Hacking An IoT Camera Reveals Hard-Coded Root Password

Hacking — at least the kind where you’re breaking into stuff — is very much a learn-by-doing skill. There’s simply no substitute for getting your hands dirty and just trying something. But that doesn’t mean you can’t learn something by watching, with this root password exploit on a cheap IP video camera being a good look at the basics.

By way of background on this project, [Matt Brown] had previously torn into a VStarcam CB73 security camera, a more or less generic IP camera that he picked up on the cheap, and identified a flash memory chip from which he extracted the firmware. His initial goal was to see if the camera was contacting sketchy servers, and while searching the strings for the expected unsavory items, he found hard-coded IP addresses plus confirmation that the camera was running some Linux variant.

With evidence of sloppy coding practices, [Matt] set off on a search for a hard-coded root password. The second video covers this effort, which started with finding UART pins and getting a console session. Luckily, the bootloader wasn’t locked, which allowed [Matt] to force the camera to boot into a shell session and find the root password hash. With no luck brute-forcing the hash, he turned to Ghidra to understand the structure of a suspicious program in the firmware called encoder. After a little bit of poking and some endian twiddling, he was able to identify the hard-coded root password for every camera made by this outfit, and likely others as well.

Granted, the camera manufacturer made this a lot easier than it should have been, but with a lot of IoT stuff similarly afflicted by security as an afterthought, the skills on display here are probably broadly applicable. Kudos to [Matt] for the effort and the clear, concise presentation that makes us want to dig into the junk bin and get hacking.

Continue reading “Hacking An IoT Camera Reveals Hard-Coded Root Password”

The Big List Of Naughty Strings Helps Find Those User Input Problems

Any software that accepts user input must take some effort to sanitize incoming data, lest unexpected and unwelcome things happen. Here to make that easier is the Big List of Naughty Strings, an evolving list of edge cases, unusual characters, script-injection fragments, and all-around nonstandard stuff aimed at QA testers, developers, and the curious. It’s a big list that has grown over the years, and every piece of it is still (technically) just a string.

These strings have a high probability of surfacing any problems with handling user input. They won’t necessarily break anything, but they may cause unexpected things to happen and help point out any issues that need fixing. After all, many attacks hinge on being able to send unexpected inputs that don’t get properly sanitized.

Finding bad inputs is not always entirely straightforward, but at least the Big List of Naughty Strings is available in a variety of formats to make it easy to use. [Max Woolf] has been maintaining the list for years, but if you haven’t heard of it yet and think it might come in useful, now’s the time to give it a look. Now you can help ensure your system can handle things like someone registering a company named ; DROP TABLE “COMPANIES”;– LTD.

Bass Guitar Gets Shapeshifting Pickups

Electric guitars were the hip new thing back in the mid-century. The electrification of the common and portable guitar opened up a lot of avenues in terms of sound and technique. Specifically, the use of the pickup, an electromagnetic device which converts the vibrations of the guitar strings into electrical signals, increased the number of ways that a musician can alter the guitar’s sound on-the-fly. Some guitars have several rows of pickups which can be used in any number of ways, but this custom guitar has a single pickup which can be moved around the guitar’s body instead.

[Breno] was gifted this Dolphin bass guitar to start learning after years of playing a regular guitar, and while they aren’t known for high-quality instruments this guitar seemed to play and sound well enough to attempt this modification. First, a hole had to be cut all the way through the guitar’s body in order to accommodate the build. The pickup for this guitar is then mounted on two rods which allow it to move in various positions along the strings, and a second set of adjustments can be made to bring the pickups closer or further away from the strings. Some additional custom circuitry was added to control it and also to handle the volume and tone knobs, and while this was being added [Breno] and his friend [Arthur] decided this would be a great time to build some effects into the guitar’s now-custom electronics as well.

While this was largely a project for [Breno] to understand in greater depth the effect of moving the pickups around an electric guitar, the finished product looks ready to play some live shows. The addition of some extras like the effects really adds some punch to this guitar and it looks to be completely original. The nearest thing we could find is this guitar which uses hot-swappable pickups but even those are mounted in fixed locations.

Simple Hack Completely Changes The Sound Of This Piano

We’re partial to musical instrument hacks around here, mainly because we find instruments to be fascinating machines. Few are more complex than the piano, and, as it turns out, few are quite so hackable. Still, we have to admit that this ragtime piano hack took us by surprise.

We always thought that the rich variety of tones that can be coaxed from a piano, from the tinny sound of an Old West saloon piano to the rich tones of a concert grand, were due mainly to the construction of the instrument and the way it’s played. Not so, apparently, as [Measured Workshop] demonstrated by installing a “mandolin rail” in a small upright piano. The instrument had seen better days, so step one was disassembly and cleaning. A wooden rail spanning the entire width of the string board was added, with a curtain of fabric draping down to the level of the hammers. The curtain was cut into a fringe in the same spacing as the hammers – marking the hammer locations with cornstarch was a nice trick – and metal clips were crimped to each fringe. The completed mandolin rail can be raised and lowered using a new foot pedal, completely changing the tone as the hammers hit the strings with the metal clips rather than their soft felt heads. It makes the piano sound a little like a harpsichord, or the aforementioned saloon instrument, and at the touch of a foot, it’s back to its original tone.

Most of the piano hacks we offer tend toward the electronic variety, so it’s nice to see a purely mechanical piano hack for a change. And if the hacked piano doesn’t work out as an instrument, you can always turn it into a workbench.

Continue reading “Simple Hack Completely Changes The Sound Of This Piano”

ADSL Robustness Verified By Running Over Wet String

A core part of the hacker mentality is the desire to test limits: trying out ideas to see if something interesting, informative, and/or entertaining comes out of it. Some employees of Andrews & Arnold (a UK network provider) applied this mentality towards connecting their ADSL test equipment to some unlikely materials. The verdict of experiment: yes, ADSL works over wet string.

ADSL itself is something of an ingenious hack, carrying data over decades-old telephone wires designed only for voice. ADSL accomplished this in part through robust error correction measures keeping the bytes flowing through lines that were not originally designed for ADSL frequencies. The flow of bytes may slow over bad lines, but they will keep moving.

How bad? In this case, a pair of strings dampened with salty water. But there are limits: the same type of string dampened with just plain water was not enough to carry ADSL.

The pictures of the test setup also spoke volumes. They ran the wet string across a space that looked much like every hacker workspace, salt water dripping on the industrial carpet. Experimenting and learning right where you are, using what you have on hand, are hallmarks of hacker resourcefulness. Fancy laboratory not required.

Thanks to [chris] and [Spencer] for the tips.

Save ESP8266 RAM With PROGMEM

When [sticilface] started using the Arduino IDE to program an ESP8266, he found he was running out of RAM quickly. The culprit? Strings. That’s not surprising. Strings can be long and many strings like prompts and the like don’t ever change. There is a way to tell the compiler you’d like to store data that won’t change in program storage instead of RAM. They still eat up memory, of course, but you have a lot more program storage than you do RAM on a typical device. He posted his results on a Gist.

On the face of it, it is simple enough to define a memory allocation with the PROGMEM keyword. There’s also macros that make things easier and a host of functions for dealing with strings in program space (basically, the standard C library calls with a _P suffix).

Continue reading “Save ESP8266 RAM With PROGMEM”

Disassembled D-Link Firmware

D-Link Fails At Strings

Small Office and Home Office (SOHO) wireless routers have terrible security. That’s nothing new. But it is somewhat sad that manufacturers just keep repurposing the same broken firmware. Case in point: D-Link’s new DIR-890L, which looks like a turtled hexapod. [Craig] looked behind the odd case and grabbed the latest firmware for this device from D-Link’s website. Then he found a serious vulnerability.

D-Link's DIR-890 Router

The usual process was applied to the firmware image. Extract it, run binwalk to find the various contents of the firmware image, and then extract the root filesystem. This contains all the code that runs the router’s various services.

The CGI scripts are an obvious place to poke for issues. [Colin] disassembled the single executable that handles all CGI requests and started looking at the code that handles Home Network Administration Protocol (HNAP) requests. The first find was that system commands were being built using HNAP data. The data wasn’t being sanitized, so all that was needed was a way to bypass authentication.

This is where D-Link made a major error. They wanted to allow one specific URL to not require authentication. Seems simple, compare string A to string B and ensure they match. But they used the strstr function. This will return true if string A contains string B. Oops.

So authentication can be bypassed, telnetd can be started, and voila: a root shell on D-Link’s most pyramid-shaped router. Oh, and you can’t disable HNAP. May we suggest OpenWrt or dd-wrt?