Last chance to enter The Hackaday Prize.

Samsung NX300 Gets Rooted

sammy

[Ge0rg] got himself a fancy new Samsung NX300 mirrorless camera. Many of us would just take some pretty pictures, but not [Ge0rg], he wanted to see what made his camera tick. Instead of busting out the screwdrivers, he started by testing his camera’s security features.

The NX300 is sold as a “smart camera” with NFC and WiFi connectivity. The NFC connectivity turns out to be just an NXP NTAG203 tag embedded somewhere in the camera. This is similar to the NFC tags we gave away at The Gathering in LA. The tag is designed to launch an android app on a well equipped smartphone. The tag can be write-locked, but Samsung didn’t set the lock bit. This means you can reprogram and permanently lock the tag as a link to your favorite website.

[Ge0rg] moved on to the main event, the NX300’s WiFi interface. A port scan revealed the camera is running an unprotected X server and Enlightenment. Let that sink in for a second. The open X server means that an attacker can spoof keystrokes, push images, and point applications to the camera’s screen.

In a second blog post, [Ge0rg] tackled attaining root access on the camera. Based on the information he had already uncovered, [Ge0rg] knew the camera was running Linux. Visiting Samsung’s open source software center to download the open source portions of the NX300 confirmed that. After quite a bit of digging and several red herrings, [Ge0rg] found what he was looking for. The camera would always attempt to run an autoexec.sh from the SD Card’s root folder at boot. [Ge0rg] gave the camera the script it was looking for, and populated it with commands to run BusyBox’s telnet daemon.  That’s all it took – root shell access was his.

 

[Image via Wikimedia Commons/Danrok]

Comments

  1. Pun says:

    Hacks like this really make me wonder whether device engineers know the difference between securing a device and crippling it. The first issue, the wide open X server, was a legitimate security flaw. The second “issue”, the boot script with root privileges, was actually a desirable feature. Many companies seem to think that the owner of a device should have the same level of access to the device as every other person earth, and make no effort to distinguish the two in their model of “security”.

    • Dax says:

      No they don’t.

      They just drop Linux in whatever because it’s there and it’s free and then never mind what it takes to secure it.

    • ajgio says:

      Why bother when only one in 1M consumers will try messing with firmware? Everyone else will just take pictures.

      • Why bother locking your door if only 1 in a Million will brake into your home?

        • MG says:

          Maybe the consequences of having you camera hacked vs a home invasion? Maybe the ease of flipping a deadbolt vs developing real security? Maybe half a second to protect yourself and your family vs months of development time to protect someone else’s photos?

        • Marcus says:

          Ever lived in the country? No one does bother locking the door. And in this metaphor, it’s not your house full of your valuables that is left unlocked, it’s a photo albulm full of cat pictures.

          OK OK, you could put some malware to autorun when the camera is connected to a PC and pretend it’s more camera bloatware. But the metaphor was funnier this way.

  2. chris says:

    will it run quake?

  3. delmadord says:

    Brilliant! Author of the hack has indeed some nice skills in his pocket. However, this makes me thinks, that if most of today’s “smart” electronics are made this way, they may not be that smart. Is this done to save cost on the “invisible” ?

  4. Ted says:

    Any benefits for an owner here? Could live video out be turned on?

  5. Me says:

    >>…the camera is running an unprotected X server and Enlightenment. Let that sink in for a second.

    Ok, it’s sunk in. Awesome!

    >>The open X server means that an attacker can spoof keystrokes, push images, and point applications to the camera’s screen

    Yes they can. And they probably will, that is if you are taking pictures near an infinite improbability engine! Come on! Is this thing even connected to the internet? Maybe it connects via Wifi? Are you going to set up port forwarding on your router to let the hackers in? Maybe your camera can be a demilitarized zone? Do you leave your camera on all the time?

    Here’s what it means to me: IF I were to buy one of these then I “can spoof keystrokes, push images, and point applications to the camera’s screen”.

    Cool!

    I’m glad people are at least thinking about security but lets not go overboard. Features like this are far more fun to play with than they are likely to be exploited.

  6. Krinkleneck says:

    Does this thing actually jump onto any open wifi or connect to anything without your given permission? All the cameras I use have a prompt come up halting all other actions waiting for my response when it connects to anything. If that’s the case then the open x-server is the least of the worries.

  7. Leonard says:

    more importantly, can this lead to Magic Lantern like functions for this camera?
    like stacking shots, and other tweaks?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 91,150 other followers