$30 webcam spun into persistent network backdoor

Vectra Networks security wonks have spun a cheap webcam into a backdoor to persistently p0wn PCs. The junk hacking expedition led Vectra's chief security chap Gunter Ollman into the internals of the D-Link DCS 930L, a network camera that can be had for US$30. The attacks are useful as an alternative backdoor for targeted …

  1. Christian Berger

    Running your own firmware is not a security problem, it's an essential right you have

    The problem in this case was that you could change the firmware without being physically at the device. A simple button, or in fact a timer that only allows firmware updates for the first n minutes after booting would have solved that problem.

    Of course this is an easy find. Just look at the firmware images, take them apart and change them before putting them together again. Installing the cross compiler to make your own binaries to put into that image is more complicated than that. Many people who want to start a career in security or who want to promote their security outfit just bring that out purely for promotion. That would be perfectly all right if it wouldn't set the idea into people's minds that running your own firmware is a security risk.

    Let me put it in another way. What they did is to change the firmware and remove the update function. A legitimate user might do exactly the same. First remove all the junk from the firmware you don't want (i.e. the calling home functions) then remove the update function so nobody would install the less secure vendor provided version again. Removing functionality is relatively easy and it can bring you a great security benefit.

  2. Pete 2 Silver badge

    Applies to everything?

    So, the guy reflashed a commercial product and added a backdoor.

    What was special about this particular camera, that couldn't be applied to pretty much any device capable of being upgraded by its owner or a potential baddie? [ See below for the answer ]

    ISTM the only "weakness" on this device is that the researcher was able to work out how it worked and to add code that didn't screw up its operation (although given the parlous state of the software on some of these cheapo cameras, it's difficult to say what "normal operation" actually is).

    As for

    > A fix would require a Trusted Platform Module or specialised chip to verify software updates.

    That's not going to happen, so it's probably best that these devices remove the upgrade / reflash option (although how you'd stop people whipping the lid off and reflashing through the internal programming / debug interface, I do not know). Alternatively, since this device can already be hacked to run OpenWRT (why? FFS!), maybe the easy access and hackability that Linux provides is becoming more of a liability than a benefit?

    1. John Sturdy

      Liability AND benefit (Applies to everything?)

      Although it's a liability when someone else does it, there are all sorts of benefits to being able to customize a camera yourself.

      The one that appeals to me is using the steady stream of data with low information density as the carrier for steganography --- thus using surveillance equipment to counter another form of surveillance.

      To get a suitable data stream, point the camera so it includes some of the outdoors in its field of view; trees waving in the wind, shadows of clouds moving across the lawn, birds flying past... an empty room might not be good enough in itself. Or maybe a fishtank would do. I wonder whether spies will now start taking an interest in anyone with a webcam showing their aquarium, and wonder what they're hiding?

      That being said... being able to reflash it without physical access, or at least a user-settable password, would be appalling. But the OpenWRT instructions make it look like that's not what's happening here.

  3. Doctor Syntax Silver badge

    "The attacks are useful as an alternative backdoor for targeted attackers who already have access to a machine"

    A WiFi camera might well be installed outside the premises it's supposed to be guarding, so access could be possible.

  4. Ian 62

    Second hand kit

    I suppose it's a gentle reminder that something as basic as this can be reflashed and stuck on eBay.

    The attacker might not always get the device into a juicy target, but what's the risk/cost? Buy it second hand, flash, resell for much the same price. Get a few dozen out there and see where they land.

    Whilst you'd hope that commercial enterprises would buy new, if you're looking for a like-for-like replacement to make life easy for yourself, if it's an EOL product eBay might be your only choice.

    1. John Sturdy
      Black Helicopters

      Re: Second hand kit

      Sounds like a good reason to reflash all such second-hand kit whenever possible. And perhaps new kit too, for that matter.

    2. Pete 2 Silver badge

      Re: Second hand kit

      > The attacker might not always get the device into a juicy target, but what's the risk/cost? Buy it second hand, flash, resell for much the same price.

      The place this is most likely to happen is with used phones. Yet we don't hear of it. We do hear of people buying s/h phones and finding all the stuff from the previous owner still on it, so it's clear that there are many people who have neither the knowledge nor the inclination to protect their privacy.

      I'd use the phone market as the "canary in the coalmine" for this sort of thing. It's a bigger market and therefore potentially more open to exploitation. The buyers seem to be an order of magnitude less savvy and the scope for illicit gain is much greater.

  5. TeeCee Gold badge

    .......It is not something users should expect to surface in the wild

    Oddly enough, it's just the sort of thing I'm expecting to surface in the wild en masse and repeatedly, courtesy of teh intervuln ov fings.

    Let's face it. The smartphone and tablet boys don't do secure systems and timely security patches. You expect the cheapshit household commodity lads to do better why exactly?

    As regards the requirement for physical access in this case, I wouldn't be at all surprised to find that its existing auto-update function ain't exactly bulletproof when it comes to validating the update source as genuine and a bit of extra jiggery-pokery with spoofed addresses could get it to compromise itself.
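The two controls argued over in the thread, Christian Berger's "only accept updates for the first n minutes after boot (or with a physical button)" and TeeCee's point that the update path must validate the image source before flashing, combined in one small policy model. This is an added illustration, not D-Link's firmware or Vectra's code; the window length, the demo key and the HMAC-as-stand-in-for-a-vendor-signature are assumptions.

```python
"""Illustrative firmware-update gate (added example, not vendor code).

Two checks must both pass before the flash routine would ever run:
  1. Timing/presence gate: the update is only accepted during the first
     UPDATE_WINDOW_SECONDS after boot, or while a physical button is held.
  2. Authenticity gate: the image must carry a valid vendor tag.
The tag is an HMAC-SHA256 with a device-side key as a stand-in; a real
device would verify a public-key signature against a key kept in
read-only or hardware-protected storage.
"""
import hashlib
import hmac

UPDATE_WINDOW_SECONDS = 5 * 60           # assumed N = 5 minutes after boot
VENDOR_KEY = b"constructed-demo-key"     # placeholder, not a real vendor key


def sign_image(image: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor side: produce the authentication tag shipped with the image."""
    return hmac.new(key, image, hashlib.sha256).digest()


def update_allowed(uptime_seconds: int, button_held: bool,
                   image: bytes, tag: bytes, key: bytes = VENDOR_KEY):
    """Return (accepted, reason) for a proposed update.

    The timing gate is evaluated first so a remote attacker who finds the
    device long after boot is refused before any image parsing happens.
    """
    if uptime_seconds >= UPDATE_WINDOW_SECONDS and not button_held:
        return False, "update window closed; press the button or power-cycle"
    # Constant-time compare so a forged tag cannot be matched byte by byte.
    if not hmac.compare_digest(sign_image(image, key), tag):
        return False, "image authentication failed"
    return True, "ok"


if __name__ == "__main__":
    fw = b"constructed firmware image v2"   # constructed sample image
    good_tag = sign_image(fw)
    print(update_allowed(30, False, fw, good_tag))      # inside window
    print(update_allowed(3600, False, fw, good_tag))    # window closed
    print(update_allowed(3600, True, fw, good_tag))     # button held
    print(update_allowed(30, False, fw, sign_image(b"tampered")))
```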

  6. allthecoolshortnamesweretaken

    Always use the proper tools and protective gear, kids!

    1. Paul Crawford Silver badge

      Re: Ouch.

      Like not putting crap like these things on your corporate LAN? Have another IP range for them without Internet access nor much internal access so only the security desk PC can record/view the cameras?

      Oh and while you are at it, partition your network to put printers, etc, that have web servers and other crap that is never patched on to a similar restricted zone...
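The restricted zone Paul Crawford describes, written out as an nftables forwarding policy on the router between the zones. This is an added example, not configuration from the article or from any vendor; the interface names (lan0, cam0), the security desk address 192.0.2.10 and the camera/printer subnet 198.51.100.0/24 are constructed placeholders, and the ports assume the cameras serve HTTP and RTSP.

```nftables
# Added illustration: cameras and never-patched printers live on their own
# segment (cam0). Nothing from that segment may initiate traffic anywhere;
# only the security desk PC may reach it, and only on the viewing ports.
table inet restricted_zone {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions the security desk opened
        ct state established,related accept

        # Security desk PC -> camera/printer zone, HTTP and RTSP only
        iifname "lan0" oifname "cam0" ip saddr 192.0.2.10 \
            ip daddr 198.51.100.0/24 tcp dport { 80, 554 } ct state new accept

        # Everything the zone tries to start (Internet, other LAN hosts,
        # call-home, pushed "updates") is logged and dropped by policy
        iifname "cam0" log prefix "restricted-zone-drop: " drop
    }
}
```

Load with `nft -f` and watch the log prefix: any hit from cam0 is a device on the restricted segment trying to reach something it should not, which is exactly the behaviour the article's backdoor would need.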
