the correct password. The lack of security doesn’t stop there, within this panel was some backup functionality in which you could download full logs, user list and server list. These links provided for these backups provided another folder which didn’t have an index and allowed me to see all the page names available within this directory. One of them allowed me to create or drop tables amongst other SQL commands.
I think we can all understand how wrong that could possibly get, to put the cherry on top, you could get the admin password from this page. Another page from the list in the folder gave me a login page for FTP which could be potentially bruted. It also gave me the full web path which potentially could allow me to inject some PHP code within SQL to make it easier for me to take over the server.
All emails could be potentially harvested as the passwords are given as plain text, again, a automated script could do this very well. The amount of users who are from big CCTV companies is quite worrying too (the lack of password security too, hello ‘1234’). There is another case of a complete lack of security or logic towards an admin panel which I’ve found which I fear to disclose, these are not one offs , I’ve seen these type of errors many times on the internet and they need to be stopped. The last time some of these pages were edited were in 2009, that’s a long time for a public DDNS service.
The SQL script was also made in 2003 (provided for me by the comments), this shows either two things; 1, abandonment, in which the provider simply doesn’t care anymore about this project and just has simply let it run. Or 2, complacency, has not decided to take security seriously and thought that no one would look for this service. Whatever the actual reasoning is, hundreds of cameras if not thousands, could be simply affected by someone not loading the page correctly.
I just want to point out at the end that this isn’t region specific, CCTV companies from every region of the world have provided this DDNS as a server to use for your CCTV system.
Thanks for reading 🙂 (PS. DDNS Server People, If you read this, please don’t hate me, I wish to work with companies not destroy)