Welcome back, my aspiring cyberwarriors!
As you know, Hackers-Arise played a key role in the Ukrainian resistance to Russia’s brutal attack. We did many things to support Ukraine including attacking Russia’s industrial infrastructure, DoS’ed the corporate and government websites, and trained hackers to protect Ukraine. What we may be most famous for is the hacking of IP cameras throughout Ukraine at the request of the Ukraine army to surveil Russian movements and war crimes in the country.
Here is a small sampling of some of the pictures we captured.
As you know, Hackers-Arise played a key role in the Ukraine resistance Russia’s brutal attack. We did many things to support Ukraine including attacking Russia’s industrial infrastructure, DoS’ed the corporate and government websites, and trained hackers to protect Ukraine. What we may be most famous for is the hacking of IP cameras throughout Ukraine at the request of the Ukraine army to surveil Russian movements in the country.
At the time, we did not reveal our techniques (for obvious reasons) but now that two years have passed and the vulnerability has been patched, we are ready to reveal to the world how we hacked so many cameras in both Ukraine and Russia!
As we revealed in earlier tutorials, we used default credentials for many of the cameras and brute forced the credentials for many others. This harvested about 15-20% of the cameras we targeted. It’s always important to try to get the “low-hanging fruit” first. The remaining 80% we were able to use two exploits, one that was a zero-day against Dahua cameras.m
Let’s focus on that one.
Dahua Zero-Day
Dahua is a China-based IP camera manufacturer that is among the world’s largest. Besides making cameras with their own name, they also private label cameras for many other re-sellers. Their cameras are literally all over the world!
On June 28, 2022, the good people at NIST announced a new vulnerability in the Dahua cameras and assigned it CVE-2022-30563 and gave it a base score of 7.8. They described the vulnerability as:
When an attacker uses a man-in-the-middle attack to sniff the request packets with success logging in through ONVIF, he can log in to the device by replaying the user’s login packet.
an article on SecurityAffairs.com described the vulnerability in a headline that read:
“A flaw in Dahua IP Cameras allows full take over of the devices”
This was several months after we had been successfully exploiting this flaw in cameras in both Ukraine and Russia.
What is ONVIF?
ONVIF is the Open Network Video Interface Forum. This is an open standard that is used in IP-based physical security products. ONVIF products allow access through a set of standardized API’s. These API’s allow the user to watch the video from the camera, unlock smart doors, and add users and passwords. ONVIF requests are transmitted through XML SOAP messages.
The ONVIF accepts, among other authentication mechanisms, WS-UsernameToken such as seen below.
<?xml version="1.0" encoding="iso-8859-1"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext">
<wsse:UsernameToken wsu:Id="sample"
xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility">
<wsse:Username>sample</wsse:Username>
<wsse:Password Type="wsse:PasswordText">oracle</wsse:Password>
<wsu:Created>2004-05-19T08:44:51Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
<wsse:Security soap:actor="oracle"
xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext">
<wsse:UsernameToken wsu:Id="oracle"
xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility">
<wsse:Username>oracle</wsse:Username>
<wsse:Password Type="wsse:PasswordText">oracle</wsse:Password>
<wsu:Created>2004-05-19T08:46:04Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soap:Body>
<getHello xmlns="http://www.oracle.com"/>
</soap:Body>
</soap:Envelope>
Note that the WS-UsernameToken accepts:
a username
a nonce
Created
password
WS-UsernameToken then generates a Base64 digest. This helps to obscure this data, most importantly, the password from being intercepted an used in a MiTM attack. By incorporating the timestamp, it also prevents replay attacks.
To be successful, the attacker must first sniff a single unencrypted ONVIF request such as shown above. This is relatively easy as WS-UsernameToken is used by default on these devices and they use HTTP rather than HTTPS, so the transmission is unencrypted.
Next, the attacker then forges a new CreateUsers request that adds a new user with admin privileges!
Once the new admin account has been created, the attacker can then simply login into the new account and take control of the device. This includes zoom, tilt and pan (if enabled) and deleting other accounts including other admin accounts.
Summary
Internet of Things devices are everywhere and in most cases their security is lax. If an attacker understands the basics of these security mechanisms they can take control of these devices.
This exercise also demonstrates the good that hackers can do in the world. Helping to spy on Russian activities in Ukraine helps to make the world a safer place.