Patrick Wardle, Director of Synack Research and Colby Moore, Synack Research Engineer
Video Monitoring solutions such as dropcam aim to provide remote monitoring, protection and security. But what if they could be maliciously subverted? This presentation details a reverse-engineering effort that resulted in the full compromise of a dropcam. Specifically, given physical access and some creative hardware and software hacks, any malicious software may be persistently installed upon the device.
Implanting a wireless video monitoring solution presents some unique opportunities, such as intercepting the video stream, ‘hot-micing’, or even acting as persistent access/attack point within a network. This presentation will describe such an implant and well as revealing a method of infecting either Windows or OS X hosts that are used to configure a subverted dropcam.
If you’ve got physical access to a dropcam, it’s pretty much game over. An attacker can quickly subvert the camera, installing a fully-featured persistent implant. Such an implant can run arbitrary commands, provide geolocation information, exfiltrate or manipulate the audio and video feed, or infect other computers. We will discuss the reverse-engineering efforts that allowed us to develop such capabilities, as well as provide implementation details of our implant.
Our goal is to raise awareness that as these devices can be accessed by hackers or adversaries, they should be scrutinized in the way people protect their laptops or workstations. Don’t trust a camera just because you think it is an isolated gadget, or ignore the one that sits in your company’s spaces. The truth is, a compromised dropcam becomes a full-fledged computer that can be remotely commanded and controlled by a malicious adversary. And since there are no simple ways to detect a such a compromise, an attacker may remain undetected in your network for a long time – scary stuff indeed!