Hacking A Banned Chinese Security Camera

A screen shot of Wireshark in action.

Over on YouTube [Matt Brown] hacks a Chinese security camera recently banned by the US government. If you didn’t hear about this you can find out more over here: Major US online retailers remove listings for millions of prohibited Chinese electronics.

After powering the camera with a power-over-Ethernet (PoE) adapter [Matt] sets about monitoring network activity with Wireshark. The first data comes from DNS for the host devaccess.easy4ipcloud.com, which whois reports is operated by Alibaba Cloud LLC in California. This is a Chinese-owned company with servers in the United States.
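The DNS lookup is the first thing a device like this leaks, and it is the easiest signal for a defender to capture on their own network. As an added example, not code from the video or the article, here is a small DNS message parser that extracts the queried names and any A-record answers from raw UDP payloads, so the same "which hosts does this device phone home to" question can be answered from a capture without Wireshark. The hostname is the one named above; the `203.0.113.10` address and the transaction ID are constructed test values, not anything observed from the camera.

```python
import struct
from typing import Dict, List, Tuple


def encode_qname(name: str) -> bytes:
    """Encode a hostname as DNS labels: length-prefixed, NUL-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Standard recursive query (flags 0x0100) for one name; qtype 1 = A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def build_response(name: str, ipv4: str, txid: int = 0x1234, ttl: int = 300) -> bytes:
    """Constructed A-record response. The answer name is a compression pointer
    (0xC00C -> offset 12, where the question name starts), as real resolvers emit."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Read a possibly compressed name; return (name, offset just past it in the record)."""
    labels: List[str] = []
    end = None          # where the caller resumes; set when we follow a pointer
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 16 or pointer >= offset:          # pointers must go backwards; bound loops
                raise ValueError("malformed compression pointer")
            offset = pointer
            continue
        if length > 63:
            raise ValueError("invalid label length byte")
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if end is not None else offset)


def parse_message(msg: bytes) -> Dict:
    """Parse header, question section and answer section (authority/additional are ignored)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append({"name": name, "qtype": qtype, "qclass": qclass})
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        rec = {"name": name, "type": rtype, "ttl": ttl}
        if rtype == 1 and rdlen == 4:                   # A record -> dotted quad
            rec["address"] = ".".join(str(b) for b in rdata)
        answers.append(rec)
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def queried_hosts(packets) -> List[str]:
    """Distinct names asked for across a list of DNS payloads (queries and responses)."""
    names = set()
    for pkt in packets:
        for q in parse_message(pkt)["questions"]:
            names.add(q["name"])
    return sorted(names)


if __name__ == "__main__":
    capture = [build_query("devaccess.easy4ipcloud.com"),
               build_response("devaccess.easy4ipcloud.com", "203.0.113.10")]
    print(queried_hosts(capture))
    print(parse_message(capture[1])["answers"])
```

Feeding real traffic to `parse_message` only needs the UDP payload of each port-53 packet (strip Ethernet/IP/UDP headers first); the returned names are what you would then look up with whois, exactly as in the video.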

[Matt] covers some basics of TLS and how it works. He then goes on to explain how a Man in the Middle (MITM) attack works at a high level. To set up a MITM attack against the camera [Matt] sets up some port redirections using iptables for ports 443, 15301, 8683, 9898, and 12337, which his Wireshark analysis indicates were being used. His MITM attack works, which means the device is not properly verifying the server's certificate signing chain.

[Matt] goes on to reverse engineer the custom UDP protocol used for transmitting video data. He uses a vibe-coded Python program along with ffmpeg for that and manages to reconstruct a few frames of video taken from the UDP packet capture.
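The video does not publish the camera's packet format, so the following is an added illustration of the reassembly step such a script has to get right, not the actual protocol or [Matt]'s code. It uses a hypothetical 8-byte fragment header (frame id, fragment index, fragment count) that I made up for the example, and a constructed capture in which fragments arrive out of order and one is missing; the point is that a frame with any fragment lost is reported rather than silently emitted as a corrupt image.

```python
import random
import struct
from typing import Dict, List, Tuple

# Hypothetical header for this example only: frame_id, fragment_index, fragment_count.
HEADER = struct.Struct("!IHH")


def split_frame(frame_id: int, frame: bytes, mtu_payload: int = 1400) -> List[bytes]:
    """Fragment one frame into datagrams (used here only to build test input)."""
    chunks = [frame[i:i + mtu_payload] for i in range(0, len(frame), mtu_payload)] or [b""]
    return [HEADER.pack(frame_id, idx, len(chunks)) + c for idx, c in enumerate(chunks)]


def parse_datagram(datagram: bytes) -> Tuple[int, int, int, bytes]:
    """Split a datagram into (frame_id, index, count, payload), rejecting inconsistent headers."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than header")
    frame_id, idx, count = HEADER.unpack_from(datagram)
    if count == 0 or idx >= count:
        raise ValueError(f"inconsistent fragment header {frame_id}/{idx}/{count}")
    return frame_id, idx, count, datagram[HEADER.size:]


def reassemble(datagrams) -> Tuple[Dict[int, bytes], Dict[int, List[int]]]:
    """Return (complete frames by id, missing fragment indexes of incomplete frames).

    Reordering and duplicate fragments are tolerated; malformed datagrams are skipped
    so one bad packet does not abort the whole capture."""
    pending: Dict[int, Dict[int, bytes]] = {}
    counts: Dict[int, int] = {}
    for d in datagrams:
        try:
            fid, idx, count, payload = parse_datagram(d)
        except ValueError:
            continue
        if counts.setdefault(fid, count) != count:
            continue                      # conflicting count for the same frame id: treat as corrupt
        pending.setdefault(fid, {})[idx] = payload    # duplicates simply overwrite
    complete: Dict[int, bytes] = {}
    incomplete: Dict[int, List[int]] = {}
    for fid, frags in pending.items():
        missing = [i for i in range(counts[fid]) if i not in frags]
        if missing:
            incomplete[fid] = missing
        else:
            complete[fid] = b"".join(frags[i] for i in range(counts[fid]))
    return complete, incomplete


def demo_capture(seed: int = 7) -> List[bytes]:
    """Constructed capture: two frames, fragments shuffled, fragment 1 of frame 2 dropped."""
    frame1 = bytes(range(256)) * 20     # 5120 bytes -> 4 fragments at 1400 bytes
    frame2 = b"\xAB" * 3000             # 3000 bytes -> 3 fragments
    pkts = split_frame(1, frame1) + split_frame(2, frame2)
    del pkts[5]                         # pkts[4..6] are frame 2; drop its fragment 1
    random.Random(seed).shuffle(pkts)
    return pkts


if __name__ == "__main__":
    done, partial = reassemble(demo_capture())
    print("complete frames:", {fid: len(data) for fid, data in done.items()})
    print("incomplete frames (missing fragment indexes):", partial)
```

Only the complete frames would be handed to a decoder such as ffmpeg; on a real capture the header layout and any frame-type or key-frame markers have to be recovered from the traffic first, which is the reverse-engineering work the video describes.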

We think it would be safe to say that [Matt] did indeed find a few security problems with the camera as-is, but we don’t think that’s the point of the ban. The real problem is that there are auto-update facilities for the device firmware, which means that in future malicious software could be uploaded by the manufacturer in the form of a firmware update. So even if this device were secure against MITM attacks and didn’t send unencrypted video data over UDP, you would still have the problem of the firmware update if there is no trust.

19 thoughts on “Hacking A Banned Chinese Security Camera”

  1. a vibe-coded Python program

    There should be a different term between people who don’t know how to program using AI, and people who do know how to program but simply go “Eh, I can’t be bothered.”

    Like, “I just slopped out the code with AI”.

    1. I agree. But, also, I think vibe-coding is a misleading term in general. Sounds like someone’s writing pseudo-code, not “I told an AI to do it”. Should just be called “AI coding”.

  2. Presumably the same logic applies to any networked camera should the parent company’s government decide the device’s owner was worth snooping on? Plenty of countries in this world with overstepping authoritarian regimes that think the constitution is a guideline…

1. Well yeah, Snowden and others revealed that the US is capable of and is actively infiltrating the supply chain to insert exploits into network devices, there is absolutely no reason to suspect they stopped or that any other technically capable country isn’t doing exactly the same.

      A little Google digging will give you all sorts of examples of state security services hacking, overstepping boundaries etc to surveil all sorts of domestic organisations and you’d have to be dangerously naive to believe they weren’t also doing the same to gather intelligence on other countries.

      The mildly cynical among us might even suggest that bans on Huawei gear were only put in place because they refused to backdoor their gear for western security services.

  3. The auto-update feature “which in future could be used to upload malicious firmware from the manufacturer” sounds like Standard Operating Procedure for just about every device and software maker. Using it as justification for banning devices is just thrashing around looking for something the ‘rubes can swallow.

    I don’t like external accesses being done without permission which is why we run a PiHole on our network.

    1. I don’t think devices should ever be allowed to auto-update unless the end user specifically opts-in.

      Too many companies are now sending out ransomware updates that break features unless you pay to have them reactivated. If I were the kind of poor sod who buys cloud-reliant devices, I would be pretty displeased to find that my thermostat which has been working fine for 4 years suddenly requires a $10/month payment.

    2. The auto-update feature “which in future could be used to upload malicious firmware from the manufacturer” sounds like Standard Operating Procedure for just about every device and software maker.

      Yeah. There’s a very widely-used home-computer operating system made by an American software vendor. It ships mandatory updates about once a month.

      Sometimes these mandatory updates include firmware updates provided by the hardware manufacturer.

      Sometimes the hardware manufacturer is in a country that may be on the “outs” with the current government of the United States.

      Sometimes that hardware includes a camera.

4. I recently found a generic pan-tilt webcam in the trash. “I’ll hack it” I thought… What a disappointment! The factory root password is LITERALLY “1234”, it’s burned in the ROM portion of the firmware, it can’t be changed!

5. The first data comes from DNS for the host devaccess.easy4ipcloud.com, which whois reports is operated by Alibaba Cloud LLC in California.

    That’s like saying that it’s “operated” by AWS.
