Our next talk will be on hacking your new web camera by Aaron Standridge, distinguished engineer, and Aaron Rosenberg, head of technology, Logitech.

Good morning. My name is Aaron Rosenberg. I'm head of engineering for the Logitech Circle Group. I'm going to talk today about how to hack an insecure Wi-Fi camera, while we wait for the presentation to come up. I'm going to talk about a couple different things today this morning. First, what are Wi-Fi cameras? How can we do some basic hacking and accessing of the Wi-Fi cameras? Finally, what makes our products a little bit more secure than everybody else?

What is a Wi-Fi camera for everybody? For those who don't know, they're probably one of the most personal electronics that you may have in your home. They are both literally a camera. They have microphones. They have speakers. They have image sensors. You'll put them in probably some of your most personal spaces inside of your house. People put them in garages. They put them in living rooms. They put them in bedrooms. They put them in kitchens. They put them in patios. They put them in far more interesting places than your phones will. If you think about where you might have your phone at home, it's oftentimes in your pocket, maybe it's sitting beside a bed. But on a Wi-Fi camera or a home security system, that camera is almost always pointing at something that is interesting and other people, not just yourself, will want to see.

From a technology perspective, almost all the cameras on the marketplace are Linux. They're tiny little Linux computers. Most of the time they're about the same as your phone. They've got processors. They've got hardware. They've got image sensors. They've got microphones. What sets them apart usually from your regular phone is they've got much nicer quality image sensors, much nicer quality optics.
The lenses in these cameras are on par with or better than your DSLR equipment for the size that they do and the image quality that they can produce. They will also have night vision. This can be combined with infrared emitters and infrared sensors. Oftentimes they'll also have little mechanical infrared cut filters inside of it so that we can produce a high quality image both daytime and in nighttime. And finally, the most important thing and why they are hackable and interesting for hackable targets is almost always they're connected to the internet. They usually are connected to your local LAN at home or business connections and most generations of these cameras now are cloud-based or pseudo-cloud-based.

What's the first step and how we can get access to it? Let's find the IP address. The first and easiest technique is open up a terminal on your system and let's use a broadcast ping. This will automatically find any devices that are open and answering pings on your system. Start with, in this example, and it may be a little bit hard to read, but we're looking for a, if you know your internal IP address at home, replace the last digit with a zero, do a ping to that and you'll usually get a couple of devices that are on your network automatically responding. This is one way to get an IP address.

Second step, a number of cameras on the market support a standard called ONVIF. This is an industry-standard consortium. There are regular free software programs out there called ONVIF browsers that will do local LAN discovery and can find IP addresses for you. There are also a whole set of cameras that support auto-discovery through mDNS or Bonjour. You can pull any free Bonjour browser and use that to look for an IP address. You'll find lots of systems on your network when you do a Bonjour scan. These are things like Apple computers, phones, TiVos, cable TV boxes. Most anything these days will support both auto-discovery through Bonjour.
And lastly, if you still don't find your camera on the system and you have access to it, you can always log into your router's web interface. This will pull the DHCP client tables and is usually the last resort way to find the IP address of the device that's been auto-set up.

First step that I like to do is take the IP address that you've discovered and plug it straight into a web browser. If we get the screen that shows up here, this means that the camera, whatever device it may be, is not running a local web server. Nothing on by default on port 80. So let's try one of the other IP addresses that we found. So this device is running a web server. Something comes up in Chrome when I plugged its address in. In this case, I found my LaserJet printer at home. Not really what I want, that's a talk for another day on how to hack printers. Lastly is, so I found one of the other addresses that I found via auto-discovery was 192.168.1.80. I pull up its web page address and suddenly I have what looks like the web login for a security camera.

If you want to go move beyond standard port 80, standard HTTP, there's one of the best tools out there is called Netcat. Netcat is an automated UNIX tool that will allow you to port scan programmatically any device on your network. You can either scan your entire home network or if you know the IP address, you can just scan a singleton one on this. So in this case, I probed the ports on 192.168.1.80, which was the IP address that showed up that web address like my camera. And I found two open things. The first is the HTTP, that was running the web server on port 80. And the second was port 554, which Netcat will tell me is the protocol port for a protocol called RTSP. RTSP stands for real-time streaming protocol and is another industry standard for how to operate. Other cameras, some that are even less secure, will also be responding on ports 21 and 22. You can try telnetting into them or SSHing into them.
Most of the common ports that you'll find for Wi-Fi cameras are on this list. One other thing to note is cameras that use dynamically assigned systems will advertise themselves via Bonjour and will use Bonjour dynamic records. So modern cameras that are supporting Apple's HomeKit protocol will have both a HAP TCP record and the controlling computers will have HomeKit TCP records. You can usually then find the ports in there if you look inside of the dynamic area. And you can probe those directly with other tools as well.

So now that you know which port it's listening on and which IP address you go, now we get to the fun and interesting parts, which is we can start probing all the RTSP endpoints that a camera has. Now every manufacturer puts their RTSP usually on a slightly different URL in this system. What I've pulled here is the top five URLs on here and you then have a fully formed RTSP URL that you can then probe. And usually what you'll need to do is plug this into a piece of software that's capable of investigating and pulling up RTSP streams. VLC is a great open source piece of software, no charge, multi-protocol, RTSP support fully inside of it.

So how do you know what those URLs should be? The internet has helped us. There's a company called SolarTech which has maintained a massive library of pretty much every camera ever manufactured. You can look by manufacturer's model and find out what the sub-piece of the RTSP URI that they support. So now that we have an IP address, we have a path that we can go at it, we can start trying to actually experiment with it.

Some cameras will stop us at this point because they'll want authentication. Most cameras won't, but even the cameras that do stop us, it's usually not that hard to get through. Most of these cameras have default usernames and passwords. The top six most common are on that list right there.
Yes, admin, admin, admin password will get you in to most any camera by default unless you've gone and changed it. And most of these lower, earlier generation Wi-Fi cameras do not make you change the passwords and the usernames from the defaults.

So now we're in business. So we plugged in one of the fully working RTSP URIs into VLC and we pulled up my colleague Aaron's garage. So I generated this image about three days ago and it's a fully working video URL. You can watch it, you can see it, you can interact with it.

Now, one of the things that you'll notice is even if cameras did put any forms of authentication, most of these are still going to be found on the open internet. And this is where we get into how dangerous some of these devices, if they're not properly secured, can be. For those who don't know, Shodan is a tool for scanning embedded devices on the internet. So what I've done here is plugged RTSP into the Shodan tool and the picture may be a little small, but there are about 3.8 million devices that were found on the internet that are responding on RTSP. That's a huge potential pool of systems that can be operated. These systems were actually what were exploited in the recent Mirai botnets where using a list of automated user names or the default user names and passwords, somebody built a worm which would connect to a camera, log in, self propagate and then turn that into a DDoS platform.

So if you do play with a web camera and especially Wi-Fi cameras, don't put them on the raw internet unless you know that they're locked down and secure. These are people who probably didn't know that they've done this. Remember that any IP address that you find from Shodan is from somebody else's device and to be careful and follow the creed.

So my last little advertisement slide since we're here. So what makes Logitech secure and why are we in this business? All of our cameras are highly secured, locked down.
If you scan us, if you run search for us in any of the search engines, we don't run any open ports. We are a pure client server model. We do everything fully encrypted. All of our encryption, AES 128, 256 or better. Full perfect forward secrecy. All of our systems in our cloud based cameras use full data encryption at rest. We've designed the system so that even us, the Logitech employees, we don't have access to your video feeds. I, as the head of the engineering department, as the super admin in the systems, I can't access anybody's encoded content. It's all blind encrypted. There are multiple layers of encryption algorithms and keys that are all protected by your account credentials. We also do full Bluetooth secure setup and we do full unique RSA keys in every single camera that we produce.

So thank you guys. Any questions? We're going to be running a workstation where you can play with some of the Wi-Fi cameras. We'll also be giving away a free web camera, one of our HD web cameras for anybody who shows up. Thank you.