Hack turns cheap D-Link webcam into a network backdoor
The vulnerability allowed allows attackers to turn the camera into a persistent backdoor
US security firm Vectra Networks has hacked a ‘tiny' D-Link web camera and turned it into a persistent backdoor into corporate networks.
In a 12 January blog, Vectra describes how its Threat Labs researchers bought the consumer-grade WiFi webcam for US$ 30 (£20), and cracked open its Linux kernel to create a persistent access point into a network. This meant criminals could use the camera to control remote attacks and siphon out stolen corporate data - without having to infect more protected devices such as servers or laptops.
The webcam continued to work normally, hiding the hack. Vectra also installed code to stop network administrators making any firmware updates that would remove the backdoor.
The company said its work, “verifies that consumer-grade IoT products can be hacked and re-programmed to serve as permanent backdoors. It essentially gives hackers 24x7 access to an organisation's network”.
Vectra explained that most IoT attacks are “considered relatively inconsequential” because the devices themselves contain no valuable data and typically don't have enough CPU and RAM to interest botnet owners.
But it said: “These devices get more interesting to sophisticated attackers when they can be used to establish a persistent point of access in a network. Putting a callback backdoor into a webcam, for example, gives a hacker full-time access to the network without having to rely on infecting a laptop, workstation or a server, all of which are usually under high scrutiny and may often be patched.”
In its blog, Vectra describes how it accessed the D-Link webcam's memory chip and Linux image file system, and reverse-engineered its upgrade binary to add a backdoor in the form of a “simple connect-back Socks proxy”.
Vectra said the attack does not necessarily show D-Link's webcam has a major security issue, as it is unrealistic to expect firmware update features on a low-cost webcam.
It told D-Link about the hack early in December but as of last week the supplier had not provided a fix.
Asked about the significance of the attack, Vectra EMEA director Matt Walmsley told SCMagazineUK.com via email: “The hack throws up major privacy and potential child safety concerns, as well as network security issues. In a business context, it allows the hacker to harvest high-value data for a prolonged period of time. Or they might use the camera to orchestrate more developed attacks to modify or steal useful data from storage and application servers.”
He said other consumer-grade IoT products can be hacked and re-programmed in a similar way.
But, analysing the significance of Vectra's research, independent security expert Paco Hope, principal consultant with Cigital, pointed out that the attack requires physical access to the webcam.
He told SCMagazineUK.com via email: “It is clear that D-Link only anticipated trivial corruption of the software like a failing flash RAM storage part or corruption on the network – it did not anticipate malicious software inserted either directly through a physical attack or through man-in-the-middle attacks over the internet.
“Putting persistent malware into a device when one has physical access to it is not novel or remarkable. The fact that our ecosystems are full of so many easily compromised devices and we have no idea which ones are trustworthy is the key problem.”
Hope advised: “Any device that has a network connection as well as a camera and/or microphone should be handled with significant diligence. Any organisation that owns such devices should isolate them to a dedicated network segment, to minimise the threat they pose to the rest of the corporate infrastructure.”
Walmsley at Vectra said: "Organisations that embrace the IoT need to supplement traditional security with behaviour-based models of threat detection. Using behaviour-based analysis, if any of these devices begin scanning the network, spreading malware or creating covert connections out to hacker sites to funnel data, that activity immediately generates alerts.
“Signatures can only spot what they already know about and no defence is foolproof. Only by focusing on observed behaviours, both within and outside the network, can organisations spot in-progress attacks before they escalate and cause damage and disruption.”
Vectra CSO Gunter Ollmann said in a statement: “The irony in this particular scenario is that WiFi cameras are typically deployed to enhance an organisation's physical security, yet they can easily become a network security vulnerability by allowing attackers to enter and steal information without detection.”