Inexpensive Webcam Turned into Backdoor

Researchers at Vectra Networks describe an attack against an inexpensive webcam and how they were able to turn it into a network backdoor.

Connecting a webcam to your home or office network might seem like a harmless thing, but researchers have figured out how to turn that connected device into a backdoor.

Researchers at Vectra Networks today released a report demonstrating how a $30 D-Link webcam can be abused by attackers and turned into a medium for sending additional commands or stealing data.

Vectra Networks said it contacted D-Link in early December and the issue has still not been addressed.

Chief security officer Gunter Ollmann said that such a threat is difficult to detect and remediate, especially on home networks.

“Devices that can be easily attached to the network and remotely controlled or managed via the Internet tend to be soft targets. The design of circuit boards, chipsets, and the requirement for software updates combined into a simple and environmentally reliable package limits design options,” Ollmann said, adding that he would expect other vendors’ webcams and connected devices to be similarly vulnerable. “It doesn’t help that many of the popular ‘small footprint’ operating systems popularly used for mass-produced network devices are poorly secured themselves.”

Connected devices tend to lack the storage and processing power to be attractive to hackers as computing targets in their own right. The Vectra report points out that attackers would instead focus on a device’s flash memory, where the firmware that runs the device is stored, and build a new flash image that carries the tools needed to run a backdoor.

“Once we have such a flash image, putting it in place could involve ‘updating’ an already deployed device or installing the backdoor onto the device somewhere in the delivery chain – i.e. before it is received and installed by the end customer,” the report said.

The report walks through the attack against the D-Link WiFi webcam, starting with the researchers dumping the contents of the device’s flash memory chip for analysis. The firmware on this device consisted of a U-Boot bootloader, a Linux kernel and a Linux root filesystem image. They were also able to unpack the Linux image and browse its filesystem, where they found the executable used to verify and apply firmware updates.

By analyzing the firmware update process, they were eventually able to add a connect-back SOCKS proxy to the camera’s Linux system.
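The analysis step the report describes (dumping the flash chip and picking out the U-Boot image, the kernel and the root filesystem) and the attack step (building a replacement flash image that still passes the device's own check) can both be shown against a constructed dump. The script below is an added example, not Vectra's tooling or D-Link's firmware: it carves a raw dump for U-Boot legacy uImage headers and squashfs superblocks, verifies the uImage header and data CRC32s, and then shows why a CRC-only check is no barrier to a re-flashed backdoor, because the attacker simply recomputes the CRCs after swapping the payload. The 64-byte uImage layout is U-Boot's public format; the dump built by `sample_dump()` is constructed for the demonstration. The report does not say what check the camera's update executable performs, so the CRC point is a general caveat about unsigned firmware images, not a claim about this device.

```python
"""Carve a raw flash dump for U-Boot legacy (uImage) headers and squashfs
superblocks, verify the uImage CRCs, and show why a CRC does not stop a
re-flashed backdoor.

Added example, not Vectra's or D-Link's code. The 64-byte uImage header
layout and its two CRC32 fields are U-Boot's public format; the flash
dump built by sample_dump() is constructed here for the demonstration.
"""
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
# big-endian: magic, header CRC, timestamp, data size, load addr, entry
# point, data CRC, os, arch, image type, compression, 32-byte name
UIMAGE_HDR_FMT = ">IIIIIIIBBBB32s"
UIMAGE_HDR_LEN = struct.calcsize(UIMAGE_HDR_FMT)   # 64
SQUASHFS_MAGIC = b"hsqs"  # little-endian squashfs superblock magic

# subset of U-Boot's ih_os / ih_arch / ih_type / ih_comp code tables
IH_OS = {5: "linux"}
IH_ARCH = {2: "arm", 5: "mips"}
IH_TYPE = {2: "kernel", 3: "ramdisk", 5: "firmware", 7: "filesystem"}
IH_COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}


def build_uimage(payload, name=b"linux-kernel", ih_type=2, ih_comp=1,
                 load=0x80000000, entry=0x80000000, ih_os=5, ih_arch=5):
    """Wrap payload in a uImage header carrying valid header and data CRCs."""
    dcrc = zlib.crc32(payload)
    hdr = struct.pack(UIMAGE_HDR_FMT, UIMAGE_MAGIC, 0, 0, len(payload),
                      load, entry, dcrc, ih_os, ih_arch, ih_type, ih_comp,
                      name.ljust(32, b"\0")[:32])
    # the header CRC is computed with the hcrc field itself zeroed
    hcrc = zlib.crc32(hdr)
    return hdr[:4] + struct.pack(">I", hcrc) + hdr[8:] + payload


def parse_uimage(blob, off):
    """Parse the uImage header at blob[off:] and check both CRCs.

    Returns None when there is no uImage magic at off."""
    raw = blob[off:off + UIMAGE_HDR_LEN]
    if len(raw) < UIMAGE_HDR_LEN:
        return None
    (magic, hcrc, _ts, size, load, entry, dcrc,
     os_, arch, typ, comp, name) = struct.unpack(UIMAGE_HDR_FMT, raw)
    if magic != UIMAGE_MAGIC:
        return None
    hcrc_ok = zlib.crc32(raw[:4] + b"\0" * 4 + raw[8:]) == hcrc
    data = blob[off + UIMAGE_HDR_LEN:off + UIMAGE_HDR_LEN + size]
    dcrc_ok = len(data) == size and zlib.crc32(data) == dcrc
    return {
        "size": size, "load": load, "entry": entry,
        "os": IH_OS.get(os_, str(os_)), "arch": IH_ARCH.get(arch, str(arch)),
        "type": IH_TYPE.get(typ, str(typ)), "comp": IH_COMP.get(comp, str(comp)),
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "hcrc_ok": hcrc_ok, "dcrc_ok": dcrc_ok,
    }


def carve(blob):
    """Report every uImage header and squashfs superblock in the dump, in
    offset order (a minimal version of what a tool like binwalk does)."""
    found = []
    for pattern, kind in ((struct.pack(">I", UIMAGE_MAGIC), "uimage"),
                          (SQUASHFS_MAGIC, "squashfs")):
        pos = blob.find(pattern)
        while pos != -1:
            entry = {"offset": pos, "kind": kind}
            if kind == "uimage":
                entry.update(parse_uimage(blob, pos) or {})
            found.append(entry)
            pos = blob.find(pattern, pos + 1)
    return sorted(found, key=lambda e: e["offset"])


def reseal(blob, off, new_payload):
    """Swap the payload of the uImage at off and recompute both CRCs.

    This is the attacker's step: CRC32 catches accidental corruption, not
    tampering, so an image that is only CRC-checked "verifies" again after
    a backdoor has been added. Only a signature under a key the attacker
    does not hold prevents this."""
    raw = blob[off:off + UIMAGE_HDR_LEN]
    (magic, _h, _ts, size, load, entry, _d,
     os_, arch, typ, comp, name) = struct.unpack(UIMAGE_HDR_FMT, raw)
    if magic != UIMAGE_MAGIC:
        raise ValueError("no uImage header at offset 0x%x" % off)
    new_img = build_uimage(new_payload, name, typ, comp, load, entry, os_, arch)
    return blob[:off] + new_img + blob[off + UIMAGE_HDR_LEN + size:]


def sample_dump():
    """Constructed flash dump: erased-flash padding, a uImage-wrapped kernel,
    more padding, then a squashfs-like root filesystem."""
    kernel = bytes(range(256)) * 8            # stand-in for a gzip'd kernel
    rootfs = SQUASHFS_MAGIC + b"\0" * 92 + b"R" * 1024
    return b"\xff" * 0x1000 + build_uimage(kernel) + b"\xff" * 0x200 + rootfs


if __name__ == "__main__":
    dump = sample_dump()
    for e in carve(dump):
        print(e)
    bad = bytearray(dump)
    bad[0x1000 + UIMAGE_HDR_LEN + 100] ^= 0xFF   # flip one byte of the kernel
    print("tampered dcrc_ok:", parse_uimage(bytes(bad), 0x1000)["dcrc_ok"])
    fixed = reseal(dump, 0x1000, bytes(bad[0x1040:0x1040 + 2048]))
    print("resealed dcrc_ok:", parse_uimage(fixed, 0x1000)["dcrc_ok"])
```

Run it directly to print the carved layout of the constructed dump; to walk a real device, pass the bytes of a chip dump to `carve()`. The part worth remembering is `reseal()`: whatever the on-device updater checks, if the check is a CRC or a hash with no key behind it, the attacker who can build a new image can also make it pass. A firmware update path only becomes a real control when the image is signed and the signature is verified against a key the attacker does not hold, ideally from code the attacker cannot replace.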

“This can either be accomplished with a srelay and netcat in the startup script or more optimized C code, or one could go with a simple callback backdoor with a shell using netcat and busybox which are already present on the system,” Vectra explained in its report. “Using the telnetd / busybox / netcat we can bring back a telnet socket to an outside host to have remote persistence to the webcam. With the webcam acting as a proxy, the attacker can now send control traffic into the network to advance his attack, and likewise use the webcam to siphon out stolen data.”

As more embedded devices become connected, experts and attackers alike are understanding that many of these tiny computers can be abused.

“From a criminal hacker’s perspective, the prospect of subverting cheap and ubiquitous [Internet of Things] technologies such as WebCams (which are widely deployed in both residential and commercial capacities) is a highly desirable target – and high up on the target list,” Ollmann said. “More to the point, devices that can be hijacked and serve as backdoors, yet be popular second-hand items or items that can be easily concealed and physically deployed or swapped with an existing installation, are vital tools in organized crime and espionage.”