Hacking Linksys IP Cameras (part 1-6)

[begood]

I found the camera to be quite good functionalities-wise, although I’ve experienced availability problems with it. It seems the camera freezes every once in a while. Well, this is true at least when you heavily customized its configuration which is what I’ve ultimately done after playing so much with it.

I’ve loved playing with embedded devices for a while, and as a security researcher I find it quite an interesting topic as many "de facto" security principles that are usually (attempted to be) followed when designing other types of systems are not often applied to embedded devices. This, I believe is due to lack of limitations in hardware resources, and lack of awareness on consequences of getting a miscellaneous device compromised. i.e.: "who cares if my IP camera gets owned?"

During the next days, I’ll be posting some vulnerabilities I’ve found. Some of them are fun and serious, while others you might find kind of boring.

Meet the target

You can learn a lot about the specs of a device by simply reading the product’s literature. However, sometimes not enough info is provided in these documents. The following are some of the specs I confirmed by interacting with the camera in various ways:

* CPU: Faraday FA526id(wb) rev 1 (v4l) according to /proc/cpuinfo

* OS: Linux version 2.4.19-pl1029 according to /proc/version plus Busybox (confirmed as the file /bin/busybox exists on the filesystem)

* HTTPD: thttpd 2.25b (extracted from banner returned on default html error pages and ‘Server:’ HTTP headers)

* Memory:30908 kB (32 MB?) according to /proc/meminfo

* Firmware Version: V1.00R22 and V1.00R24 (latest version available as on 16th April 2009)

Hacking Linksys IP Cameras (pt 1) | GNUCITIZEN

Hacking Linksys IP Cameras (pt 2) | GNUCITIZEN

Hacking Linksys IP Cameras (pt 3) | GNUCITIZEN

Hacking Linksys IP Cameras (pt 4) | GNUCITIZEN

Hacking Linksys IP Cameras (pt 5) | GNUCITIZEN

Hacking Linksys IP Cameras (pt 6) | GNUCITIZEN