Exploring Surveillance System Vulnerabilities

DEF CON 32 - The edges of Surveillance System and its supply chain - Chanin Kim, Myounghun Pak

Estimated read time: 1:20

Summary

In this captivating DEF CON 32 presentation, Chanin Kim and Myounghun Pak delve into the world of surveillance system vulnerabilities, focusing on Network Video Recorders (NVRs) and their supply chains. The duo shares their four-month journey that started with a $30,000 bounty, leading to their participation as DEF CON speakers. They explore a range of vulnerabilities, targeting key vendors like Hikvision, Dahua, and others, demonstrating how these flaws can be manipulated to hijack real-time video feeds and modify device configurations. By leveraging these vulnerabilities, malicious actors can take over NVRs, posing significant security risks. The speakers emphasize the importance of addressing these vulnerabilities to protect both consumers and organizations reliant on surveillance devices, amidst an ever-growing market fueled by pandemic-driven demand.

Highlights

• Unveiling vulnerabilities in popular surveillance system devices 🕵️‍♂️.
• A whirlwind $30,000 bounty hunt led researchers to DEF CON 🎯.
• Detailed methods used to exploit Hikvision and Dahua systems 🛠️.
• Scary implications of real-time video feed manipulation demonstrated 📹.
• Importance of securing supply chains in the surveillance market 🔗.
• Real-world implications as 130,000+ devices may be vulnerable globally 🌍.
• Call to action for stronger security practices in surveillance technologies 🔒.

Key Takeaways

• Surveillance systems have critical vulnerabilities that can be exploited by hackers 🕵️‍♂️.
• Targeting Network Video Recorders (NVRs), the researchers identified major security gaps 🔍.
• Hikvision and Dahua are some of the main vendors with exposed vulnerabilities 💣.
• Exploiting these systems could allow hackers to manipulate real-time video feeds 📹.
• The supply chain of surveillance systems is complex, involving OEM vendors who may also be affected 🔗.
• Mitigating these vulnerabilities is crucial to ensure safety and privacy 🔒.
• Security researchers can focus on HTTP processes but should also explore varied attack surfaces ⚔️.
• Users are advised to keep devices off external networks when possible 🌐.
• Researchers played a crucial role in uncovering these hidden threats 🔦.

Overview

Welcome to the intriguing world of surveillance system vulnerabilities, as presented by Chanin Kim and Myounghun Pak at DEF CON 32. These tech wizards embarked on a journey rooted in a $30,000 bounty quest, digging deep into the often overlooked but critically important domain of Network Video Recorders (NVRs) and their far-reaching supply chains. The research underscores how vulnerable these systems can be, especially in the hands of seasoned hackers who can infiltrate and exploit these devices for nefarious purposes.

In their exploration, the duo targeted renowned vendors such as Hikvision and Dahua, uncovering severe security flaws that could enable attackers to control real-time video feeds, potentially compromising security and privacy. By detailing their findings and methodologies, they highlighted the critical need for robust security measures and the role of researchers like themselves in preemptively identifying and tackling such vulnerabilities before they can be exploited by malicious actors.

These revelations are a call to action for both manufacturers and consumers in the surveillance market to prioritize security. By ensuring these devices stay protected from external network exposure and strengthening internal security protocols, we can safeguard against the evolving landscape of digital threats. The session is a reminder of the interconnected nature of our global tech ecosystem, and the responsibilities we carry in maintaining its security.

Chapters

• 00:00 - 05:00: Introduction and Motivation. The chapter begins with a warm welcome to the audience, expressing excitement about the presentation titled 'Watchers Being Watched: Exploiting the Surveillance System and its Supply Chain.' The presenters aim to discuss their findings on vulnerabilities within surveillance system devices. Chanin Kim is introduced as an offensive researcher at S2W, accompanied by a colleague referred to as M.P., who is a student.
• 05:00 - 15:00: Target Selection and Methodology for Firmware Extraction. In this chapter, the author describes their journey in offensive research while attending a university in Korea. They recount how this work led them to achieve a significant milestone: a $30,000 bounty and an opportunity to become a speaker at DEF CON. The chapter outlines the process of extracting firmware and analyzing vulnerabilities, and discusses various vulnerabilities that could be exploited globally along with possible scenarios. The chapter concludes by highlighting the impact of their research work.
• 15:00 - 35:00: Vulnerability Discovery and Exploitation Scenarios. In this chapter titled 'Vulnerability Discovery and Exploitation Scenarios,' the focus is on understanding how vulnerabilities within supply chains are discovered and exploited. The chapter discusses a specific scenario involving Iranian hackers. They posted content related to their activities, which is used as a case study in this chapter. The chapter outlines the researchers' efforts to analyze these exploits and demonstrates their findings through a video presentation. The chapter underscores the importance of vigilance and strategic defense mechanisms in combating such cybersecurity threats.
• 35:00 - 44:00: OEM Supply Chain Impact and Conclusion. The chapter discusses the ubiquitous presence of surveillance devices in everyday life, a trend driven significantly by the COVID-19 pandemic. This surge in demand highlights the importance of enhancing the security of these devices to protect privacy and data.

DEF CON 32 - The edges of Surveillance System and its supply chain - Chanin Kim, Myounghun Pak Transcription

• 00:00 - 00:30 Okay, hello DEF CON. Thank you for coming to our presentation. We are excited to share our talk titled 'Watchers Being Watched: Exploiting the Surveillance System and its Supply Chain'. We'll talk about our vulnerability research on surveillance system devices. Please enjoy. First, let us introduce our research group. I'm Chanin Kim and I'm currently working as an offensive researcher at S2W, and he is M.P. and he's a student
• 00:30 - 01:00 attending a university in Korea, enjoying offensive research. This is what we'll show you in this talk: we'll be talking about a $30,000 bounty and a four-month journey to become a DEF CON speaker. In our talk we'll cover how we extracted the firmware, then the steps we took to analyze the vulnerabilities, and after that the various vulnerabilities that could be exploited in the world and their scenarios, and in the last part the impact of our
• 01:00 - 01:30 research on the supply chain. That's it, please look forward to it. This video is the final goal, which happened in the real world, that we wanted to reach while doing this research. This was posted by Iranian hackers, and we would like to show that we have successfully demonstrated what the video is showing. Let's watch the video.
• 01:30 - 02:00 This is like a hacker from a movie, isn't it? Next, why is making our surveillance devices more secure important? We can see surveillance devices everywhere in our lives. Because of the COVID-19 pandemic's outbreak, the demand for surveillance
• 02:00 - 02:30 devices has surged for various purposes such as stores, smart cities, and access control. The global surveillance device market is currently worth $4.1 billion. So in these circumstances, surrounded by such devices, NVRs are taking on a more essential role in our lives and those of their users. Next is our target.
• 02:30 - 03:00 Many people don't know much about NVRs, but as we just highlighted, NVRs are more than just important, since they play a brain-like role in the overall surveillance system. Therefore we selected NVRs as our target. So what is an NVR? A network video recorder, called an NVR, stores recorded video from CCTVs and IP cameras and monitors or manages real-time video. Due to the nature of managing these videos,
• 03:00 - 03:30 many devices can access them over the internet, and the screen you see below is the NVR screen. This is our detailed research motivation. First, as we investigated online, there were not as many studies on it compared to CCTV or IP camera systems, and as a result of a Shodan search we found that more than 30,000 devices are exposed to the
• 03:30 - 04:00 internet. However, there are cases where critical vulnerabilities have been discovered previously. There was a case when the Mirai botnet became popular in 2021: a Hikvision RCE vulnerability was maliciously used for the attack. So we are motivated by such examples, which are serious vulnerabilities. Next is vendor choice. We chose four vendors: Hikvision and Dahua,
• 04:00 - 04:30 because they have the highest market share in the world's surveillance systems, and we chose Vendor A, which has the highest market share in Korea. Lastly, regardless of market share, we also selected the Synology Surveillance Station package as a target vendor. This is because Synology is famous for security and has an image of being safe, so we wanted to check whether surveillance-related packages were
• 04:30 - 05:00 also the same. Next, let us tell you about our firmware extraction methodology. We tried a variety of methods to extract the firmware, and this picture is a list of what we tried. Since three of these products had a UART port available, we tried to extract the firmware through UART, and Synology allows root shell access via SSH, so no other method was needed.
• 05:00 - 05:30 Before that, let us tell you why we didn't perform the extraction via remote access. Hikvision and Dahua supported remote access, but only limited shell access was possible. We tried many ways to bypass this, but they failed, so we had no choice but to use UART. We identified the UART port on the PC board and connected the cable to make it interactable with the U-Boot shell. However, all three devices were not regular U-Boot but
• 05:30 - 06:00 modified U-Boot, so we couldn't use the U-Boot shell, as shown in the picture on the right. We started looking for a way to bypass it. First, in the case of Hikvision, we couldn't bypass the U-Boot mitigation on the first NVR we purchased, so we used the method of repurchasing an older version of the Hikvision device. The older version device
• 06:00 - 06:30 had a lower U-Boot version, and there were differences from the mitigation applied to the latest U-Boot. We were able to access the U-Boot shell using a Hikvision U-Boot mitigation bypass technique we could find on the internet. Lastly, we updated the older version of the product to the latest firmware. The bypass technique already known in the older version
• 06:30 - 07:00 [Laughter] Done, all right. Oops, yeah, okay, thank you all. On the latest version there was no reaction even though we tried our best at giving command input, but as shown in the picture on the right, which is the older version, using setenv and semicolons caused the command injection,
• 07:00 - 07:30 so we were able to insert U-Boot commands. Since we could use the U-Boot commands, we were able to obtain a kernel shell for the device by adding /bin/sh to the rd argument in bootargs. Next, the case of Dahua. In Dahua, several U-Boot commands were available, but the most important commands such as printenv did not exist, so we used setenv to print the changed argument once
• 07:30 - 08:00 again to check the value of the environment variable with the keys we know. However, a bigger problem awaited us. We modified the bootargs and booted the device, but we couldn't see the console output. In order to use the console shell, of course there must be console output, so we looked for a way to check the console output. First, we knew that the environment section exists using the MTD
• 08:00 - 08:30 part command, and to print the content of this environment section we used a command to print the contents of the environment variables. Now that we were able to check the key values of the environment variables, we changed the value of each environment variable one by one to see if we could grab the console output. We found out that there was an environment variable called dh_keyboard that
• 08:30 - 09:00 specifies the console output mode, so we could change it to zero to get console output. Next is Vendor A. In the case of Vendor A, unlike the previous two cases, it was not possible to even use the U-Boot shell. As you can see, as soon as we booted the device, 'type password' appeared, and we couldn't use any U-Boot command. Vendor A was calling this 'secure guard', and we started doing a lot of research to bypass
• 09:00 - 09:30 this. We learned about the glitching attack through a lot of research and read the U-Boot code to perform this attack. By reading the code, the booting algorithm in the U-Boot system says that if the initialization process was successful it will launch the kernel, and if it fails it restarts the boot shell. We assumed that Vendor A wouldn't have exception handling for this method, and we found a way to make the initialization
• 09:30 - 10:00 process fail. Let us tell you how to perform this attack. First we will explain the process of loading the kernel during the normal sequence. First, load the kernel into RAM from flash memory. Second, the CPU reads the kernel loaded into RAM and decompresses it. If the decompression is successful, the CPU starts the kernel and terminates the execution of U-Boot.
• 10:00 - 10:30 Now let us tell you the boot sequence's difference between performing the attack and vice versa. As with the normal process, load the kernel into RAM from flash memory. At this time we gave it an electric shock, which caused the kernel to be broken and loaded into RAM. As the CPU tries to decompress the broken kernel in RAM, it naturally fails. When this happens, the CPU restarts the boot shell, as I mentioned
• 10:30 - 11:00 earlier. Through previous research we learned that the attack is carried out by connecting the chip select and data out on the pads of the flash memory. Therefore we checked the datasheet of the flash memory available on Vendor A and found out which pins should be connected. We are now set, but how do we connect these two pins? We created a specialized tool for performing this attack. This particular
• 11:00 - 11:30 attack, by attaching the heads of jumper cables together, looks very easy, right? Here is a demo of this attack. If we give it an electric shock, and boom, we can use the root [Applause] shell. Once we had the console for all
• 11:30 - 12:00 devices, we needed to extract the file system. We extracted the file system to our NAS using NFS and USB. One thing we didn't know was that the USB had to be formatted as XFS for the device to recognize it. As you can see, we were able to successfully transfer all devices' file systems to our NAS. However, we encountered a big problem when configuring Dahua's analysis
• 12:00 - 12:30 environment, because most file systems were read-only, so no files could be modified or written. Even though we had a root shell, the shell becomes unusable once the device boots up, so we had to bypass it. We found out that only the root and device directories were modifiable, so we decided to use bind mount. We discovered that when we bind mount our file in a writable directory, the file
• 12:30 - 13:00 becomes editable. We immediately bind mounted /etc/passwd to a writable location. Now we can modify /etc/passwd. However, the main binary ran an integrity check and rebooted the device when changes to file content were detected, so we found a way to get around this. First, we cloned /etc/passwd to a writable directory. If you look at the picture on the right,
• 13:00 - 13:30 you can see that the root shell is set to dsh, a restricted shell. Second, bind mount is performed in the rcS script after the initialization process is completed and immediately before starting the main binary. Next we run the main binary, and when the web service becomes available, we change the content of the bind mounted
• 13:30 - 14:00 file. Finally, we have unrestricted root shell access via SSH. Now we can replicate the file system using NFS. Additionally, this bind mounting replaces the original file content when the device is rebooted, so we created the previous process as a shell script and used it. Next we'll discuss the vulnerabilities we discovered and the NVR hacking scenarios we created by linking vulnerabilities. Here we will explain one
• 14:00 - 14:30 scenario for each vendor we targeted. First, let's look at the scenario for Vendor A. The code on the left is the query string parsing logic used in the web page. It calculates the start and end of the parameters based on the equals and % characters. This parameter named len is used as the parameter for strncpy. Therefore, since the length is a parameter controlled by the attacker,
• 14:30 - 15:00 it can cause a buffer overflow. So let's insert a large number of characters into the query string parameter. As you can see, the return address is overwritten because there is no canary, successfully manipulating the PC register. However, we encountered a few problems. First, NX was enabled, so we needed to perform ROP. Next, since the payload must be successfully delivered to
• 15:00 - 15:30 the server, we could only insert printable characters, and all gadgets in the binary start with one, so we could not use gadgets within the binary. For this reason we also couldn't leak the libc address. So how do we write the exploit code? We found several solutions. First, we discovered that the R register holds a stack address at a certain point, and we confirmed that this stack address
• 15:30 - 16:00 contains the string we inserted into the query string. Next, since the main binary has a 32-bit address space, it has low entropy. Lastly, the lighttpd binary spawns a new child process whenever the child process dies. What do you think? Doesn't it seem like everything is set for brute force? Look here. As I mentioned, the R register holds a stack address
• 16:00 - 16:30 containing the string we can manipulate. At that time we can control the PC register. Now we needed to reboot the binary until the PC register holds the libc system address. Here is the method. We send a request that makes the R register hold the shell command payload, then we set an arbitrary libc system address in the PC register. Now let's start brute forcing.
• 16:30 - 17:00 Before long we obtained a shell. Fortunately, we got the shell within 600 tries, not the expected two to the power of 16 tries. Great, we got a root shell, but what can we do with it? All critical files like video, account and user password were encrypted, so we found additional vulnerabilities in the device so we can take over the admin web page. Unfortunately, since this vulnerability
• 17:00 - 17:30 has not been patched yet, we cannot disclose it here. All right, we can now access the device management page with admin privileges. Now we can do anything. This is the real-time video manipulating scenario created by chaining the explained vulnerabilities. The attacker infiltrates the NVR through RCE, then using a vulnerability we cannot
• 17:30 - 18:00 disclose here, the attacker gains access to the admin web page. Finally, the attacker manipulates the real-time video. Here is the demo video of the scenario. When we send our payload, and yeah, the NVR screen is tampered
• 18:00 - 18:30 with. Okay, thank you. Next, let's discuss the missing authorization scenario for Synology. Synology performs the role of an NVR through the Surveillance Station package. Let's look at the authorization code of this package's API handler. First, it verifies if the user sending the request is logged in through the isAuthorized function. Then it tests if the user has permission to use the Surveillance Station package.
• 18:30 - 19:00 Doesn't it seem like something is missing? It doesn't check if the user has the necessary permissions to use specific features, whether the user is an admin or a guest. So we found that even with guest permissions, one could abuse all features of the Synology Surveillance Station. We discovered that Surveillance Station features include reboot, shutdown and package installation. Additionally, we found something unusual:
• 19:00 - 19:30 some requests usable in Surveillance Station are forwarded to the NAS core package regardless of the requester's identity. These requests are forwarded to the core package as admin, allowing a guest using Surveillance Station to make requests to the Synology NAS with admin privileges. We received a CVSS score of 9.9 from Synology.
• 19:30 - 20:00 Next, let's look at the scenario of hijacking real-time video. In a normal flow, guests do not have access to the camera, so they cannot view video on the front end. However, due to the vulnerability, even guests can obtain video information. Synology returns the RTSP server address and access credentials in the response, granting attackers unlimited access to the videos. Let's look at the scenario. Here we
• 20:00 - 20:30 included a request to terminate the layout. The attacker sends a request to terminate the layout, disconnecting all live video layouts connected to Synology on our computers. Then the attacker sends a 'get live view path' request to steal the video information and requests the video from the RTSP
• 20:30 - 21:00 server using the stolen information. Now the attacker has hijacked the real-time video. Here is the demo. When we send the payload, and boom, the layout is terminated and we can watch the live video. Thank
• 21:00 - 21:30 [Applause] you. Next we will introduce the vulnerabilities and scenarios of Dahua. The first vulnerability is called the recover assertion, and we will explain how we found it. While analyzing the login function, we discovered that there are many login options. As shown in the table below, there are six types of authorityType and
• 21:30 - 22:00 passwordType pairs. By default, the authorityType and passwordType are set to Default, and the data sent in the request includes username, hashed password, session, authorityType and passwordType. If the request is successful, a response containing true is received. We were curious about what would happen when attempting to log in with different authentication types, which led us to analyze the
• 22:00 - 22:30 login options. During the analysis, we found the developer's mistake in the processing of the login request data, and we were able to shut down the device with a recover assertion as a result. Now let me explain the vulnerability. First, before processing the login logic, the functions getPasswordType and isPasswordValid are called. The getPasswordType function extracts authorityType and passwordType by parsing and compares them with specific strings
• 22:30 - 23:00 such as Default. If the strings match, the function returns a type of its own: if both types are Default it returns four, and if it is OTP and SSC it returns seven. The next function called is isPasswordValid. It parses the login parameters based on the type value returned by the previous function, getPasswordType, and creates string objects. The series of processes entered when authorityType
• 23:00 - 23:30 and passwordType are set to Default: you can see that there is exception handling logic that checks whether those parameters are null before generating a string object for both parameters. Most of the branches had this null exception handling logic, but not all of them. The following code handles the case when the authentication type is OTP and SSC. As seen in the code below, string objects
• 23:30 - 24:00 for the authorityInput and passwordType variables are created, but there is no exception handling logic for these objects. So we removed the authorityInput parameter, set the authentication type to SSC, and sent a request. As a result, the authorityInput is set to null, which causes a recover assertion to be thrown when creating a string object for the parameter, causing the main binary to exit. When the
• 24:00 - 24:30 main binary terminates, the watchdog causes the device to reboot. This is a pretty simple vulnerability. All right, the following vulnerabilities are very important because they require the device reboot. The second vulnerability is LF injection. First, Dahua sets permissions by group, and once an account is created it can only perform tasks included in the permissions of the assigned group. This group information is stored in a
• 24:30 - 25:00 file named group sec and is encrypted using AES-CBC. We tried analyzing the source code to find the key and IV, but it was quite complicated and we eventually failed to find them. However, since the configuration information must be decrypted and loaded into memory during the main binary boot process, we performed a dynamic analysis of the boot process and fortunately we were able to find the decrypted
• 25:00 - 25:30 data. The structure of the decrypted group sec file is as follows: the columns are ID, name, authority and memo. Each column is separated by a colon and each line is separated by a line feed. When adding or modifying group information, the getLine function is called as part of the process of saving the changed data. This function generates a line with the ID, name, authority and memo extracted from
• 25:30 - 26:00 the login request, separated by colons. We found out that there is no validation checking procedure for the input value until generating a line with the getLine function, so we added a line feed to the memo to tamper with the structure and then restarted the device to see what would happen during the parsing process of the group sec file. As a result, the device entered the
• 26:00 - 26:30 initialization routine and recreated the group sec file. When entering the initialization routine, the user can change the admin password on the web and perform any actions. We were curious if the initialization routine would still be entered if the file was deleted. After deleting the file and rebooting the device, we found that it still enters the initialization routine. Let me introduce the first scenario of Dahua using the two
• 26:30 - 27:00 vulnerabilities mentioned above. By using the recover assertion and LF injection, the attacker can take over the device and obtain admin privileges. First, the attacker obtains an account with user management privileges through credential stuffing. Next, the structure of the group sec file is tampered with through LF injection. Then the attacker reboots the device using the recover [Music]
• 27:00 - 27:30 assertion. When rebooted, the device enters the initialization routine, allowing the attacker to change the admin password and perform malicious activities. Next is the stack overflow. First, this vulnerability occurs not in the main binary but in a background service called AO. This service is used to
• 27:30 - 28:00 attempt online recovery when the device is abnormal, and is open on port 8088. Since this port is not forwarded, it can only be accessed from the same network. It consists of a 16-byte fixed-size header and data, and for the header, the byte at index zero indicates the function index and the bytes at indexes 4 to 7 indicate the data size. The data is then used as an
• 28:00 - 28:30 argument for the input handler, limited by the data size defined in the header. However, the key point is that the data size can be manipulated. Now let me explain the request processing procedure. The following function is called for each message first. This function uses a structure array, which consists of functions and variables related to each feature, as shown in the table on the left.
• 28:30 - 29:00 Each structure includes the permission level, index verification function, parameter parsing function, handler function, parameter allocation and free function, and next table pointer. There are about 20 such tables. Here is how it works internally: the function iterates through a loop, calling the index verification function of each structure with the first byte of the header as an argument. The index verification function,
• 29:00 - 29:30 as seen in the code on the bottom right, checks if the value obtained by subtracting a specific constant number from the argument is not zero. If the result is zero it returns zero, otherwise it returns minus one. Referring back to the previous code, if the return value is greater than zero, meaning a matching index is found, the current table pointer is stored in the A2 variable and zero is returned. If no
• 29:30 - 30:00 matching index is found, minus one is returned and the request is not processed. Next, the parsing function is called. This function retrieves the table corresponding to the index and calls the parameter parsing function. As shown in the parameter parsing function on the right, it appropriately processes the data according to the requested function and then returns the result. Finally, once all pre-processing steps are complete, the
• 30:00 - 30:30 handler creation function is called to register the input handler, which is then executed. There are many different functions that could be called, including login, query and update, but they all required login, so we started analyzing the login function first. The function is executed if the first byte is zero. The data consists of username, password and login value, with
• 30:30 - 31:00 a double ampersand used as a delimiter. The vulnerability occurs when parsing this data, which we'll explain in a moment. As you can see in the code on the right, the strings for the username and password are set to 128 and 160 bytes respectively, and the memory is initialized with memset. Next, the strstr function is called to find the positions of the double ampersands, and the data before the
• 31:00 - 31:30 first double ampersand is copied to username, and the data before the next double ampersand is copied to password. The problem is that there is no length validation checking during the copying process, allowing us to input data of any size. As a result, a stack overflow occurs, and you can overwrite the return address by putting 156 bytes of random data and then the desired value in the password
• 31:30 - 32:00 location, as shown below. Since there was no stack canary, we could manipulate the PC register. However, we encountered an issue where we couldn't include a null in the payload, making ROP impossible. We didn't want to conclude with just a simple stack overflow, so we began analyzing the source code. Fortunately, we found some useful functions. There are functions for rebooting, starting SSH, removing internet
• 32:00 - 32:30 settings, performing a soft recovery and killing all NVR-related binaries. Among these, the most interesting function was the soft recovery. This function deletes the config directory, resetting all configuration information. As seen in the previous vulnerability, if the group file is deleted or tampered with, the initialization routine is entered upon reboot, allowing the admin password to be changed. Therefore we manipulated the PC register
• 32:30 - 33:00 to call the soft recovery function. However, soft recovery deleted even the network files, making external access impossible. Unfortunately, we faced another challenge. After several days of analysis and contemplation, it suddenly came to my head that during the boot there is a process where configuration files in the config directory are decrypted and loaded into memory, so we
• 33:00 - 33:30 began analyzing the boot logs. As a result, we found that the network configuration file is loaded first and then the account file is loaded around 5 seconds later. I was curious to see what would happen if the main binary entered soft recovery within 5 seconds of loading the network configuration file. The most fortunate point is that AO is loaded before the main binary
• 33:30 - 34:00 boots. First, we kill the main binary using the recover assertion, causing the device to reboot. Then we wait until the network configuration file is loaded. In our case it took approximately 20 seconds for the device. Next, we send the soft recovery request to AO, which deletes all configuration files. Then the main binary can't access the account configuration file and enters the initialization
• 34:00 - 34:30 routine. As a result, we are able to change the admin account. Let me explain the admin takeover vulnerability using the recover assertion and stack buffer overflow. First, we reboot the device via the recover assertion. After rebooting, we wait for the network configuration file to be loaded and then send the soft recovery request to AO to remove all configuration
• 34:30 - 35:00 files. In the process of loading account setting files such as group sec, it enters an initialization routine because the files do not exist. The attacker changes the admin password and gains access to the admin page. This is a demo.
            • 35:00 - 35:30 the last vulnerability is from Hikvision Hikvision was much more solid compared to the other devices making it more challenging however we found an interesting vector a local service component that is a plugin that must be installed for users to view video from the web this plugin runs with admin privileges on Windows and it is
            • 35:30 - 36:00 accessible on port 33686 meaning anyone on the same network can access it it was a very interesting plugin so we started analyzing it and found the vulnerability due to an NDA associated with the bounty board and the vendor we can't discuss the detailed root cause in short it is a vulnerability that allows RCE by sending a crafted message instead we will show you a demo through the RCE
            • 36:00 - 36:30 we can completely take control of Windows with admin privileges we can perform any actions the next vulnerability is OS command injection which allows a user with admin privileges to execute arbitrary commands we created a scenario to take control of the internal network using these
            • 36:30 - 37:00 two vulnerabilities first we obtain admin privileges through credential stuffing next we open a reverse shell through command injection to enter the NVR then we perform network scanning to find Windows computers using the application named local service component finally by exploiting the plugin RCE we could take control of Windows and perform malicious
            • 37:00 - 37:30 activities here's the demo by just pressing the button we can automatically take control of the Windows computer in the so sorry [Music] the video doesn't work one of the
            • 37:30 - 38:00 things we learned during the project is that Hikvision and Dahua are OEM suppliers both companies also sell under their own brands but they are relabeled and sold by various retailers in the US such as Lorex and Luma this means the devices are being used all around us without anyone realizing that they are made in China first OEM stands for original equipment
            • 38:00 - 38:30 manufacturer it refers to the manufacturing method in which a company outsources the production of its products to another company and then sells them under its own brand if a product made by company A is sold under the brand name of company B then company A becomes the OEM supplier and company B becomes the OEM vendor the images below show a Dahua NVR and an OEM NVR they look very similar don't
            • 38:30 - 39:00 they this picture illustrates the OEM sales process products manufactured by OEM suppliers like Hikvision and Dahua are relabeled by OEM vendors and sold to users if a vulnerability occurs in a product produced by an OEM supplier it can affect the product sold by the OEM vendor as well this means that many devices can be impacted by the same
            • 39:00 - 39:30 vulnerability so we decided to check if the vulnerabilities were valid for OEMs using the same firmware first we looked deep into the main binaries of Dahua and the OEM vendor Bush and found that the logic was similar Hikvision was also confirmed to be similar through strings after confirming that the OEM vendors used similar firmware we decided to purchase devices and test them for Hikvision we purchased an and arpes four
            • 39:30 - 40:00 out of six vulnerabilities each were valid for Dahua we purchased Jon and each piece four and six of the seven vulnerabilities were valid respectively we confirmed that the vulnerabilities were validly exploited and reported them to MITRE and KISA which is the Korean CNA to get CVEs and KVEs which increased the number of recognized vulnerabilities by
            • 40:00 - 40:30 61% finally we will show you a video of vulnerability testing on OEM vendors the first video is the OEM vendor test for Dahua by sending Dahua's recover assertion payload we could shut down the devices the second video is the OEM vendor test for Hikvision after sending the OS command injection payload we could connect a reverse shell and input the shutdown command to turn off all the
            • 40:30 - 41:00 devices also we were curious about how many devices were affected by the vulnerabilities we found so we searched using Shodan in the case of Hikvision most of the time the device model name or firmware version was not present in the banner data so we needed a different approach to identify as many as possible we found that for NVR devices
            • 41:00 - 41:30 when accessing the login page a config.js file is requested this file contains the configuration information related to the NVR for version information we used the web version and plugin version coded in the config.js to search for devices with versions equal to or lower than the one we did our study on as a result we found that approximately 130,000 devices were vulnerable for Dahua since the device
            • 41:30 - 42:00 name was present in the banner we simply searched for it as a result we found approximately 100,000 devices finally we came to the conclusion part first of all this is what we would like to recommend to offensive researchers in this field the vulnerabilities discovered during our research period and even when analyzing 1-day cases we found that these vulnerabilities were statistically numerous so when you want to
            • 42:00 - 42:30 analyze your NVR we recommend that you focus on these vulnerabilities we conducted an analysis focusing on the HTTP communication process of the main binary in order to achieve as good a result as possible over the four-month project however NVRs have numerous attack surfaces including proprietary protocols with their cloud service SDK communication with VMS and proprietary
            • 42:30 - 43:00 protocols used to communicate with NVRs or IP cameras and communication with other sensors therefore we recommend that you do not focus solely on analyzing the HTTP process but analyze various attack surfaces the following is what we would like to recommend to users what we found while conducting the 1-day case study is that as long as the NVR is not
            • 43:00 - 43:30 exposed to the external network it is safe from these attacks major NVR vendors provide solutions that allow external access using things like DDNS without exposing the device to an external network you can take advantage of these solutions to keep your devices safe from these attacks thanks to the people who helped us with the research especially thank you to Dr. Junsang
            • 43:30 - 44:00 Yu thank you for listening to our presentation and if you have any questions please contact us on Twitter below more details of our research can be found via the QR code on the right thank you