Commit 6453bfc9 authored by Chipp Jansen

Intro and Finding out info edited

parent a217fc99
......@@ -86,7 +86,7 @@ For connecting to and re-programming the device (Section \ref{sec:rooting-device
\item Mouse, keyboard and monitor peripherals
\end{itemize}
A note about the SD-CARD for the NEOS SmartCamera. The device is sensitive to having a SD-CARD of 512MB in size (very small!). Instead of having an old and small SD-CARD, you can create a 512MB partition on a larger SD-CARD, but the camera will only be able to access this small partition.
A note about the SD-CARD for the NEOS SmartCamera -- the device is sensitive to having a SD-CARD of 512MB in size (very small!). Instead of having an old and small SD-CARD, you can create a 512MB partition on a larger SD-CARD, but the camera will only be able to access this small partition.
As an alternative to using the Raspberry PI, you can use a laptop with a USB to TTL Serial cable, also known as a Serial Console cable \footnote{\url{https://www.adafruit.com/product/954}}.
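Review bot: the reworded SD card sentence still reads as if a 512 MB card were a problem rather than the requirement; suggest "the device only works with an SD card of 512 MB (very small!)" and, in the next sentence, "an SD card" rather than "a SD-CARD". Also, the space before \footnote in "Serial Console cable \footnote{...}" prints a gap before the footnote mark in LaTeX; attach the footnote directly to the word (or place it after the punctuation).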
......@@ -95,29 +95,31 @@ As an alternative to using the Raspberry PI, you can use a laptop with a USB to
\subsection{Good devices to Hack}
Early IoT devices have the worst security. Also, lesser-known or ``generic'' brand of devices might not have the incentive or motivation to instill good security. For example, for Apple or Amazon, having an insecure device makes headlines and bad press. Also, larger companies have the resources to invest in security.
Bad security is great, because it leave routes through which to access the device and allow us to modify it's behaviour.
Bad security is great, because it leaves routes through which to access the device and allow us to modify their behaviour.
The device we will be working on is the \textbf{NEOS Cam 2 (NS-CAM-02)}, which is also sold under different brand names -- the Xiaomi Xiaofang or Dafang and Wyze Cam. It's common for an original equipment manufacturer for more generic devices to sell to companies that re-brand the device. The advantage here is that often the device has the flexibility to be re-configured for branding, and this is to our advantage to re-configure the device for our purposes.
The device we will be working on is the \textbf{NEOS SmartCam 2 (NS-CAM-02)}, which is also sold under different brand names -- the Xiaomi Xiaofang or Dafang and Wyze Cam. It is common for an original equipment manufacturer (OEM) for such generic devices to sell to other companies that re-brand the device. The advantage here is that often the device has the flexibility to be re-configured for re-branding. This flexibility is to our advantage to re-configure the device for our purposes.
\subsection{Gathering Information about Device}
Simple internet searches on the device name with the keywords ``hacking'', ``security audit'' or ``tear-down'' will reveal a number of pages where others have already taken the device apart \footnote{Here is a nice tear-down link \url{https://rasmithuk.org.uk/entry/neos-teardown}}. Tear downs are nice, because it helps guide opening a device up, as well as images of another device to compare what's inside one's own device (even though the outside product looks the same, the inside guts might differ from being a different version). Repair sites, such as ifixit (\url{https://www.ifixit.com/}), are good repositories for step-by-step teardowns.
Simple internet searches on the device name (\textit{``NEOS SmartCam 2''}) with the keywords \textit{``hacking''}, \textit{``security audit''} or \textit{``tear-down''} will reveal a number of pages where others have already taken the device apart \footnote{An example of a nice tear-down link \url{https://rasmithuk.org.uk/entry/neos-teardown}}. Tear-down guides are nice, because it helps guide opening a device up. It also provides images of another device to compare what's inside one's own device. Even though the outside product looks the same, the inside guts might differ as a different version. Repair sites, such as \textit{ifixit} (\url{https://www.ifixit.com/}), are great repositories for step-by-step tear-downs.
Often, security professionals probe at new devices to discover how vulnerable they are. They often do security audits on write-ups on a blog-post \footnote{\url{https://research.nccgroup.com/2020/07/31/lights-camera-hacked-an-insight-into-the-world-of-popular-ip-cameras/}}.
Often, security professionals probe at new devices to discover how vulnerable they are. They often do security audits on write-ups on blog-posts \footnote{\url{https://research.nccgroup.com/2020/07/31/lights-camera-hacked-an-insight-into-the-world-of-popular-ip-cameras/}}. Security audits are nice because they highlight how one might access and modify your device. As you'll find out, the NEOS SmartCam is a very open device security-wise.
\subsubsection{Communication Compliance Databases}
Any wireless devices that requires certification or compliance, is required to deposit screenshots of their interior guts online.
Any wireless devices that requires certification or compliance often is required to deposit screenshots of their interior guts online. In the US, the Federal Communications Commission (FCC) provides a way to look up the device on the web-page. A device is required to have the FCC ID on the device or in the user manual. You can look up the device at \url{https://www.fcc.gov/oet/ea/fccid}.
Look-up the device on FCC's web-page. A device is required to have the FCC ID on the device or in the user manual. You can look up the device at \url{https://www.fcc.gov/oet/ea/fccid}. However, a better search engine for FCC registrations is at \url{https://fccid.io/}. Searching for ``NEOS'' reveals the original equipment manufacturer, TianJin HuaLai Technologies, and looking up their listing of registered products (\url{https://fccid.io/2ANJH}) reveals the WyzeCam 2, which is what the camera is branded for the US market. On that page (\url{https://fccid.io/2ANJHWYZEC2}), you can External and Internal photos of the device, which helps verifies that you found the correct device. While the filed schematic, block diagram and operators manual are confidential, the Internal photos are useful to see what is inside the device instead of tearing it apart (\url{https://fccid.io/2ANJHWYZEC02/Internal-Photos/Internal-Photos-4793839}).
However, a better search engine for FCC registrations is at \url{https://fccid.io/}. Searching for \textit{``NEOS''} reveals the original equipment manufacturer, TianJin HuaLai Technologies. Looking up their listing of registered products (\url{https://fccid.io/2ANJH}) reveals the WyzeCam 2, which is what the camera is branded for the US market (the Neos SmartCam 2 is a UK device and has no FCC ID).
On the WyzeCam2 page (\url{https://fccid.io/2ANJHWYZEC2}), you can find external and internal photos of the device, which helps verifies that you found the correct device. Often though, the required filed schematic, block diagram and operators manual are confidential. The internal photos are useful to see what is inside the device instead of tearing it apart (\url{https://fccid.io/2ANJHWYZEC02/Internal-Photos/Internal-Photos-4793839}).
\subsubsection{Phoning Home}
IoT devices especially, since they are connected to the internet, often communicate to the mothership. You can intercept this communication, and even possible see what the communication is about. This can be done by monitoring the web-traffic that is conducted by the device, through a proxy or your internet router.
IoT devices especially, since they are connected to the internet, often communicate to a hosted cloud-base service (i.e. the mothership). With a network protocol analysis tool such as WireShark \footnote{\url{https://wireshark.org}}, you can interpret this communication, and possibly see what the communication is about. This can be done by monitoring the web-traffic that is conducted by the device, through a proxy or your internet router.
One of the main reasons is check if there are updates to the devices firmware, the operating system that the device is running. IoT devices often have feature to update their firmware.
One of the main reasons here is to check if there are \textit{over-the-air} updates to the devices firmware, the operating system that the device is running. IoT devices often have feature to update their firmware regularly via network connections.
Security audits online have found that these NEOS Cameras make a series of connections to the following urls:
Security audits online \footnote{\url{https://research.nccgroup.com/2020/07/31/lights-camera-hacked-an-insight-into-the-world-of-popular-ip-cameras/}} have found that these NEOS-like Cameras make a series of connections to the following urls:
\begin{itemize}
\item \url{https://www.hualaikeji.com/en}
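Review bot: the two fccid.io links for the WyzeCam 2 use different IDs, 2ANJHWYZEC2 for the product page and 2ANJHWYZEC02 for the internal photos; one of them is presumably a typo, so please check which is correct and use the same ID in both. Several grammar slips remain in the new lines: "leaves routes ... and allow us to modify their behaviour" should be "allows us to modify its behaviour" (the subject is "the device"); "Tear-down guides are nice, because it helps guide" should be "they help guide"; "do security audits on write-ups on blog-posts" reads better as "publish security-audit write-ups as blog posts"; "Any wireless devices that requires" should be "Any wireless device that requires"; "helps verifies" should be "helps verify"; "cloud-base service" should be "cloud-based service"; the tool is spelled "Wireshark"; "the devices firmware" needs the possessive "device's"; "often have feature" should be "often have a feature"; and "urls" is normally written "URLs". Finally, "the required filed schematic, block diagram and operators manual are confidential" would be clearer as "the schematic, block diagram and operator's manual that must be filed are usually marked confidential".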
......@@ -126,25 +128,27 @@ Security audits online have found that these NEOS Cameras make a series of conne
\item \url{https://wyze.com/}
\end{itemize}
\subsubsection{Online Communities}
This is another good reason to take apart and look into these IoT devices that we are bringing into our homes. Once connected to our home networks, we really don't know what or how often these devices are connecting to outside services.
Hardware hacking communities spring-up around modifying these devices. Often hacking communities spring up around devices, as the challenge and curiosity to gain access and tinker with a device is compelling.
\subsubsection{Firmware Download}
% They might also publish vulnerabilities via CVE. % TODO look-up certs
From this network analysis, you can discover where the updates to the firmware of the device are downloaded from online. Sometimes the company's web-sites even have ``Software Updates'' or ``Firmware Download'' sections where you can get a copy of the firmware. The firmware is often a large single binary file, which you can run the tool \verb|binwalk| to see what is in the firmware. % TODO - Here is what is in the NEOS SmartCam 2's firmware.
For example, the IoT camera we are looking at had a flurry of hacking that got into modifying and creating their own firmware. You can often find these communities share their research on Github such as the Xiami Dafang Hacks Repository \footnote{\url{https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks}}
The video, \textit{Back-dooring a IoT Camera} (\url{https://www.youtube.com/watch?v=hV8W4o-Mu2o}), is a nice overview of this technique.
\subsubsection{Firmware Download}
\subsubsection{Online Communities}
You can download the firmware. Youtube \footnote{Back-dooring a IoT Camera \url{https://www.youtube.com/watch?v=hV8W4o-Mu2o}}).
Hardware hacking communities spring-up around modifying these devices. The challenge and curiosity to gain access and tinker with a device is compelling.
% They might also publish vulnerabilities via CVE. % TODO look-up certs
Use \verb|binwalk| to see what is in the firmware.
For example, the IoT camera we are looking at had a flurry of hacking that got into modifying and creating their own firmware. You can often find these communities share their research on Github such as the \textit{Xiaomi Dafang Hacks} Github Repository \footnote{\url{https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks}}. This workshop relies a lot on the efforts and work of this community.
\subsection{Opening and looking at the Device}
From our research online, we can find the main processor of the NEOS, which is the Ingenic T20 \footnote{\url{http://www.ingenic.com.cn/en/?product/id/14.html}}. It operates at 1 GHz with a floating point processing unit (FPU) and has built in memory (64/128 MB of RAM). It also have video processors which allows the encoding of video captured from the camera to encode H.264 (a common web video format) at a resolution of 1080 x 970 pixels at 60 frames per second (FPS). It has a 32-bit MIPS core, which is the chip architecture which is important to know if you want to compile your own software or firmware to use on the device.
From our research online, we can figure out the main processor of the NEOS -- the Ingenic T20 \footnote{\url{http://www.ingenic.com.cn/en/?product/id/14.html}}. It operates at 1 GHz with a floating point processing unit (FPU) and has built in memory (64/128 MB of RAM). It also has additional video processors which allows the encoding of video captured from the camera to H.264 (a common web video format) at a resolution of 1080 x 970 pixels at 60 frames per second (FPS). It has a 32-bit MIPS core, which is the chip architecture. Knowing the chip architecture important is important if you want to compile your own software or firmware to use on the device.
\textbf{What does this mean?} This means that it's a pretty powerful (embedded processor) equipped with some specialised video processing capabilities, which can be used for your own custom Audio/Video creations.
\paragraph{What does this mean?} This means that it's a pretty powerful (embedded) processor equipped with some specialised video processing capabilities, which can be used for your own custom Audio/Video creations.
\subsubsection{Tear-down}
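Review bot: the new "Firmware Download" paragraph lost its content: "You can download the firmware. Youtube \footnote{Back-dooring a IoT Camera \url{...}})." has an unmatched closing parenthesis and no longer says what the video is an overview of; the removed sentence ("The video, \textit{Back-dooring a IoT Camera} (...), is a nice overview of this technique.") read better, and the footnote text should say "an IoT Camera". The sentence explaining where the firmware comes from ("From this network analysis, you can discover where the updates to the firmware of the device are downloaded from online ...") was also dropped, leaving "Use \verb|binwalk| to see what is in the firmware" without context; consider keeping at least its first part. In the processor paragraph, "Knowing the chip architecture important is important" repeats "important", "which allows the encoding" should be "which allow the encoding" (the subject is "video processors"), and "built in memory" should be hyphenated as "built-in memory".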
......