I once bought a shady cam on Amazon just for the fun of it and did a port scan, and found out they simply had the Telnet port open with no root password set, so yeah... I'd love to flash a custom firmware on the camera since the hardware itself is nice but it doesn't provide RTSP (an open Telnet port wouldn't be much of an issue just in my local LAN and behind a separate VLAN), but it seems like my camera has almost no Google entries at all :(
Most of the cheap imported Chineseum landfill we lovingly call H.264 DVR equipment contains (from the factory) insecure firmware and/or malicious code concealed within the supporting viewer software. Combined with non-secure HTTP servers, these inferior CCTV DVR camera systems (intended for domestic use) make for interesting covert viewing and yet another digital playground to abuse for any bored hacker. 🤣
It's been a few years, but I believe I used to use squashfs as the system image on the good ol' T-Mobile G1 (HTC Dream), the first Android device. But I thought it wasn't read-only once mounted, as I used to manipulate the system partition all the time... I may be mistaken though, that was 2009.
Where does the reverse shell point to initially? If you were to run pwd, for example, is it just the home dir of the user? (In the case of the video the user would be root.)
Hi, could you make a video about reading a Bluetooth headphone's firmware? I wonder how, and if it's even possible. My Ubuntu can't see it while they're connected via USB cable and I'm not that smart (yet) to get a custom connection via Bluetooth.
Could you extract the firmware for Vstarcam cameras? They're not available online and the updater inside the camera only downloads a diff of what needs to be updated. I tried extracting from the flash using a Raspberry Pi but it didn't work. These cameras are among the most sold on AliExpress and I can't find a way to telnet to them. Their RTSP server keeps crashing and I wanted to write a custom script to restart this server. Would be nice if you managed to crack these cameras. Thanks!
Firewall! Disallow internet access for any new device on your network (until you trust it), problem solved!! I remember when I purchased some Hikvision cameras and they were so chatty to somewhere in China. I was nervous so I created a firewall rule that basically gave them no access to the internet.
Would you please help a noob (little knowledge of navigating Linux) with how to check if any suspicious activity is going on on the devices (CCTV)? For instance, how to check if any of the cameras or devices connected to my network have connections established outside of my network? How do I distinguish whether a connection is due to cloud functionality (aka mobile access) or due to malicious software running in the background? Thanks for every comment on this.
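As an added shell example (not from the video) of how to answer this offline: feed it a flow log exported from the router or firewall and the camera addresses, and it lists every camera connection that leaves the local address ranges and flags the ones not in a baseline recorded while the vendor app was used normally. The log format (`epoch src dst dport proto`), the camera IPs, the baseline file and the helper names are constructed assumptions.

```shell
#!/bin/sh
# Added example: find camera connections that leave the LAN and compare them
# with a baseline. Cloud traffic shows up in the baseline as a small, stable
# set of destinations; anything new is what to resolve (host/whois) and ask
# the vendor about. Log format and addresses below are constructed.
set -eu

# is_local_ip A.B.C.D: true for RFC1918, loopback, link-local, multicast and
# broadcast. Everything else counts as "outside my network" here.
is_local_ip() {
  IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
  [ "$o1" = 10 ] && return 0
  [ "$o1" = 127 ] && return 0
  [ "$o1" = 192 ] && [ "$o2" = 168 ] && return 0
  [ "$o1" = 169 ] && [ "$o2" = 254 ] && return 0
  [ "$o1" = 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 0
  [ "$o1" -ge 224 ] && return 0
  return 1
}

# camera_egress LOG CAMERA_IP...: unique "src dst dport" lines for every flow
# from a listed camera to a non-local destination. LOG lines are
# "epoch src dst dport proto" (constructed export format).
camera_egress() {
  log=$1; shift
  cams=" $* "
  while read -r _ts src dst dport _proto; do
    case $cams in *" $src "*) ;; *) continue ;; esac   # not one of our cameras
    is_local_ip "$dst" && continue                      # LAN, mDNS, broadcast
    echo "$src $dst $dport"
  done < "$log" | sort -u
}

# new_destinations EGRESS_FILE BASELINE_FILE: egress lines absent from the
# baseline (exact line matches). Empty output means nothing new appeared.
new_destinations() { grep -vxF -f "$2" "$1" || true; }

# Demo on a constructed flow log. 203.0.113.x and 198.51.100.x are the
# documentation address ranges, not real endpoints.
demo() {
  d=$(mktemp -d)
  cat > "$d/flows.log" <<'EOF'
1617000000 192.168.1.50 192.168.1.1 53 udp
1617000001 192.168.1.50 203.0.113.10 443 tcp
1617000002 192.168.1.50 198.51.100.7 8443 tcp
1617000003 192.168.1.51 203.0.113.10 443 tcp
1617000004 192.168.1.20 203.0.113.99 443 tcp
1617000005 192.168.1.51 224.0.0.251 5353 udp
EOF
  # Baseline recorded earlier: the vendor endpoint both cameras always use.
  printf '%s\n' '192.168.1.50 203.0.113.10 443' '192.168.1.51 203.0.113.10 443' > "$d/baseline"
  camera_egress "$d/flows.log" 192.168.1.50 192.168.1.51 > "$d/egress"
  echo "camera flows leaving the LAN:"; cat "$d/egress"
  echo "not in baseline (investigate):"; new_destinations "$d/egress" "$d/baseline"
  rm -rf "$d"
}

demo
```

Record the baseline over a few days of normal use before trusting it; a destination that appears only after a firmware update or a device swap is the one worth a closer look.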
And again we learned... if you actually want privacy, don't get stuff that connects to the internet. In the end you're trusting some company and their devices. Don't start crying when someone leaks footage from one of the twenty cameras that you have pointing at yourself. It's a real risk and we all take it.
But hey, everyone NEEDS heating that is controlled by the smartphone and stuff like that, right?
Netcat compiled for MIPS should be under 100 KB, no need for a 1.5 MB busybox binary. A good alternative to busybox is toybox (still about 800 KB compiled for MIPS), which also has nc.
A good video after another and another and another... good job! Open a Patreon if you need a little motivation to upload more frequently. I would sign up, just like I'm on the LiveOverflow Patreon...
Can I ask how you learned so much about Linux and the other commands that you have used, and Python? Please mention any resources that you used while learning.
Honestly, I've just been using UNIX/Linux for a long time as my daily driver. Nowadays there is a ton of great introductory material on the net, same for Python. A lot of the embedded knowledge also comes from having written my own embedded firmware etc. I think knowing how to build something drastically helps with taking it apart :)
I have an 'IMOU Ranger - 2' IP camera; it got bricked while upgrading its firmware to the latest version, which was followed by a power cut while upgrading. I searched online for its official firmware file but couldn't find one. Any help would be appreciated....
The latest firmware package for the V2 seems to be packed exactly the same way, so I would expect that it still works. I don't have a V3 to test with (yet).
God, I got a problem in the first step. I ran "binwalk -t ****.bin", and then there was a lot of zlib compressed data. I just don't know how to address it. Could anyone help? Really appreciated.
"shameless plug", not sure why but I laughed my ass off at that haha
1 like
western vibes, 2020-05-13 16:36:02 (edited 2020-05-13 16:36:46)
I am dumb, I couldn't understand the packing part a bit. Do you have any course online? Or any resources that would help? I come from a web and network exploitation background and am getting into firmware reversing and stuff; I couldn't understand a bit while packing the firmware. :(
Can you help please? Getting this error when I tried to extract using binwalk -e: "WARNING: Extractor.execute failed to run external extractor 'jefferson -d 'jffs2-root' '%e'': [Errno 2] No such file or directory: 'jefferson': 'jefferson', 'jefferson -d 'jffs2-root' '%e'' might not be installed correctly"
Man, you are a genius. I can only wish to know a half of a half of what you know. Can you do some Alexa hacking? My brother-in-law has one and I would love to do some pranks on him
One day I will be an expert like you are... Can you help me with what I should learn, how much I should learn and what to focus on? Please make a motivation video and a video about your failures, so I can tell myself after a failure: wait a minute, failure is the key to success... So please make a video on that
I have an old DVR that I am not using, and the firmware was just a tarball. When the device boots, it starts telnetd, and then it never stops it, unlike the camera that you're showing. And? Can you guess the root password to the DVR? It's win1dows
Was anyone able to get jefferson up and running? I went to the GitHub page and followed the steps but was unable to get the Python lzma installed. I'm on a fresh install of Kali.
I am trying to learn about firmware and stuff like that and am trying to do this with the Foscam firmware 11_37_2_65. When I use binwalk on it, it shows a zip archive and a romfs filesystem, but I cannot find out how to modify the romfs filesystem. Can anyone help and tell me how I can modify it?
binwalk output:
20 0x14 Zip archive data, at least v2.0 to extract, compressed size: 740120, uncompressed size: 1547720, name: linux.bin
740270 0xB4BAE End of Zip archive, footer length: 22
740292 0xB4BC4 romfs filesystem, version 1 size: 1003200 bytes, named "rom 52601301"
file output after using the extractor tool:
romfs: romfs filesystem, version 1 1003200 bytes, named rom 52601301.
Wyze is the shadiest shit on Amazon. I mean how can you buy that and be totally complacent with knowing that the Chinese have the ability to spy on you.
Whoever disliked this is either an idiot or they accidentally clicked the wrong button. Great video man and it would be good to see more videos like this that give us novices guidance in exploiting devices. It's also good that you've shown it with a device we have access to, so yeah, much appreciated 👍
But I think there is a lot more going on in the show... I mean, in reality it is pretty much what is shown in the video, but who would watch a show about it? Except for strange nerds, that watch videos like this one ;)
Nothing really if you're not malicious. It's just concrete proof of how (relatively) easy it is to backdoor them. If you're malicious, you could then sell the backdoored cameras. Not sure what you'd do with the backdoor, but I'm sure people with malicious intent can figure out something to do with it.
Remember kids. The S in IoT stands for security.
1725 likes
Replies (13)
eri
bUt ThErE iS nO s In IoT
74 likes
eri
and the R for reliability, M for maintenance, U for upgradeability.
66 likes
Ok deploy my IOTs please! :-)
4 likes
@Andreas Delleske sounds like you'd prefer some RUM
21 likes
Well when you flash your own firmware to add security vulnerabilities...
12 likes
the I stands for a Y because the developer already developed the extra Y.
edit: god damn it made sense when I was thinking in French, but as soon as I posted it I realized it didn't make any sense in English, guess I'll go develop an IoT device now.
8 likes
And the I in IoT stands for Moron.
1 like
@Sizlo Mc Donnerbogen When the OEM does not implement the slightest security measures (checksumming, signing...) to prevent you from...
2 likes
Sold.
1 like
well technically, IoT stands for Internet of Things, so there is kind of an S lol
1 like
This is one of my favorite jokes of all time
0 likes
What does the H stand for?
0 likes
@Herv3 tell me
0 likes
I have had the Newest.Technology system since they were initially released (over 2 years). I love the ease of use and they work well. Batteries last a long time too. I have added cameras as needed. I love the two-way communication with this one.
12 likes
Exactly what I was searching for, a well-detailed CCTV firmware reversing tutorial. Hey Ninja, I really like your work and your way of explanation. Please upload more videos, and make it a bit more frequent, like 1 video/month.
145 likes
So if you buy one of these used, you should flash the official firmware. Apart from that, not restricting firmware flashing is not a big deal, since flashing it requires physical access to the camera anyway, and having the ability to flash a custom firmware means one can make custom security updates after the camera is discontinued and no longer receives official updates.
121 likes
Replies (8)
And hope that a return doesn't get repacked as new
22 likes
"not restricting firmware flashing is not a big deal": if this was the only way to install firmware, that might be true, BUT it can also be upgraded remotely, without touching the camera. I don't know if that has any extra security or not.
12 likes
It's a big deal because I can tamper with that camera and then sell it on eBay. Then as luck will have it that camera winds up somewhere important.
15 likes
@statinskill but then the app won't work anymore.
0 likes
@statinskill also because now it is in the local network, any other not so secure home device can be hacked
3 likes
@ThiloTech Did he modify anything that would make the app no longer work?
3 likes
But I believe it's also possible to disable the firmware upgrade feature completely or even fake it. Flashing official firmware will not work in that case.
3 likes
@statinskill yes but I prefer devices where I can install my own firmware over devices that are locked to the manufacturer firmware.
12 likes
You need physical access to the device to install the firmware, and the fact that you can install a custom firmware and sell it is true for everything: imagine a keyboard, what stops you from taking it apart and putting a hardware keylogger in it? Or even a device with all sorts of protections, in the end you can just modify the hardware.
But if you have the possibility to flash a custom firmware, it's not a problem, because you just don't trust the firmware of the Chinese manufacturer (that surely contains vulnerabilities or backdoors) and just flash your own. Problem solved.
This is EXACTLY what I was looking for when I bought this camera. I hate that the default firmware doesn't allow video streaming via the Wyze app without an internet connection [via LAN]. So finally I have a means to circumvent their servers while still attaining live video footage.
60 likes
We don't need to see the baby monitors when we're out of the house.
Take a look at the access log of your server :)
963 likes
Replies (6)
"GET /Awesome_video_dude_Keep_up_the_great_work
832 likes
Hah, love it! Thanks man!
@stacksmashing awesome that the message got to you :) Really enjoyed the video. Hope you have some more planned ^^
187 likes
/slow clap.
91 likes
haha that's awesome
22 likes
@xOr Vega sent a GET request to his server saying "/Awesome_video_dude_Keep_up_the_great_work"
23 likes
ahahhhh
1 like
The 19 dislikes are smart camera manufacturers
234 likes
Replies (2)
@fivethreeone stop blaming everything on bots probably lol, maybe people tap on it by mistake. Happens to me sometimes too.
2 likes
The 75 people only like cat videos
0 likes
Can we quickly laugh at how stupid their way of stopping telnetd is? Instead of uninstalling it and/or removing it from the rcS file, they just kill it (and not even stop the service, they just use killall).
224 likes
Replies (5)
Based on where the killall is from, I'm guessing the telnetd was a backup access point for testing. If the camera starts up, but can't load the camera app for some reason, it won't kill the telnet daemon, and they can log in to figure out what broke.
78 likes
@AcornAnomaly Shouldn't make it into prod FW though
9 likes
@Arnaud MEURET No, but taking advantage of it in this instance would still require either an already compromised or non-functioning device. There have been worse backdoor incidents.
5 likes
Ideally, they'd have removed it or disabled it, but after they had an already working image, they may not have wanted to mess around too much with it, especially since, as I said above, taking advantage of that isn't generally achievable remotely.
maybe it's used for support from the company
1 like
methinks they be lazy
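One way to check an extracted root filesystem for exactly this pattern, and to take the daemon out of the init script instead of killing it, as an added shell example (not code from the video or from any vendor image; the rcS contents, file names and the `telnetd_exposure`/`disable_daemon` helpers are constructed for illustration):

```shell
#!/bin/sh
# Added example: audit an init script for the "start telnetd at boot, killall
# it later" pattern, then produce a hardened copy with the daemon removed.
# Runs on a constructed rcS; on a real image point it at
# squashfs-root/etc/init.d/rcS (path is an assumption).
set -eu

# find_daemon_refs FILE NAME
# Prints "kind:lineno:text" for every non-comment line mentioning NAME as a
# whole word; kind is "kill" for kill/killall lines and "start" otherwise.
find_daemon_refs() {
  grep -nE "(^|[^[:alnum:]_])$2([^[:alnum:]_]|$)" "$1" | while IFS= read -r hit; do
    no=${hit%%:*}; text=${hit#*:}
    text=${text#"${text%%[![:space:]]*}"}        # strip leading whitespace
    case $text in '#'*) continue ;; esac         # commented out: not a reference
    case $text in
      *kill*) echo "kill:$no:$text" ;;
      *)      echo "start:$no:$text" ;;
    esac
  done
}

# telnetd_exposure FILE -> none | started | started-then-killed | killed-only
# "started-then-killed" is the pattern from the video: the daemon is live from
# boot until the application kills it, and stays up if the application fails.
telnetd_exposure() {
  refs=$(find_daemon_refs "$1" telnetd)
  started=0; killed=0
  printf '%s\n' "$refs" | grep -q '^start:' && started=1
  printf '%s\n' "$refs" | grep -q '^kill:'  && killed=1
  if   [ $started = 1 ] && [ $killed = 1 ]; then echo started-then-killed
  elif [ $started = 1 ]; then echo started
  elif [ $killed = 1 ]; then echo killed-only
  else echo none
  fi
}

# disable_daemon FILE NAME OUT: write OUT as FILE with every line referencing
# NAME commented out, so the daemon is never started (and the now-pointless
# kill goes with it). Keeping the original text leaves a record of the change.
disable_daemon() {
  sed -E "/(^|[^[:alnum:]_])$2([^[:alnum:]_]|$)/s/^([[:space:]]*)(.*)$/\1# disabled by audit: \2/" "$1" > "$3"
}

# Demo on a constructed rcS modelled on the behaviour described in the video,
# not copied from any vendor image.
demo() {
  d=$(mktemp -d)
  cat > "$d/rcS" <<'EOF'
#!/bin/sh
mount -t proc proc /proc
mount -a
telnetd &
/system/bin/camera_app &
sleep 5
killall telnetd
EOF
  echo "references:"; find_daemon_refs "$d/rcS" telnetd
  echo "exposure before: $(telnetd_exposure "$d/rcS")"           # started-then-killed
  disable_daemon "$d/rcS" telnetd "$d/rcS.hardened"
  echo "exposure after:  $(telnetd_exposure "$d/rcS.hardened")"  # none
  rm -rf "$d"
}

demo
```

Run the audit again on the repacked image before flashing; a second init script (the application's own, for instance) can start the daemon just as well as rcS can.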
1 like
That was so easy to watch and learn, no extra and unnecessary steps, no stupid and distracting ads. Simple and awesome IoT exploit. Keep up the good work
4 likes
Really fantastic video, well done. Your explanations and visuals are easy to follow, and we can all tell that you have a good understanding of what you're doing.
15 likes
Wow this was really interesting to see a demonstration by someone willing to explain the thinking process along the way. This is very inspiring!
2 likes
Throughout the video I was like "ok that's very theoretical, how would you install the firmware in real life?" and then you gave the example at the last second and my blood turned cold 😱
230 likes
Replies (4)
same for me haha
5 likes
Still very limited and marginal. No one can do it at large scale because Amazon would get rid of you after sending back 1000 cameras. But yeah, creepy!
1 like
@László Tenki It would be perfect for a semi-targeted attack on someone by simply selling them a camera on eBay. You could just set up an eBay account that sells compromised cameras and no one would figure it out unless you sell one to an IT guy.
2 likes
Buy bulk, flash it all and sell as third party on Amazon.
0 likes
Having a secure firmware upgrade process is important, but it comes with a downside that few manufacturers are kind enough to mitigate. Sure, unauthorized users rely upon insecure firmware update processes to install backdoors, but they're also what authorized users often rely on to install mods. But this is a tiny minority of customers, weighed against the far greater number of customers who would benefit from the extra security. And unfortunately, it's a tiny enough minority that most companies won't consider it worth the extra R&D to provide a secure alternative authentication method for use by the owner, even when they wouldn't otherwise have any reason to go out of their way to lock the owner out.
1 like
It's good to see this channel is still alive, I love your content! Thank you for sharing your knowledge, hope to see more updates in the future
4 likes
Great job on this! I actually have one of these hacked cameras to use as a security cam (but keep it off of the Wyze network). Crazy how simple it is to hack the firmware and can't wait to see more. Might be time for me to start hacking some of my IoT devices. Makes me a bit nervous of how vulnerable my network might be though!
4 likes
Great note about zero padding the modified filesystem image before you bundle it to keep it the same size as the original!
1 like
I loved this video! I plan on picking up a camera to play around with myself! I'm glad I'm not the only one who thought "what if it has been backdoored and returned to the wild". You're a legend man!
0 likes
This is awesome, I can perfectly use tooling such as jefferson right now for firmware modification. To split up flash image partitions, I am simply using dd though and cat things together again.
Edit: Since it looks like jefferson is for extraction only, I'll stick with mounting the rootfs through the mtd + jffs2 kernel modules, which is a bit of work and annoyance, but solved. =) I will still keep jefferson in mind for extraction-only/analysis use-cases though, makes sense also to have something portable. Thank you!
2 likes
Awesome video! Exactly the type of hands-on example I love to see/learn from.
6 likes
Amazing video. I love the "hack" where you get it into RAM where there was more space. I was just wondering though: the need to store the extra binary was to get the reverse shell, but if bash was there, could you then use that instead? I do really like that you went the nc way, because I learned a lot about what to do if the situation arose. Amazing!
0 likes
No doubt, you've already had countless people recommending the Wyze Cam V3. The low light image capability seems very good.
What it doesn't have is RTSP, and Wyze doesn't seem very anxious to provide that capability.
But it's a swell cam.
0 likes
I really liked the style of this video, because it was "just right" for the knowledge I have. You explained it very well and with not too much or too little information. thx!
5 likes
Replies (1)
Yeah, the level of knowledge we have is much lower than we think! Try explaining this to someone or replicating it... You will need to watch this video 100 times over :)
1 like
What a fantastic video!
0 likes
Excellent content and perfect pace.
Really good video with good explanations! Love it dude! Keep up the good work!
1 like
Would this work on the newer V3s? Awesome video and explanation. I'm looking to set one up as a weather webcam for Weather Underground.
1 like
Great tutorial, lots of new utilities I have never heard of before
0 likes
This could all be avoided if the customer had all cameras on their own network (VLAN) with no internet access and no access to the main network. But this was a very informative, detailed video.
0 likes
I really hope this isn't so easy to do for other devices!
0 likes
Generally speaking I do believe systems should allow users to load arbitrary firmware. OTA updates should just be signed, or at least loaded via TLS.
0 likes
Nice video, keep up the good work! But are you planning on uploading more regularly? And do you have any plans in doing more Ghidra related videos?
2 likes
That was a lot easier than it should've been lol..
101 likes
Secure firmware upgrades are a massive problem with stripping owners' abilities to use their device how they want to. If I own the device I should be able to install whatever firmware I want.
If the device is returned and then later given out to a new customer, they should be flashing known good firmware onto it and confirming that it is present.
0 likes
A German Engineer. Nothing more to say :) Ah, wait. A German Reverse Engineer :)) Well done.
70 likes
You should make more such videos, you have the potential to grow your channel
3 likes
This was really interesting, do you have any plans on uploading more IoT videos?
5 likes
This is seriously impressive. How long did this take?
0 likes
Ghidra Ninja - It's been a while. I love your work and want to see more. Thanks for the video.
8 likes
I was able to get into a Faleemi outdoor camera with this exact same method (except they have an option to only update the rootfs, so I only needed to repack the squash file with no U-Boot header). Works like a charm, and with telnet/wget I can update my camera remotely with my custom firmware. Thank you so much for my first IoT hack! I was also able to get a UART terminal to it on the hardware side.
0 likes
Thanks for the tip! Gonna try and modify an init script, pack the squashfs and update the camera. Should be similar to your model
0 likes
I'm going to start checking the firmware on every device I buy from now on. On the plus side it will keep me from buying too many things :D.
1 like
I just found your content yesterday, and I am HOOKED. Keep up the awesome work :)
0 likes
I had a friend whose mom purchased a cheap Walmart IoT camera.
This camera has two-way communication features and makes an alert when the owner rings in. One time it made the alert sound but no audio on the other end. They literally believed it was caused by ghosts as the camera ". . . doesn't connect to the internet, it goes through my mom's phone."
0 likes
How it started: Aw yeah but if someone has physical access what's the big deal? Security is almost always at a loss once you have physical access. I'd rather be able to tinker with and mod my devices.
How it's going: Hooooooly heck, I am now terrified of everything that ever was or ever has been.
0 likes
Your videos are amazing, please never stop posting videos, I am now a student of yours.
0 likes
Found your channel watching the new Game and Watch hacks and enjoying the content library, this video was awesome to watch and might try to do this myself on my own Wyze cam.
0 likes
Interesting to see the miio client on there, same thing is running on my vacuum. Thanks for the very informative video
0 likes
Great video! Is there a way to repack the JFFS2 directory like you did with the squashfs folders? I took a look at jefferson but the docs only mention the ability to extract.
0 likes
Replies (1)
You can re-pack the JFFS2 filesystem by using mkfs.jffs2. The problem I'm running into is that the repacked filesystem (no modification) is larger than the original so my offsets are wrong when I go to re-pack the bin file. I'm not terribly skilled in Python so I'm trying to figure out how to mod the wyze_extractor script to build the image properly using a modified JFFS2 filesystem. Hopefully I'll be able to post my fixes here, as I'm working on a mod for my own purposes.
1 likeGood security practice to reinstall the firmware on used devices I suppose.
0 likesThank you for this video. Tell me, please, is it possible to edit files within a SBN (signed binary) file and then repack with this method? I can open the archive and see the files inside but I'm not sure how to repack it.
0 likesI've said it before and I'll say it again: The Internet of Things is a terrible idea.
0 likesIf a device can connect to the internet and it isn't a full-blown computer (or something that can act like one without voiding the warranty, like a smartphone), don't use it. Don't let it anywhere near you. There's no telling what it'll do. A camera could spy on you. A fridge could be bricked. Heck, electronics can outright explode under the right circumstances and with a malicious enough attack.
Another thing to do is to engineer a completely new board for that camera. One that runs the original firmware, except on the SOC there is another hidden core that taps into the wifi and the camera sensor. Perhaps even add one of those very interesting radios I read about the other day, and exfiltrate images from up to 7Km away.
0 likesNow not everybody can afford a santa's work shop where all kinds of nifty things are made, such as certain upgrades for routers and the like, but it is still food for thought. The added benefit is you could leave the manufacturer provided backdoors dormant, perhaps add a feature to disable them remotely.
I once bought a shady cam on Amazon just for the fun of it and did a port scan, found out they simply had the Telnet port open with no root password set so yeah...
8 likesI'd love to flash a custom firmware on the camera since the hardware itself is nice but it doesn't provide RTSP (open Telnet port wouldn't be much of an issue just in my local LAN and behind a separate VLAN) but it seems like that my camera has almost no Google entries at all :(
Replies (2)
Since around three years I've been seeing you all over YouTube videos I watch. You have some fine taste haha.
4 likesThere is an official Wyze firmware that supports RTSP
0 likesSuch a great video! Very informational
1 likeMost devices have some sort of checksum of the firmware binary, how do you usually bypass that?
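The two questions above, the rebuilt JFFS2 that came out larger than the original and broke the offsets, and how a firmware "checksum" gets past, have the same answer for the U-Boot headers the commenters mention: a legacy uImage header carries two plain CRC32s (one over the header with its own CRC field zeroed, one over the payload), so after editing the payload you recompute both rather than bypass anything, and a rebuilt section has to fit the fixed slot the outer image reserves for it or every later offset shifts. The following Python is an added example written for this thread, not code from the video or from the wyze_extractor script. The 64-byte header layout is U-Boot's documented format; the payload, the slot offset and length, the image name and the OS/arch/type defaults are constructed stand-ins, not the layout of any specific camera's firmware.

```python
"""Verify and rebuild U-Boot legacy image (uImage) headers, and check a rebuilt
section against the slot reserved for it in an outer firmware image.

Added example for this thread; the payload, section offsets and image name are
constructed stand-ins, not the layout of any specific camera firmware.
"""
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
# Big-endian uImage header: magic, header CRC, timestamp, data size, load address,
# entry point, data CRC, OS, arch, image type, compression, 32-byte name.
HDR_FMT = ">7I4B32s"
HDR_LEN = struct.calcsize(HDR_FMT)  # 64 bytes


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_uimage(blob: bytes):
    """Return (header dict, payload bytes). Raises ValueError on a bad magic."""
    if len(blob) < HDR_LEN:
        raise ValueError("too short for a uImage header")
    (magic, hcrc, ts, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = struct.unpack(HDR_FMT, blob[:HDR_LEN])
    if magic != UIMAGE_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}")
    hdr = {"hcrc": hcrc, "time": ts, "size": size, "load": load, "ep": ep,
           "dcrc": dcrc, "os": os_, "arch": arch, "type": typ, "comp": comp,
           "name": name.rstrip(b"\0").decode("ascii", "replace")}
    return hdr, blob[HDR_LEN:HDR_LEN + size]


def verify_uimage(blob: bytes):
    """Return (header_crc_ok, data_crc_ok). The header CRC is computed over the
    header with the hcrc field itself zeroed, which is how U-Boot/mkimage do it."""
    hdr, data = parse_uimage(blob)
    zeroed = blob[:4] + b"\0\0\0\0" + blob[8:HDR_LEN]
    return crc32(zeroed) == hdr["hcrc"], crc32(data) == hdr["dcrc"]


def build_uimage(data: bytes, name: str, *, load=0, ep=0, os_=5, arch=5,
                 typ=2, comp=0, ts=0) -> bytes:
    """Wrap data in a fresh uImage header with both CRCs recomputed.
    The defaults (os=5 Linux, arch=5 MIPS, type=2 kernel, comp=0 none) are only
    placeholders; copy the real values from the header you extracted."""
    dcrc = crc32(data)
    hdr = struct.pack(HDR_FMT, UIMAGE_MAGIC, 0, ts, len(data), load, ep, dcrc,
                      os_, arch, typ, comp, name.encode("ascii")[:32])
    hdr = hdr[:4] + struct.pack(">I", crc32(hdr)) + hdr[8:]
    return hdr + data


def replace_section(image: bytes, offset: int, slot_len: int, section: bytes) -> bytes:
    """Write a rebuilt section into its fixed slot of the outer image.
    A section that outgrew its slot would shift every later section, so refuse it
    instead of silently corrupting the offsets; pad short sections with 0xFF
    (the erased-flash value) so the image keeps its original size."""
    if len(section) > slot_len:
        raise ValueError(f"section is {len(section) - slot_len} bytes too large for its slot")
    padded = section + b"\xff" * (slot_len - len(section))
    return image[:offset] + padded + image[offset + slot_len:]


def demo() -> bool:
    # Constructed stand-in for a rootfs section and an outer image with one slot for it.
    rootfs = b"SQUASHFS-STANDIN:" + b"\x00" * 200 + b"init: telnetd; killall telnetd\n"
    wrapped = build_uimage(rootfs, "rootfs-stand-in", load=0x80000000, ep=0x80000000)
    assert verify_uimage(wrapped) == (True, True)

    # Same-length patch of the payload (the kind of change an edited init script makes):
    # the header CRC still matches, the data CRC no longer does.
    patched = wrapped.replace(b"killall telnetd", b"# keep  telnetd", 1)
    assert verify_uimage(patched) == (True, False)

    # Rebuild the header over the modified payload and put it back into its slot.
    rebuilt = build_uimage(patched[HDR_LEN:], "rootfs-stand-in", load=0x80000000, ep=0x80000000)
    slot_off, slot_len = 0x100, 0x200
    outer = b"K" * slot_off + wrapped + b"\xff" * (slot_len - len(wrapped)) + b"T" * 16
    outer = replace_section(outer, slot_off, slot_len, rebuilt)
    return verify_uimage(outer[slot_off:slot_off + slot_len]) == (True, True)


if __name__ == "__main__":
    print("demo ok:", demo())
```

The slot check is the answer to the mkfs.jffs2 problem: if the rebuilt filesystem is larger than the original, shrink it (drop files, change the compression or erase-block options of mkfs.jffs2) until it fits, or rewrite every later offset in the outer container, but never let it overrun silently. Devices that sign their images rather than CRC them are a different matter; a recomputed CRC does nothing against a signature check.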
It would be cool to have everything done by one Python script.
Replies (1)
If I get one of these cameras I'm probably gonna do that. That way I can easily make new firmware for it without having to do all those steps.
This is why I stick to IoT stuff with minimal risk of harm, like light bulbs.
Good job on the video, hope you continue to make videos like this.
It would be great if you did a backdoor on a router firmware :D
Most of the cheap imported Chineseum landfill we lovingly call H.264 DVR equipment contains (from the factory) insecure firmware and/or malicious code concealed within the supporting viewer software. Combined with non-secure HTTP servers, these inferior CCTV DVR camera systems (intended for domestic use) make for interesting covert viewing and yet another digital playground to abuse for any bored hacker. 🤣
Can you do a similar reverse engineering on a Huawei 4G dongle? That could be a nice tutorial.
I'm taking some courses in IoT, I still can't understand everything here but I'm enjoying it a lot.
It's been a few years, but I believe I used to use squashfs as the system image on the good ol' T-Mobile G1 (HTC Dream), the first Android device. But I thought it wasn't read-only once mounted, as I used to manipulate the system partition all the time... I may be mistaken though, that was 2009.
Awesome video! Keep up the good work!
Very good job. I liked the reverse shell using netcat; I'm using reverse ssh, but this is easier.
Where does the reverse shell point to initially? If you were to run pwd, for example. Is it just the home dir of the user? (In the case of the video the user would be root.)
How did he calculate the size of each section at 3:07?
Great to see you back. Hope you'll post more videos.
Hi, could you make a video about reading a Bluetooth headphones' firmware? I wonder how, and if it's even possible. My Ubuntu can't see it while they're connected via USB cable and I'm not that smart (yet) to get a custom connection via Bluetooth.
Could you extract the firmware for Vstarcam cameras? They're not available online and the updater inside the camera only downloads a diff of what needs to be updated. I tried extracting from the flash using a Raspberry Pi but it didn't work. These cameras are one of the most sold on AliExpress and I can't find a way to telnet to them. Their RTSP server keeps crashing and I wanted to write a custom script to restart this server. Would be nice if you managed to crack these cameras. Thanks!
Firewall! Disallow internet access for any new device on your network (until you trust it), problem solved!!
I remember when I purchased some HikVision cameras and they were so chatty to somewhere in China. I was nervous, so I created a firewall rule that basically gave them no access to the internet.
What's the method for downloading the firmware already installed on the device to see if it has been compromised?
Would you please help a noob (little knowledge of navigating Linux) check whether any suspicious activity is going on on the devices (CCTV), for instance how to check if any of the cameras or devices connected to my network have connections established outside of my network?
How do I distinguish whether the connection is due to cloud functionality (aka mobile access) or due to malicious software running in the background? Thanks for every comment on this.
Very cool, I have always been thinking about repacking modified firmwares.
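For the questions above about checking whether a camera has connections outside the local network, and how to tell the cloud/app channel from something else, the practical starting point is the connection table of the router the cameras sit behind (on Linux, `conntrack -L`), filtered to flows the cameras initiated toward non-local addresses. The following Python is an added example for this thread, not something from the video. The camera addresses, the sample table lines and the vendor endpoint allowlist are constructed; the TEST-NET ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for Internet hosts, and because Python's `ipaddress` treats those documentation ranges as non-global, "local" is defined explicitly as the RFC 1918, loopback, link-local and multicast ranges rather than via `is_global`.

```python
"""Flag connections from cameras to addresses outside the local network, from
the kind of connection table a Linux router prints with `conntrack -L`.

Added example for this thread. The camera addresses, the vendor endpoint
allowlist and the sample table lines are constructed; TEST-NET addresses
(203.0.113.0/24, 198.51.100.0/24) stand in for real Internet hosts.
"""
import ipaddress
import re
from collections import Counter

# Devices whose traffic we want to audit (constructed).
CAMERAS = {"192.168.1.50", "192.168.1.51"}

# Hypothetical allowlist of endpoints the vendor's cloud/app feature is expected
# to use. In practice you build it from the vendor's documentation or from your
# DNS/firewall logs while the app is in use; without it an IP alone cannot tell
# cloud traffic from a backdoor, and a backdoor can hide inside the cloud channel.
KNOWN_CLOUD = {("203.0.113.10", 443)}

# What counts as "inside": RFC 1918, loopback, link-local and multicast.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]

# Constructed sample of `conntrack -L` output; the first src/dst/sport/dport
# on each line is the original (initiating) direction.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.50 dst=192.168.1.10 sport=44120 dport=554 src=192.168.1.10 dst=192.168.1.50 sport=554 dport=44120 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.50 dst=203.0.113.10 sport=40001 dport=443 src=203.0.113.10 dst=192.168.1.50 sport=443 dport=40001 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.50 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.50 sport=53 dport=5353 mark=0 use=1
tcp      6 120 SYN_SENT src=192.168.1.51 dst=198.51.100.7 sport=51000 dport=23 [UNREPLIED] src=198.51.100.7 dst=192.168.1.51 sport=23 dport=51000 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.99 sport=50000 dport=443 src=203.0.113.99 dst=192.168.1.20 sport=443 dport=50000 [ASSURED] mark=0 use=1
udp      17 170 src=192.168.1.51 dst=198.51.100.123 sport=33333 dport=123 src=198.51.100.123 dst=192.168.1.51 sport=123 dport=33333 mark=0 use=1
"""

FLOW_RE = re.compile(
    r"^(?P<proto>\w+)\s.*?src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)")


def parse_flow(line: str):
    """Return the originating direction of one conntrack line, or None."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    return {"proto": m["proto"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def is_external(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in LOCAL_NETS)


def camera_egress(table: str, cameras=CAMERAS, known=KNOWN_CLOUD):
    """Flows a camera initiated to outside addresses, each tagged 'expected-cloud'
    if the (dst, port) pair is on the allowlist and 'unexpected' otherwise."""
    findings = []
    for line in table.splitlines():
        f = parse_flow(line)
        if not f or f["src"] not in cameras or not is_external(f["dst"]):
            continue
        f["verdict"] = "expected-cloud" if (f["dst"], f["dport"]) in known else "unexpected"
        findings.append(f)
    return findings


def summarize(findings):
    """Count unexpected destinations per camera: the list to take to the firewall."""
    counts = Counter()
    for f in findings:
        if f["verdict"] == "unexpected":
            counts[(f["src"], f["dst"], f["proto"], f["dport"])] += 1
    return counts


if __name__ == "__main__":
    for f in camera_egress(SAMPLE):
        print(f"{f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}  {f['verdict']}")
```

On the constructed sample this reports one expected cloud session on 443 and two unexpected flows: an outbound Telnet attempt to port 23 and NTP to an address you did not configure. The verdict is only as good as the allowlist, so the honest output is "talks to these places", and the remedy the other commenters describe (a separate VLAN with no default route, or a deny rule for everything not on the list) does not depend on knowing why.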
Awesome. I actually have one of these sitting around.
And again we learned... if you actually want privacy, don't get stuff that connects to the internet. In the end you're trusting some company and their devices.
Don't start crying when someone leaks footage from one of the twenty cameras that you have pointing at yourself. It's a real risk and we all take it.
But hey, everyone NEEDS heating that is controlled by the smartphone and stuff like that, right?
Netcat compiled for MIPS should be under 100 KB, no need for a 1.5 MB busybox binary. A good alternative to busybox is toybox (still about 800 KB compiled for MIPS), which also has nc.
Replies (1)
I'm sure this is just a PoC.
Amazing video :) Please make more.
I would back up your channel on another platform like Bitchute or library. YouTube has been deleting channels like yours.
Remember that the I in IoT stands for insecurity.
A good video after another and another and another... good job! Open a Patreon if you need a little motivation to upload more frequently. I would sign up just like I'm on the LiveOverflow Patreon...
Can I ask how you learned so much about Linux and the other commands that you have used, and Python? Please mention any resources that you used while learning.
Replies (2)
Honestly - I've just been using UNIX/Linux for a long time as my daily driver. Nowadays there is a ton of great introductory material on the net, same for Python. A lot of the embedded knowledge also comes from having written my own embedded firmwares etc. - I think knowing how to build something drastically helps with taking it apart :)
@stacksmashing thanks for the response!
I have an 'IMOU Ranger 2' IP camera, it got bricked while upgrading its firmware to the latest version, which was followed by a power cut while upgrading. I searched online for its official firmware file but couldn't find one. Any help would be appreciated....
Great content bro 👍😀
Wait a minute, you mean that those cheap IP cams don't actually call home naturally?! 😁
Amazing to see you back. Loved the video.
Why can't we just use binwalk to extract the content of the firmware?
Awesome video!
What plain-text HTTP server did you use to get the cam to wget from? As I can't get past that.
Thanks, I believe my nosey neighbors watch me through my LED lights also.
Would building a new busybox with netcat included also be an option?
Replies (1)
It depends on how much the size of the firmware increases when the new busybox is compiled.
If it had bash installed, you can do TCP/IP in pure bash.
Otherwise I'd have compiled a small C executable to do it for me.
Replies (1)
Usually socat is included as a busybox binary as well, works as well.
Awesome video 😍
So don't buy low-end security equipment if you intend on having it connected to the internet?
Great job :)
I love your videos!
Any chance this still works with current V2s that are fully updated, or the new V3?
Replies (1)
The latest firmware package for the V2 seems to be packed exactly the same way, so I would expect that it still works. I don't have a V3 to test with (yet).
Anyone click on this and wonder why he needs so many cameras for his back door?
I used the Xiaomi Fang hack firmware but it's even less secure.
This just looks like magic to me.
Might have to get a few of those cams now :D
Huh, I might try binwalk to see if it can analyze the contents of my PS2 "disc backup".
How do you know all of that!! That's impressive.
This video is AMAZING. Thx
Also, this telnetd might be accessible for a split second during boot, don't you think?
This is so cool!
Thank you for that knowledge!
Man, I feel like I'll never be smart enough for this, but I really want a career in cybersec.
Replies (1)
Never too late to start!
God, I got a problem in the first step. I ran "binwalk -t ****.bin", and then there was a lot of zlib compressed data. I just don't know how to address it. Could anyone help? Really appreciate it.
"Shameless plug", not sure why but I laughed my ass off at that haha
I am dumb, I couldn't understand the packing part at all. Do you have any course online? Or any resources that would help? I come from a web and network exploitation background and am getting into firmware reversing and stuff; I couldn't understand a bit of it while packing the firmware. :(
Why would you backdoor it if you can brick it and leave it unusable?
Can you help please - I'm getting this error when I try to extract using binwalk -e: "WARNING: Extractor.execute failed to run external extractor 'jefferson -d 'jffs2-root' '%e'': [Errno 2] No such file or directory: 'jefferson': 'jefferson', 'jefferson -d 'jffs2-root' '%e'' might not be installed correctly"
Replies (1)
It means that you don't have "jefferson" installed: https://github.com/sviehb/jefferson
Can you give us a link for the IoT device?
99.9% are clueless on where the reset button is located!
15:50 Thanks for the advice :)
Replies (1)
12:50 *
Amazing video...
Dude, this channel teaches a lot better. YouTube channel, easy tips, and learn every day.
Note to self: reason not to buy an IP camera #478: IT CAN BE HACKED WITH MALICIOUS FIRMWARE!
Dude, you are coding too fast (too furious?), like you were writing a letter; you are embarrassing me.
Can you do it on a router too?!
Replies (1)
Depends on which router.
Broke: "secure" firmware
Bespoke: no firmware XD
#stateless #StateConsideredHarmful
I wish I was smart enough to do this.
Amazing vid!
Man, you are a genius. I can only wish to know half of a half of what you know. Can you do some Alexa hacking? My brother-in-law has one and I would love to play some pranks on him.
Dude! Amazing!
The "oh s***" moment at the end... love it.
I know a camera that's hacker-proof. VHS analog cameras.
Welcome back! Finally a new video! 🙌
That's the best YouTube sponsorship I've ever seen.... "this video is sponsored by ME" ;)
Cool video..👍👍👍
Is it safe if nobody has hardware access?
Why don't you use binwalk -e?
I've watched this twice and still don't have a clue what's happening haha
From the UK 🇬🇧. Great stuff.
One day I will be an expert like you are...
Can you help me with what I should learn, how much I should learn, and what things to focus on?
Please make a motivation video and a failure video of yourself.
So I can say to myself after failure, wait a min, failure is the key to success..
So please make a video on that.
Can you do the Wyze Cam v3?
TIL about binwalk. Mind blown.
The end was real scary.
At 3:13 why did you skip the 0x80 LZMA compressed section?
I have an old DVR that I am not using, and the firmware was just a tarball. When the device boots, it starts telnetd, and then it never stops it, unlike the camera that you're showing. And? Can you guess the root password to the DVR? It's win1dows.
May as well have been speaking Swahili to me... nice to see how stuff gets hacked though.
Instead of using John the Ripper, why can't we just overwrite the shadow file and put in the hash of a known password, is that possible?
Replies (1)
You could absolutely do that!
Wow... Just wow!
Doom on a Wyze camera, can't wait to see that.
Was anyone able to get jefferson up and running? I went to the GitHub page and followed the steps but was unable to get the Python lzma installed. I'm on a fresh install of Kali.
Does this work on the new v3s?
I am trying to learn about firmware and stuff like that and am trying to do this with the Foscam firmware 11_37_2_65. When I use binwalk on it, it shows a zip archive and a romfs filesystem, but I cannot find out how to modify the romfs filesystem. Can anyone help and tell me how I can modify it?
binwalk output:
20 0x14 Zip archive data, at least v2.0 to extract, compressed size: 740120, uncompressed size: 1547720, name: linux.bin
740270 0xB4BAE End of Zip archive, footer length: 22
740292 0xB4BC4 romfs filesystem, version 1 size: 1003200 bytes, named "rom 52601301"
file output after using the extractor tool:
romfs: romfs filesystem, version 1 1003200 bytes, named rom 52601301.
Will the course be in German or English?
Really? It installs unsigned code? All on its own? Jesus.
Those few last words were completely unnecessary, but on the other hand, I hope that people who get successful won't try it "in public".
So..... you need physical access to the camera....????
Finishes smashing camera on the back door of my house.
"I think I'm doing something wrong!"
Wyze is the shadiest shit on Amazon, I mean how can you buy that and be totally complicit knowing that the Chinese have the ability to spy on you.
Whoever disliked this is either an idiot or they accidentally clicked the wrong button. Great video man, and it would be good to see more videos like this that give us novices guidance in exploiting devices. It's also good that you've shown it with a device we have access to, so yeah, much appreciated 👍
Replies (1)
Or they wanted to see disassembly and Ghidra.
Once I backdoored my neighbour's security cam. He was backdooring his wife...
Replies (2)
Now you are "backdooring" us? (lying)
@Coco Sloan boomer
And that's why you don't buy cheap Chinese security cameras.
Why do you have to repack the image? Don't you already have telnet access as root?
God, I wish I were this smart.
👏👏👏
Where do I learn reverse engineering??
And this is why you put cameras onto their own isolated LAN without internet.... :D
Replies (1)
How do you do that? What if the camera uses an app?
Time to sell some backdoored cameras. Thx >:)
More like we hope to see YOU soon on this channel again. Whatever happened to WannaCry part 2?
Replies (2)
Honestly: started it, found that without a debugger it really doesn't make sense in parts, so hoping for the debugger release :)
@stacksmashing does it use something like mutable code or something like that? Is that why something like simple OllyDbg or x64dbg won't work?
Like in Mr. Robot!
Replies (1)
But I think there is a lot more going on in the show... I mean, in reality it is pretty much what is shown in the video, but who would watch a show about it? Except for strange nerds that watch videos like this one ;)
I have one of these branded as Xiaomi? China just does whatever it wants hahaha
Why do you have so many cameras, any plans on selling them online? :)
Replies (2)
As mentioned in the video I'm using them in my IoT security class - also they're so cheap everywhere else that it wouldn't make sense to do that :)
@stacksmashing we sell them at my work and I want to urge people not to buy them so bad.
Hey, I love you. This was a fun video to watch.
CTFs be like 👍
Great.
T.Hanks
We need more videos xD
Subbed ;)
I can't attend your class, can you sell me the recorded videos?
I don't understand.
What does he win by hacking the camera?
Replies (1)
Nothing really, if you're not malicious. It's just concrete proof of how (relatively) easy it is to backdoor them.
If you're malicious, you could then sell the backdoored cameras. Not sure what you'd do with the backdoor, but I'm sure people with malicious intent can figure out something to do with it.
Suddenly...
Mirai be like: first time?
Want more videos.
I feel like Rami Malek/Elliot Anderson now.
Holy shit.. he ruined buying stuff, period.. jk.. so much to learn..
Finally! YAY
WHERE IS MY WANNACRY PART 2?????????????
I feel like this guy doesn't smile.
How can I contact you? @stacksmashing / Ghidra Ninja
Why is this script running telnetd and then killing it? It makes no sense.
my_mind == boom
Welcome back-
nice
nice
Why nc instead of socat, where you have SSL capabilities? Now your reverse shell is plaintext.
I'm absolutely sure that you are from the German-speaking area. This accent is so unique hahah :D
Replies (4)
Me no understand 😇
@stacksmashing
I thought your mother language is German. You sound like a German person speaking English haha
That was a joke, I'm German :)
@stacksmashing (x
ismart12 for the password? Hah.
I am 12 and what is smart?
Yay! :)
Ninja indeed
Replies (2)
@Ghidra Ninja what do I need to do or study to be like you?
May be ninja, but not Ghidra.
To improve, just do work. Either engineering or reverse engineering. There's no guide to becoming a master, only a beginner.
By any chance, do you live in Stuttgart?
Heck ya, new vid
Pleeeease, be more quick... The content is good but I can almost not watch it all.
Your English sounds German. Where are you from?
Dude, where is WannaCry part 2?
Why did I get this recommended?
Yikes, you use a Mac, yucky
Replies (1)
¯\_(ツ)_/¯