The speakers should always repeat the questions asked.

Makes D-Link joke. *laughs* *nervously realize I also have D-Link products*

This is better than comedy.

Some of these are so blatant, you have to wonder if they're on purpose. Oops, the one script we forgot to password-protect happens to have a trivial root command injection exploit...

is that podium comically large or is he comically small

Six years later, and this shit is still happening... CVE-2019-15498

Every single time that I worry that technology is moving too fast for us security types, there's a million dollar company to prove me wrong. Every, single, goddamn time. I love it.

He failed to guard his corona now there’s an outbreak.

I barely know how to script, but I actually understood a good amount of that. This guy is great :D

Simplicity is key: Want to be safe? Just get a camera physically connected to a hard drive. Almost 10x cheaper and definitely more secure.

Very good presentation. The presenter is also very good with public speaking, and knew this subject very well. Also was experienced with good audience eye contact, and body language. As a former instructor/trainer myself, public speaking is not for everyone. Interesting subject, I didn't understand a lot about the coding and software values, but nonetheless it was fun/scarey to listen to what can be done. Job well done.

This is why I drop all traffic to and from my IP cameras at my edge firewall. If I want to view them remotely I will VPN into my network. It's old school but I don't trust any hardware running embedded Linux on my network. To many companies have no idea what they are doing code wise and these cameras are essentially computers to be abused.

Get this man a glass of water.

For anybody wondering whether or not the byte code is x86, it is ARM. (now things make sense lol)

Every camera manufacturer ceo face rn: PIKACHU FACE

This guy hacks into security cameras for fun. It looks simple, but it took some brain power to figure out. Although some of these exploits are patched by now, hardly anybody updates their firmware, and someone could conceivably download new firmware and find more of these exploits in a debugger, without even having to buy the camera.

Thanks for the post. I love watching Craig's stuff. Very well explained and makes me actually want to look through firmware

Moral of the story: don't put your surveillance system on the Internet. And if that is impossible for you, put it behind a firewall that has been beefed up to eliminate such exploits (I'm not sure this is even realistically possible, but I'm just suggesting a possible way to deal with insecure devices of which we have no shortage).

13:28 Well, they use "high security" as one of their marketing points. Additionally, their main business focus is networking infrastructure hardware. So this networked camera insecurity fiasco is pretty relevant and pretty embarrassing for them even when "they are not a camera company".

I. AM. ROOT

Even though this was miles above my nerd level, it was still interesting to watch.

Isn't this the same guy that developed Reaver, the tool built into Kali Linux/Parrot Sec used for recovering WPS PIN Registrars?

Excellent talk! Thanks for uploading

Actually rofling at the "Ron Burgundy" exploit.

This is great! Scary but great. Ive read about several companies doing half assed jobs doing these kinds of things. This man just showed how easy it is (for the people with the technical skill).

Well a good nmap scan is pretty valuable too.

I love the Bob Evans product placement of the podium

I used to work for a CCTV software company and the vast majority of cameras had default passwords still in use (I still have a list, and a map of all the camera clones) We always stood be the "we don't have a default/backdoor password" when people called us after getting locked out.

This was fun. Also funny was when he said 0day and I realized that the video was uploaded years ago haha

Excellent demonstration 👌 Anything nice for 'hikvision' lately?

Great talk. Impressive that products not designed to receive updates are shipped in this conditions. We need better ethic in the industry.

It's almost 2020 and these days I see automated scans on my router from all kinds of national IP's that scan automatically on every port available and try default FTP passwords etc, with access denied errors hence how i found out about this. This video is great security motivation for anybody, especially with the new generation of minecraft kids setting their routers DMZ to their local PC so their servers run easily consistent, but also opening a whole world of AI scanners that will get into much worse once they've found local admin / root.

He makes that tisking sound a lot.

I am new to the cyber world and I have to say this video is amazing. What great presentation and knowledge. Thank you.

I'd love to see a walkthrough of how he ran his Qemu. I wonder if he's just emulating the programs individually or if he's booting the full system with a kernel in a VM. I'd assume it's the former, but would love to see it regardless.

Huh, this reuse of code across several brands of networked cameras reminds me of keyed-alike locks as described by "Deviant" Ollam! So even though this code isn't exactly keys (public, private, SHA, hash, etc.), it seems similar.

only issue is that if it had low video quality , when pausing or freezing the image, you will notice that from the user side that there are no artifacts, meaning that the user could detect that the image has been paused, such things which would add noise to a basic low video quality camera are nearby computers, other machines, maybe cleaning machines, or noise from the outside...

Why in the world would someone possibly do Javascript Authentication? They write firmware for camera's but they don't know how to write PHP?

This has inspired a lot of fun thank you.

With how much money these companies make, why do they not invest in the security of their products? It's sad to think people are able to tap into schools, hospitals, financial institutions, government agencies, etc and see anything that want; not to mention having access to the local network. Maybe instead of being so tight with their money, they should hire people such as the speaker to find vulnerabilities for them. I know there are companies that do such work, but there are more skilled individuals than what any company has. Put a bounty out for vulnerabilities... Awesome presentation.

i really didn't understand a word, but somehow I still found it to be quite interesting to hearing him explain all this fancy stuff. I am highly confused yet entertained

26:26 In this case I believe the answer to "who is vulnerable" is "everyone"?

What's that B64 non-standard key string encryption he's talking about? I have no clue what this is nor was I able to google it successfully.

It's 2019 and my friend told me that there are still cameras out there with version 1.4.13 that can be easily searched for and yet none of these exploits work. Strange...he said.

XD 3SVISION hasn't patched that yet

Funny, I always thought it was "0-day (zero-day)" instead of "O-day (oh-day)".

Playing Watch_Dogs and seeing this afterwards is really mindblowing...

Would've been swell if he swigged the beer instead of the water at the end of that haha.

thanks man, great presentation

What a stupidily large podium, really the adverse of what a podium is for🤦

10:40 I think the crowd didn't get the war games picture. lol

Absolutley wonderful video

Any updates to this talk? Have you looked at Ubiquiti's cameras?

I hope to know as much as this guy does one day.

Pretty cool stuff but since one having implemented/instaled surveliance Cams, one should also install or supervise the sensors of the objects e.g. the motor of the elevator or some kind of nearfield/capacity sensor or temperature sensor to verify the picture at the scene with some eventually intruding or invading. Therefor I would recommend to install a nearing sensor at the cam to at least use the beam-coil to redundant survaile the cam's direction. But perhaps hacking this would be working the same way as showen. But this solution is cheaper than installing a IR-interface in a second Cam cause just using a filter wound't exploit IR-RAW-Data and I guess these data are much harder to fake if you haven't hacked the Cam before. In my opinion a picture must also have a different check-in sum than a live-stream but I don't know. If the check-sum would differ from the stream-sum a attack is eventually going on and you could deploit some allerd. But since got the firmware you can also read-out the expected sum and my deliver the expected data to the handler. But this is not my field of expertise therefore I am just guessing. And you all know "Invaders Must Die" :-D don't consider this to be to serious

really good demo; Thanks,

cracking the old way, I wonder about the creators of an IP cameras, what did they wanted to get at the end of a result, the next conference of a Black noob 2013 ? ^^

"This Camera has a list price of *CONTACT US* Which is how i KNOW i can't afford it" LOL THAT SHIT HIT HOME *HARD!*

It’s been 6 years... are these patched yet?

I realize he's 1000x as brilliant as I am, so is it wrong it bugs me when he says "oh-day" instead of zero day?

Legend

What beats me is the admins throwing their security cameras out in the wild right on the internet. It's common and best practice to firewall them and hide them behind a secure VPN. Also VPN software gets patched and evaluated for vulnerabilities more than embedded firmware does. But these guys are like "nope, just throw that shit right on the open internet."

That was the scariest thing I've ever seen.

you tried any Bosch cameras? in my country they are the most expensive cameras sold and they sell a tone of them.

I bet police and security officials are all over this convention

I was listening, not watching. After the exploit, I heard him take a drink. I was disappointed he wasn't swigging the beer that was being guarded. Phrase of the video: "Epicly trivial" Hoping the state of the art has improved in the last decade.

would anyone be so kind as to explain the grep command in terms of the command injection during 16:00 when he's talking about the IQinvision cameras? i think i understand the actual command injection appended to the end of the string entered into the URL (apart from the addition of "$IFS"), but how does the next command, "grep -i ...." come into play after that? it seems /oidtable.cgi and /oidtable.html give the same results in terms of the info they pull and list. thanks for any leads.

Those cameras are all on the WAN and behind the WAP and firewall. If you’re already on the network you can just use Wireshark to watch existing feeds.

omg just imagine these people want to see those people in the private chat room...lols

"oh-day", "daymen"

The podium looks like Bob Evans

And let me guess: the panel that covers the SD card slot on those cameras that have them is held in place by a lock that has "CH-751" or "C0106" stamped on it! Right?

Thank you for your admin password, Dlink Camera!

I found this fascinating, but have absolutely zero experience in coding or scripting or whatever, and am a total newb when it comes to computer use in general. It seems like I need to learn a new language to do this, and I've always wanted to be bilingual.... If I wanted to be able to understand more to do things like this myself, where do I start? What resources do I use? are there specific training courses I can sign up to to learn this stuff? How long would it take to go from knowing nothing, to understanding how to do something like this?

Excellent explanaiton

$get password..... >ok why not

*chilling on my hardcoded access codes

18:47 how do i view the source code of a password field such as that one thats using java script, or anything else like php or whatever. Is it as easy as using inspect element in a web browser?

Are there parts in the video that you don’t understand ?

It was pretty intresting and informative

System? I KNOW WHERE THIS IS GOING!

this guy isclever.someone needs to hire himto build a super camera ad software

What makes me happy is when someone laughs at his jokes that normal people wouldn't understand. We smart!

I have one question, all the admin pages IP adresses was accessed through google search i think right? How i can find out what IP adress is on one specific camera for example? Imagine this: I have camera on my house, i can see exact model of camera, how i can determine IP. Just interested how can be this done, in movies they know IP of everything imediately somehow :D

I never laughed this much in any comedy show. Xd

he is a real genius

That was excellent!

Anybody know stuff about how to view firmware code like the lines he showed in the presentation? Can't find anything new on the internet

He knew about corona ahead of time

My goal - get on this guy's level.

i laugh whenever they laugh but i don't understand any of this.

Dude you are the man. I am still new to "security world". I really want to become a solid Penetration Tester. What would your recommendations be?

Isn't it called zero-day? Not oh-day.

While watching this video, my computer's RAM was very suddenly overloaded (98%), basically everything crashed. I didn't see what it was because on Task manager I was looking for a program to close (while usually it is sorted by RAM or CPU usage). I am getting concerned...

*So there is one big problem: Even if you can break through all these pseudo-walls and stuff, HOW THE HECK CAN YOU FIND OUT THE IP ADDRESS OF THE CAMERA?*

So am i understanding this correctly? If the networkcamera is connected to a webserver or clouddrive and is therefore showing up when someone is scanning the internet it is exploitable the ways Craig Heffner explains? Are those things not connected to a router in most cases?

Congrat's !!..Great show...Thank you!!! Greetings from Macedonia!!!

Jokes to future hackers, I now have an obscure east-european router. Even I don't know how it's performing, but it's the sturdiest rock I ever owned.

How I can tell you read my notes

What is impressive is his knowledge of the exploits