All right, welcome back, everybody. We have another great speaker for you today. We have Paul Marrapese, who's here to tell us a little bit more about his presentation, "Abusing P2P to Hack 3 Million Cameras: Ain't Nobody Got Time for That." How's it going, Paul?

Very good. Very good to be here, guys.

All right. Welcome to this Q&A. I'm looking forward to asking you some questions, and hopefully we'll get a whole bunch of questions from people on the Track One live Q&A stream in Discord. But how about you just give us a little overview of yourself, who you are, and maybe a little bit about your presentation? What made you think of it? Anything so that people can get a good idea about what your presentation was about.

Yeah, sure. My name is Paul Marrapese. I am based out of San Jose, California. So my talk was, basically, I got some IP cameras, and it's pretty much assumed that these things are insecure, I think, when people pick these up. But I just kind of wanted to see how far I could take it, and I basically ended up finding a way to access literally millions of cameras. I mean, I figured it would be bad. I figured, you know, maybe someone could target a couple, or maybe the crypto wasn't so good. But yeah, you could take it to the extreme of extremes and start jacking these things left and right.

Awesome. So I think we also have something else to do with you first. But let me see if Sega has any ideas about what we might want to do with you.

Well, it just so happens that Paul here is a first-time speaker, and every time we join someone to the whole speaker crowd at DEF CON, we commiserate the... not commiserate. Celebrate. So English is a second language. So we will commemorate the event with a shot. I'd love to ship a bottle off to you, but unfortunately we'd better rely on your own stock, so you can join me in a quick drink. We'll christen this talk for you. So yeah, cheers.

Yes, gentlemen.

Awesome stuff.
All right. So now, look at that, underway. That's a pretty big shot you got there. So yeah, let's see, questions that we have coming in. Do you see any coming through on the Discord chat already there?

Yeah, it might be kind of a... we have one. We have one.

Thanks. Thanks for your research. Are any of the exploitable elements you discussed, such as the direct connection with UIDs or traffic analysis, or the supernode, required for the P2P environment to operate effectively from a user point of view? Or are there alternative architectures which camera operators could utilize, such as third-party access controls and content encryption? Basically, how could, or how ought, a P2P environment be designed to be both convenient and secure?

Right. In terms of the super device ones, I would say that's not necessary to the whole thing. That's pretty much entirely to kind of help the network. Vendors will actually put up a bunch of their own relay servers, and honestly, not that that's any better, because they have access to that traffic. So that's not necessary; it just kind of helps when people need connections, I guess. I don't think the peer-to-peer aspect is inherently bad. It just comes down to, you know, making sure that the traffic is protected, making sure that there's identity verification going on so you know who you're actually talking to. I think those things could help a lot. And of course, the fact you can predict or otherwise obtain UIDs is a huge problem, so you might want a way to protect those a little bit more, or have the ability to change them. I mean, personally, I don't think I would want a device doing this. It kind of depends on people's risk tolerance. But there are certainly a lot of ways that they could have made this, you know, a little bit less gross.

Awesome. Yeah, in your presentation you even did a really quick demo at the end where you captured some binary and put that through the video feed, and you got to see some chickens. So that was kind of interesting. Through your research, did you ever, let's say, see anything interesting when you were checking out what was coming through? Or did you not really look at the video streams all that much?

Yeah, I've had a few interesting things. I mean, obviously, as part of the research, sometimes you have to go and try to connect to something and see how far you can get. I certainly avoided, like, you know, more personal, in-home stuff, because I mean, I'm not trying to spy on people. Some of the more, I guess, guilt-free ones, you can say, are like, you know, someone might have one on a landscape or a more public area, which feels, you know, a little bit less creepy. One thing that does come to mind: I had a guy reach out to me a couple weeks ago, and he mailed me and said, "Hey, you know, I found your research, and what happened was my camera got stolen." And he was continuing to watch the camera with the app on his phone, and he said all of a sudden this thing came back online. "So is there any way that you could, like, you know, steal the password or find the IP address or anything like that?" I said, "Yeah, you know, give me the UID and I'll see what I can do." And not two hours later, you know, I start up the man-in-the-middle attack, and not two hours later the thing connects to me and drops the password and the IP address, of course. So, you know, I guess if you're a thief, stealing a peer-to-peer camera is a major OPSEC fail for sure. It's going to seriously leak exactly where you are.
So I mean, I sent that back to him, and I don't know what's happened with that. But you know, it felt pretty cool to be able to use an exploit like that to actually help someone. Like, you know, "Hey, you lost your camera, but here's the password if you want to take a look and see what's going on in there."

Yeah, that was pretty interesting, how you were showing that you can use some of Google's geolocation to find out where the camera is, and I'm guessing that's similar to what you did for your friend there. Just how close were you able to figure out? Is it like within a few meters of where the camera actually is with the geolocation?

Yeah, oh man. So I suspect the way that works is, obviously, Google drives around for Street View, and I imagine that as they're doing that, they are collecting every single base station ID that they see. So depending on what they're seeing, obviously they're storing the exact location that they're at when they do that. Depending on the MAC addresses that you give that API, and I think there's a whole bunch of other parameters to kind of fine-tune that, so depending on what you give it, they can figure out, like, exactly where they were when they picked it up. I've put in some of my own MAC addresses, and I've been very unhappy with what I've seen, in that it's pretty dead on. And I imagine in all cases it might not be that accurate. It's probably going to depend on the density of the Wi-Fi networks around you, because of course that's going to give them more ways to improve the accuracy. But yeah, oh man, they store a lot of data on that, and as I said, it is dirt cheap to make those requests. Like, it's a couple cents per call or something like that. So anyone can start doing that.
Yeah, that's all crazy. Yeah, it looks like Spherical Kitten has a question for you. The whole firewall hole punching stuff seems to be primarily an IPv4-related technique. Does any of this peer-to-peer stuff work on an IPv6-only network?

Oh, that's a good question. I am honestly not sure. I have only done UDP hole punching stuff with IPv4 scenarios. I admittedly haven't tried it in IPv6. Admittedly, I don't know too much about IPv6 just yet. And of course, I mean, these devices are so primitive, I've yet to come across one that actually uses it. So I'm not sure. That's a really good question. I'm sorry I can't answer.

Yeah, one of the common questions that we have been asking speakers is: what types of research could somebody else build on top of yours, or where could somebody go further with the research that you've done? And maybe checking out the IPv6 could be something that somebody else could take a look into as well.

Yeah, that would be really cool. Another one that some guy actually already reached out to me about, saying he wanted to look into it: I did mention ThroughTek, a platform which is probably the biggest peer-to-peer vendor that I know. I'd love for people to start poking at that and see if they have any similar problems, or who knows, I mean, maybe they're in better shape. But we don't know until we poke. So yeah.

Sega, do we have anything else coming in from the Discord channel for Paul?

Yeah, so we have a question. Can you explain how a device can connect to a supernode without knowing the UID?
Yeah. So when a device needs to make a connection, it'll ask the P2P servers to do a relay request, like if it can't do a peer-to-peer connection. It'll send a request to basically pull down a list of relays. That will return an array of IPs and ports, and then it'll try to connect to each one of those, and eventually it'll find one. One of those may be a supernode. So when someone's trying to connect to a device, that's how that works. I hope that answers your question.

Yeah, and Super Quick Hit followed up with a second question and said: I understand why this super device proxying would be "useful" (insert huge air quotes here) for finding a route out of your own internal network, but why would anyone want or need to proxy traffic via Joe Random's camera on the internet? What use case would such a method enable?

I think it is just basically taking the load off of the vendor servers. If they have, you know, a million devices and there's only like two or three relay servers, then those are going to have a lot of heavy lifting, and of course those are going to have limited bandwidth, limited everything, really. So it's kind of just, again, to add more relays to the vendor's network to provide the support for more people to make connections if necessary. The vendors could also just buy more relay servers. With this architecture, there's really not a limit to the number of relays that a vendor could put in their network. But it is more cost-effective for them to offload that on the users. So really, that's the biggest reason: it saves vendors money. And again, it's actually not an uncommon thing in peer-to-peer architecture.
Supernodes are pretty much everywhere. Skype used to do this too. And it just, you know, kind of helps with the redundancy of the network, I suppose.

Yeah, I think you said in the presentation that even with Skype you could opt out of it.

Yeah, but with these devices, I mean, I have never seen something disclaiming that it does this. So you would have to notice, like, "Man, this thing is throwing off a lot of traffic and connecting to the other side of the world, but I'm not using it, for some reason."

Yeah. So Chappy asks: you explored cameras primarily in your research. Did you try other IoT device types, or what other types of devices use this peer-to-peer technique?

Yes. So I mean, I've mentioned smart doorbells and baby monitors, but those are really cameras under the hood, just kind of rebranded. But in terms of real other use cases, I've also seen these peer-to-peer libraries implemented in NATs... not NATs, sorry. God. NASes. So yeah, network storage devices. So I guess if people have a NAS in their home and they want to connect to it, this will give them the ability to do that. Which is horrifying, because that's just screaming for, you know, huge data theft. But one thing that I discovered actually pretty late in the game here was alarm systems. And there is actually a specific company that I think loads this into all of their alarms, and the traffic going to these things is entirely in clear text. So you can do, you know, the super device attack, and you can sit and you can see these streams of configuration data for alarm systems. And, you know, that's insane.

Yeah, that sounds like a whole other topic of research right there as well.

Yeah, yeah. So, you know, if anyone wants to dig into that, I mean, feel free to. I don't want to elaborate on it right here, but feel free to hit me up, and I may be able to give people some more insight into that.

Yeah, maybe if somebody talks to you, you can say, "Well, the company name rhymes with..." Sega, are you seeing any good questions coming in on the channel?

Yes, I have a question about... do you have an estimate of how much traffic was being routed through those relayed devices, rather than supernodes?

I don't have an actual figure. I will say, at least with CS2, I do know that to some degree it tries to keep track of how often it's running, and I think after it's done a session it might shut off for a little while. But I don't think that there's actually a limit per se, because I'm pretty sure, you know, if you connect to it and you just want to stay connected for all day or whatever, I don't see a reason why it would drop you. So that is theoretically unlimited. When I've let packet captures run before, I mean, even just in the matter of a couple hours, I've definitely seen like a couple hundred megs go through, easily. So yeah, it can get up there pretty quickly because it's video data, you know. And even when the video isn't flowing, there's still constant, kind of like heartbeat messages going back and forth. It's constantly generating traffic in the meantime. But when the video starts going through, of course, that's going to be, you know, a little bit more heavy.

This seems like a fun one for you, and maybe you'll be able to expound on it a little bit. Is the full video feed going back to the vendor?

Yes. I mean, honestly, so here's the thing with peer-to-peer. When UDP hole punching happens,
I mean, that's a direct connection between you and the device, so in that case, not necessarily. But if you're doing a relayed connection, so even if you're not using a super device, which is, you know, some random person's camera, if you're using one of the vendor's relay servers, I mean, they at that point have access to everything going through that. So if they're not using encryption, or if they're using encryption, often they know the key, so they could very easily, you know, pick up every single thing going through that relay and watch it or store it or really do whatever. So that's kind of, you know, another risk. And that's another reason why I'm not a fan of really any of this stuff going through any vendor-owned servers, because you really never know what they're doing or what backdoors might be in place that allow them to do things. There's been so many times where I've seen cameras advertised as being encrypted, and as I've shown, I mean, first of all, some lie about it. But yeah, like, it doesn't matter if it's encrypted if they know the key anyway. It really doesn't matter in that case. So yeah, kind of a roundabout answer, I guess, but yeah, they absolutely can potentially pick up everything going through it.

Yeah, yeah. Or even, as you showed, you saw somebody's chickens coming through yours.

Yeah, exactly.

So this probably dovetails right into your answer there. Are peer-to-peer devices fundamentally doomed in terms of internet-wide visibility, or are there techniques that these vendors could use to improve the situation or to limit exposure?

Yeah, I mean, like I said, I don't think peer-to-peer is inherently a bad thing. I can see the value of having a direct connection, especially for real-time things like video and audio. But if you're going to set that up, yeah, there needs to be more protection in play.
I've thought about it a little bit, like, if I were to design this sort of a thing, what would I want to do? And, you know, of course you're going to want to have legitimate cryptography, like a TLS sort of situation going on. The identity verification problem is a little bit tricky, because you might want to do something like trust on first use. It's not like the vendor can really issue a certificate, because, you know, that can be exploited. So yeah, it's possible, but it's tricky. And I think some of the ways that could make it more secure, like having a trust-on-first-use sort of a thing, they're not user-friendly, or most people would be, you know, kind of confused or put off by it. So I think there's very little chance of measures like that being put in. So while there are ways that this could be done effectively, I would say the chances of them actually being rolled out by vendors are pretty slim, because convenience is always going to take priority, I think, with this sort of thing.

Cool. And does it seem to jump between relays, or will it sit on a single one for the entire session?

I think it'll sit on one. If the relay suddenly drops, like, say it's using a super device and someone pulls the plug on their camera, I think it'll re-establish the connection with another one. But otherwise, I think it'll basically, you know, stay on the same one as long as it possibly can.

Cool. How are we looking over there, Sega? Anything standing out to you for questions?

So we got a new question. I've heard Chinese nationals are constantly trying to use these to get a look at us. Not the government, not business, just curious people. Have you seen this type of traffic?

I haven't really seen that sort of a thing.
Obviously, I've shown it's certainly possible. But I mean, I can't really make any accusations. One thing I can kind of add is, I have had people ask me if I think that any of this design or behavior is, you know, intentional. I honestly don't think that it is. I don't think that this is, like, you know, something that's been put in place deliberately to allow for this sort of thing. In terms of any vendor that I've actually been able to make contact with, some of the responses have shown that they're really just very naive when it comes to security. I mean, I've even had responses come back to me like, "How did you get our encryption key?" It's like, dude, it's right there in the firmware. And they're like, "Well, how did you get that?" It's like, dude, your firmware is a zip file and you let people download it. So, like, this isn't magic. They just don't really think that people are going to do that sort of thing. And then the logical follow-up to this is, they obfuscate it, right? One method of protecting these firmware files, which as I said are basically just zip files, was one where they swapped a couple of the zip magic numbers. So all you had to do to, you know, open it up was swap those magic numbers back, and then it's fine. And they're like, "How did you decrypt it?" It's like, it's not encrypted. It's not encrypted. You swapped a couple numbers. So, yeah, I think... go ahead. Sorry. Sorry.
I was going to say, when I saw your talk, your mention about the vendor claiming that they had no API, therefore it wasn't a problem, they had gone to the same school of security as some of the election security vendors had.

So yeah, if I had any wish, it really would be for these companies to, you know, hire a security professional, like, do some serious security architecting. Just because you came up with an encryption method over the weekend that you thought no one is ever going to break, you know, that is our job. Like, we take pleasure in busting that stuff apart. So eventually someone's going to figure it out, and, you know, there goes your protection. And in the case of P2P, when you're a transport layer like that and you are kind of higher up in the supply chain, pushing your stuff down to all these different device manufacturers, who are then selling it to resellers, who are then selling it to users, there's a lot of impact beneath you, you know. So you really have a responsibility to take this stuff seriously and invest some time into getting this stuff right.

So if I were to get one of these cameras, how could I find out if I am affected by the things that you found in your research?

That's a great question, because it is not always obvious. When you buy a device, first of all, I mean, the brand name doesn't mean anything, because who knows where it's actually coming from? Some don't actually even mention that they use peer-to-peer.
They just use it kind of under the hood. The best way to determine if one of these is using the affected peer-to-peer libraries is to use Wireshark and see if it's reaching out to anything on UDP port 32100. And kind of to connect to that, or expand on that: if you want to make sure that you never have one of these devices active in your home, then you can set up a firewall rule to block outbound UDP port 32100, like on your router, or if you have a dedicated firewall appliance or something.

Yeah, so, you know, you talked about the supply chain issues of this, and the actual lack of insight, and the lack of people being able to look at the vendor and tell, you know, whether this is affected by it or not. This is actually the third talk that I've moderated that's talked about these supply chain type issues, where the vulnerability is so far up the chain that when it gets to someone, they don't even know it could be there. I mean, do you have any comments on just kind of that supply chain risk writ large, other than the folks at the top of that chain have to be more diligent?

I think it's going to be a continued problem for a while. Yeah, because I think people are going to continue poking up higher and higher like this and finding more and more crazy things that are very widespread. And also, it's hard to fix. It's really hard to fix, because even if these vendors start, you know, fixing things, in order for it to propagate down is going to take a long time. And in a lot of cases, there's not even a real nice way to update these things. With the HiChip cameras, I think a great example is, like, SV3C, right?
They are a reseller of HiChip. If you go on SV3C's site, they're not necessarily going to have the latest firmware from HiChip. Like, they are also going to have to receive it from HiChip and put it on their site. And there are plenty of resellers that don't do that. Like, they don't even offer firmware downloads. So if you buy a device, even though there may be a firmware available for it, you're just going to know to go to this reseller site, and they're not going to have anything listed, and you're going to be like, "Well, I guess I have the latest version," and you're going to stay vulnerable. So it's hard to fix. Like, even if things do start eventually going in the right direction, there's going to be a lot of stuff out there that remains problematic.

And if I just keep one of these devices on a VLAN, would I then be safe?

No, you will not. That can certainly stop things like pivoting. So if someone gets a shell, you know, maybe they may not be able to hit other things on the network. But someone could still steal the password. They can still certainly connect to it and view it. They can still potentially see what Wi-Fi networks are near you and, you know, get your location. It's been pretty common where I've, you know, expressed these concerns to people, and they're like, "Oh, I don't care. I mean, my camera is just looking at my dog," or, "I'll just put it on a VLAN." And, you know, it's like, how comfortable are you with someone still accessing this thing and either viewing it without you realizing it, or figuring out more information about you? Like, are you really truly okay with that? Like, you want to stick to your guns on that one? And some people really don't care, too. Like, "Yeah, let them see where I am." But I mean, I disagree with that mentality.

And where can people get the password reset exploit that you mentioned in your presentation?

Yeah, I'm sorry, guys.
I goofed and didn't put a link in my slides. So if you go to hacked.camera, I did put a link up to the HiChip reset script as well as the Wireshark dissector. And another thing that I put up: in the slide deck there was, like, the flyover on the map where it showed where all the devices are. I have a link there that says "device map," and if you click on that, it is fully interactive. You can scroll around the world and see the density of devices all over the place. So you can, you know, have a blast playing with that.

And do you have any IP cameras in your home now?

Disconnected. I have a giant drawer of garbage in my closet. I think what I will probably do, because this is another question I get, is, if these aren't safe, what are safe? I personally would probably build my own. It's the sort of thing where I would want full control of it. Obviously, not everyone is going to be able to or willing to do that. So while I haven't had a chance to look into it, I think Nest is a great example. I haven't had a chance to look into those kinds of cameras. I would imagine those are probably a little bit more thoughtfully designed, but I'm not going to believe it until I put it to the test. And I think that's a pretty good practice, because sometimes you never know how far down the rabbit hole goes, as this talk kind of showed. So I personally would recommend building them yourself if you can. But if not, then at least go with someone who has, like, a legitimate security architecture program, or at the very least a channel to disclose bugs, because gosh, like, disclosing these things to vendors, even if you manage to find out the actual device manufacturer, getting a response sometimes is impossible.

Excellent. Last question for you. What should be kind of the takeaways that people get from this? What do you really want people to get from your presentation?
And what kind of maybe change do you want to see going forward, or things that people can think about from watching your presentation?

Well, anything that prioritizes convenience over security is probably going to screw you. Yeah, and if it is kind of prioritizing convenience, then see what it's doing, because not everyone is super keen on how to do these things properly. So it's sort of, if someone is offering you some magic to make your life easier, look into what it is. Really, like, poke at it a little bit and make sure that it's solid. I guess that's really the biggest thing.

Excellent. Great. Thank you so much for doing this, Paul. When we're all done with this, if you could put some contact information in the Track One channels, if you want people to be able to get in touch with you, maybe ways that they can get the scripts that you mentioned, anything like that, so that people could continue this conversation with you, would be great.

Yeah, absolutely, will do. It's been an absolute pleasure. I'm glad you guys enjoyed.

Thank you so much for doing this, Paul, and we will be back in about 30 minutes with another speaker.

Sounds good. Take care.