Helped a friend set up a 6 camera system. He bought 4 reputable cams and two cheapies. We configured all cams to shut off any and all cloud services. All were set with static IP, gateway, NTP server, and NO dns. The four reputable ones generate zero unexpected traffic. The two cheapies? Constant flow of connection attempts to cn owned IPs, as well as dns requests to google DNS IPs (apparently hard coded). Nothing goes anywhere since they're on a segregated VLAN with no outside access... but the firewall packet counters are in the millions.
What did you expect from chinese products? For younger people, watch the beginning of "Three body problem" and remember that unlike in Germany after WW2, this regime was never over thrown or made responsible for what it did and still is doing. This message will likely be removed after CCP propaganda machine launches multiple feedbacks to TH-cam demanding it and YTs algorithm removes the message.
What i'm interested in is when firmware detects that it has no internet connection (because I put it in a network jail), but that triggers routines in the device to escape the jail by automatically connecting to any nearby open WiFi without being told to. Or having firmware that can entering promiscuous mode to watch and analyze other devices for te purpose of masquerading as those devices after it sees it's silent for 30 minutes or so in order to find a way out of its jail. I'm concerned with so-called security cameras that provide no actual data security, or worse actively try to evade attempts to make them secure. It's not a matter of whether your cloud data is secure, but when it becomes insecure and whether you will ever know that it has happened. Cloud data means it's stored (potentially indefinitely) on someone else's computer and used for whatever purposes they want to use it for. And you have no recourse if they lied to you in the first place, or later abuse that trust whether it be willful or by neglect.
That’s technically possible. But in practice, I don’t think most companies producing these cheap cameras are doing that. Not only does it significantly increases the software R&D cost, they have little to gain from, since most people using it are not experts in security, and simply sending data from device to their server is enough to “monitor their customer” (if that’s their goal). I bet most of their target customers don’t know how to setup a Firewall on their router. What you have described is more like an attack organized by state-backed hackers, who knows their device is likely to be placed in an airgapped environment or some sort. But let’s be honest, any high security facility won’t use WiFi security cameras at all. So a state backed hacker group will likely spend their time on something else that is more effective.
@@tlxyxl8524 I disagree. These companies producing cheap cameras are licensing firmware provided by another company. If that other company is a state sponsored front for a surveillance agency, then the licensing cost and terms will be very cheap to the camera producer. Something similar happened with a US agency that 'sold' an advertising library to Kuran app developers in order for the US agency to dragnet track Muslims. This kind of thinking not only can happen it IS happening, and it logically must happen. Only a fully open-source software and hardware (including microcode, ASICs and SBC BSMs) or full reverse engineering can hope to find these things when they are imported devices because there is no legal recourse against a foreign government that engages in this activity. And political recourse against a country doing this to its neighbor is unlikely.
You are wonderful! A couple of months ago my work was throwing out old IP cams and I asked to have one because I was super interested in hooking it up and digging into everything that’s on it that the user doesn’t get to typically see. The camera is a Vstarcam. How lucky am I that an expert like yourself is doing exactly what I (an absolute amateur) was wanting to do on this brand of ip cam!
For the typical end Luser, anc customer support people (if any), the potential for every device dying when the cloud server's certificate changes to one not in the chain of trust is a potentially significant issue. From the programmer's perspective... They possibly said to their manager, 'to do this properly we need to provide a way to update the trusted certs regularly' the account said oof, more infrastructure? and the CS people said 'what about users who had the device turned off for 2 years, and the manager replied, 'what if we just don't check the certs?' and went home with a bonus for saving the company money.....
"what if we just don't check the certs?" what if we check the certificates and the stupid users that forgot to use the product, forgot that they even had the product, so you sell them another one !
This is some really cool content. I would highly recommend a brief intro with some bullets on what you are going to attempt and then as part of the outro, provide a summary of what you discovered. It would really help tie everything together.
Actually that's a really good and easy way to show proof of hack, point it at something only @mattbrwn knows, and they can jump on the discord with an image for proof. They can provide further proof afterwards....or not... 😂
I’m not a hacker and have zero Linux knowledge but this stuff and how you present it is fascinating to me regardless. Thanks for taking the time to setup these demonstrations and so clearly explain what is a very deep understanding of these devices.
Subcribed! Not only highly educational video, but reveals why it makes strategically sense that AliExpress and similar are so dirty cheap. Could you make more videos exposing products bought from China?
Nice video! Btw, find supports filtering for names and even executing other commands on its results find . -iname '*pam*' # same as the grep pipe find . -exec file {} \; # same as your xargs pipe
Absolutely incredible channel. You keep the pacing super easy to follow and your topics are always interesting. Very educational and cool at the same time this is one of my favorite channels now ❤
This is one of the many reasons people need to be more aware of the risks of IOT devices. Especially when it comes to devices from other countries like China. Even thermostats, sensors, etc. It;s all sending data and to think and say things like "I don't care if China sees the temp in my house" is not seeing the bigger picture. As your video points out IoT devices are not very secure. I've even seen some people argue that they disable traffic to China. That "may" help but not all people have that skill and I guarantee you Chiuna has cloud based servers all over not just in China so you really don't know unless you have the skills to analyze traffic, look at all destinations and lookup who actually controls that endpoint and dig up what shell companies may be masking the true owner/country. Good video.
@@supremeleader5516 that thermostat can run network scans, or whatever recon and send it back to china. Every network device has a mac address which is assigned to a company. They could watch and see how many people have a samsung tv over a tcl for example and then sell that data to marketing companies to try and sell you something. Thats one small example. There is a lot of data going through a network at any time. Sometimes you just dont know what you dont know.
Wonderful. Exactly answering some of the questions I had about some of my Chinesium security cameras. I really appreciate you going through this with live workflow. Keep up the good work.
Jesus! I just stumbled across this video and now I'm subscribed and know that I need to be much MORE more paranoid about stuff that I was previously just suspicious about.
3 หลายเดือนก่อน +1
Way over my knowledge but found it very interesting to look at. Have for long time been thinking of a way to check what an app like TikTok and other app that should not be trusted, and different hardware, to see if they can be trusted. Wonder if such devices like you cheap camera should be on it's own network isolated from home server and other stuff. Looking forward to watch your future videos that educate us all.
After all these years never knew or have seen all this techniques in action. Very excellent explanation and educational we need more of this stuff. Subscribed and liked thanks matt🎉🎉🎉🎉
IoT means "Internet of Trouble". Also, don't get too comfortable if YOUR cam doesn't generate suspicious traffic. It is just waiting for the right time. ;)
Looking at some of the details decoded by certmitm it looks like the cloud infrastructure may be setup for multiple manufacturers to use (the reference to OEM look interesting). What are the chances that the work that Matt is doing applies not only to the make/model of camera being analysed, but also other brands and models ?
im sure many companies are using these services. Think about the cost for them to pay for this infrastructure, these companies are pretty obviously selling some kind of data to pay for it. These cameras dont cost that much so they cant keep that kind of operation afloat for free
I like this video. I'm technical (software experience but not security background) and would love more high level summary and explanation of what all this means. E.g. what are the consequences for users, what does this enable the Chinese to do etc etc
Now I would like to see some kind of custom firmware that we can install to make it localhost RTSP stream with audio. That would be TOP TIER! Cause I also have these China cameras and would love to localize these.
Same shit with owning a VPS. I installed fail2ban and occasionally looked at the ban list, and it was just thousands of Chinese IPs trying to probe any open port.
Hello Matt! Your content is absolutely fascinating, I love your videos! A question, any chance you would once look at an easier project, such as the tiny LCD screens they sell for Pc performance monitor screens. They have an onboard chip and the HW usually can only be used with the provided software.
Now I have to reuse this tutorial in my lawnmower! I did not even try as I've seen it is ssl traffic, but I've never guessed the tls is not even verified! Thanks!
Hi Matt, Thank you for the great content! I have a question: when running a tool like certmitm, is it necessary to make any modifications to my router? How does the traffic get routed through the host? Thanks a lot!
A token was sent in clear text, havent watched the whole video but could be used to start a remote unauthorized stream with it, same was done with eufy cameras. The JPG is the thumbnail of the camera seen in the app. And when it comes to mobile applications not properly SSL pinning, this can be fairly easily circumvented with reverse engineering and the usage of software like frida, to override functions and or inject your own logic.
Seriously. With what you are giving me as information and other hints. I am enjoying testing all the wifi device I have. Be it sensibo heat pump controler to my thermostats. And door bell camera. Amazing stuff!!!
Ive learned so much from your videos. I have a basic soldering system setup but I cant do smd stuff let alone desoldering firmware chips. What would be the entry level equipment that you would recomend??
My background is Unix in general. Going back to the Solaris 3 days. I get the software side of things but I need advice about the hardware side to get to the software side. I can't afford the crazy expensive setups that we see on the channels. I need something that its OK to fail now and then. Thanks for any advice you can give. It'd be better then me just picking temu crap at random.
pfff... Social Score: -10 % for revealing the dataflow. :D But i love it. Ever since that guy found out his smart fridge was sending 4gigs of data to some random server - ive been kind of following the topic on what else is sending what data to who. Just because its encrypted it doesnt mean its completely legit. No eula or whatever notices prior so its lawfully sketchy. Not to mention security sketchy in terms of being a secure device. Now what this fact does, it can make simple smart devices marginaly more expensive as they will need to be built with security in mind. One could also compare it to a newer wi fi router vs cheap router in terms of security functions and protocols/standars... Theres a significant price difference bc of hw implemented, thats for start. Also, to have network devices almost completely idiot proof in terms of setup, that would cost like a uniti router. Add that to the cost of something like a security cam and or smart fridge, and you can see where im going with it. Also wont help the chip shortage in long term. Now good luck to the next producer of Smart toilets. Just make sure it doesnt leak - DATA. XD
So.. to make sure I'm understanding - The flaw that allowed you to successfully run the MITM is that the camera didn't validate that the certificate was signed by a trusted root, so it trusted the cert dynamically generated by the utility? If this is the case, but it didn't work, is it common to be able to inject a new trusted root into the filesystem of the device under test, or if it did the root validation, that would be pretty secure?
I could be wrong but I think in this particular case, the dynamically generated certs weren't even needed, as the app didn't even bother to validate the server cert.
@@effsixteenblock50 Oh.. I was figuring that "not validating" the cert meant it just didnt verify it was valid up to a trusted root installed on the camera, but if it really didn't even validate the name of the cert, that's a new level of carelessness on their part! I might have to get one of these things just to play with now!
@@SteveJones172pilotoften devices do nothing more than verify the common name/san matches an expected value. In those cases a self signed certificate with the same name as the intended site will suffice.
Any way you could do a video on the blink mini security camera? Im not at your skill level yet but i have a few of these cameras at home and would like to know how secure they are. Love your videos btw and look forward to seeing more content
Super instructive, and highly illustrative of the (in)security of many IoT devices. I just got into embedded and packet hacking at Def Con 32, and this is a fantastic continuation of what I learned there. Great to see these techniques employed in the wild, and you do a fantastic job of describing what's going on at each step.
Some of the request headers (nonce, signat[ru]e, key) suggest that they might be using HMAC to prevent tampering. And since they also misspelled "signature", who knows if it works. In that case, presumably there are some HMAC secret key on the device. One of those things that sometimes get slapped on to "mitigate" interception issues, even though it only addresses one part of that (tampering, but not inspection).
I had a cheap security camera to set up. It turned out that you could view it online on a Chinese site at the same time as it was being used by the owner, and that wasn't clear in the instructions. I can't remember exactly how I found the site. The camera was an 'Anran' pan and tilt wi-fi camera. It was one of those that you set up using qr codes on the mobile app, and let the camera see it (something else to experiment with!). Luckily you could use it camera to phone, without internet, as the person that owned it didn't have a router - all internet use was mobile Internet (I did say that it was probably best to disable the mobile internet when viewing the camera though.) Edit, just found a copy of the set up QR code, looks like part of a URL, and a 'P' parameter with a base 64 encodeed string that reads 'Anran123' - probably the default (maybe override too) password.
If a root cert expire. Those IoT devices stop working. Or when your server cert is too strong for the IoT device openssl version. Either way, there are many bad reasons why it wouldn't validate the server certificate 😅
![[TH] 2024 PMGC League | Survival Stage วันที่ 1 | PUBG MOBILE Global Championship](http://i.ytimg.com/vi/FVFT-PFwU80/mqdefault.jpg)
UPDATE: my camera account was pwned within 2 hours of the video going live. 😎Well done internetz
LOL
🤣🤣🤣🤣🤣🤣🤣🤣
well that was quick lol
Dum Spiro Spero my friend. Soli Deo Gloria indeed. Nice phrase btw!
2 hours? You guys are slackin. 🤣
Helped a friend set up a 6 camera system. He bought 4 reputable cams and two cheapies. We configured all cams to shut off any and all cloud services. All were set with static IP, gateway, NTP server, and NO dns. The four reputable ones generate zero unexpected traffic. The two cheapies? Constant flow of connection attempts to cn owned IPs, as well as dns requests to google DNS IPs (apparently hard coded). Nothing goes anywhere since they're on a segregated VLAN with no outside access... but the firewall packet counters are in the millions.
Probably spyware selling what you do and recording *that*
I did the same, for all my Reolink cameras
@@zyghom Do they stay quiet on the network? My Hikvisions do.
@@khx73 they don't stay quiet but firewall does not let any traffic from them outside my LAN ;-)
@@zyghom Dirty little things... haha
TLS encryption, in this case, is probably more about obscuring what this device is doing versus protecting the user's data.
What did you expect from chinese products? For younger people, watch the beginning of "Three body problem" and remember that unlike in Germany after WW2, this regime was never over thrown or made responsible for what it did and still is doing. This message will likely be removed after CCP propaganda machine launches multiple feedbacks to TH-cam demanding it and YTs algorithm removes the message.
What i'm interested in is when firmware detects that it has no internet connection (because I put it in a network jail), but that triggers routines in the device to escape the jail by automatically connecting to any nearby open WiFi without being told to. Or having firmware that can entering promiscuous mode to watch and analyze other devices for te purpose of masquerading as those devices after it sees it's silent for 30 minutes or so in order to find a way out of its jail.
I'm concerned with so-called security cameras that provide no actual data security, or worse actively try to evade attempts to make them secure. It's not a matter of whether your cloud data is secure, but when it becomes insecure and whether you will ever know that it has happened.
Cloud data means it's stored (potentially indefinitely) on someone else's computer and used for whatever purposes they want to use it for. And you have no recourse if they lied to you in the first place, or later abuse that trust whether it be willful or by neglect.
that's why I have to wrap the device in tinfoil, so the WIFI doesn't work
That’s technically possible. But in practice, I don’t think most companies producing these cheap cameras are doing that. Not only does it significantly increases the software R&D cost, they have little to gain from, since most people using it are not experts in security, and simply sending data from device to their server is enough to “monitor their customer” (if that’s their goal). I bet most of their target customers don’t know how to setup a Firewall on their router.
What you have described is more like an attack organized by state-backed hackers, who knows their device is likely to be placed in an airgapped environment or some sort. But let’s be honest, any high security facility won’t use WiFi security cameras at all. So a state backed hacker group will likely spend their time on something else that is more effective.
Have you identified any devices behaving this way?
There is always someone smarter hacking what appears to be secure. However if they’re at the top of the game they’re going after big fish.
@@tlxyxl8524 I disagree. These companies producing cheap cameras are licensing firmware provided by another company. If that other company is a state sponsored front for a surveillance agency, then the licensing cost and terms will be very cheap to the camera producer. Something similar happened with a US agency that 'sold' an advertising library to Kuran app developers in order for the US agency to dragnet track Muslims. This kind of thinking not only can happen it IS happening, and it logically must happen. Only a fully open-source software and hardware (including microcode, ASICs and SBC BSMs) or full reverse engineering can hope to find these things when they are imported devices because there is no legal recourse against a foreign government that engages in this activity. And political recourse against a country doing this to its neighbor is unlikely.
This is my favorite newly discovered TH-cam channel. I watch every video as soon as they drop. Keep it up Matt!
just like me
🙋🏻♀️
Same here! I get super excited when I see a video drop 😂
same 😂
How cute they think+ 5g (jj=. P😊
You are wonderful! A couple of months ago my work was throwing out old IP cams and I asked to have one because I was super interested in hooking it up and digging into everything that’s on it that the user doesn’t get to typically see. The camera is a Vstarcam. How lucky am I that an expert like yourself is doing exactly what I (an absolute amateur) was wanting to do on this brand of ip cam!
Thank you for letting us know. Having no certificate also means no certificate can expire. :-)
Root CA companies hate this trick!!!
They could use self-signed root CA without any expiry time.
For the typical end Luser, anc customer support people (if any), the potential for every device dying when the cloud server's certificate changes to one not in the chain of trust is a potentially significant issue. From the programmer's perspective... They possibly said to their manager, 'to do this properly we need to provide a way to update the trusted certs regularly' the account said oof, more infrastructure? and the CS people said 'what about users who had the device turned off for 2 years, and the manager replied, 'what if we just don't check the certs?' and went home with a bonus for saving the company money.....
"what if we just don't check the certs?" what if we check the certificates and the stupid users that forgot to use the product, forgot that they even had the product, so you sell them another one !
OCSP is what they need
To be honest, I would not be surprised if this was actually just as intended, by Chinese rules.
This is some really cool content. I would highly recommend a brief intro with some bullets on what you are going to attempt and then as part of the outro, provide a summary of what you discovered. It would really help tie everything together.
I like this suggestion too. I feel like he always addresses his thinking process as he goes, but a quick outline up front may be helpful.
I would highly recommend they keep doing their own thing how they want, when they want. I'm here to watch, not exert control over the Internet.
this is the content we need more of, keep it up matt this is legitimately great stuff
Point the camera at a Rick Astley video so that a hacker of your keys can see the success directly :D
Actually that's a really good and easy way to show proof of hack, point it at something only @mattbrwn knows, and they can jump on the discord with an image for proof. They can provide further proof afterwards....or not... 😂
that is an awesome idea
Remember the time when 4chan located indoor cameras and raided them. I'm not sure it's that great of an idea...
@@nezu_cc Cats out of the bag on that already if he's leaving it online for it to be hacked.
I’m not a hacker and have zero Linux knowledge but this stuff and how you present it is fascinating to me regardless. Thanks for taking the time to setup these demonstrations and so clearly explain what is a very deep understanding of these devices.
You are a natural teacher as well. I hope you many, many subscribers!
Subcribed! Not only highly educational video, but reveals why it makes strategically sense that AliExpress and similar are so dirty cheap. Could you make more videos exposing products bought from China?
Nice video! Btw, find supports filtering for names and even executing other commands on its results
find . -iname '*pam*' # same as the grep pipe
find . -exec file {} \; # same as your xargs pipe
Absolutely incredible channel. You keep the pacing super easy to follow and your topics are always interesting. Very educational and cool at the same time this is one of my favorite channels now ❤
This is one of the many reasons people need to be more aware of the risks of IOT devices. Especially when it comes to devices from other countries like China. Even thermostats, sensors, etc. It;s all sending data and to think and say things like "I don't care if China sees the temp in my house" is not seeing the bigger picture. As your video points out IoT devices are not very secure. I've even seen some people argue that they disable traffic to China. That "may" help but not all people have that skill and I guarantee you Chiuna has cloud based servers all over not just in China so you really don't know unless you have the skills to analyze traffic, look at all destinations and lookup who actually controls that endpoint and dig up what shell companies may be masking the true owner/country. Good video.
How temperature will benifit china?
@@supremeleader5516 that thermostat can run network scans, or whatever recon and send it back to china. Every network device has a mac address which is assigned to a company. They could watch and see how many people have a samsung tv over a tcl for example and then sell that data to marketing companies to try and sell you something. Thats one small example. There is a lot of data going through a network at any time.
Sometimes you just dont know what you dont know.
Until non-China stuff is tested you have no way of being certain the same, or more sophisticated, shananigans are going on.
Your videos are as good as sitting in sessions at DEF CON!
loving the idea of letting peeps from the web fish around on the device and connect with you and others on discord ❤
Wonderful. Exactly answering some of the questions I had about some of my Chinesium security cameras. I really appreciate you going through this with live workflow. Keep up the good work.
western cloud cameras are not very different.
@@turtlefrog369 You're right. Really doesn't matter the country of source.
Jesus! I just stumbled across this video and now I'm subscribed and know that I need to be much MORE more paranoid about stuff that I was previously just suspicious about.
Way over my knowledge but found it very interesting to look at. Have for long time been thinking of a way to check what an app like TikTok and other app that should not be trusted, and different hardware, to see if they can be trusted. Wonder if such devices like you cheap camera should be on it's own network isolated from home server and other stuff.
Looking forward to watch your future videos that educate us all.
It seems, most of the current spies out of China are using 0s and 1s. Good stuff, Matt!
After all these years never knew or have seen all this techniques in action. Very excellent explanation and educational we need more of this stuff. Subscribed and liked thanks matt🎉🎉🎉🎉
Good video, I can feel you raw passion and excitement about what you're doing coming through. I'll have to check out some of your others.
IoT means "Internet of Trouble".
Also, don't get too comfortable if YOUR cam doesn't generate suspicious traffic. It is just waiting for the right time. ;)
Yooooooo, You just got a new sub. Lovely vid. Love the work! ❤
That was an awesome run-down and explanation Matt, subscribed!
Awesome stuff mate. I am learning so much, and gives some scale as to how much I have to learn still. Keep it up!
Just discoverd your channel. This is sweet stuff. Great job
Great video. You did a great job explaining all the steps you did.
Your content is awesome man,thanks for making it!
This is great content. Have you tried this on any major brand name cameras like Blink or Ring?
Looking at some of the details decoded by certmitm it looks like the cloud infrastructure may be setup for multiple manufacturers to use (the reference to OEM look interesting). What are the chances that the work that Matt is doing applies not only to the make/model of camera being analysed, but also other brands and models ?
Wow I didn't catch this! I bet you are right and that there are a bunch of whitelabel brands out there.
im sure many companies are using these services. Think about the cost for them to pay for this infrastructure, these companies are pretty obviously selling some kind of data to pay for it. These cameras dont cost that much so they cant keep that kind of operation afloat for free
How have I never found your channel before? subscribed! This should be a DEFCON talk.
Nice work Matt
Would be cool if you could get that binary to run on your Linux machine and view the video feed without using the app
Great morning watch from Sweden, appreciate the video, Matt!
Very cool. I look forward to part2.
Great content, definitely subscribing!!
What awesome content again thanks matt❤❤
I like this video. I'm technical (software experience but not security background) and would love more high level summary and explanation of what all this means. E.g. what are the consequences for users, what does this enable the Chinese to do etc etc
Great content, Matt. You earned a new subscriber.
Such an awesome video! Thanks!
Yoooo my man usin polybar and i3wm, lets go
Now I would like to see some kind of custom firmware that we can install to make it localhost RTSP stream with audio. That would be TOP TIER! Cause I also have these China cameras and would love to localize these.
finally some channel for me :) high quality content!
respect bro, keep up the great work!
Thanks!! Great video, ionly interesting stuff, no bullshit stories.
So thankful to have found you!! Woot Woot!!
very nIce, good man
Same shit with owning a VPS. I installed fail2ban and occasionally looked at the ban list, and it was just thousands of Chinese IPs trying to probe any open port.
@@andrewlalis Did this with my firewall as well.. ru and cn hits in the hundreds of thousands
Thanks for posting. Super interesting 🙂
fascinating Matt, brilliant
I hit the like button 10 seconds into the video as I know I am in for a treat! Great work!
Hello Matt!
Your content is absolutely fascinating, I love your videos!
A question, any chance you would once look at an easier project, such as the tiny LCD screens they sell for Pc performance monitor screens. They have an onboard chip and the HW usually can only be used with the provided software.
Now I have to reuse this tutorial in my lawnmower! I did not even try as I've seen it is ssl traffic, but I've never guessed the tls is not even verified! Thanks!
Hi Matt,
Thank you for the great content! I have a question: when running a tool like certmitm, is it necessary to make any modifications to my router? How does the traffic get routed through the host?
Thanks a lot!
A lot of wow but nothing out of the ordinary here
Awesome matt!! subscribed!
Nice video's Matt, subbed! 👍
Great vid! Stay awsome, Jim.
What is the most dangerous threat? A kind of obfuscated but auditable connection or a perfectly secure connection directly to an malicious service?
Great video Mr Matt. So it's probably not good to buy a CAM from Temu? 😮
Love these videos! Keep it up!
Decrypting SSL!? Can’t wait for this one! Keep it up dude. Really enjoying the videos.
@mattbrwn Just discovered the channel. Great stuff. Subbed. What make and model is your work bench and where did you get it from? Looking to get one.
benchpro. got it from bench depot. modular design so idk exactly what model but you can design it the way you want on the site
THANKS This is eye opening. Is there a clearing house for IOT devices that do not have these type of issues? Wired and Wireless?
A token was sent in clear text, havent watched the whole video but could be used to start a remote unauthorized stream with it, same was done with eufy cameras. The JPG is the thumbnail of the camera seen in the app. And when it comes to mobile applications not properly SSL pinning, this can be fairly easily circumvented with reverse engineering and the usage of software like frida, to override functions and or inject your own logic.
Great video
This channel should go viral, love it.
I, an extremely biased source, agree 😁
Great video, would love to see what they send after getting the auth.
I have mad mad respect for this guy.
Dudes gonna topple the CCP through a temu security camera lmao
Nice Hacking Video, keep it up brother !!
your polybar looks so much similar to my previous style
Now I can say Jason Bourne is teaching me hacking
Seriously. With what you are giving me as information and other hints. I am enjoying testing all the wifi device I have. Be it sensibo heat pump controler to my thermostats. And door bell camera. Amazing stuff!!!
Ive learned so much from your videos. I have a basic soldering system setup but I cant do smd stuff let alone desoldering firmware chips. What would be the entry level equipment that you would recomend??
My background is Unix in general. Going back to the Solaris 3 days. I get the software side of things but I need advice about the hardware side to get to the software side. I can't afford the crazy expensive setups that we see on the channels. I need something that its OK to fail now and then. Thanks for any advice you can give. It'd be better then me just picking temu crap at random.
And this is why I don't have any IoT stuff in my house unless I've coded it myself.
Another Amazing Video Matt! Are you going to DC 32 this year?
I’d love a video on eufy cameras!
I am fascinated by type of thing and really enjoy your videos.
I like your videos. Would you try to check the firmware from a Reolink IP-camera? Really big brand is growing up. :)
Love the homelab.
Nice series! and the adres eye 4 China.............. 🤫
Yeah, true, now that you spell it out. Didn’t see it in the first place.
The Wireshark capture was on a specific port on your desktop or a port on your router/modem? It''s the mitmrouter?
pfff... Social Score: -10 % for revealing the dataflow. :D
But i love it. Ever since that guy found out his smart fridge was sending 4gigs of data to some random server - ive been kind of following the topic on what else is sending what data to who. Just because its encrypted it doesnt mean its completely legit. No eula or whatever notices prior so its lawfully sketchy. Not to mention security sketchy in terms of being a secure device. Now what this fact does, it can make simple smart devices marginaly more expensive as they will need to be built with security in mind. One could also compare it to a newer wi fi router vs cheap router in terms of security functions and protocols/standars... Theres a significant price difference bc of hw implemented, thats for start. Also, to have network devices almost completely idiot proof in terms of setup, that would cost like a uniti router. Add that to the cost of something like a security cam and or smart fridge, and you can see where im going with it. Also wont help the chip shortage in long term. Now good luck to the next producer of Smart toilets. Just make sure it doesnt leak - DATA. XD
So.. to make sure I'm understanding - The flaw that allowed you to successfully run the MITM is that the camera didn't validate that the certificate was signed by a trusted root, so it trusted the cert dynamically generated by the utility? If this is the case, but it didn't work, is it common to be able to inject a new trusted root into the filesystem of the device under test, or if it did the root validation, that would be pretty secure?
I could be wrong but I think in this particular case, the dynamically generated certs weren't even needed, as the app didn't even bother to validate the server cert.
@@effsixteenblock50 Oh.. I was figuring that "not validating" the cert meant it just didnt verify it was valid up to a trusted root installed on the camera, but if it really didn't even validate the name of the cert, that's a new level of carelessness on their part! I might have to get one of these things just to play with now!
@@SteveJones172pilotoften devices do nothing more than verify the common name/san matches an expected value. In those cases a self signed certificate with the same name as the intended site will suffice.
Any way you could do a video on the blink mini security camera? Im not at your skill level yet but i have a few of these cameras at home and would like to know how secure they are. Love your videos btw and look forward to seeing more content
I dont know how i ended up here, but im here to stay.
Great vid!
Nice work.
Super instructive, and highly illustrative of the (in)security of many IoT devices. I just got into embedded and packet hacking at Def Con 32, and this is a fantastic continuation of what I learned there. Great to see these techniques employed in the wild, and you do a fantastic job of describing what's going on at each step.
I love this channel
Some of the request headers (nonce, signat[ru]e, key) suggest that they might be using HMAC to prevent tampering. And since they also misspelled "signature", who knows if it works. In that case, presumably there are some HMAC secret key on the device. One of those things that sometimes get slapped on to "mitigate" interception issues, even though it only addresses one part of that (tampering, but not inspection).
I had a cheap security camera to set up. It turned out that you could view it online on a Chinese site at the same time as it was being used by the owner, and that wasn't clear in the instructions. I can't remember exactly how I found the site. The camera was an 'Anran' pan and tilt wi-fi camera. It was one of those that you set up using qr codes on the mobile app, and let the camera see it (something else to experiment with!). Luckily you could use it camera to phone, without internet, as the person that owned it didn't have a router - all internet use was mobile Internet (I did say that it was probably best to disable the mobile internet when viewing the camera though.)
Edit, just found a copy of the set up QR code, looks like part of a URL, and a 'P' parameter with a base 64 encodeed string that reads 'Anran123' - probably the default (maybe override too) password.
You are a clever person. How did you learn your skills?
If your video archive on that Chinese Server isn't just full of Rick Astleys Never Gonna Give You Up, you're missing a trick :P
If a root cert expire. Those IoT devices stop working. Or when your server cert is too strong for the IoT device openssl version. Either way, there are many bad reasons why it wouldn't validate the server certificate 😅