Gaming giant says hackers stole source code, software tools


We're always interested in looking at the security of consumer and enterprise kit, whether it's for a customer as part of a product security evaluation or for our own interest. For our most recent IoT adventure we've examined an outdoor cloud security camera which, like many devices of its generation, a) has an associated smartphone app, b) is quick to set up and c) presents new security threats to your network.



The Motorola Focus 73 outdoor security camera is packed with features and quite a few surprises - it's not made by Motorola for starters. It's the outdoor variant of a family of Blink and Motorola IP cameras manufactured by Binatone which includes baby monitors. All these products boast cloud connectivity via the Hubble service (built upon an Amazon EC2 instance) which allows owners to watch and control their camera remotely as well as receive movement alerts, provided their monthly plan permits it, through a mobile app.

This blog describes in detail how we were able to exploit the camera without access to the local network, steal secrets including the home network's Wi-Fi password, obtain full control of the PTZ (Pan-Tilt-Zoom) controls and redirect the video feed and movement alerts to our own server; effectively watching the watchers.


The Teardown

Whenever we get new kit, we're always keen to understand what powers it. A teardown of the device revealed a Nuvoton ARM9 SoC (N329x), with a N79E814AT20 CPU. GPIO terminals are offered adjacent to the CPU (pin mask is 15) and there is a prominent (and hugely significant) micro switch behind the glass dome which allows the app to find the camera during setup.

The PCB links to the motorised gimbal which can rotate left and right, but has a (soft) stop at 90 degrees either side. This gives a total azimuth of 180 degrees which can be controlled via API commands.



Network connectivity is provided through either 802.11 or wired Ethernet with the latter taking precedence.

An LED above the lens gives a clue to system status and can be controlled via a bespoke command. The LED is always on whilst the camera is working/observing and pulses on and off when streaming video to a remote server or processing a movement alert.

The corresponding Hubble mobile app is available for free from the usual app stores; for this research we used the Android app from the Google Play store. The app is the portal to your cameras, all of which are associated with a Hubble account. The app is also the only 'official' method of provisioning a camera and supports many more models of IP cameras beyond the Focus 73 through the use of a standard API.

The Setup

During setup the app instructs the user to either plug in an Ethernet cable or press the 'pair' button on the camera, which causes the camera to switch to host mode and offer up an open (aka insecure) wireless network. The app then scans for this network, which is typically called CameraHD-(MAC address), and prompts the user to connect to it. This is an alarming feature for a camera designed for outdoor use, particularly as the camera also offers a host of unfiltered network services, including the network video feed (RTSP), a bespoke internal messaging service for initiating alerts and two distinct web servers (nuvoton and busybox), one of which has an undocumented firmware upgrade page. Readers of our other blogs will know how much we like upgrading firmware…



When the app associates with this open access point it issues requests to the nuvoton web server to perform a wireless scan of visible networks using the Linux iwlist command, the results of which are returned to the app as XML so you can pick your network from a list. Once selected, you must enter your private Wi-Fi security key, which is then broadcast unencrypted over the open network accompanied by some basic HTTP Authentication in the form of username 'camera' and password '000000'. Anyone in radio range while the camera is being paired can therefore capture the home network's PSK. The query string is a curious concatenation of the lengths of the SSID, PSK, username and password followed by the fields themselves - worthy of a point for originality.

This HTTP Authentication appears to be legacy and is not used; a situation which we found to be fairly common on this device. For example there are many legacy webpages on the camera (some of which were written for the MBP2000W), like /routersetup.html. A cursory examination of these provides insight into a previous incarnation of this hardware as a baby monitor (pre-Hubble).

System Overview



Once configured, the app communicates indirectly with the camera via the Hubble cloud service. It does this through a combination of a TLS protected REST API for commands and alerts and a connection to a streaming video server for real-time video. The real-time video aspect is slightly more complicated. The mobile app signals to the Hubble server that it wishes to initiate a streaming video session. In order to send this command on to the camera, the Hubble server needs a way of locating it on the Internet and the ability to create an inbound connection through the firewall of whatever network the camera is linked to.

The traditional way of enabling inbound connections through a NAT router is via the STUN (Session Traversal Utilities for NAT) protocol. The camera sends regular heartbeat messages to the Hubble server, informing it of the camera's external (WAN) IP address and the UDP port that it is listening for messages on. More precisely, each outbound heartbeat creates or refreshes a NAT mapping which stays open for a limited time (120s), a temporary hole in the firewall permitting the Hubble server to connect back to the camera as long as the heartbeats keep arriving.


Communication between Hubble and the camera is carried within the STUN protocol itself, which is an interesting way to use STUN since it is meant to be used in support of other network protocols, much the same way DNS enables an HTTP session. The camera maintains an open UDP port on the NAT router via regular STUN heartbeat messages, through which it receives ad-hoc commands from Hubble.

A typical command would be 'start streaming video', which would be sent as an AES encrypted message to the STUN client on the camera. The client decrypts it using a local key, then forwards it on to the camera's own web server using the cURL utility.

The web server then runs a local script which, in the case of streaming video, generates a random URL built around the hardcoded IP address of the remote video server. This URL is returned to the cURL client, which in turn returns it via an encrypted STUN message to Hubble and ultimately the app. Once the public URL is received by the app it connects directly to the video server and receives a UDP stream of video data. This obscure public URL can also be accessed directly by other clients; its randomness is the only thing protecting the stream.
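To make the heartbeat mechanism concrete, here is an added example (not code from the original post, and not Hubble's or Binatone's implementation) that builds a STUN Binding Request as defined in RFC 5389, parses the XOR-MAPPED-ADDRESS attribute from a Binding Response to recover the reflexive WAN address and port, and schedules heartbeats against the observed 120 second mapping lifetime. The response bytes are constructed inline by the example's own server-side helper so it runs offline; the AES-wrapped command channel the camera layers on top of STUN is not modelled.

```python
"""STUN Binding Request / Response handling (RFC 5389), added example.

Models the camera-side keepalive described above: the camera sends a
Binding Request, the server answers with the camera's reflexive (WAN)
address in XOR-MAPPED-ADDRESS, and the camera must repeat this before
the NAT mapping expires. Server responses are constructed in-process.
"""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value from RFC 5389 section 6
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020
NAT_MAPPING_LIFETIME = 120.0       # seconds, as observed on the camera


def build_binding_request(txid: bytes = b"") -> bytes:
    """20-byte header: type, length (0, no attributes), magic cookie, 96-bit txid."""
    txid = txid or os.urandom(12)
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def build_binding_response(txid: bytes, ip: str, port: int) -> bytes:
    """Server side, constructed for the example: XOR the address with the cookie."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    # attribute: type, length, reserved byte, family (0x01 = IPv4), x-port, x-address
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def parse_binding_response(data: bytes, txid: bytes) -> tuple:
    """Return (ip, port) from XOR-MAPPED-ADDRESS, checking cookie, txid and type."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or data[8:20] != txid:
        raise ValueError("not a matching STUN response")
    if msg_type != BINDING_SUCCESS:
        raise ValueError("unexpected STUN type 0x%04x" % msg_type)
    body = data[20:20 + length]
    off = 0
    while off + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + attr_len]
        off += 4 + ((attr_len + 3) & ~3)   # attributes are padded to 4-byte boundaries
        if attr_type == XOR_MAPPED_ADDRESS and len(value) >= 8 and value[1] == 0x01:
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            raw = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", raw)), port
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS in response")


def heartbeat_due(last_sent: float, now: float,
                  lifetime: float = NAT_MAPPING_LIFETIME) -> bool:
    """Refresh at half the mapping lifetime so the inbound hole never closes."""
    return (now - last_sent) >= lifetime / 2


if __name__ == "__main__":
    txid = os.urandom(12)
    request = build_binding_request(txid)
    # constructed reply: what the server would send back to a camera behind NAT
    reply = build_binding_response(txid, "203.0.113.7", 40000)
    print(parse_binding_response(reply, txid))
```

On a real network the request would be sent with a UDP socket and the reply read from the same socket; the point of the parser is that the camera learns its own public IP and port from the server, and that the NAT only keeps that port open while the heartbeats continue.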

The Firmware

The firmware wasn’t advertised publicly but like many IoT devices, there was a behind-the-scenes system for updating the firmware which was available via private URLs. Finding these URLs didn't take long with the help of the app which contained partial URLs in its strings. A quiông chồng bit of guesswork to fill in the blanks in the URLs (mã sản phẩm & firmware version) và we were looking at a compressed Linux file system called ‘skyeye’, written by Hong Kong camera firm Cvision. We were also able khổng lồ obtain historical and, more significantly, development firmware via the same method.

The Cvision firmware blob contained /bin, /etc and /lib folders but was not a full Linux OS; rather it was a folder which sat on the mountpoint /mnt/skyeye. Some core binaries like busybox were not included because they belonged to the parent Nuvoton OS, which did not have an update mechanism and so contained lots of old binaries, some 10 years old.

There were references in scripts and configuration files to other models of indoor IP cameras in the firmware, including switch statements for the family of Focus cameras. This suggested the firmware was generic, presumably to reduce development and support costs, and that it would be configured at setup for the particular model, defined in a text file.

The web server housed at /mnt/skyeye/mlswwwn/ used haserl CGI scripts which pass HTTP form parameters directly into the shell environment (as root in this case) to perform functions such as fetching logs or upgrading firmware. In this instance it was exploitable via scripts which later used those saved environment variables in shell commands without any validation.

Malicious Firmware Upgrade

As mentioned previously there are two web servers served from the same folder on the device (/mnt/skyeye/mlswwwn/), on ports 80 and 8080 respectively. The second server is a busybox httpd which, like any normal httpd, restricts access to special files such as executables or scripts in /cgi-bin/. Unfortunately the Nuvoton (possibly MJPG based) web server on port 80 has no such restriction, so any file we couldn't see on port 8080 we could read in full on 80, including ELF binaries which provided a valuable insight into the architecture (ARM32 LE) and executable environment.

One of these files was a very interesting haserl script, called haserlupgrade.cgi, which was identified as the start of the firmware update process. As the firmware is neither encrypted nor signed, we were able to modify it to include an edited haserl script which contained a discreet one line backdoor:

The modified firmware can then be uploaded via http://(IP):8080/fwupgrade.html, allowing us to execute arbitrary commands as root from the browser like so:

http://(IP):8080/cgi-bin/script.cgi?run=cat /etc/passwd
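The underlying weakness is the pattern described above: form fields are copied into the environment and later handed to a shell. The following is an added example written for this post, not the camera's haserl scripts or the backdoor itself; it models that pattern in Python with a vulnerable handler (one shell string built from the `run` parameter) beside a hardened one (an allowlist of named actions executed as argv lists, never through a shell). The `FORM_` prefix mirrors haserl's naming; the allowlisted actions and their argument vectors are assumptions for the example.

```python
"""Form parameter to shell command injection, added example.

Not the camera's code. Shows why copying a form field into a shell
command running as root is exploitable, and one hardened alternative.
"""
import re
import subprocess
from urllib.parse import parse_qs


def form_env(query_string: str) -> dict:
    """haserl-style: each form field becomes a FORM_<name> variable."""
    fields = parse_qs(query_string, keep_blank_values=True)
    return {"FORM_" + name: values[0] for name, values in fields.items()}


def run_vulnerable(query_string: str) -> str:
    """The 'run' field becomes the command line, metacharacters included.

    run=cat%20/etc/passwd%3B%20id executes 'cat /etc/passwd; id' as the
    web server's user (root on the camera).
    """
    env = form_env(query_string)
    command = env.get("FORM_run", "")
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout


# Hardened handler: the client picks an action by name; the argv for each
# action is fixed server-side. Paths here are assumptions for the example.
SAFE_ACTIONS = {
    "logs": ["tail", "-n", "50", "/var/log/messages"],
    "uptime": ["uptime"],
    "echo": ["echo", "hello"],
}
ACTION_NAME = re.compile(r"[a-z_]{1,32}")


def run_hardened(query_string: str) -> str:
    """Reject anything that is not an exact allowlisted action name; no shell."""
    env = form_env(query_string)
    action = env.get("FORM_run", "")
    if not ACTION_NAME.fullmatch(action) or action not in SAFE_ACTIONS:
        raise ValueError("rejected action: %r" % action)
    result = subprocess.run(SAFE_ACTIONS[action], capture_output=True, text=True)
    return result.stdout


def looks_injected(value: str) -> bool:
    """Cheap detector for a log review: shell metacharacters in a form field."""
    return re.search(r"[;&|`$><\n]|\$\(", value) is not None


if __name__ == "__main__":
    # constructed query strings, URL-encoded as a browser would send them
    print(run_vulnerable("run=echo%20hello%3B%20echo%20injected"))   # both commands run
    print(run_hardened("run=echo"))                                 # "hello"
    try:
        run_hardened("run=echo%3B%20id")
    except ValueError as err:
        print(err)
```

Note that quoting the parameter (for instance with `shlex.quote`) would stop the second command running but still lets the client choose what the first one is; fixing the design means the client names an action and the server owns the argv.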

Directory traversal và commvà injection

We identified a potential vulnerability in the haserlupgrade CGI script (see above) in the form of good old directory traversal. The script (running as root) takes a compressed firmware image and moves it to a designated location outside the webroot. Fatally, it does not validate the filename provided in the form, so "new_firmware.tgz" and "../../../mnt/skyeye/etc/cron/root" are both OK. By creating an equivalent script in a test environment we verified that the directory traversal worked because haserl doesn't validate any input, but despite repeated attempts we couldn't get a file to stick; it kept getting removed regardless of where we put it on the file system (which was anywhere, because the script was privileged). At this stage we had the capability to brick the device by overwriting a key file (e.g. /bin/busybox), which considering it's a security camera could be advantageous...

It makes sense that a firmware upgrade process deletes the firmware file on completion. Not to be deterred, we examined the remainder of the script and discovered a call that signals a 'fwupgrade' binary (line 16), which we loaded into IDA. This binary makes use of the firmware file name that was saved into /mnt/cache/new_fwupgrade (line 8). When fwupgrade receives the SIGUSR1 signal it reads 128 bytes from the new_fwupgrade file and uses this as the firmware filename. It then calls a shell script to perform the firmware update on this filename, which cleans up the firmware file on completion.


As the firmware filename is written to a file from which fwupgrade then reads only 128 bytes, a firmware with a very long filename breaks the process: the cleanup step operates on the truncated name, which no longer matches the file that was uploaded, so the uploaded file is never deleted.
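The two defects in the upload path (unvalidated filename, then a fixed 128-byte read of that filename) are easy to reproduce in isolation. The following is an added example, not the camera's haserlupgrade.cgi or fwupgrade binary: it shows the traversal with the path from the post resolving outside the upload directory, a hardened destination check, and a model of the 128-byte read that explains why an over-long name survives cleanup. The upload directory `/mnt/cache` is taken from the post; treating it as the upload root and the `.tgz` extension check are assumptions for the example. Paths are computed with `posixpath` so nothing is written to disk.

```python
"""Firmware upload filename handling, added example (not the camera's code).

Part 1: directory traversal in the destination path.
Part 2: the fixed-size read of the saved filename that lets a long name
        escape the post-upgrade cleanup.
"""
import posixpath

UPLOAD_DIR = "/mnt/cache"   # destination from the post; assumed to be the upload root
NAME_BUF = 128              # bytes fwupgrade reads back for the filename


def vulnerable_dest(filename: str) -> str:
    """Joins the client-supplied name as-is: '..' segments walk out of UPLOAD_DIR."""
    return posixpath.normpath(posixpath.join(UPLOAD_DIR, filename))


def safe_dest(filename: str) -> str:
    """Accept only a bare *.tgz basename and confirm the result stays in UPLOAD_DIR."""
    base = posixpath.basename(filename)
    if base != filename or base in ("", ".", "..") or not base.endswith(".tgz"):
        raise ValueError("rejected firmware filename: %r" % filename)
    if len(base.encode()) >= NAME_BUF:
        raise ValueError("filename too long for the upgrade path: %r" % filename)
    dest = posixpath.normpath(posixpath.join(UPLOAD_DIR, base))
    if posixpath.dirname(dest) != UPLOAD_DIR:
        raise ValueError("destination escapes upload directory: %r" % dest)
    return dest


def fwupgrade_reads(filename: str) -> str:
    """Models a read of NAME_BUF bytes from /mnt/cache/new_fwupgrade."""
    return filename.encode()[:NAME_BUF].decode(errors="ignore")


def cleanup_removes_upload(filename: str) -> bool:
    """True if the cleanup, given the name fwupgrade read, would hit the uploaded file."""
    return fwupgrade_reads(filename) == filename


if __name__ == "__main__":
    # constructed filenames: the two from the post, plus an over-long one
    for name in ("new_firmware.tgz",
                 "../../../mnt/skyeye/etc/cron/root",
                 "a" * 200 + ".tgz"):
        print("vulnerable ->", vulnerable_dest(name))
        try:
            print("safe       ->", safe_dest(name))
        except ValueError as err:
            print("safe       -> rejected:", err)
        print("cleanup removes upload:", cleanup_removes_upload(name))
```

The length check in `safe_dest` is the mirror image of the truncation bug: if the binary on the other side of the signal will only ever read 128 bytes, the CGI must refuse anything it cannot round-trip, otherwise the cleanup and the upload disagree about which file exists.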

