Cheap web cams can open permanent, difficult-to-spot backdoors into networks

They might seems small and relatively insignificant, but cheap wireless web cams deployed in houses and offices (and connected to home and office networks) might just be the perfect way in for attackers.

Researchers from the Vectra Threat Lab have demonstrated how easy it can be to embed a backdoor into such a web cam, with the goal of proving how IoT devices expand the attack surface of a network.

They bought a consumer-grade D-Link WiFi web camera for roughly $30, and cracked it open. They dumped the content of the camera’s flash memory chip, went through it and discovered a boot loader, a Linux kernel and image.

After accessing the Linux image filesystem, they unearthed a binary that performs verification and update of the firmware (checks if the filed opened correctly – its size – its signature – if the update is newer than the current one – checks if the file checksum is the right one).

“At this point, adding a backdoor roughly devolves to adding a service inside a Linux system – in our case, all we want is a simple connect-back Socks proxy. This can either be accomplished with a srelay and netcat in the startup script or more optimized C code, or one could go with a simple callback backdoor with a shell using netcat and busybox which are already present on the system,” the researchers explained.

“While we are making the modification, we can also remove the capacity to reflash the device in the future. This would prevent an administrator-initiated firmware update which would remove our backdoor.”

Repackaging the backdoored flash image and fixing the file checksum was trivial, and once the update was implemented, the backdoor worked beautifully.

“Using the telnetd / busybox / netcat we can bring back a telnet socket to an outside host to have remote persistence to the webcam. With the webcam acting as a proxy, the attacker can now send control traffic into the network to advance his attack, and likewise use the webcam to siphon out stolen data,” they noted.

Limitations to this type of attack are obvious: attackers must be skilled enough to create a backdoored flash image, and find a way to deliver it to the device – either by “updating” an already deployed device, or by getting their hands on it before it’s installed.

The advantages are obvious:

“Putting a callback backdoor into a webcam, for example, gives a hacker full-time access to the network without having to rely on infecting a laptop, workstation or a server, all of which are usually under high scrutiny and may often be patched,” they explained.

“On a tiny device, there is no anti-virus and no endpoint protection. In fact, no one thinks of the device as having software on it at all. This makes these devices potentially inviting for persistent attackers who rely on stealthy channels of command-and-control to manage their attacks.”

“The irony in this particular scenario is that Wi-Fi cameras are typically deployed to enhance an organization’s physical security, yet they can easily become a network security vulnerability by allowing attackers to enter and steal information without detection,” pointed out Vectra Networks CSO Gunter Ollmann.