We (Synack researchers Colby Moore and Patrick Wardle) recently presented our research, ‘Optical Surgery; Implanting a Dropcam,’ at DefCon 22. We tore apart a Dropcam and showed how a malicious adversary could persistently install a software implant. Though other presentations often leave the design of such an implant as an ‘exercise to the audience (or reader),’ we decided to buck the norm and presented Cuckoo’s Egg; a Dropcam implant. (Note: while other security researchers have blogged about Dropcam, Synack’s work was performed prior to, and independently of, this.)
Dropcam is a “cloud-based Wi-Fi video monitoring service with free live streaming, two-way talk and remote viewing that makes it easy to stay connected with places, people and pets, no matter where you are.” (dropcam.com). Dropcam is known for its ease of use, simplicity, and elegant design. Recently acquired by Nest (owned by Google), Dropcam is poised to become the core of Google’s push into the connected home market. Besides its popularity, the Dropcam’s Linux subsystem and numerous capabilities (Bluetooth, WiFi, audio and video, and USB) make it an incredibly juicy target.
(figure 1) the Dropcam video wi-fi system
Popping a # (Root) Shell
Our initial goal was to get a root shell on a Dropcam Pro so that we could explore the environment. Armed with Colby’s hardware expertise, the Dropcam was quickly popped open and a 3.3V UART was discovered. Upon hooking up an FTDI chip and connecting TX and RX (to pins 3 and 4) and GND, we were presented with a serial console.
(figure 2) connecting a FTDI chip/TX/RX/GND to the Dropcam
Unfortunately, we were unable to guess or brute force the root password. However, by shorting the TX and RX pins on reboot (or by simply holding down the Enter key while powering on the device) we were dropped into the bootloader. Here we were able to modify the boot parameters to boot directly into a root shell; game over!
Vulnerabilities & ‘Features’
With root on the device, we were able to poke around and test the environment. Our presentation delved into several vulnerabilities that we discovered. For example, we determined that the camera was running an old version of OpenSSL which was vulnerable to a client-side Heartbleed attack. Due to this we were able to remotely recover the private certificates which are used to authenticate the camera to the server. Armed with such certificates, an attacker could spoof the camera and inject arbitrary video streams. We also uncovered several host-based privilege escalations in the setup application, a way to push unsigned code down to the camera without having to pop it open, and finally a way to man-in-the-middle the connection between the Dropcam’s iOS application and the Dropcam cloud (due to lack of SSL pinning).
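The Heartbleed finding above is the kind of thing a firmware audit should catch before a device ships. The following Python script is an added example (it is not Synack’s tooling and is not from the presentation): it pulls the version banner that OpenSSL embeds in libssl/libcrypto out of a firmware image and flags the releases affected by Heartbleed. The affected range (OpenSSL 1.0.1 through 1.0.1f, plus the 1.0.2-beta1 pre-release; 1.0.1g carries the fix) is public knowledge about OpenSSL, not something the post states. The firmware blob used as input is constructed for the example; the function and constant names are ours.

```python
import re

# Heartbleed-affected OpenSSL releases: 1.0.1 through 1.0.1f and the 1.0.2-beta1
# pre-release. 1.0.1g and later are fixed. (Public OpenSSL fact, not from the post.)
VULNERABLE_PATCH_LETTERS = "abcdef"

# OpenSSL embeds a banner such as "OpenSSL 1.0.1e 11 Feb 2013" in libssl/libcrypto,
# so the version is recoverable from a raw firmware image without running anything.
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?(?:-beta\d+)?)")


def find_openssl_versions(blob: bytes) -> list[str]:
    """Return every distinct OpenSSL version banner found in the image, in order of appearance."""
    found: list[str] = []
    for m in VERSION_RE.finditer(blob):
        version = m.group(1).decode("ascii")
        if version not in found:
            found.append(version)
    return found


def is_heartbleed_vulnerable(version: str) -> bool:
    """True if the version string names a Heartbleed-affected OpenSSL release."""
    if version in ("1.0.1", "1.0.2-beta1"):
        return True
    m = re.fullmatch(r"1\.0\.1([a-z])", version)
    return bool(m) and m.group(1) in VULNERABLE_PATCH_LETTERS


def scan_firmware(blob: bytes) -> dict[str, bool]:
    """Map each OpenSSL version found in the image to whether it is Heartbleed-affected."""
    return {v: is_heartbleed_vulnerable(v) for v in find_openssl_versions(blob)}


# Constructed sample image (hypothetical): two embedded banners surrounded by junk bytes,
# one affected release and one fixed release.
SAMPLE_IMAGE = (
    b"\x7fELF\x01\x01\x01junk\x00OpenSSL 1.0.1e 11 Feb 2013\x00more junk\xff\xfe"
    b"\x00OpenSSL 1.0.1g 7 Apr 2014\x00trailing data"
)

if __name__ == "__main__":
    # Usage: python scan.py firmware.bin  (falls back to the constructed sample)
    import sys

    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for version, vulnerable in scan_firmware(image).items():
        print(f"OpenSSL {version}: {'VULNERABLE (Heartbleed)' if vulnerable else 'not affected'}")
```

Note that the banner check only tells you which library release was built in; a vendor may have backported the fix without bumping the version string, so treat a hit as a lead to confirm against the vendor’s patch notes rather than as proof. It also catches the client-side case the post describes, since the same library serves both the TLS client in the camera and any server role.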
Cuckoo’s Egg; a Dropcam Implant
The main goal of our talk was to present a software implant, designed to persistently and stealthily live on a Dropcam. This implant, named Cuckoo’s Egg, supports a wide range of advanced capabilities. For example, it is able to hot-mic the device in order to hear everything, both intercept and manipulate the video stream, geolocate the camera, and even infect computers that are used to configure the camera.
While several of the features of the implant were trivial to implement, some required module injection, runtime hooking, and a ton of reverse-engineering. For example, the user-mode core of the camera software talks directly to the video device via undocumented IOCTLs. In order to manipulate the video stream, these IOCTLs and various undocumented structures had to be understood. The slides detail our findings, which ultimately allowed us to inject our own frames directly into the video feed, Ocean’s 11 style.
Finally, as we needed physical access to infect the camera anyway, we decided to add some extra hardware in order to turn the camera into an actual cyber weapon. Intrigued? Check out the slides and demonstration.