Slashdot Mirror


Cheap Web Cams Can Open Permanent, Difficult-To-Spot Backdoors Into Networks

An anonymous reader writes: They might seem small and relatively insignificant, but cheap wireless web cams deployed in houses and offices (and connected to home and office networks) might just be the perfect way in for attackers. Researchers from the Vectra Threat Lab have demonstrated how easy it can be to embed a backdoor into such a web cam, with the goal of proving how IoT devices expand the attack surface of a network. They bought a consumer-grade D-Link WiFi web camera for roughly $30, and cracked it open. After installing a backdoor to the Linux system that runs the camera, and then turning off the ability to update the system, they had an innocent-seeming but compromised device that could be stealthily added to a network environment.

16 of 77 comments

  1. webcam distro? by ChunderDownunder · · Score: 2

    The article mentions the d-link embeds Linux.

    Is there a dd-wrt equivalent for webcams and a list of compatible models? or are these things generally tivoized?

    1. Re:webcam distro? by OolimPhon · · Score: 2

      These are IP cameras, that is, a camera which runs a website that can stream whatever the camera is pointing to.

      I recently bought one of these to act as a baby monitor. It needs an OS in order to run the web software and Linux is already available, so why not use it? I'm betting the configuration used chops out almost everything apart from the absolute essentials.

      I have a Foscam FI8910W. The first thing to note is that initial configuration, including a mandatory root password change, /must/ be done using an Ethernet cable. At that point you can choose to use the wifi link or disable it; the same with UPnP. Wifi is paired with my wifi router and, as far as I can tell, only by connecting to the router with a MAC-listed client can anyone access the camera.

      There is a Dynamic-DNS facility to access the camera over the Wild West Interwebs but that requires configuration which I have disabled as not required.

  2. Why webcams? by Anonymous Coward · · Score: 5, Informative

    Put ANY compromised hardware on your network, and it's no longer secure. This is news?

    1. Re: Why webcams? by DaHat · · Score: 3, Informative

      How do you know if the device is compromised?

      While you hopefully won't use one sent by a known enemy (thanks for spoiling the surprise, Greeks!), how do you ensure that a unit you picked up used on eBay or Craigslist wasn't backdoored?

      Opt only to buy retail or online from a major vendor? Same issue. How do you know someone hasn't purchased the device, tampered with it, repackaged it with some shrinkwrap, then returned it? ... Or worse, intercepted the shipment prior to you getting it?

    2. Re: Why webcams? by DaHat · · Score: 2

      Easy. I reflash it with the original firmware image before use, or better yet, something superior.

      Unless you use a JTAG to force a flash, you are trusting the honesty/reliability of the existing software to actually update the chip, which is the equivalent of trusting that user mode AV can assure you if a machine is clean or not.

      At DEFCON this year there was a demonstration of infecting the LTE modem in a tablet (OS independent) which not only would persist OS wipes, but even attempted firmware updates: https://www.youtube.com/watch?...

      A long-increasing problem in computing is that you don't just have a single computer, but a box full of computers, many of which run their own software stack that most of us aren't qualified to try to validate... and it's only getting worse.

  3. Segment the network. by willy_me · · Score: 2

    All questionable devices should go on a separate network segment that is isolated via a strict firewall. If I can not compile and install OpenWRT on my device, it does not go onto my main network.

  4. Re:You get what you pay for by Anonymous Coward · · Score: 3, Insightful

    I agree, but:
    This article is good because it lets us (the good guys) send a link to this article to the ignorant guys (managers etc), so that a sense of urgency is formed. Then maybe we are allowed to allocate resources to protect ourselves - at least from the script-kiddies and the semi bad guys.
    (For the really skilled bad guys, even many professional organisations will fail in the long run)

  5. Re:You get what you pay for by Barny · · Score: 2

    There is that but this is old old old news.

    https://youtu.be/B8DjTcANBx0

    And back then it was even big, high quality (and price tag) cameras that were at fault.

    Basically, these sorts of things must be on their own vlan and cut off from all access that isn't to the monitoring station/area.

    --
    ...
    /me sighs
  6. Linux webcam compromised .. by tetraverse · · Score: 2

    "Limitations to this type of attack are obvious: attackers must be skilled enough to create a backdoored flash image, and find a way to deliver it to the device - either by "updating" an already deployed device, or by getting their hands on it before it's installed." ref

  7. Router lockdowns and monitoring by Todd+Knarr · · Score: 3, Insightful

    This is one reason to segregate devices and have firewall rules that control which devices can make outgoing connections. That way you can ensure IoT and other devices that have no business talking to the Internet can't talk to the Internet.

    I also run a monitoring job that collects MAC addresses and associated IP addresses from the router's ARP cache and reports on unexpected changes. It doesn't make it impossible to slip a device onto my network without it being noticed, but it takes a fair amount more work than the likely intruders will be putting forth. It also helps find the MAC addresses of new equipment that doesn't like to say what its MAC address is.
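    The ARP-cache monitoring job described in the comment above, written out as an added example (this is not the commenter's script, and the table contents, interface name br0 and file paths are constructed for illustration). It normalises a /proc/net/arp dump into "ip mac" pairs, diffs it against the snapshot kept from the previous run, and reports new MACs, an IP that suddenly answers from a different MAC (device swap or ARP spoof), a known MAC that moved address, and baseline entries that have vanished. Incomplete entries (flags 0x0, all-zero hardware address) are skipped so a device that merely timed out does not show up as missing on every run.

```shell
#!/bin/sh
# arp_watch.sh: snapshot the router's ARP table and report changes against
# a baseline kept from the previous run. Intended to run from cron on the
# router or any host that sees the LAN. Paths and sample data are
# assumptions for this example, not real captures.

# Normalise /proc/net/arp into sorted "ip mac" lines, dropping the header
# row and incomplete entries (flags 0x0 / all-zero hardware address).
arp_snapshot() {
    awk 'NR > 1 && $3 != "0x0" && $4 != "00:00:00:00:00:00" { print $1, tolower($4) }' "$1" | sort
}

# Compare two snapshots ("ip mac" lines). Output lines:
#   NEW_DEVICE  ip mac            MAC never seen before (the camera someone just plugged in)
#   MAC_CHANGED ip old -> new     same IP now answers from another MAC (swap or ARP spoof)
#   IP_CHANGED  mac old -> new    known MAC moved to another address
#   MISSING     ip mac            baseline entry with no trace in the current table
# An empty baseline (first run) simply reports everything as NEW_DEVICE.
arp_diff() {
    awk '
        FILENAME == ARGV[1] { base_mac[$1] = $2; base_ip[$2] = $1; next }
        {
            ip = $1; mac = $2
            if (ip in base_mac) {
                if (base_mac[ip] != mac) printf "MAC_CHANGED %s %s -> %s\n", ip, base_mac[ip], mac
            } else if (mac in base_ip) {
                printf "IP_CHANGED %s %s -> %s\n", mac, base_ip[mac], ip
            } else {
                printf "NEW_DEVICE %s %s\n", ip, mac
            }
            seen_ip[ip] = 1; seen_mac[mac] = 1
        }
        END {
            for (ip in base_mac)
                if (!(ip in seen_ip) && !(base_mac[ip] in seen_mac))
                    printf "MISSING %s %s\n", ip, base_mac[ip]
        }
    ' "$1" "$2" | sort
}

# Built-in demonstration on constructed tables: a MAC changed behind .20,
# the .30 device moved to .31, .40 vanished, .50 is new, .77 is incomplete.
demo_report() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/baseline.raw" <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:01     *        br0
192.168.1.20     0x1         0x2         aa:bb:cc:00:00:20     *        br0
192.168.1.30     0x1         0x2         aa:bb:cc:00:00:30     *        br0
192.168.1.40     0x1         0x2         aa:bb:cc:00:00:40     *        br0
EOF
    cat > "$tmp/current.raw" <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:01     *        br0
192.168.1.20     0x1         0x2         AA:BB:CC:00:00:99     *        br0
192.168.1.31     0x1         0x2         aa:bb:cc:00:00:30     *        br0
192.168.1.50     0x1         0x2         aa:bb:cc:00:00:50     *        br0
192.168.1.77     0x1         0x0         00:00:00:00:00:00     *        br0
EOF
    arp_snapshot "$tmp/baseline.raw" > "$tmp/baseline"
    arp_snapshot "$tmp/current.raw" > "$tmp/current"
    arp_diff "$tmp/baseline" "$tmp/current"
    rm -rf "$tmp"
}

# Cron use: arp_watch.sh /var/lib/arp_watch/baseline
# First run records the baseline; later runs print differences and roll it forward.
# With no argument, run the demonstration instead.
if [ $# -eq 0 ]; then
    demo_report
else
    now=$(mktemp) || exit 1
    arp_snapshot /proc/net/arp > "$now"
    [ -s "$1" ] && arp_diff "$1" "$now"
    mv "$now" "$1"
fi
```

    On the constructed data the report is four lines: MAC_CHANGED for 192.168.1.20, IP_CHANGED for the aa:bb:cc:00:00:30 device, MISSING for 192.168.1.40 and NEW_DEVICE for 192.168.1.50; the incomplete 192.168.1.77 entry is ignored. Pipe the cron output to mail or a syslog line to get the alert; a NEW_DEVICE line for an address nobody can account for is exactly the "innocent-seeming device quietly added to the network" case from the summary.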

  8. Re:You get what you pay for by WaywardGeek · · Score: 4, Interesting

    Here's a nice warm thought to keep everyone up at night: What is to keep hackers who enjoy this sort of thing from buying devices at BestBuy, hacking them to insert remote back doors, and then returning them to BestBuy the next day? If they put it back in the packaging, possibly with new shrink-wrap, they could claim they never even opened it, and it would go right back on the shelf for some unsuspecting victim to buy.

    Would it matter if the device were a $20 webcam, a $2,000 desktop PC, a $50 Wifi router, or a $100 HP printer?

    --
    Celebrate failure, and then learn from it - Nolan Bushnell
  9. Easy to protect against. by Lumpy · · Score: 3, Informative

    I have several 1080P ONVIF China security cameras that are known to send video back to China. It is trivial to make these 100% secure and hacker-proof, disabling all backdoors, if you have education and knowledge.

    At home, I can see people having the problem as 99% of all citizens are IT-uneducated. But a business? There is ZERO excuse.

    I put them on their own VLAN separate from everything else, they can only talk to the recorder PC and that PC can talk to both networks so we can view the camera streams. Camera VLAN has zero access to the internet, Recording PC that is straddling two networks has simple rules as well to prevent data leaking.

    And this is the sad part. Most businesses don't have competent IT that even has the first clue about network security. Plus you should ALWAYS have no trust for any device on your network. Treat them all as hostile and only let them have what is needed to do what you want.

    Businesses that don't spend money on IT that is competent deserve what they get.

    --
    Do not look at laser with remaining good eye.
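    The camera VLAN layout that this comment, willy_me's and Barny's all describe (cameras on their own VLAN, reachable only from the recorder, no route to the Internet), as an added example in nftables form. This is not any commenter's configuration: the interface names vlan20 (cameras) and vlan10 (trusted), the recorder address 192.168.10.5, the camera subnet 192.168.20.0/24 and the ONVIF/RTSP ports 80 and 554 are assumptions for the example, and the function is meant to be run on the router that forwards between the two VLANs. The useful part is the shape of the policy: default drop on the forward chain, one narrowly scoped accept for recorder-initiated connections, and a logged drop for anything a camera initiates, which is how you find out a camera is trying to phone home.

```shell
#!/bin/sh
# camera_vlan.sh: emit an nftables ruleset that confines IP cameras to their
# own VLAN. Only the recorder on the trusted VLAN may open connections to the
# cameras (ONVIF on 80/tcp, RTSP on 554/tcp); cameras may initiate nothing,
# so any phone-home attempt is logged and dropped.
# Interface names, addresses and ports are assumptions for this example.

# Minimal dotted-quad check so a typo does not silently open the policy.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Usage: camera_vlan_ruleset CAM_IF TRUSTED_IF RECORDER_IP CAM_SUBNET_CIDR
camera_vlan_ruleset() {
    cam_if=$1; trusted_if=$2; recorder=$3; cam_net=$4
    [ -n "$cam_if" ] && [ -n "$trusted_if" ] || { echo "interface names required" >&2; return 1; }
    valid_ipv4 "$recorder" || { echo "bad recorder address: $recorder" >&2; return 1; }
    valid_ipv4 "${cam_net%/*}" || { echo "bad camera subnet: $cam_net" >&2; return 1; }
    cat <<EOF
table inet camera_vlan {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies to connections the recorder opened
        ct state established,related accept

        # recorder -> cameras: ONVIF (80) and RTSP (554) only, nothing else
        iifname "$trusted_if" oifname "$cam_if" ip saddr $recorder ip daddr $cam_net tcp dport { 80, 554 } ct state new accept

        # anything a camera initiates (Internet, trusted VLAN, other cameras
        # via the router) is logged at a bounded rate, then dropped
        iifname "$cam_if" limit rate 10/minute log prefix "camera-vlan-drop: "
        iifname "$cam_if" drop
    }
}
EOF
}

# Print the ruleset; pipe it to `nft -c -f -` to syntax-check or `nft -f -` to load.
camera_vlan_ruleset vlan20 vlan10 192.168.10.5 192.168.20.0/24
```

    Loading with `nft -f -` adds the table alongside whatever else is loaded; delete the old `camera_vlan` table first when re-applying. Because the chain policy is drop and the accept rule names the recorder's source address, moving the recorder or adding a second viewer means editing the rule, not loosening it: that friction is the point. The `camera-vlan-drop:` log lines are the cheapest possible detector for a camera that "sends video back to China", since the camera's first outbound SYN shows up in the kernel log with its source address.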
  10. Re:You get what you pay for by plover · · Score: 2

    Here's a nice warm thought to keep everyone up at night: What is to keep hackers who enjoy this sort of thing from buying devices at BestBuy, hacking them to insert remote back doors, and then returning them to BestBuy the next day? If they put it back in the packaging, possibly with new shrink-wrap, they could claim they never even opened it, and it would go right back on the shelf for some unsuspecting victim to buy.

    But ... that could never happen. There's yellow tape on the box assuring me that it was inspected and repackaged by Best Buy experts. Experts! And we all know only experts are permitted access to the yellow tape dispenser.

    I have little doubt the same experts refurbished one of the returned washing machines I was looking at. I wanted to see how the drain filter would work so I opened it, and while I looked disgustedly at the slimy lint still trapped in the filter, about a gallon of water poured into their carpets. I guess that's what karma looks like.

    --
    John
  11. Re:You get what you pay for by Dr.Dubious+DDQ · · Score: 2
    That's a good point, though it seems like a lot of effort to get a device into a random, unknown network at a random, unknown time.

    To me, it merely emphasizes that being able to replace the OS/Firmware oneself is important, and should be done with any new device.

    Doesn't really matter if Spyware McWebcam put a malware OS on the device if I'm just going to overwrite it with good firmware of my own choosing before putting it on my network.

    Same goes for full computers, too, along with "smartphones" and tablets, which seem like they'd be bigger targets. One could do a lot more harm with a backdoored iPhone or Android device returned as "new, unopened" than a webcam.

  12. Re:You get what you pay for by rthille · · Score: 2

    How is this different from _any_ device these days?

    --
    Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
  13. Re:Webcams just an example ANYTHING that runs Open by Gaygirlie · · Score: 2

    If you want to know what consumer devices pose a security threat (whether cheap or expensive, webcam, router/modem or other device), just look at the list of devices that other people have loaded some version of a Linux based O/S on to. These are the devices that can be easily subverted. If your organisation is sensitive to security threats, the list of "hackable" devices should also be your list of products that should never be allowed to connect inside your company's security fence.

    That's a stupid argument. The devices where it's easy to replace the firmware are also the ones that are the easiest to make sure are secure: just replace the firmware yourself and then you can do anything you want to make it as secure as possible. The more closed the device is, the less you can actually do to secure it!