This is how a $30 D-Link webcam can be converted into a backdoor
Researchers at US security firm Vectra Networks have hacked a ‘tiny’ D-Link web camera and demonstrated how it can be abused by cybercriminals and turned into a medium to steal data or for sending additional commands. In other words, they have shown how the web camera can be turned into a persistent backdoor into corporate networks.
Recently, the Vectra Networks researchers carried out an experiment in which they transformed a D-Link DCS 930L webcam into a backdoor device.
“Consumer-grade IoT products can be easily manipulated by an attacker, used to steal an organization’s private information, and go undetected by traditional security solutions,” said Gunter Ollmann, CSO of Vectra Networks. “While many of these devices are low-value in terms of hard costs, they can affect the security and integrity of the network, and teams need to keep an eye on them to reveal any signs of malicious behavior.”
Turning an IoT device into a backdoor basically gives hackers 24×7 access to an organization’s network without needing to infect a laptop, workstation or server, all of which are usually under high scrutiny by firewalls, intrusion prevention systems and malware sandboxes, and typically run antivirus software that is updated regularly.
“Most organizations don’t necessarily think of these devices as miniature computers, but essentially they are in that they can still give attackers access to sensitive company information, particularly because they are connected to the corporate network,” said Ollmann. “Unlike the computers people regularly interact with, these devices do not have the processing power or memory to run antivirus or other security software. Since they don’t have usable persistent storage, attackers use NVRAM to store the configuration and flash ROM to store the malicious code.”
In an effort to demonstrate viability of that threat vector, the Vectra Threat Labs team purchased a D-Link webcam for $30, cracked open the case, and used flashrom to dump the content. This process revealed a u-boot and a Linux kernel and image.
The webcam was working as usual while hiding the hack. Vectra also installed code to stop network administrators making any firmware updates that would remove the backdoor.
“The irony in this particular scenario is that Wi-Fi cameras are typically deployed to enhance an organization’s physical security, yet they can easily become a network security vulnerability by allowing attackers to enter and steal information without detection,” said Ollmann.
While the research was conducted using a D-Link device, Ollmann said other Web-based cameras possess similar design vulnerabilities.
“The design of many mass-produced consumer-level electronics is very similar. Devices that can be easily attached to the network and remotely controlled or managed via the Internet tend to be soft targets,” he said. “The design of circuit boards, chipsets and the requirement for software updates combined into a simple and environmentally reliable package limits design options. It doesn’t help that many of the popular ‘small footprint’ operating systems popularly used for mass-produced network devices are poorly secured themselves.”
The biggest downside for attackers is the lack of persistent storage in devices like webcams, wrote the researchers. “Instead, they use NVRAM to store configuration and the flash ROM to store the running code. So the attacker’s hope for real persistence rests on being able to control what will be in the flash ROM,” they wrote.
Despite this challenge, hacks on devices like webcams will probably be more widespread than attacks on devices such as networked refrigerators or automobiles, said Ollmann. While scary, the latter kind of attack is largely “stunt hacking,” he said.
In contrast, he said, “From a criminal hacker’s perspective, the prospect of subverting cheap and ubiquitous IoT technologies such as webcams – which are widely deployed in both residential and commercial capacities – is a highly desirable target. More to the point, devices that can be hijacked and serve as backdoors, yet be popular second-hand items or items that can be easily concealed and physically deployed or swapped with an existing installation, are vital tools in organized crime and espionage. ”
While an extensive range of security products can be used to protect desktop computers, laptops and smartphones, such technologies are not yet available to protect the increasing number of other devices now being added to networks, Ollmann said. “The whole realm of IoT security is in its infancy and, as a consequence, currently exposed to a rapidly expanding number of threats that cannot yet be efficiently mitigated.”
In early December last year, Vectra’s researchers had disclosed the vulnerability to D-Link. However, the researchers noted in their blog post that as of last week, the company has not yet addressed the issue.