A recent project to roll out a CCTV system at our offices highlighted the immense security challenges posed by "Internet of Things" devices. The convenience offered to customers needs to be balanced against the long-term need for security from the outset. At the dawn of a new era we should make sure a solid foundation is laid, so that we don't end up with a fundamentally broken set of protocols and practices.
4. Several factors came together:
1) Needed a plan for the next big thing,
2) Needed a CCTV solution for the office,
3) Needed it to be fun and interesting to talk about
8. 1) Research CCTV cameras,
2) Buy some cameras,
3) Install cameras,
4) Use ZoneMinder,
5) Profit!
9. ● Lots of cheap CCTV camera solutions out there,
● 4 – 8 channels with DVR,
● Everything comes in one kit
● Pros
– "Hassle free"
– No compatibility issues
– Cheap
● Cons
– No ZoneMinder!
– Lock-in, no source
– Not easily hackable
10. Analogue vs IP Cameras
Analogue cameras
● Pros
– Cheap
● Cons
– Low resolution,
– Wall-wart power supply,
– Need a video capture card
IP cameras
● Pros
– Use PoE,
– High resolution (1080p),
– No capture card
● Cons
– Expensive,
– Requires a PoE switch
15. ● Didn't die figuring out the live and neutral wire!
● Internet said the black wire is always live. What does the internet know!
● Chose the red wire
● I was right!
19. Open Source Wins (again)
– ZoneMinder expandable,
– Configurable,
– Hackable,
– Source available
– ZoneMinder is awesome
Analogue cameras:
– Good for external cameras. Who wants an ethernet cable dangling outside the office?
IP cameras
– Bit of a nightmare
– Undocumented,
– Insecure
20. ● Planet hardware
● Atrocious, i.e. no documentation and really bad firmware (wasn't surprised.)
● Browser app required ActiveX!
● Yay for Windows XP VM – used for tax and other unsavoury purposes.
● No documentation for the stream URL!
● Nada in the web UI :(
● Nada on the interwebs :'(
23. ● Duck-Duck-Go
● There is a standards body that develops a remote camera control API (ONVIF). Yay!
● It's a SOAP-based service :(
● Planet claimed compliance. Yay!
● Nmap – scary results
23/tcp    open          telnet
80/tcp    open          http
554/tcp   open          rtsp
8080/tcp  open          http-alt
16000/tcp open          fmsas
68/udp    open|filtered DHCP
3702/udp  open|filtered WS-Discovery
5060/udp  open|filtered SIP
24. ● 23 – Telnet – can't access, shows a login prompt,
● 8080 – HTTP-Alt – a query to port 8080 with a SOAP browser plugin responds with the WSDL!
● 5060 – SIP – ?
● Banner grabbing – running the ancient Boa HTTP server. As of January 2006, Boa has the following limitations:
● No access control features (HTTP Basic access authentication, etc.)
● No chroot option (planned)
● No Server Side Includes (deemed incompatible with server performance goals)
● No SSL support, although there are some patches against 0.94.13 that introduce SSL support
26. ● ONVIF has different profiles for functionality
● Got security designed in up-front
● Planet implementation:
● No SSL,
● No password needed to query the web service
● Handy web method GetUsers →
● Returns users and plain-text passwords,
● Got the RTSP URL with GetStreamUri. YAY!
● RTSP stream not encrypted!
● No account lockout
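As an added illustration (not code from the talk, and not Planet's or ONVIF's own code), the Python below builds the two ONVIF calls referred to above, GetUsers on the device service and GetStreamUri on the media service, parses sample responses constructed to look like what the slides describe, and contrasts an unauthenticated request with the WS-Security UsernameToken digest that ONVIF actually specifies. The camera address 192.0.2.10, the profile token, the user names and passwords and the sample responses are all assumptions made for the example.

```python
# Added example, not code from the original talk or from Planet/ONVIF. Builds the
# ONVIF SOAP requests the slides mention, parses constructed sample responses, and
# shows the WS-Security UsernameToken that a compliant device should insist on.
# Every address, token and credential below is made up for the demonstration.
import base64
import hashlib
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "tds": "http://www.onvif.org/ver10/device/wsdl",
    "trt": "http://www.onvif.org/ver10/media/wsdl",
    "tt": "http://www.onvif.org/ver10/schema",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
NONCE_B64 = ("http://docs.oasis-open.org/wss/2004/01/"
             "oasis-200401-wss-soap-message-security-1.0#Base64Binary")


def password_digest(password, nonce, created):
    """WS-Security PasswordDigest as used by ONVIF: Base64(SHA1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def username_token(username, password, nonce=None, created=None):
    """wsse:Security header with a digest token; the password itself never goes on the wire."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<wsse:Security xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}"><wsse:UsernameToken>'
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_DIGEST}">{password_digest(password, nonce, created)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{NONCE_B64}">{base64.b64encode(nonce).decode()}</wsse:Nonce>'
        f"<wsu:Created>{created}</wsu:Created></wsse:UsernameToken></wsse:Security>"
    )


def envelope(body, security=""):
    header = f"<s:Header>{security}</s:Header>" if security else ""
    return f'<s:Envelope xmlns:s="{NS["s"]}">{header}<s:Body>{body}</s:Body></s:Envelope>'


def get_users_request(security=""):
    """Device-service GetUsers; with security="" this is the query the slides describe."""
    return envelope(f'<tds:GetUsers xmlns:tds="{NS["tds"]}"/>', security)


def get_stream_uri_request(profile_token, security=""):
    """Media-service GetStreamUri asking for an RTSP unicast URL for one media profile."""
    body = (
        f'<trt:GetStreamUri xmlns:trt="{NS["trt"]}" xmlns:tt="{NS["tt"]}">'
        "<trt:StreamSetup><tt:Stream>RTP-Unicast</tt:Stream>"
        "<tt:Transport><tt:Protocol>RTSP</tt:Protocol></tt:Transport></trt:StreamSetup>"
        f"<trt:ProfileToken>{profile_token}</trt:ProfileToken></trt:GetStreamUri>"
    )
    return envelope(body, security)


def is_unauthenticated(request_xml):
    """True when the request carries no WS-Security UsernameToken at all."""
    return ET.fromstring(request_xml).find(".//wsse:UsernameToken", NS) is None


def parse_users(response_xml):
    """(username, password, level) per user. The ONVIF spec says a device shall not return
    tt:Password; the slides describe a device that returned it in clear text anyway."""
    root = ET.fromstring(response_xml)
    return [
        (u.findtext("tt:Username", namespaces=NS),
         u.findtext("tt:Password", namespaces=NS),
         u.findtext("tt:UserLevel", namespaces=NS))
        for u in root.iterfind(".//tds:GetUsersResponse/tds:User", NS)
    ]


def parse_stream_uri(response_xml):
    return ET.fromstring(response_xml).findtext(
        ".//trt:GetStreamUriResponse/trt:MediaUri/tt:Uri", namespaces=NS)


def stream_is_cleartext(uri):
    """rtsp:// (rather than rtsps://) means the video and any RTSP credentials travel unencrypted."""
    return uri.lower().startswith("rtsp://")


# Constructed sample responses in the shape the talk describes (not real captures).
SAMPLE_GET_USERS_RESPONSE = f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:tds="{NS['tds']}" xmlns:tt="{NS['tt']}">
<s:Body><tds:GetUsersResponse>
<tds:User><tt:Username>admin</tt:Username><tt:Password>admin</tt:Password><tt:UserLevel>Administrator</tt:UserLevel></tds:User>
<tds:User><tt:Username>viewer</tt:Username><tt:Password>viewer123</tt:Password><tt:UserLevel>User</tt:UserLevel></tds:User>
</tds:GetUsersResponse></s:Body></s:Envelope>"""

SAMPLE_GET_STREAM_URI_RESPONSE = f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:trt="{NS['trt']}" xmlns:tt="{NS['tt']}">
<s:Body><trt:GetStreamUriResponse><trt:MediaUri>
<tt:Uri>rtsp://192.0.2.10:554/live.sdp</tt:Uri>
<tt:InvalidAfterConnect>false</tt:InvalidAfterConnect><tt:InvalidAfterReboot>false</tt:InvalidAfterReboot>
<tt:Timeout>PT0S</tt:Timeout></trt:MediaUri></trt:GetStreamUriResponse></s:Body></s:Envelope>"""

if __name__ == "__main__":
    print("GetUsers sent without any token:", is_unauthenticated(get_users_request()))
    for name, pw, level in parse_users(SAMPLE_GET_USERS_RESPONSE):
        print(f"  {name} ({level}) password={pw!r}")
    uri = parse_stream_uri(SAMPLE_GET_STREAM_URI_RESPONSE)
    print("stream:", uri, "(cleartext)" if stream_is_cleartext(uri) else "(encrypted)")
    token = username_token("admin", "secret")
    print("GetUsers with token still unauthenticated:", is_unauthenticated(get_users_request(token)))
```

POSTed over plain HTTP to the device service (the usual ONVIF path is /onvif/device_service; that path is the common convention, not something taken from the Planet firmware), the bare GetUsers request is the query that handed back every account. A compliant device should answer it with a SOAP fault (ter:NotAuthorized) until the wsse:Security header is present, and even then tt:Password should be absent from the reply.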
34. ● Vivotek dome IP camera
● Has Wifi,
● Supports ONVIF,
● Supports PoE
● HikVision dome IP camera
● Supports ONVIF,
● Supports PoE,
● Supports Wifi
22/tcp   open          ssh
80/tcp   open          http
554/tcp  open          rtsp
8000/tcp open          unknown (uPnP?)
8200/tcp open          unknown (uPnP?)
3702/udp open|filtered ws-discovery
5353/udp open          Multicast DNS
35. ● Hikvision
– The Good
● Web interface supports SSL,
● ONVIF web service protected by basic auth,
● Can upload an SSL certificate,
● Can disable uPnP
– The Bad
● Supports a cloud service
● Supports PPPoE,
● Supports Wifi,
● Supports FTP – built-in SD card slot for recording,
● uPnP on by default,
● No SSL by default
● Stream not encrypted!
● No account lockout
36. The Ugly
● Huge attack surface for a device directly exposed to the internet
– Mobile app