From time to time we have a new speaker who has made it through the gauntlet of the Call for Papers and has been sort of vetted, and we really appreciate their effort and their work and their research. There's a lot of work, and we really want to congratulate our new speakers for making it through and for having the guts and figuring it out for the first time. It's all downhill from here. So give Josh Mitchell a big round of applause. Cheers. I think that makes four. I'm sorry. So Josh is here to talk about some critical issues with police body cameras: Ride-Along Adventures. Yeah, it's cool.

Hello. Hi. Welcome, welcome, welcome. All right, so this is what we're going to be talking about today. Yes, we have to have this up front. You guys can read that. Okay. So here are some of the things we're going to be talking about. I'm going to go with a little bit of an introduction, say hi to everybody. Let's talk about some of the technology involved in these devices. I have five specific models to talk about. I had seven, but due to circumstances out of my control I can only talk about five. And then we'll cover some industry-wide issues that I think apply to all of the devices, see some impact that's kind of important, and then have some questions.

So here, this is me. And yes, that is a hamburger phone. I've been doing this for quite a while. Former military, then I specialized in electronic warfare, then got into doing a little bit of malware stuff because it's fun, and then I became a professional exploit developer for a number of years. And now I do security research at Nuix.

So there are approximately, I've categorized, 77 different devices out there in the wild. You have the big ones: Panasonic, Motorola, Petrolize. Now, these devices have a wide variety of technology kind of forced into them. It's Wi-Fi, Bluetooth. Some support NFC. Some devices have triggers, event triggers you can use. Some do live streaming direct over GSM.
Those are really popular in Europe. And other ones have proprietary RF communications and they ride along; they piggyback on the walkabout radios that police are using. And it's very important to note that these devices were primarily designed for transparency versus secrecy, although that may be a bit of a vendor line because of some of the issues that I've found. And we'll play a little game, feature versus vuln, as we go through this presentation.

Again, these devices interact; they have an entire ecosystem surrounding them. It's not just the camera, which I'll show you more about later. They have desktop software. Some of them use blended storage, so you have onsite storage, you have cloud repositories. Some even have dedicated docking stations that use an embedded Linux distro and create an IPsec tunnel back to a cloud repository. And most of the ones that are interesting have smartphone applications that allow officers in the field to annotate videos and review the contents of the camera, which we'll get into later. It's quite bad.

So this is the first device I kind of started looking at, back in January. And it's sold on Amazon. Anyone can go and buy it, pick it up. It's sold under the CEESC people, but Advanced Plus is actually the manufacturer of the device, and they're located in China. And one thing I want to mention really quick: I did get in contact with the vendor, and they have given me firmware and the desktop application, but I didn't get a chance to review it because it happened last week. So anyway, this particular device: got it, took it apart, took the remote apart, trying to figure out how the remote is interacting with the camera. And I had to go and look at some chips and see what frequency it's operating on. It's actually 433. And rtl_433 identifies it as a smoke detector, which is kind of interesting.
And the neat thing about the remote, and why I wanted to get this device, is that the remote can be used to trigger multiple different cameras, not just one. You can actually update the remote so that it triggers a wide variety of cameras. And so we can kind of be annoying with that, because this is the simple signal that's being transmitted. There are no rolling codes, there's none of that. So if you want to, you can sit there with an RTL-SDR, receive the signals, and replay them with something more powerful than a HackRF because, well, it doesn't have much power. The other interesting thing about this device is, when I was getting in contact with the manufacturer, they told me about their RF certification, and it was not FCC certified. So there's that. Wow.

Another thing about it is it's essentially a USB drive. So when it records the videos, it drops them down onto the dedicated storage on the device. You plug it into your computer, you pull the things off just like USB storage. So if I wanted to put an autorun.inf on there or take advantage of some LNK vulnerabilities that have been popular in the past, that's completely possible with this camera.

All right. So here's another camera. This is the OnCall OCP Pro. As you see, the architecture of the system is down there in big, but unfortunately, because of the one I got, nothing really works. So I got it, and I think the USB was broken. It wouldn't maintain a USB connection. So everything to the right of the arrows I didn't get a chance to test out. But there were enough glaring issues on the other part that it's fun to talk about. It uses an RTOS called eCos. There haven't been very many updates on that particular website in quite a while. When you trigger the Wi-Fi on it through a button press, it comes up as Firecam, and that is the default password.
And yes, it has a wonderful embedded eCos HTTP server that I thought would be fun to kind of poke at, but you'll see that it wasn't really necessary. Yes, so this is the contents of the movie folder, and you see all the videos. It's coming up as 2014 because, again, it never got a good time sync from my laptop. But these are all the saved videos, and you see you can remove them, download them, upload files. You can actually even upload arbitrary HTML and serve that in the browser. That's not good. Yeah, so totally unprotected. 100%. Nothing at all preventing anyone from downloading these videos or uploading ones to overwrite these. And I have some tools that use GET and POST to overwrite files and download all the contents. It also has a nice settings file that you can download as well that has all of the relevant information about the camera in it, which is interesting.

Okay, so here's the first kind of big, widely used device that I had a chance to look at. So this particular device has a smartphone application that you can go and download, available on the store. It has desktop software that is available for download on the manufacturer's, or the reseller's, website. And I say reseller because I'll show you this in a moment. And the firmware is also available for anyone to go ahead and pull down and browse and look through, because it's not signed and it's not encrypted, which is awesome. Right, so the smartphone application is primarily used to access the RTSP server, which is not protected from anyone, and you can view the saved videos on the device. And the desktop software is used to authenticate with the camera and download the video files off of the camera. So the desktop software, as you see there, is a simple wrapper around DMT10.dll. And the name of that comes, I think, from the Chinese manufacturer, because they sell the DMT10 version of this camera.
The admin and general user passwords are six characters. They have to be exactly six characters, no more, no less. It has the SSID, as you see, AMBA boss, and that's not something that you can change. And I'll get into why that's kind of a big deal later. And you have some other things you can mess with in the administrative interface. As with all of the other desktop software that I have looked at, it's missing a lot of the exploitation prevention mechanisms like ASLR, and that's kind of across the board. You see here a little clip from IDA: the verify password routine coming from DMT10, and then you have the set password export that's available in DMT10 as well. As you can see there, there's no correlation between the two. That means that I can set the password without having to verify the password. So that's awesome. Yeah. Okay.

Again, it comes with a smartphone application if you want to go find it. There it is. And that is primarily used to view saved videos and live stream whatever the camera is looking at. And I want to be sure to mention, all of these cameras, except I think for the next one, when you activate the Wi-Fi on these devices, they create an access point, right? They act as a Wi-Fi hotspot without internet connectivity. So that's kind of important, because if anyone's wanting to review videos, they create essentially a beacon upon themselves that anyone can find and play with. And we'll talk more about that part later.

Right. So again, this device is running a little bit of an older version of Linux. That's not really bad. Again, it has a JSON messaging server, which I was really surprised about, and RTSP and DNS. And after I got to poke around on the system, I found out that it was incredibly similar to a talk, GoPro or GTFO.
If you want to know anything more about how this system operates, I would really recommend going and reading and looking through that, because it goes into a lot of depth about the messaging subsystem. And I wish I would have found that out right when I was looking at this. But I didn't need to, because it has root Telnet exposed with no password required. And I wrote a wrapper script around PyTelnet that allows you to upload and download files if you don't feel like using Telnet. Again, here's the contents of the media folder, so any videos that you make are saved into here. This directory is mounted when you use the desktop software to download and upload videos. It essentially sends a trigger to the camera, and it then treats it as a removable media drive. So if you wanted to upload, again, LNK files or any type of Windows-based exploits to take advantage of the back-end digital evidence storage repository where these videos will be saved, and have something nice like WannaCry, you could definitely do that. What? Yeah, so there we go.

So this device, the Digital Ally FirstVu HD, is architecturally different from all of the other cameras. It is a client, and it has other devices in its ecosystem that act as servers. For example, the rear-view mirror in a cop car will act as a Wi-Fi access point. When this device is within range, it will automatically connect to that Wi-Fi access point and then interact through that. It's also how, if you turn on the sirens, it will automatically start recording. It has event triggers, that kind of technology. And again, it has its own desktop software that I tried to purchase two months ago and did not get, which is unfortunate. It has a smartphone application that anyone can download. Firmware is available and easy to look through. Literally tar, well, unpack the firmware.
And it does have a docking station: you take the camera out and plug it in and it will download stuff. But interestingly enough, it does come with a minimal software bundle on the device for anyone who gets hold of it and wants it: a minimal configuration manager and a minimal software viewer to view the contents and see whatever is going on on the device. It also has readmes on there about how the device is supposed to work. So that's very, very user friendly, and kind of nice. So here is a picture of the minimal viewer that comes packaged on the device. Right? The software, VuVault, I tried to purchase, and hopefully it will get here eventually, because there are a lot of features that I wasn't able to interact with and play around with because I didn't have that. One of those main features being, you turn the device into a wireless client. I couldn't do that because you have to pay the $800 for the desktop software. But we were still able to get some good stuff out of it.

So the packaged installer is written in C#, which is awesome because it's really easy to decompile and play around with. The configuration manager generates two types of files: the WM config, and that's for wireless. It also generates the device config, and that is a binary format that you can use to set the time and stuff like that. Now, the viewer, which is used for evidence review and making comments and clipping videos and stuff, generates three types of files: the DAZ file, which is the Digital Ally zip file, the metadata file, and the VM2 file, which is XML. And we will go into those right now. So the WM config file is quite interesting, because it is something that you're supposed to generate through the configuration software and then put on the device, and it configures the device on how to interact with police networks and police systems, right? So that would be important.
So that would not be a good thing to have XOR as the way to decode it. And you can see here that it's configured to look for the SSID that is associated with a police network. It has the PSK, which is just text encoded, and the password for FTP logins so that it can upload and download whatever media is on the device as it goes. Then the device config file is, again, to insert time and other information onto the device. That has a couple of lines' worth of an XOR, but it basically is equivalent to a 0x88 XOR. So that's cool. Oh, and the 001 is before, and then the small one is after, when you decode it with XOR. Here's the DAZ file. The DAZ file is generated through the viewer application. So you have the AVI and the metadata file. You insert that into the viewer application, and then you mess around with the video and you save it out, and it creates this DAZ file and all this other stuff. The VM2 file here is included in the zip file, and you see it has a huge amount of metadata associated with how this camera was operating: what sensors were used, what the GPS coordinates are, all this kind of stuff, right? And you see here it uses AES-128-CBC, and the file name is the decryption key. See here, in this we would have D0, 01, 8002, and then we just basically make that Unicode and we have the IV and the decryption key for our AES, whatever. That's awesome.

Right, so since Digital Ally was so nice to include an unsigned installer on their application, I thought it would be fun to insert a backdoor into that, because I can overwrite it: download it, modify it, push it back, overwrite it, and then if anybody wants to install it, they give me a nice shell. So you see here the top item, that's the normal entry point.
I just hand-jammed this assembly, and all that does is create a thread on the section that I added to the application, and that section is O-nose, and then underneath I simply put in some Metasploit reverse shell shellcode. And here we have the InstallShield, and down here we have the shell that's generated. I had to cut a lot of videos for time, but, so that's really bad.

Right, so again, the Android application, which you can download on the Play Store, is used to basically use the configuration manager, and you sideload config files onto it, and that will turn your phone into an access point that the camera can then talk to. Now, I was hoping that after two months I would get the software that I purchased, so I didn't bother to reverse engineer it with Frida, but I might have to soon, or get my money back. I don't know.

Right. So again, here is the firmware that you can get from the manufacturer. Again, binwalk and tar are really all you need. But as you're going through the firmware, once it gets extracted, it has some really interesting things going on in there that I think I'm going to put in version two of this talk. There are some serious unbounded memory copy operations going on. But anyway, if you don't want to debug anything running on the device, if you create a nice little log file on the camera, after every operation, here we have this log stuff going on, in every function it generates that. So there's tons of logging information and stuff. And all you have to do is create the log file and it's good to go. The GUI application in the MDVR, mobile DVR, pretty sure that's what that means, is what's used to do all of this interesting stuff.
And it does some really interesting stuff, because there are lots of Wi-Fi triggers and peer-to-peer operations going on with all of these devices when they're within the same network. And there are a lot of unbounded memory copying operations going on on these devices in their peer-to-peer network. But yeah, I think I'll save that for the next version.

Ah, this guy. I wanted to spend some time on this, because this camera is used in some pretty big departments. Again, it has the smartphone application, and it has the awesome desktop software. It even has the docking station, and it supports cloud storage, and you can get the firmware. And they try to have a pretty professionalized operation. Again, smartphone for live streaming and viewing media, which we'll talk about later, and desktop software for actually verifying that the media files that are coming from the device are valid. And we'll talk about that later too. So here's the desktop software. It is a fat client, right? So essentially you have a SQL database installed, and then you have two fat clients, one for admin and one for officers, right? And the admin app is used to configure the cameras and then assign them to various officers. And then the client application is used to upload and download video, and that's essentially it, right? You can add comments, but really, uploading and downloading videos from the cameras and exporting them from the fat client is essentially it. But another application that is installed with this is the import-export tool. And there are two types of authentication going on here. You have the authentication and the passwords that are created through the admin app, which are used to interact with the software and with the contents of the database.
Then you have the Windows authentication mechanism, which is actually used by the import-export tool to authenticate with the database, bypassing all of the VIEVU app auth and using straight Windows auth. So if I am local admin somewhere out there on a desktop that the officer is using with the client app to upload and download videos, I can then connect and export videos. But I'll show you that in a minute. Other things associated with this: we have lots of install folders that kind of spread out everywhere when you install it on your box. And we have logs about the communication between your computer and this device. It communicates over USB: it creates a COM port, serial over USB, attaches to the file, and then starts writing stuff out to it. It also has downloaded metadata, like downloaded videos, cached on the computer. So you have access to the downloaded metadata by bypassing the upload client, by just looking into the correct folder. Yeah, and again, if you go there, you can see all the cached videos.

Yeah, so domain credentials, what I was kind of talking about earlier, are used to export the database instead of the application credentials that you use when you create users. And that is the admin user, super, the first supervisor I suppose. And that's the SHA-1 of 123456, which is the default password for the supervisor, for the admin interface, right? And when you install this, you start it up, but this is how I found it: it requires you, they ask you, to contact their help and support system to configure the desktop software. Really, it's so that they can upsell you, right?
So I was like, well, no, I don't want to do that, because it probably wouldn't be good having Josh at his house contact the support people. And so I was clicking around and found the import-export tool and googled the password. And then I was able to have admin on their software, which also you have to buy. So, ah, another issue with this is, when you download videos off of the camera, you can play those videos through the interface, right? Through the admin or the client interface, you can review the videos. And to do that, it comes bundled with FFmpeg. It also uses FFmpeg to create thumbnails based on the video. So not only when you just play the video, it doesn't use FFmpeg, but when you upload all of the videos, at the time of upload, it uses this to create thumbnails of the videos, which is important because it's processing videos with a version of FFmpeg that is from 2014 and has over 122 public CVEs out there for this version of FFmpeg. So if I could modify those videos beforehand and search for an exploit, I know I have a really, really vulnerable piece of software that's going to process those videos, which would then gain me access to the evidence storage repository where these videos are stored. Ah.

So here we have the admin interface of the VeriPatrol software. And you see here, we have several videos that have been uploaded by Supervisor, and their durations are in there, and they have valid digital signatures. And then over here we have making a copy of the video and exporting it and stuff. And there's an important video that we need to look at right there. It has a time length of zero and a valid digital signature.
So as we export these AVI files from the interface, we just pick an output folder and it creates the AVI file, and then it has the log file that has all the comments put in there, and it saves them to wherever you want. And again, it says this file has a valid digital signature. A valid digital signature. So this is the contents of that AVI file that has a valid digital signature, that is used to prosecute people and put them in jail. And I'll show you how I did that in a moment.

Again, so we have the interaction with this device: we create our log, it has log files that are nice to peruse through. It uses serial communications over USB to upload and download files, update firmware, and do all that kind of nice fancy stuff. Well, the other day, what I noticed when I was downloading those files, which were quite big, is that the application just tells the device to mount itself as a removable media drive, and then downloads the files. So if you want to write an application to interact with this, we see that the command system is incredibly complex right here, and very difficult to modify. And we can see right here that the device gets mounted as the E: drive, and then it begins to upload the files. So as I see this random drive pop up on my computer, I'm like, oh, what's an E? Let me open that. And then you can just download the files off of that, completely bypassing all of the evidence collection software. This is awesome.

Right, again, so we have the smartphone application that is supposed to interact with this device in the field. And it uploads metadata to each video with JSON, which is pretty standard. You can also download any file off of this device. Right?
And then you can live stream with RTSP. So the only thing you need to do, if you found one of these in the wild, is download the app, and you can see anything on it. Also, if you're within proximity of some police officers and you'd like to see what they see, you can see that over RTSP. There were some pretty good talks a little while ago about the SunPlus format, and there are some tools out there that I definitely used that convert the SunPlus firmware burn format to an IDB, which is great. It's freaking awesome. You should check that out. I love it. So you don't have to unpack firmware or do anything like that. It's just ready, good to go. Now, this device has several services that are available on it, and it is this one right here. It has FTP, it has the photo transfer protocol, and it has RTSP. FTP is used for uploading and downloading files. It's also used with the smartphone to upload and download metadata. So you can download any video off the device. You can also assign any type of metadata through the JSON interface. Now, for the smartphone to get a directory listing of which files are available, it uses the photo transfer protocol, and there are some really great Git repos out there about using PTP over Wi-Fi. And that's going to be important in a minute. And then of course RTSP, which you just use VLC for. So if I wanted to see all the video that was stored on this device, you simply use PTP. And we can see here that we have some AVI files that were filled with A's earlier, available in our PTP directory listing.
Now, for us to interact with that incredibly sophisticated FTP software and overwrite files that should be digitally signed and used to put people in jail, we use FTP, and we have the password Wi-Fi cam and username Wi-Fi cam. It actually accepts any combination. So if you don't remember Wi-Fi cam, you can try any other combination and it will work. Then we just use TYPE I and then we enter passive mode. I was playing around here trying to delete video files. It wouldn't let me, but I could overwrite them with whatever I wanted. And that is how we got A's in that digitally signed, valid evidence file from earlier.

Okay, so we have a little demo. We'll show you here. Turn this guy on. Cool. It's on. All right. So another thing that I wrote was a tool to identify these cameras in the wild based on their MAC addresses and their wireless access points. Because, as I said, I was in the military, and I think a very, very important and often overlooked thing is the ability to locate something in the field and be able to identify the emitter with the platform, the platform being the police and the emitter being the camera. And if I know that VIEVU, I go and look in the OUI database and I see the MAC addresses that are associated with this company, published by the IEEE, and I can say that this company only makes cameras. And if I pick up a MAC address or an SSID that's associated with that, well, guess what it's only going to be? It's only going to be this. Right? And as a bad guy, you might want to know that. Right? Maybe find out about cops running around in our area. Let's see if this is working. I don't know. Yep. Live demos. Ask. Let's see if it's connected. Okay. You'll see. Okay, yeah, there it is right there. See if my buggy software works. Nope. It's not working right now. Oh well. This is a two-part demo. Right?
So everybody knows that USB Wi-Fi and Linux is shit. I've spent the story of my life trying to get one interface that works right. But anyway, it's supposed to identify this guy right here that we see. And we can just connect to that. And the password is 1234567890. It's very complicated. Anyway, so here, again, nothing really protecting anything that's going on. We'll just go ahead and we can just use VLC. It's that easy. It takes a while. Ta-da. Hi, DEF CON. So again, feature. Feature, right? This is a feature. That is awful, right? Anybody would be like, yeah, I would like to live stream some video off of a police officer whenever I want. That's a feature. Oh, and the manufacturers like to say that, oh, it's only supposed to be right here. Yeah, because Wi-Fi antennas can't pick up stuff from a mile away. Like that hasn't been proven years ago. Right? Okay. And we can change the default password on this to give it something very complex, because crack doesn't exist. And neither does that Wi-Fi thing the other day where you could get the key without even needing a client on the WPA2 network. If you guys haven't read that, I highly encourage doing it. Okay, so where's my presentation? Come back. All right. Here we are. Bang. Okay. So cool.

Industry-wide issues. Right? So I analyzed many cameras. I can talk about five. And an industry-wide issue is that digital signatures are not applied to the multimedia coming off of the device before it touches anything else. Which means that if anyone is able to get in between, either being on the desktop or interacting with the device in the field, you can corrupt any kind of evidentiary information on that device. And that is supposed to stand up in a court of law and put people in jail. Again, unencrypted firmware, unsigned firmware. Unsigned. Your smartphone signs its firmware. Right?
How much does that cost? How much do these things cost? About the same. Right? So you can peruse, you can see anything you want. If you have physical access to the device, you could roll your own malware, drop it on there, and then as soon as it gets synced back into the back end, you own them. Done. Three minutes? Okay, cool. And again, localization, being able to find stuff out there. I war-walk, find cops. Cool. Why it's important: because this happened here last year, right? And the guy had cameras in the hallways, and he was targeting police. If he knew about this, he'd be able to do that a lot better. Okay. Thanks to Saha and everyone at Basement Brotherhood, Nuix. And I think I have a couple of minutes. I've got time for questions. Like one question. What time is it? It's team gram time time. Yes. Some do, some don't. Some you can actually configure to always be on the Wi-Fi, always have Wi-Fi on. Some use Bluetooth. No, this doesn't show anything. It's just on. It's still connected to my laptop. I have, but it's very difficult to get any response at all back, and they don't publish who they're selling these things to. Except for, like, NYPD, you can go to these guys' websites. They have a couple of their big contracts on there. No, they won't even send me the software I bought. So cool.
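Editor's note: the talk describes, but does not show, a tool that spots these cameras in a Wi-Fi scan by matching the BSSID's OUI (the IEEE-assigned vendor prefix) and the fixed default SSIDs the speaker found ("Firecam" on the eCos camera, "AMBA boss" on the DMT10-family camera). The block below is an added example written for this page; it is not the speaker's tool and not any vendor's code. The scan format it parses is constructed for the example, the OUI prefix 02:CA:0E is a placeholder (its locally-administered bit is set, so it can never be an IEEE-assigned vendor prefix) and must be replaced with prefixes looked up in the IEEE OUI registry, and the sample scan is made up.

```python
"""Flag likely body-camera access points in a Wi-Fi scan.

Added example, not code from the talk. Two signals are combined:
  * the BSSID's OUI (first three octets), matched against a vendor table, and
  * the default SSIDs the talk names for two of the cameras.
Findings are ordered strongest-signal-first, since the closest emitter is the
one you would want to localise.
"""
import re
from dataclasses import dataclass

# Placeholder vendor table. 02:CA:0E is locally administered (bit 1 of the first
# octet set), so it is never a real IEEE OUI; substitute registry lookups here.
CAMERA_OUIS = {
    "02:CA:0E": "placeholder camera vendor (hypothetical, not an IEEE OUI)",
}

# Default SSIDs quoted in the talk. Anchored at the start so 'MyFirecamera' is
# not matched by accident.
CAMERA_SSID_PATTERNS = [
    (re.compile(r"^firecam\b", re.I), "default SSID 'Firecam' named in the talk"),
    (re.compile(r"^amba[ _-]?boss\b", re.I), "fixed SSID 'AMBA boss' named in the talk"),
]


@dataclass(frozen=True)
class AccessPoint:
    bssid: str       # normalised as AA:BB:CC:DD:EE:FF
    ssid: str
    signal_dbm: int


@dataclass(frozen=True)
class Finding:
    ap: AccessPoint
    reasons: tuple   # one string per matching heuristic


def normalise_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55 or 00:11:22:33:44:55 in any case."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def oui(mac: str) -> str:
    """First three octets, the part the IEEE assigns per vendor."""
    return normalise_mac(mac)[:8]


def parse_scan(text: str) -> list:
    """Parse constructed 'BSSID SIGNAL_DBM SSID' lines; '#' starts a comment."""
    aps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        bssid, signal, ssid = line.split(None, 2)  # SSIDs may contain spaces
        aps.append(AccessPoint(normalise_mac(bssid), ssid, int(signal)))
    return aps


def classify(aps, ouis=CAMERA_OUIS, patterns=CAMERA_SSID_PATTERNS) -> list:
    """Return a Finding for every AP that matches at least one heuristic."""
    findings = []
    for ap in aps:
        reasons = []
        vendor = ouis.get(oui(ap.bssid))
        if vendor:
            reasons.append(f"OUI {oui(ap.bssid)} -> {vendor}")
        for pattern, why in patterns:
            if pattern.search(ap.ssid):
                reasons.append(why)
        if reasons:
            findings.append(Finding(ap, tuple(reasons)))
    findings.sort(key=lambda f: f.ap.signal_dbm, reverse=True)
    return findings


# Constructed sample scan for this example, not real captures. All BSSIDs use
# locally-administered prefixes so none collides with a real vendor.
SAMPLE_SCAN = """\
# BSSID             dBm  SSID
02:CA:0E:33:44:55   -48  Firecam
06:11:22:33:44:55   -70  HomeNetwork
DE-AD-BE-EF-00-01   -81  AMBA boss
02:ca:0e:ab:cd:ef   -62  Some other name
"""


def main():
    for f in classify(parse_scan(SAMPLE_SCAN)):
        print(f"{f.ap.bssid} {f.ap.signal_dbm:>4} dBm {f.ap.ssid!r}: "
              + "; ".join(f.reasons))


if __name__ == "__main__":
    main()
```

Run as a script it lists three of the four constructed networks: the first matches on both OUI and SSID, the last on OUI alone, and "AMBA boss" on SSID alone, with the strongest signal printed first. The OUI match is the more robust signal, because an SSID can be renamed on some devices while the MAC prefix cannot.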