So you're in the Joe Grand opening warm-up act, or GoPro or Get the Fuck Out, which they wouldn't say in the marketing promotions for this. This is a fairly short talk, but Todd and I have basically been working on messing around with these cool, awesome cameras. Twenty minutes and twenty minutes, which we actually just did for twenty minutes before the talk. Our entire research project is 40 minutes long, including this talk. Right. So our agenda: the intro, which we will cover. Entourage, motherfuckers, do you speak it? Wow, only a 20-minute talk and he just lost three of it; that's too bad. This is completely expected. We are here. Yeah. We figure that they have Spot the Fed; we have Shot the Noob, and noob has a number of meanings, and so there's only one that applies. We also need somebody from the audience who's a new, new person. You, sir, preferably a female once again. He sees midway through the change. Come on up. You know, guys try to act like they're going to make you drink, but they won't give you two. You know, I mean, I don't know. I guess ticket prices are going to be a little higher next year, you know. That's all right, because we didn't really have the material. GoPro GTFO. Thank you, young lady. Do I get a GoPro? You know, I thought about it, but no, you don't. The young lady might have gotten a GoPro. Bring more booze next time. Okay, so continuing on. So we'll have our brief intro, if we basically didn't already do that while drinking. We'll talk a little bit about the GoPro. Due to time limitations, we're going to gloss over some stuff. We're going to cite previous research, because we're not the first ones to mess with this, but we want to give credit where credit is due. We'll talk a little bit about what we've done so far, and we're certainly not finished, as well as some of the things that have kind of come out of this research up to this point. We'll talk a little bit about what we're going to do next, and then finally we'll conclude with a bunch of useless slides.
So first, Todd. What's up? I'm Todd Manning, senior research consultant at Accuvant Labs. Horror for hire, you know. I used to work at BreakingPoint managing their security research team, and now I turn it over to my co-presenter. Hi, I'm Zach Lanier, or some of you know me as Quine. I'm also a senior research consultant. I guess we'll put a whistle at. That's awesome. I'm not even wearing a dress this year. He is wearing panties, though. Backwards. I'm also a senior research consultant with Accuvant Labs, just an old-timey net, web app, mobile pen tester guy. Anyway, so why did we pick the GoPro? Because I had one, basically. It's an incredibly popular camera. I'm sure some of you have seen it out in the wild, used in music videos featuring scantily clad men and women, and skateboarders who put them on their skateboards and fall a lot, like me. It's Wi-Fi enabled, which was attractive because it's got all these cool features on it, so that you can use your phone to control the camera. One of the more interesting facts is there's this company called Ambarella. It makes the eponymously named SoCs that are used not only in the GoPro but also in commercial security installations, which we found to be intriguing, so that's, you know, another future research thing. We focus mainly on the GoPro Hero 3 Black Edition, which is what we've got up here. So a lot of the details that will be in here will apply, but some of the hardware is a little bit different, as we'll kind of see a little bit later. And plus, it's really extreme. I can't say that with much more emphasis, but I can. It's fucking extreme. Mountain Dew. So anyway. So an overview of the GoPro. It features an Ambarella A7 camera SoC. So they basically just stamped this SoC with, like, an ARMv6 core with all of, like, all the other usual things you'd expect: JTAG, UART, blah, blah, blah, blah, blah, and their I/Os for their light sensors and accelerometer and whatever.
And then they put this stupid LCD on it, and then they put on this Atheros wireless controller which has Bluetooth, but they don't use it. I don't know why. And there's a bunch of other stuff that's really not relevant to security or hacking this thing, but in any case it has a lot of stuff that's not used, all packed into this tiny little form factor. I figured it was my turn to talk. Okay. So one interesting thing, the first thing that we kind of found when we busted this camera open: it runs two operating systems, not just one. So two for the price of one. One is the ITRON embedded operating system. It's kind of like this open-source sort of real-time operating system standard, really. So the version that runs on here is kind of one implementation of the standard, developed by a Japanese academic in the '90s, I guess. So it's primarily responsible for the operation of the camera: capturing images, encoding video, that kind of thing. And then it also runs Linux kernel version 2.6.38. So the way the real-time OS works, if you guys know about that, typically there's, like, a bunch of threads that are all doing different things. One thread is dedicated to running Linux. And so basically the Linux operating system is on there to run some of the sort of higher-order functions that deal with remote control of the camera via, like, a mobile application, that kind of thing. And so, yeah, two operating systems. There's a private network that runs in between the two. The network address is given here, 10.9.9.0/24. The real-time operating system side runs one web server that kind of handles certain requests; it actually looks like it serves up some of the preview-mode files. And then the Linux side runs a version of the open-source Cherokee web server that handles actually taking requests from the mobile remote control applications, and then passes commands from that on to the real-time operating system via a mechanism we'll describe shortly.
Yeah, so some previous research, right? So looking into this camera, it's like, somebody's got to know something about it, right? Otherwise we're screwed. So the OG of, like, you know, GoPro kind of, like, dissection is this cat called Evil Wombat, hangs out on the GoPro user forum, super real friendly guy that I've talked to, real willing to give information about how it works. He's developed a number of open-source tools that are available on GitHub at github.com/evilwombat. He's got, let's see, he's an ARM firmware developer. All he's told me, I know he lives on the West Coast. Other than that, you know, I haven't really talked to him for more than just a few hours. Stop dropping docs, okay. Anyhow, sorry about that. Let's see. So yeah, so in his firm... in his repository he's got, like, tools for breaking apart the firmware updates that come from GoPro so that you can kind of, like, do some further analysis yourself, break them up into different sections. He's got a tool that will let you connect to USB and then boot your own custom Linux kernel, so that if you, you know, brick your camera, like I've done, you can, you know, ostensibly unbrick it. There are some cases where that doesn't actually work, but yeah, real nice guy that has made some tools, and so, you know, we've stood on the shoulders of at least one giant, and that would be Evil Wombat. So if you're here, man, I would buy you, like, dinner and a drink and, you know, take you to a movie; you're a real sweet person. So one of the things that Evil Wombat provided was this autoexec.ash script, which we mention here, and that's for the Ambarella shell. So if you put that at the root of the SD card in the GoPro, it will basically autoexec whatever you put in there.
So it wasn't that he provided it; it's rather that he discovered that the camera will execute a script called autoexec.ash that's in the root of the SD card, and so there are a number of, like, commands that you can provide, and he kind of gave us our first foothold into understanding what it was that we could do, you know, with the camera by doing that. That's better. And so one of the things is this: there's actually a command in the Ambarella shell called t, and it does a lot of low-level control of the RTOS, and in this case, actually, what you see down at the very bottom, this t app test usb_rs232 1, sets that it will just basically provide a serial console over USB. So it gives you access to the RTOS's Ambarella shell. One of the things that you should... there's a slew of commands in there that we can't even go through in even 30 minutes, but one of the things you shouldn't do is run, as someone did, the t nand op erase command, which successfully bricks your camera. So don't do that. Yeah, I would say don't do that. When you run that command, you know, and that heinous "deleting all the NANDs" comes up, you don't die right at that moment, but when you reboot, you really wish you hadn't. Let me just put it that way. One of the other commands that Evil Wombat shared, or discovered and shared, was this lu_util command, and what this effectively does is allow the RTOS to talk to the Linux task over this IPC channel, and one of the things that it does is there's an exec parameter, and that will effectively allow the RTOS to instruct Linux to execute any command as root, like you do. So in this case, these snippets here, as provided effectively by Evil Wombat, kill the Cherokee web server and start telnetd listening on 80, because 8080 externally is forwarded to 80 internally on Linux, so that's really the only port that you can... one of the only ports you can get to externally on the Linux internal operating system.
So it effectively just kills Cherokee and runs telnetd on 80, which drops you directly into a root shell, like you do. So, you know, we are here: hey, cool, we got root on a camera. Yay, everyone go home. Todd's a badass. So a little bit about the methodology and kind of findings that we did. One of the first things that we actually looked at, while maybe drinking, was looking at the GoPro App mode of the camera. So it runs in one of two modes, Wi-Fi Remote or GoPro App, the first of which is this GoPro App mode. And that allows you to install a Linux or iOS app on your device. The camera acts as an access point. You associate with it with your mobile device of choice, and it connects to those two web servers. The web server that it talks to on 80 is the one running on ITRON that it uses as a control channel and for retrieving and setting configuration directives. And then on 8080 it actually retrieves this streaming preview. And what's interesting about this is, and by the way, the Wi-Fi BacPac uses 10.5.5.9. There are a few interesting things about this. One, it uses mDNS for discovery, as what we kind of observed, but it connects to 10.5.5.9 anyway. That's hard-coded in there. So I don't know if it's a fallback or what, or whatever. The other thing is that it uses MPEG-TS for streaming of the preview video, but what it does is it continually retrieves this playlist, like an m3u8 file or whatever. And in that file each time are 8.3-second video files that it retrieves. So it's not really streaming the data directly so much as just retrieving these 0.3-second files, playing one, retrieving the next one, playing that, retrieving the next one, playing that, retrieving the playlist again, and then retrieving a new set of files. And this just kind of rotates through.
You can actually just point QuickTime or VLC or whatever insecure media player you like at the m3u8 file and effectively just stream the preview video from the camera, kind of turning it into a surveillance device, if you so actually were able to authenticate and associate with it. We'd ask that the NSA not avail themselves of that offensive technology, please. Right. So the other mode that's notable is the Wi-Fi Remote mode, and this one we actually find to be a little more interesting, which we can discuss in the hallway track. In this case the Wi-Fi Remote, which I don't know if we have with us, it's the smaller device, a little key-chain device. In this case the camera acts as a mobile station, or client, and associates to the AP, which is the remote. When you first pair them, it just scans for an ESSID of hero-rc-xxxxxx, where those are the last three octets of a given remote. Once it's paired it'll record that information and prefer that, but you can always pair it to a new remote. So you can draw your own conclusions as to what attacks might be possible there. It's also totally open. There's no security whatsoever, so you can just associate with a remote if you see one. We're still sort of exploring what the implications are about attacking the remotes, but anyway. Network attack surface: the Cherokee web server runs as root, even though it listens on an unprivileged port on the Linux side of things. We noticed that there are absolutely no additional mitigations. The compiler options and the linker options are available, like, on the file system of the camera, so you can totally have fun there. The executable base itself is not randomized, so reliability of a payload is not really difficult if you find a bug, which some people might have. We're at five minutes, so... ITRON side. Okay, so like we said, two web servers; on the real-time OS side, on the ITRON side, there are these URLs that the remotes connect to to engage different behavior of the camera itself.
Some are configuration-type commands that will, you know, reconfigure capture settings for the camera, that will, you know, start recording, stop recording, that kind of thing. Basically, you know, once you connect to the Wi-Fi access point, you can just hit these in a browser and kind of reconfigure the camera willy-nilly. We're working on a Ruby-based library that basically accesses the controls. Let's see. And then it actually passes the passphrase in. And I haven't found the code path that cares about that, and I'm not sure why that happens, but it seems kind of silly. I mean, I guess it's, you know, the key is protected by WPA, so whatever, but yeah, it seems kind of strange. And basically, once you, you know, if you were to find a bug, you know, in either the real-time OS or the Linux side, you know, I guess from the real-time OS side, you're done. If you find, like, a Cherokee bug, for instance, then you've got some work to do there to bridge the gap over to the real-time OS side. In terms of local attack surface, again, everything runs as root, so there is no privilege separation. Everything except for the actual... so, sorry, all the libraries are loaded at randomized addresses. The web server itself, so Cherokee and the Cherokee worker, load their images at 0x8000. There's actually a couple of sections that get mapped there. Sorry, 0x8000, and then, like, 0x8300. Let's see. It runs BusyBox, so there's, excuse me, there are some useful, you know, BusyBox utilities there, but there's no, you know, build tools, or no netcat. You know, sometimes you see that on, like, random BusyBox devices. I feel like you want to break in there, my friend. So basically it's just, in the... ASLR is enabled system-wide, but pretty much every executable base is mapped at a static address, or always mapped at static addresses, so it's not terribly difficult to get, like, reliable code exec. I feel like I had already said that, actually, but, you know, maybe not.
So there are a number of, like, interesting, quote-unquote, services that are running. A couple of them listening on TCP ports 7878 and 7877. They handle JSON... well, one of them handles JSON-formatted messages from the ITRON side, which I thought was kind of strange. Basically it's, you know, their mechanism of communicating across, like, these two operating systems, so they share the same memory, and they're kind of using, like, this queue-based message-passing thing. And hey, it's a great time to talk about that. So we're, like, two minutes left, so we'll probably breeze through all this. Whatever. Running ipcs -p, we see that there are these message queues that are there, and they point to this AMBA MQ handler, which is the Ambarella MQ, message queue, handler, which is for receiving and sending messages from Linux to ITRON. Worth exploring. Then on the Ambarella, or the ITRON, side, in AmbShell you can run ipc prog. I know it's probably hard to read, but it just spits out, like, a thousand bajillion lines of all these different IPC programs that are registered, so it's kind of like SunRPC-ish. There's, like, a program ID that maps to a specific program that's actually listening on this IPC channel. And that's basically all we're going to talk about for there, because we're running out of time. Future research: remote monitoring, legitimate monitoring, using, like, bespoke or third-party clients, using the camera to spy. That sounds really cool. Next thing would be to dump firmware from the Wi-Fi Remote, as well as deal with this fancy little GoPro 30-pin bus interface, which is remarkably similar to the Apple iPod 30-pin connector, and it uses things for, like, LCD and a bunch of other stuff. Backdoors, persistence, blah, blah, blah. So with that, we're going to be releasing code eventually, maybe, like, tomorrow when we're sober, at github.com/quine/gopro-gtfo. So watch that space over the next couple months. We'll have some stuff up there.
And finally, if you want to reach us: @tmanning on Twitter, @quine on Twitter, or email us, and then these are really cool people down at the bottom. And if you aren't on that, and you should be, we're really sorry. We're out of time, so we'll take questions in the hallway track, I guess. Thank you for coming. Lovely. Todd.