Helped a friend set up a 6 camera system. He bought 4 reputable cams and two cheapies. We configured all cams to shut off any and all cloud services. All were set with static IP, gateway, NTP server, and NO dns. The four reputable ones generate zero unexpected traffic. The two cheapies? Constant flow of connection attempts to cn owned IPs, as well as dns requests to google DNS IPs (apparently hard coded). Nothing goes anywhere since they're on a segregated VLAN with no outside access... but the firewall packet counters are in the millions.
What did you expect from chinese products? For younger people, watch the beginning of "Three body problem" and remember that unlike in Germany after WW2, this regime was never over thrown or made responsible for what it did and still is doing. This message will likely be removed after CCP propaganda machine launches multiple feedbacks to TH-cam demanding it and YTs algorithm removes the message.
This is some really cool content. I would highly recommend a brief intro with some bullets on what you are going to attempt and then as part of the outro, provide a summary of what you discovered. It would really help tie everything together.
You are wonderful! A couple of months ago my work was throwing out old IP cams and I asked to have one because I was super interested in hooking it up and digging into everything that’s on it that the user doesn’t get to typically see. The camera is a Vstarcam. How lucky am I that an expert like yourself is doing exactly what I (an absolute amateur) was wanting to do on this brand of ip cam!
I’m not a hacker and have zero Linux knowledge but this stuff and how you present it is fascinating to me regardless. Thanks for taking the time to setup these demonstrations and so clearly explain what is a very deep understanding of these devices.
What i'm interested in is when firmware detects that it has no internet connection (because I put it in a network jail), but that triggers routines in the device to escape the jail by automatically connecting to any nearby open WiFi without being told to. Or having firmware that can entering promiscuous mode to watch and analyze other devices for te purpose of masquerading as those devices after it sees it's silent for 30 minutes or so in order to find a way out of its jail. I'm concerned with so-called security cameras that provide no actual data security, or worse actively try to evade attempts to make them secure. It's not a matter of whether your cloud data is secure, but when it becomes insecure and whether you will ever know that it has happened. Cloud data means it's stored (potentially indefinitely) on someone else's computer and used for whatever purposes they want to use it for. And you have no recourse if they lied to you in the first place, or later abuse that trust whether it be willful or by neglect.
That’s technically possible. But in practice, I don’t think most companies producing these cheap cameras are doing that. Not only does it significantly increases the software R&D cost, they have little to gain from, since most people using it are not experts in security, and simply sending data from device to their server is enough to “monitor their customer” (if that’s their goal). I bet most of their target customers don’t know how to setup a Firewall on their router. What you have described is more like an attack organized by state-backed hackers, who knows their device is likely to be placed in an airgapped environment or some sort. But let’s be honest, any high security facility won’t use WiFi security cameras at all. So a state backed hacker group will likely spend their time on something else that is more effective.
@@tlxyxl8524 I disagree. These companies producing cheap cameras are licensing firmware provided by another company. If that other company is a state sponsored front for a surveillance agency, then the licensing cost and terms will be very cheap to the camera producer. Something similar happened with a US agency that 'sold' an advertising library to Kuran app developers in order for the US agency to dragnet track Muslims. This kind of thinking not only can happen it IS happening, and it logically must happen. Only a fully open-source software and hardware (including microcode, ASICs and SBC BSMs) or full reverse engineering can hope to find these things when they are imported devices because there is no legal recourse against a foreign government that engages in this activity. And political recourse against a country doing this to its neighbor is unlikely.
Absolutely incredible channel. You keep the pacing super easy to follow and your topics are always interesting. Very educational and cool at the same time this is one of my favorite channels now ❤
Subcribed! Not only highly educational video, but reveals why it makes strategically sense that AliExpress and similar are so dirty cheap. Could you make more videos exposing products bought from China?
Actually that's a really good and easy way to show proof of hack, point it at something only @mattbrwn knows, and they can jump on the discord with an image for proof. They can provide further proof afterwards....or not... 😂
After all these years never knew or have seen all this techniques in action. Very excellent explanation and educational we need more of this stuff. Subscribed and liked thanks matt🎉🎉🎉🎉
Wonderful. Exactly answering some of the questions I had about some of my Chinesium security cameras. I really appreciate you going through this with live workflow. Keep up the good work.
For the typical end Luser, anc customer support people (if any), the potential for every device dying when the cloud server's certificate changes to one not in the chain of trust is a potentially significant issue. From the programmer's perspective... They possibly said to their manager, 'to do this properly we need to provide a way to update the trusted certs regularly' the account said oof, more infrastructure? and the CS people said 'what about users who had the device turned off for 2 years, and the manager replied, 'what if we just don't check the certs?' and went home with a bonus for saving the company money.....
"what if we just don't check the certs?" what if we check the certificates and the stupid users that forgot to use the product, forgot that they even had the product, so you sell them another one !
How have I never found your channel before? subscribed! This should be a DEFCON talk.
5 หลายเดือนก่อน +1
Way over my knowledge but found it very interesting to look at. Have for long time been thinking of a way to check what an app like TikTok and other app that should not be trusted, and different hardware, to see if they can be trusted. Wonder if such devices like you cheap camera should be on it's own network isolated from home server and other stuff. Looking forward to watch your future videos that educate us all.
Looking at some of the details decoded by certmitm it looks like the cloud infrastructure may be setup for multiple manufacturers to use (the reference to OEM look interesting). What are the chances that the work that Matt is doing applies not only to the make/model of camera being analysed, but also other brands and models ?
im sure many companies are using these services. Think about the cost for them to pay for this infrastructure, these companies are pretty obviously selling some kind of data to pay for it. These cameras dont cost that much so they cant keep that kind of operation afloat for free
Jesus! I just stumbled across this video and now I'm subscribed and know that I need to be much MORE more paranoid about stuff that I was previously just suspicious about.
Nice video! Btw, find supports filtering for names and even executing other commands on its results find . -iname '*pam*' # same as the grep pipe find . -exec file {} \; # same as your xargs pipe
Super instructive, and highly illustrative of the (in)security of many IoT devices. I just got into embedded and packet hacking at Def Con 32, and this is a fantastic continuation of what I learned there. Great to see these techniques employed in the wild, and you do a fantastic job of describing what's going on at each step.
This is one of the many reasons people need to be more aware of the risks of IOT devices. Especially when it comes to devices from other countries like China. Even thermostats, sensors, etc. It;s all sending data and to think and say things like "I don't care if China sees the temp in my house" is not seeing the bigger picture. As your video points out IoT devices are not very secure. I've even seen some people argue that they disable traffic to China. That "may" help but not all people have that skill and I guarantee you Chiuna has cloud based servers all over not just in China so you really don't know unless you have the skills to analyze traffic, look at all destinations and lookup who actually controls that endpoint and dig up what shell companies may be masking the true owner/country. Good video.
@@supremeleader5516 that thermostat can run network scans, or whatever recon and send it back to china. Every network device has a mac address which is assigned to a company. They could watch and see how many people have a samsung tv over a tcl for example and then sell that data to marketing companies to try and sell you something. Thats one small example. There is a lot of data going through a network at any time. Sometimes you just dont know what you dont know.
I like this video. I'm technical (software experience but not security background) and would love more high level summary and explanation of what all this means. E.g. what are the consequences for users, what does this enable the Chinese to do etc etc
Now I have to reuse this tutorial in my lawnmower! I did not even try as I've seen it is ssl traffic, but I've never guessed the tls is not even verified! Thanks!
So.. to make sure I'm understanding - The flaw that allowed you to successfully run the MITM is that the camera didn't validate that the certificate was signed by a trusted root, so it trusted the cert dynamically generated by the utility? If this is the case, but it didn't work, is it common to be able to inject a new trusted root into the filesystem of the device under test, or if it did the root validation, that would be pretty secure?
I could be wrong but I think in this particular case, the dynamically generated certs weren't even needed, as the app didn't even bother to validate the server cert.
@@effsixteenblock50 Oh.. I was figuring that "not validating" the cert meant it just didnt verify it was valid up to a trusted root installed on the camera, but if it really didn't even validate the name of the cert, that's a new level of carelessness on their part! I might have to get one of these things just to play with now!
@@SteveJones172pilotoften devices do nothing more than verify the common name/san matches an expected value. In those cases a self signed certificate with the same name as the intended site will suffice.
Do these cameras have built in chinese backdoors from software or hardware or both ? And have you created a list of security cameras that have been compromised ?
@@Matlockization what actually happens is these devices have to use remote servers to generate things like thumbnails and/or previews. The problem is you have to compete on price, not security.
was the initial HTTP Request packet for that .jpg file just a "semaphore" or "signal" to the chinese server farm that the device was rebooted. and perhaps the "token" was really a way to get a message to those servers? This might have been a method of obscuration used by the manufacture. also, I noted that a HTTP 404 was returned by the server. hmmm
Hi Matt, Can you do a video on decrypting the wireshark tls packets after certmitm injecting a self signed certificate in the camera connection? I mean, that should be possible now, right? I tried loading the certmitm key file into Wireshark but I just cannot get it to decode the tls trafic.....
That is only possible IF the TLS cipher used does NOT provide perfect forward secrecy. en.m.wikipedia.org/wiki/Forward_secrecy I agree this nuance would make a good video.
@@mattbrwn So, how would you proceed if you want to spy on your camera traffic to see all the messages forward and backward with the Chinese server? Thanks for the link! Interesting!
IoT means "Internet of Trouble". Also, don't get too comfortable if YOUR cam doesn't generate suspicious traffic. It is just waiting for the right time. ;)
Seriously. With what you are giving me as information and other hints. I am enjoying testing all the wifi device I have. Be it sensibo heat pump controler to my thermostats. And door bell camera. Amazing stuff!!!
Hi Matt, Thank you for the great content! I have a question: when running a tool like certmitm, is it necessary to make any modifications to my router? How does the traffic get routed through the host? Thanks a lot!
Hello Matt! Your content is absolutely fascinating, I love your videos! A question, any chance you would once look at an easier project, such as the tiny LCD screens they sell for Pc performance monitor screens. They have an onboard chip and the HW usually can only be used with the provided software.
Any way you could do a video on the blink mini security camera? Im not at your skill level yet but i have a few of these cameras at home and would like to know how secure they are. Love your videos btw and look forward to seeing more content
I have the YI cameras and i would like to stop them from call home PRC , is that possible i have to use an app from them to be able to connect to the webcams.
I am not going through 360 reactions, so excuse me if already asked. But why would you pipe the output of find . to grep instead of using find . -type f -name *pem ?
I noticed this with the useless use of grep too and tried to find a comment and came across yours. I'm guilty of this sometimes too when I can't remember parameters on something like awk
@@JamesTK I am probably guilt of useless use of commands in real life as well. However, when it is for a video I expect a better use of commands by the host. If someone is not aware of the uselessness of commands, I'd advise against making a video. If someone is aware I'll expect better usage of commands.
The IoT devices I"m familiar with use TLS in PSK mode. It is very lightweight as there are no certificates to verify, and cannot be MITM'd unless you know the PSK.
A token was sent in clear text, havent watched the whole video but could be used to start a remote unauthorized stream with it, same was done with eufy cameras. The JPG is the thumbnail of the camera seen in the app. And when it comes to mobile applications not properly SSL pinning, this can be fairly easily circumvented with reverse engineering and the usage of software like frida, to override functions and or inject your own logic.
I've got Zosi CCTV system and as soon as I set up a password on there, I stated getting hacking attempts on my network and even my email, so I just leave it offline and only access it locally. Also what's the point in SSL if it can be decrypted so easily?
I have a hodge-podge of network equipment and servers and extremely superficial understanding of how any of it works. DIR-862L router running DD-WRT and AdGuard Home, 3x Osprey Informatics IP cameras, 1x Vaddio Conference Shot 10 IP camera, Datto Alto A3V2 NAS running Proxmox which is hosting Ubuntu server which hosts NFS share, Nginx, iSpy Agent, plus a Western Digital DX4000 running Microsoft Server 2008, a Linksys SPA2102 VOIP adapter, and Brother network printer/scanner. How susceptible is all this stuff? I'm genuinely curious!
Same shit with owning a VPS. I installed fail2ban and occasionally looked at the ban list, and it was just thousands of Chinese IPs trying to probe any open port.
Ive learned so much from your videos. I have a basic soldering system setup but I cant do smd stuff let alone desoldering firmware chips. What would be the entry level equipment that you would recomend??
My background is Unix in general. Going back to the Solaris 3 days. I get the software side of things but I need advice about the hardware side to get to the software side. I can't afford the crazy expensive setups that we see on the channels. I need something that its OK to fail now and then. Thanks for any advice you can give. It'd be better then me just picking temu crap at random.
@mattbrwn could you try hacking and attacking the EDL on the Oppo Watch OW19W8?? It's an WearOS Smart watch but more on the cheaper end and I've bricked it by installing Asteroid OS and then locking the bootloader which bricked the Smartwatch because for whatever reason whenever you lock the bootloader on that device it basically factory resets it's self but the issue is I deleted the Wear OS Partition meaning i can't Unbrick it as of yet and I've tried fixing it through the EDL but it's encrypted and idk how that works and so far no one knows how to unencript it through software
UPDATE: my camera account was pwned within 2 hours of the video going live. 😎Well done internetz
LOL
🤣🤣🤣🤣🤣🤣🤣🤣
well that was quick lol
Dum Spiro Spero my friend. Soli Deo Gloria indeed. Nice phrase btw!
2 hours? You guys are slackin. 🤣
Helped a friend set up a 6 camera system. He bought 4 reputable cams and two cheapies. We configured all cams to shut off any and all cloud services. All were set with static IP, gateway, NTP server, and NO dns. The four reputable ones generate zero unexpected traffic. The two cheapies? Constant flow of connection attempts to cn owned IPs, as well as dns requests to google DNS IPs (apparently hard coded). Nothing goes anywhere since they're on a segregated VLAN with no outside access... but the firewall packet counters are in the millions.
Probably spyware selling what you do and recording *that*
I did the same, for all my Reolink cameras
@@zyghom Do they stay quiet on the network? My Hikvisions do.
@@khx73 they don't stay quiet but firewall does not let any traffic from them outside my LAN ;-)
@@zyghom Dirty little things... haha
This is my favorite newly discovered TH-cam channel. I watch every video as soon as they drop. Keep it up Matt!
just like me
🙋🏻♀️
Same here! I get super excited when I see a video drop 😂
same 😂
How cute they think+ 5g (jj=. P😊
TLS encryption, in this case, is probably more about obscuring what this device is doing versus protecting the user's data.
What did you expect from chinese products? For younger people, watch the beginning of "Three body problem" and remember that unlike in Germany after WW2, this regime was never over thrown or made responsible for what it did and still is doing. This message will likely be removed after CCP propaganda machine launches multiple feedbacks to TH-cam demanding it and YTs algorithm removes the message.
this is the content we need more of, keep it up matt this is legitimately great stuff
This is some really cool content. I would highly recommend a brief intro with some bullets on what you are going to attempt and then as part of the outro, provide a summary of what you discovered. It would really help tie everything together.
I like this suggestion too. I feel like he always addresses his thinking process as he goes, but a quick outline up front may be helpful.
I would highly recommend they keep doing their own thing how they want, when they want. I'm here to watch, not exert control over the Internet.
You are wonderful! A couple of months ago my work was throwing out old IP cams and I asked to have one because I was super interested in hooking it up and digging into everything that’s on it that the user doesn’t get to typically see. The camera is a Vstarcam. How lucky am I that an expert like yourself is doing exactly what I (an absolute amateur) was wanting to do on this brand of ip cam!
Man these videos are great, love how you explain your steps with enough detail to follow along. Great stuff.
You are a natural teacher as well. I hope you many, many subscribers!
I’m not a hacker and have zero Linux knowledge but this stuff and how you present it is fascinating to me regardless. Thanks for taking the time to setup these demonstrations and so clearly explain what is a very deep understanding of these devices.
What i'm interested in is when firmware detects that it has no internet connection (because I put it in a network jail), but that triggers routines in the device to escape the jail by automatically connecting to any nearby open WiFi without being told to. Or having firmware that can entering promiscuous mode to watch and analyze other devices for te purpose of masquerading as those devices after it sees it's silent for 30 minutes or so in order to find a way out of its jail.
I'm concerned with so-called security cameras that provide no actual data security, or worse actively try to evade attempts to make them secure. It's not a matter of whether your cloud data is secure, but when it becomes insecure and whether you will ever know that it has happened.
Cloud data means it's stored (potentially indefinitely) on someone else's computer and used for whatever purposes they want to use it for. And you have no recourse if they lied to you in the first place, or later abuse that trust whether it be willful or by neglect.
that's why I have to wrap the device in tinfoil, so the WIFI doesn't work
That’s technically possible. But in practice, I don’t think most companies producing these cheap cameras are doing that. Not only does it significantly increases the software R&D cost, they have little to gain from, since most people using it are not experts in security, and simply sending data from device to their server is enough to “monitor their customer” (if that’s their goal). I bet most of their target customers don’t know how to setup a Firewall on their router.
What you have described is more like an attack organized by state-backed hackers, who knows their device is likely to be placed in an airgapped environment or some sort. But let’s be honest, any high security facility won’t use WiFi security cameras at all. So a state backed hacker group will likely spend their time on something else that is more effective.
Have you identified any devices behaving this way?
There is always someone smarter hacking what appears to be secure. However if they’re at the top of the game they’re going after big fish.
@@tlxyxl8524 I disagree. These companies producing cheap cameras are licensing firmware provided by another company. If that other company is a state sponsored front for a surveillance agency, then the licensing cost and terms will be very cheap to the camera producer. Something similar happened with a US agency that 'sold' an advertising library to Kuran app developers in order for the US agency to dragnet track Muslims. This kind of thinking not only can happen it IS happening, and it logically must happen. Only a fully open-source software and hardware (including microcode, ASICs and SBC BSMs) or full reverse engineering can hope to find these things when they are imported devices because there is no legal recourse against a foreign government that engages in this activity. And political recourse against a country doing this to its neighbor is unlikely.
Thank you for letting us know. Having no certificate also means no certificate can expire. :-)
Root CA companies hate this trick!!!
They could use self-signed root CA without any expiry time.
Absolutely incredible channel. You keep the pacing super easy to follow and your topics are always interesting. Very educational and cool at the same time this is one of my favorite channels now ❤
Subcribed! Not only highly educational video, but reveals why it makes strategically sense that AliExpress and similar are so dirty cheap. Could you make more videos exposing products bought from China?
Point the camera at a Rick Astley video so that a hacker of your keys can see the success directly :D
Actually that's a really good and easy way to show proof of hack, point it at something only @mattbrwn knows, and they can jump on the discord with an image for proof. They can provide further proof afterwards....or not... 😂
that is an awesome idea
Remember the time when 4chan located indoor cameras and raided them. I'm not sure it's that great of an idea...
@@nezu_cc Cats out of the bag on that already if he's leaving it online for it to be hacked.
@@nezu_ccwell it was bc the camera was near an open window. I’m sure he can just put the camera in a box or something
After all these years never knew or have seen all this techniques in action. Very excellent explanation and educational we need more of this stuff. Subscribed and liked thanks matt🎉🎉🎉🎉
Your videos are as good as sitting in sessions at DEF CON!
loving the idea of letting peeps from the web fish around on the device and connect with you and others on discord ❤
Wonderful. Exactly answering some of the questions I had about some of my Chinesium security cameras. I really appreciate you going through this with live workflow. Keep up the good work.
western cloud cameras are not very different.
@@turtlefrog369 You're right. Really doesn't matter the country of source.
Yooooooo, You just got a new sub. Lovely vid. Love the work! ❤
I can see you love what you do - good energy - I enjoy your technical insight.
That was an awesome run-down and explanation Matt, subscribed!
Good video, I can feel you raw passion and excitement about what you're doing coming through. I'll have to check out some of your others.
For the typical end Luser, anc customer support people (if any), the potential for every device dying when the cloud server's certificate changes to one not in the chain of trust is a potentially significant issue. From the programmer's perspective... They possibly said to their manager, 'to do this properly we need to provide a way to update the trusted certs regularly' the account said oof, more infrastructure? and the CS people said 'what about users who had the device turned off for 2 years, and the manager replied, 'what if we just don't check the certs?' and went home with a bonus for saving the company money.....
"what if we just don't check the certs?" what if we check the certificates and the stupid users that forgot to use the product, forgot that they even had the product, so you sell them another one !
OCSP is what they need
To be honest, I would not be surprised if this was actually just as intended, by Chinese rules.
Awesome stuff mate. I am learning so much, and gives some scale as to how much I have to learn still. Keep it up!
How have I never found your channel before? subscribed! This should be a DEFCON talk.
Way over my knowledge but found it very interesting to look at. Have for long time been thinking of a way to check what an app like TikTok and other app that should not be trusted, and different hardware, to see if they can be trusted. Wonder if such devices like you cheap camera should be on it's own network isolated from home server and other stuff.
Looking forward to watch your future videos that educate us all.
Just discoverd your channel. This is sweet stuff. Great job
Looking at some of the details decoded by certmitm it looks like the cloud infrastructure may be setup for multiple manufacturers to use (the reference to OEM look interesting). What are the chances that the work that Matt is doing applies not only to the make/model of camera being analysed, but also other brands and models ?
Wow I didn't catch this! I bet you are right and that there are a bunch of whitelabel brands out there.
im sure many companies are using these services. Think about the cost for them to pay for this infrastructure, these companies are pretty obviously selling some kind of data to pay for it. These cameras dont cost that much so they cant keep that kind of operation afloat for free
It seems, most of the current spies out of China are using 0s and 1s. Good stuff, Matt!
Jesus! I just stumbled across this video and now I'm subscribed and know that I need to be much MORE more paranoid about stuff that I was previously just suspicious about.
Would be cool if you could get that binary to run on your Linux machine and view the video feed without using the app
Very cool. I look forward to part2.
Great morning watch from Sweden, appreciate the video, Matt!
Nice video! Btw, find supports filtering for names and even executing other commands on its results
find . -iname '*pam*' # same as the grep pipe
find . -exec file {} \; # same as your xargs pipe
finally some channel for me :) high quality content!
Your content is awesome man,thanks for making it!
Decrypting SSL!? Can’t wait for this one! Keep it up dude. Really enjoying the videos.
Super instructive, and highly illustrative of the (in)security of many IoT devices. I just got into embedded and packet hacking at Def Con 32, and this is a fantastic continuation of what I learned there. Great to see these techniques employed in the wild, and you do a fantastic job of describing what's going on at each step.
So thankful to have found you!! Woot Woot!!
Nice work Matt
This is one of the many reasons people need to be more aware of the risks of IOT devices. Especially when it comes to devices from other countries like China. Even thermostats, sensors, etc. It;s all sending data and to think and say things like "I don't care if China sees the temp in my house" is not seeing the bigger picture. As your video points out IoT devices are not very secure. I've even seen some people argue that they disable traffic to China. That "may" help but not all people have that skill and I guarantee you Chiuna has cloud based servers all over not just in China so you really don't know unless you have the skills to analyze traffic, look at all destinations and lookup who actually controls that endpoint and dig up what shell companies may be masking the true owner/country. Good video.
How temperature will benifit china?
@@supremeleader5516 that thermostat can run network scans, or whatever recon and send it back to china. Every network device has a mac address which is assigned to a company. They could watch and see how many people have a samsung tv over a tcl for example and then sell that data to marketing companies to try and sell you something. Thats one small example. There is a lot of data going through a network at any time.
Sometimes you just dont know what you dont know.
Until non-China stuff is tested you have no way of being certain the same, or more sophisticated, shananigans are going on.
What awesome content again thanks matt❤❤
Great content, Matt. You earned a new subscriber.
Great video. You did a great job explaining all the steps you did.
This is great content. Have you tried this on any major brand name cameras like Blink or Ring?
I hit the like button 10 seconds into the video as I know I am in for a treat! Great work!
What is the most dangerous threat? A kind of obfuscated but auditable connection or a perfectly secure connection directly to an malicious service?
respect bro, keep up the great work!
Awesome matt!! subscribed!
Nice video's Matt, subbed! 👍
This channel should go viral, love it.
I, an extremely biased source, agree 😁
Great content, definitely subscribing!!
fascinating Matt, brilliant
Great vid! Stay awsome, Jim.
I like this video. I'm technical (software experience but not security background) and would love more high level summary and explanation of what all this means. E.g. what are the consequences for users, what does this enable the Chinese to do etc etc
Now I have to reuse this tutorial in my lawnmower! I did not even try as I've seen it is ssl traffic, but I've never guessed the tls is not even verified! Thanks!
So.. to make sure I'm understanding - The flaw that allowed you to successfully run the MITM is that the camera didn't validate that the certificate was signed by a trusted root, so it trusted the cert dynamically generated by the utility? If this is the case, but it didn't work, is it common to be able to inject a new trusted root into the filesystem of the device under test, or if it did the root validation, that would be pretty secure?
I could be wrong but I think in this particular case, the dynamically generated certs weren't even needed, as the app didn't even bother to validate the server cert.
@@effsixteenblock50 Oh.. I was figuring that "not validating" the cert meant it just didnt verify it was valid up to a trusted root installed on the camera, but if it really didn't even validate the name of the cert, that's a new level of carelessness on their part! I might have to get one of these things just to play with now!
@@SteveJones172pilotoften devices do nothing more than verify the common name/san matches an expected value. In those cases a self signed certificate with the same name as the intended site will suffice.
Great video, would love to see what they send after getting the auth.
Love these videos! Keep it up!
THANKS This is eye opening. Is there a clearing house for IOT devices that do not have these type of issues? Wired and Wireless?
Do these cameras have built in chinese backdoors from software or hardware or both ? And have you created a list of security cameras that have been compromised ?
Yes it has been proven, there are even Website with hacked or unsecured cameras..
@@mmuller2402 Very worrying.
@@mmuller2402How to find that website?
@@Matlockization what actually happens is these devices have to use remote servers to generate things like thumbnails and/or previews. The problem is you have to compete on price, not security.
@@johnsullivan8673 Well, people are already paying extra for peace of mind since we all know what communist china are up to.
Yoooo my man usin polybar and i3wm, lets go
was the initial HTTP Request packet for that .jpg file just a "semaphore" or "signal" to the chinese server farm that the device was rebooted. and perhaps the "token" was really a way to get a message to those servers? This might have been a method of obscuration used by the manufacture. also, I noted that a HTTP 404 was returned by the server. hmmm
Hi Matt, Can you do a video on decrypting the wireshark tls packets after certmitm injecting a self signed certificate in the camera connection? I mean, that should be possible now, right? I tried loading the certmitm key file into Wireshark but I just cannot get it to decode the tls trafic.....
That is only possible IF the TLS cipher used does NOT provide perfect forward secrecy.
en.m.wikipedia.org/wiki/Forward_secrecy
I agree this nuance would make a good video.
@@mattbrwn So, how would you proceed if you want to spy on your camera traffic to see all the messages forward and backward with the Chinese server?
Thanks for the link! Interesting!
A transparent proxy.
E.g. certmitm or mitmproxy
Also sslsplit can create a synthetic pcap file if you really want to view the data in Wireshark.
IoT means "Internet of Trouble".
Also, don't get too comfortable if YOUR cam doesn't generate suspicious traffic. It is just waiting for the right time. ;)
your polybar looks so much similar to my previous style
Seriously. With what you are giving me as information and other hints. I am enjoying testing all the wifi device I have. Be it sensibo heat pump controler to my thermostats. And door bell camera. Amazing stuff!!!
Hi Matt,
Thank you for the great content! I have a question: when running a tool like certmitm, is it necessary to make any modifications to my router? How does the traffic get routed through the host?
Thanks a lot!
Such an awesome video! Thanks!
Hello Matt!
Your content is absolutely fascinating, I love your videos!
A question, any chance you would once look at an easier project, such as the tiny LCD screens they sell for Pc performance monitor screens. They have an onboard chip and the HW usually can only be used with the provided software.
Thanks for posting. Super interesting 🙂
Any way you could do a video on the blink mini security camera? Im not at your skill level yet but i have a few of these cameras at home and would like to know how secure they are. Love your videos btw and look forward to seeing more content
I have the YI cameras and i would like to stop them from call home PRC , is that possible i have to use an app from them to be able to connect to the webcams.
Great video Mr Matt. So it's probably not good to buy a CAM from Temu? 😮
Could you make a video about your MITM-Router, hardware, making and software?
Seach for a video and looked on your Github but can't find it.
its not HW, all software. sorry I'll add github link to video description
Ah that would be perfect. Thanks!!
On what linux distro do you run your script, or do you just run it in for example Kali?
Do you have any videos on the Aqara security cameras?
Nice Hacking Video, keep it up brother !!
@mattbrwn how did you learn IoT reverse engineering and where to start ?
I also like to look for what other wifi/BT or RF traffic the device ( camera) has been scanning and packaging off the meta data for.
Another Amazing Video Matt! Are you going to DC 32 this year?
very nIce, good man
Thanks!! Great video, ionly interesting stuff, no bullshit stories.
I am not going through 360 reactions, so excuse me if already asked. But why would you pipe the output of find . to grep instead of using find . -type f -name *pem ?
I noticed this with the useless use of grep too and tried to find a comment and came across yours. I'm guilty of this sometimes too when I can't remember parameters on something like awk
@@JamesTK I am probably guilt of useless use of commands in real life as well. However, when it is for a video I expect a better use of commands by the host.
If someone is not aware of the uselessness of commands, I'd advise against making a video. If someone is aware I'll expect better usage of commands.
I’d love a video on eufy cameras!
The IoT devices I"m familiar with use TLS in PSK mode. It is very lightweight as there are no certificates to verify, and cannot be MITM'd unless you know the PSK.
A token was sent in clear text, havent watched the whole video but could be used to start a remote unauthorized stream with it, same was done with eufy cameras. The JPG is the thumbnail of the camera seen in the app. And when it comes to mobile applications not properly SSL pinning, this can be fairly easily circumvented with reverse engineering and the usage of software like frida, to override functions and or inject your own logic.
The Wireshark capture was on a specific port on your desktop or a port on your router/modem? It''s the mitmrouter?
How did you connect to the device? UART? etc?
You are a clever person. How did you learn your skills?
I've got Zosi CCTV system and as soon as I set up a password on there, I stated getting hacking attempts on my network and even my email, so I just leave it offline and only access it locally. Also what's the point in SSL if it can be decrypted so easily?
I like how they misspelled "signature" as "signatrue" in one of those intercepted requests
idk why, but now i wonder what "signafalse" looks like
I have a hodge-podge of network equipment and servers and extremely superficial understanding of how any of it works.
DIR-862L router running DD-WRT and AdGuard Home, 3x Osprey Informatics IP cameras, 1x Vaddio Conference Shot 10 IP camera, Datto Alto A3V2 NAS running Proxmox which is hosting Ubuntu server which hosts NFS share, Nginx, iSpy Agent, plus a Western Digital DX4000 running Microsoft Server 2008, a Linksys SPA2102 VOIP adapter, and Brother network printer/scanner.
How susceptible is all this stuff? I'm genuinely curious!
Same shit with owning a VPS. I installed fail2ban and occasionally looked at the ban list, and it was just thousands of Chinese IPs trying to probe any open port.
@@andrewlalis Did this with my firewall as well.. ru and cn hits in the hundreds of thousands
Now I can say Jason Bourne is teaching me hacking
would there be any value in capturing data going to and from the wifi module?
Nice series! and the adres eye 4 China.............. 🤫
Yeah, true, now that you spell it out. Didn’t see it in the first place.
Ive learned so much from your videos. I have a basic soldering system setup but I cant do smd stuff let alone desoldering firmware chips. What would be the entry level equipment that you would recomend??
My background is Unix in general. Going back to the Solaris 3 days. I get the software side of things but I need advice about the hardware side to get to the software side. I can't afford the crazy expensive setups that we see on the channels. I need something that its OK to fail now and then. Thanks for any advice you can give. It'd be better then me just picking temu crap at random.
@mattbrwn could you try hacking and attacking the EDL on the Oppo Watch OW19W8?? It's an WearOS Smart watch but more on the cheaper end and I've bricked it by installing Asteroid OS and then locking the bootloader which bricked the Smartwatch because for whatever reason whenever you lock the bootloader on that device it basically factory resets it's self but the issue is I deleted the Wear OS Partition meaning i can't Unbrick it as of yet and I've tried fixing it through the EDL but it's encrypted and idk how that works and so far no one knows how to unencript it through software
I like your videos. Would you try to check the firmware from a Reolink IP-camera? Really big brand is growing up. :)