Reverse Engineering a WiFi Security Camera

The Internet of Things is slowly turning into the world’s largest crappy robot, with devices seemingly designed to be insecure, all waiting to be rooted and exploited by anyone with the right know-how. The latest Internet-enabled device to fall is a Motorola Focus 73 outdoor security camera. It’s quite a good camera, save for the software. [Alex Farrant] and [Neil Biggs] found the software was exceptionally terrible and would allow anyone to take control of this camera and install new firmware.

The camera in question is the Motorola Focus 73 outdoor security camera. This camera connects to WiFi, features full pan, tilt, zoom controls, and feeds a live image and movement alerts to a server. Basically, it’s everything you need in a WiFi security camera. Setting up this camera is simple – just press the ‘pair’ button and the camera switches to host mode and sets up an open wireless network. The accompanying Hubble mobile app scans the network for the camera and prompts the user to connect to it. Once the app connects to the camera, the user is asked to select a WiFi connection to the Internet from a list. The app then sends that network’s security key (the WiFi passphrase) over the open, unencrypted pairing network. By this point, just about anyone can see the potential for an exploit here, and since this camera is usually installed outdoors – where anyone can reach it – evidence of idiocy abounds.

Once the camera is on the network, there are a few provisions for firmware upgrades. Firmware upgrades are fetched from ‘private’ URLs and triggered on the camera by a simple script that passes the URL directly into the shell as root. A few facepalms later, and [Alex] and [Neil] had root access to the camera. The root password was ‘123456’.
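The upgrade path described above, a URL handed to a root shell, is the classic command-injection shape. As an added example (not the camera’s script or the authors’ code), here is a Python reconstruction of that pattern beside a hardened handler that validates the URL and never lets a shell parse it; the update host, staging path and flash tool name are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-ins for the vendor's update host, staging file and
# flashing tool (assumptions, not values from the camera).
ALLOWED_HOSTS = {"updates.example.com"}
STAGING_PATH = "/tmp/fw.bin"
FLASH_TOOL = "/usr/sbin/flash_fw"
SHELL_META = re.compile(r"[;&|`$<>()\s'\"\\]")
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._/-]+\.bin$")

def vulnerable_command_line(url: str) -> str:
    # The shape the article describes: the URL is pasted into a command
    # string that the root shell then parses. Returned, never executed here.
    return f"wget -O {STAGING_PATH} {url} && {FLASH_TOOL} {STAGING_PATH}"

def url_reaches_shell_parser(url: str) -> bool:
    # True when the URL carries characters a shell would interpret, i.e. the
    # vulnerable pattern would run more than wget and the flash tool.
    return SHELL_META.search(url) is not None

def validate_firmware_url(url: str) -> str:
    # Hardened check: https only, allowlisted host, plain .bin path, and no
    # userinfo, explicit port, query or fragment. Raises ValueError otherwise.
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("scheme must be https")
    if parts.username or parts.password or parts.port:
        raise ValueError("userinfo and explicit port not allowed")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("host not on allowlist")
    if parts.query or parts.fragment:
        raise ValueError("query and fragment not allowed")
    if not SAFE_PATH.match(parts.path) or "/../" in parts.path:
        raise ValueError("unexpected path")
    return url

def is_acceptable_url(url: str) -> bool:
    try:
        validate_firmware_url(url)
        return True
    except ValueError:
        return False

def hardened_argv(url: str) -> list:
    # Argument list for subprocess.run(argv) with shell=False: no shell ever
    # parses the URL, so metacharacters stay data. Validation still limits
    # what a root process is allowed to fetch.
    return ["wget", "-O", STAGING_PATH, validate_firmware_url(url)]
```

The argv form is the actual fix; the URL validation is defence in depth so that a root process cannot be pointed at an arbitrary download source even when no shell is involved.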

While there are the beginnings of a good Internet of Camera in this product, the design choices for the software are downright stupid. In any event, if you’re looking for a network camera that you own – not a company with a few servers and a custom smartphone app – this would be near the top of the list. It’s a great beginning for some open source camera firmware.

Thanks [Mathieu] for the tip.

22 thoughts on “Reverse Engineering a WiFi Security Camera”

    1. It is not just cameras, I did a WiFi scan recently and over 90% of the results indicated installations with one or more known security flaws. Even if the cams were secure they are often connecting to a WiFi router that is easily compromised so with a little more work you can get the credentials for the cam anyway. It is all one big house of cards….

    2. Let’s make one thing clear. The “Motorola” that built that camera is the 1/2 of the “old” Motorola. The old CONSUMER side of the company purchased by Google, then Lenovo, then now changing its name to something else. The “other” – still around – Motorola, is Motorola Solutions. THEY are the opposite of the consumer business. Their core audience is mission critical communication systems (i.e. police radios). So please don’t think that MSI built that camera. They did not. Think of it as a Lenovo camera.

    3. Because they don’t produce it. They slap their name on a China premade assembly that already had crap firmware.

      Motorola has not made quality devices for over a decade, it’s all about using the brand recognition to sell low grade junk at premium prices.

      I get China no-name stuff that is nearly identical for about 1/5th the price. And the China stuff still has the full ONVIF protocol available.

  1. I was just thinking about how ping packets timeout after 30 hops. Is there an option in TCP packets where you could claim that the source device was actually hop number 27 or 28 so as to limit the dire security to localised hackers?

    Just thinking outside the box a little :)

    1. You can set a TTL (time to live) on packets. After so many jumps, they’ll just disappear.

      Also, it isn’t 30. It varies all over the place. (some Google-Fu) Recent versions of Windows are 128.

      I just ran a traceroute and you’re right, it says “30 hops max” at the top. I don’t know why they have that arbitrary limitation built in. Huh. Anyway, I don’t think it has anything to do with TCP because that can do way more hops.

      1. RTFM?

        I don’t have a non-busybox *nix box here at the moment, but from my paltry Windows machine:

        C:\>tracert -d -h 255 google.com

        Tracing route to google.com [173.194.46.46]
        over a maximum of 255 hops:

        1 <1 ms <1 ms <1 ms 10.0.0.11
        2 * * ^C

        It bombs with more values greater than 255, but it certainly accepts more than 30.

        This doesn't seem any more arbitrary than using C to program the tool in the first place.

      1. A very common China ONVIF camera you can get root access to due to its root password being leaked and a login to the Linux inside. I set the hop to 1. I WILL NEVER want to see the cameras outside my home; I will connect to the recording server for that access, which has far better security on it.

        And if I really, really need to access the camera remotely I can VPN into the network.

  2. They just don’t care, and they don’t care because 90% of consumers don’t, or are willing to believe the sales pitch that says they are. We went through this with cars – for a period just about all of them were rolling deathtraps and people blindly bought them. It was a real fight by some pretty committed people just to get the population to give enough of a damn for the politicians to get off their asses and legislate some minimum standards. All of this nonsense from porous security to companies bricking consumer equipment on purpose, or crappy quality control will not stop until a critical mass of average consumers get pissed off enough to force change.

  3. These cameras are a crap shoot, and they’re way over-priced, especially for the PT[Z] models. At best, the hardware is decent, the application software is decent, but the firmware sux big-time. Glad to see someone is trying to fix the broken leg.

  4. I actually assume they all have bad design and just get the cheapest to-spec China ones off eBay. I paid $35 and have 1080p, IR night vision and motion detection, IP54 protection, and WPA2-PSK AES. Mine are powered by solar-charged AGM deep cycles.

    They are protected by NAT and MAC filtering, so by all means let them have Chinese foundry malware or weak configurations, as long as it’s not exploiting video software bugs.

    1. A NAT router and MAC filtering won’t help here because STUN packets bypass NAT by design. Read the bit about STUN spoofing or CSRF in the article. No port forwarding necessary to exploit this on your LAN…

      1. I also have cheapo ‘HD’ Chinese cams with all the bells & whistles. (£20 each and actually decent image)
        I’ve set firewall rules so any data to the WAN is dropped, rather than plain NAT toying.
        The cams are then controlled/accessed by ‘Zoneminder’ which also has a better quality set of apps available.

        What I found prior was that they would happily ferry off your WiFi name/pass and the camera’s user/pass list to you unencrypted, if you used the app remotely to access the cam.

        Oddly, after preventing data exit, the cams will occasionally look off into the sky – maybe some phone-home issue causing it to reset… (of course, in ‘wifi host mode’ it works fine).

  5. “Running ‘ps’ on the camera reveals lots of threads for the ‘msloader’ binary which handles the camera’s core functionality, alerting and command and control. This complex binary presumably leaks memory judging by the cron jobs we found which reboot the binary on a precise schedule in the early hours of the morning. We won’t publish the hours it reboots as no skill is required to exploit that feature but hopefully criminals will be sleeping then anyway…”

    Dumbest part of the whole thing. Let’s just disable the entire camera on a predictable schedule, and let’s do it in the middle of the night when the security is most needed! This will be great!

  6. I’ve found openipcam point com has some useful info about some of the cheap webcam firmwares. It had an API document that gave me URLs to pull a VLC-friendly stream from the cheap cam I’ve got.
