What WERE they thinking? Internet-enabled cameras under the security lens once again…

Vulnerability researchers at Core Security have recently turned their attention to internet-enabled cameras.

IP (internet protocol) cameras are to video surveillance as standalone Wi-Fi routers are to home networks.

You don’t need a host computer, or a video card, or a USB port, or a complicated configuration ritual.

They’re designed so that you simply connect them to your network and they Just Start Capturing, so you will find them very widely used for security monitoring.

Sadly, the Core techies found a veritable raft of holes (if that is not an impertinently mixed metaphor) in cameras from both D-Link and Vivotek.

I’m not going to steal all their thunder here by re-explaining in detail the exploitable vulnerabilities that they found, but I do want to mention some of the holes.

Buffer overflows, authentication bugs and command injections are all regrettable flaws, but at least the programmers didn’t actually intend them to be there. (Let’s assume so, anyway.)

But when security holes arise from features, not bugs, you really do feel like shouting aloud, “What WERE they thinking?”

Here’s an example from Core’s digging into the D-Link products:

Don’t worry if you don’t understand ARM assembly language.

Quickly explained, the code above takes the last three characters of the string username:password, as submitted to the camera’s RTSP (real-time streaming protocol) service.

It checks to see if those trailing characters are :*?, meaning the user entered a password string of *?, and reports success if so.

In other words, the two-character password *? is a hard-wired backdoor password to the camera’s real-time video stream.

Hardwired passwords were a design blunder back in the 1970s; in the 2010s, they are simply unacceptable, so never succumb to the temptation to include them in your code.

And never create backdoors by setting up emergency logins with well-known username/password pairs “just in case,” because that amounts to the same thing, though at least it is a blunder that can be fixed without a code update.

As if the existence of a hardcoded backdoor password wasn’t enough, Core’s spelunkers also found entirely unauthenticated ways to retrieve live video data.

If you know the right URLs to use, you can jump over any password or login hoops, and just access the camera’s video stream directly.

One URL, reports Core, gets you right at the video data; another gets you at a low-bandwidth ASCII-art version of the video’s luminance, or light levels.

Luminance data sounds uninteresting, but actually gives you a perfectly usable black-and-white picture.

Core created a cute example of this bug by pointing the camera at a coffee pot and capturing the output. (Of the camera, not the coffee pot.)

→ Coffee pot videos, especially luminance-only ones, have a primaevally important place in techies’ hearts. The world’s first ever internet webcam was deployed by computer scientists at the University of Cambridge so they could keep track of their coffee-maker remotely. “The image was only updated about three times a minute, but that was fine because the pot filled rather slowly, and it was only greyscale, which was also fine, because so was the coffee.”

Authentication problems showed up in the Vivotek camera firmware, too.

Linux, which is the operating system used on the Vivotek cameras, creates a virtual file system object called /proc/kcore. (RAM used to be made out of ferrite magnets called cores, whence the name.)

Reading this file provides a programmatically uncomplicated way of dumping the kernel’s physical memory.

That usually yields lots of secrets, from credit card magstripe data in point-of-sale devices, to user credentials in Vivotek cameras.

For that reason, the contents of /proc/kcore, and many other system files of that ilk, are usually well-protected.

In particular, when you run a web server, you ought to take steps to prevent visitors from navigating up-and-over in your directory tree by using character sequences like ../../.. to go sneakily upwards towards the root directory.

That’s called a directory traversal bug, and the Core researchers found one in the Vivotek camera, so that they could ask for a URL such as:

That ought to be blocked, but it is not. (To be fair to Vivotek, Core pointed out that with the latest camera firmware, you have to log in before this trick will work, but in previous firmwares even an unauthenticated user could grab the core file. No pun intended.)
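One way a web server can enforce the up-and-over check described above, as an added example (not code from Core's advisory or from the camera firmware). The document root, the function name and the request paths are assumptions constructed for illustration.

```python
import os
from urllib.parse import unquote, urlsplit

DOC_ROOT = "/var/www/camera"  # hypothetical document root (assumption)


def resolve_request_path(request_target, doc_root=DOC_ROOT):
    """Map a request target to a file under doc_root, or return None to refuse it."""
    # Drop the query string and fragment, then percent-decode exactly once.
    path = unquote(urlsplit(request_target).path)
    # Refuse characters that have no business in a served path: NUL truncates
    # C strings, backslash is a separator on some back ends, and a '%' that
    # survives decoding means the client double-encoded something.
    if any(ch in path for ch in ("\x00", "\\", "%")):
        return None
    root = os.path.realpath(doc_root)
    # Join relative to the root, then canonicalise: realpath collapses ".."
    # and follows symlinks, so the check below sees the file that would
    # actually be opened.
    candidate = os.path.realpath(os.path.join(root, path.lstrip("/")))
    # Compare whole path components, not a string prefix, so that
    # "/var/www/camera-old" does not pass as being inside "/var/www/camera".
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests, not taken from the advisory.
    samples = [
        "/images/logo.png",
        "/../../../proc/kcore",
        "/%2e%2e/%2e%2e/%2e%2e/proc/kcore",
        "/%252e%252e/%252e%252e/proc/kcore",
        "/../camera-old/secret",
    ]
    for target in samples:
        print(f"{target!r:45} -> {resolve_request_path(target)}")
```

The containment test runs on the canonical path after decoding, which is why the plain, percent-encoded and double-encoded forms of the same request are all refused.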

As we’ve written before, security patches for hardware devices like routers, printers and cameras are often overlooked.

Don’t let that happen!

Always-on devices like routers and cameras are typically part of your security infrastructure, so a compromise on one of them could facilitate the compromise of your whole network.