Product testing. TV show viewers can win a powerful computer. Turn a webcam into a surveillance camera.

Remote access to webcams and surveillance cameras is the most obvious hacking practice. It does not require special software, allowing you to get by only with a browser and simple manipulations. Thousands of digital eyes around the world will be accessible if you know how to find their IP addresses and vulnerabilities.

WARNING

The article is of a research nature. It is addressed to security professionals and those who are planning to become them. When writing it, publicly available databases were used. Neither the editors nor the author are responsible for the unethical use of any information mentioned here.

With eyes wide shut

Video surveillance is used primarily for security purposes, so don’t expect funny pictures from the first hacked camera. You may be lucky enough to quickly find an HD broadcast from an elite brothel, but more often you will come across boring views of deserted warehouses and parking lots with VGA resolution. If there are people in the frame, they are mostly the waiters in the lobby and the hoggers in the cafe. It’s much more interesting to watch the operators themselves and the work of all sorts of robots.

IP cameras and webcams are often confused, although they are fundamentally different devices. A network camera, or IP camera, is a self-sufficient surveillance tool. It is controlled via a web interface and independently transmits the video stream over the network. Essentially, it is a microcomputer with its own Linux-based OS. The Ethernet (RJ-45) or Wi-Fi network interface allows direct connection to the IP camera. Previously, proprietary client applications were used for this, but most modern cameras are controlled via a browser from any device - be it a computer or a smartphone. As a rule, IP cameras are always on and accessible remotely. This is exactly what hackers take advantage of.

A webcam is a passive device that is controlled locally from a computer (via USB) or laptop (if it is built-in) through an operating system driver. This driver can be of two different types: universal (pre-installed in the OS and suitable for many cameras from different manufacturers) and custom-written for a specific model. The hacker’s task here is different: not to connect to the webcam, but to intercept its video stream, which it broadcasts through the driver. The webcam does not have a separate IP address and a built-in web server. Therefore, hacking a webcam is always a consequence of hacking the computer to which it is connected. Let's put the theory aside for now and practice a little.

Hacking surveillance cameras

Hacking IP cameras does not mean that someone is in control of the computer from which the owner is watching their video stream. It’s just that now he’s not watching it alone. These are separate and fairly easy goals, but there are plenty of pitfalls on the way to them.

WARNING

Spying through cameras may result in administrative and criminal penalties. Usually a fine is imposed, but not everyone gets off easy. Matthew Anderson served a year and a half in prison for hacking webcams using a Trojan. Those who repeated his feat were sentenced to four years.

Firstly, remote access to the selected camera can only be supported through a specific browser. Give some people fresh Chrome or Firefox, while others only work with old IE. Secondly, the video stream is broadcast to the Internet in different formats. Some cameras will need to install the VLC plugin to view it, other cameras will require Flash Player, and others will not show anything without an old version of Java or their own plugin.

Sometimes there are non-trivial solutions. For example, Raspberry Pi is turned into a video surveillance server with nginx and broadcasts video via RTMP.

By design, the IP camera is protected from intrusion by two secrets: its IP address and account password. In practice, IP addresses can hardly be considered a secret. They are easily detected at standard addresses, and the cameras respond equally to requests from search robots. For example, in the following screenshot you can see that the owner of the camera has disabled anonymous access to it and added a CAPTCHA to prevent automated attacks. However, using the direct link /index.htm you can change them without authorization.

Vulnerable surveillance cameras can be found through Google or another search engine using advanced queries. For example:

Inurl:"wvhttp-01" inurl:"viewerframe?mode=" inurl:"videostream.cgi" inurl:"webcapture" inurl:"snap.jpg" inurl:"snapshot.jpg" inurl:"video.mjpg"

Another great Internet of Things search engine is ZoomEye. Cameras in it are located by requests device:webcam or device:media device.

You can search the old fashioned way, simply scanning ranges of IP addresses in search of a characteristic response from the camera. You can get a list of IP addresses for a specific city on this web service. There is also a port scanner in case you still don’t have your own.

We are primarily interested in ports 8000, 8080 and 8888, since they are often the default ones. You can find out the default port number for a specific camera in its manual. The number is almost never changed. Naturally, other services can be found on any port, so the search results will have to be further filtered.

RTFM!

It is easy to find out the model of a detected camera: it is usually indicated on the title page of the web interface and in its settings.

When I talked at the beginning of the article about controlling cameras through a “proprietary client application,” I was talking about programs like iVMS 4xxx, which comes with Hikvision cameras. On the developer's website you can read the Russian-language manual for the program and the cameras themselves. If you find such a camera, then most likely it will have the factory password, and the program will provide full access to it.

With passwords to surveillance cameras, things are generally extremely fun. On some cameras there is simply no password and there is no authorization at all. Others have a default password, which can be easily found in the camera manual. The website ipvm.com published a list of the most common logins and passwords installed on different camera models.

It often happens that the manufacturer has left a service entrance for service centers in the camera firmware. It remains open even after the camera owner has changed the default password. You can’t read it in the manual, but you can find it on thematic forums.

A huge problem is that many cameras use the same GoAhead web server. It has several known vulnerabilities that camera manufacturers have been slow to patch.

GoAhead in particular is susceptible to stack overflows, which can be caused by a simple HTTP GET request. The situation is further complicated by the fact that Chinese manufacturers modify GoAhead in their firmware, adding new holes.

In the code of other firmware there are such mistakes as curved conditional transitions. Such a camera allows access if you enter the wrong password or simply press the “Cancel” button several times. During our research, I came across more than a dozen of these cameras. So, if you are tired of trying out default passwords, try clicking Cancel - there is a chance you will suddenly gain access.

Medium and high-end cameras are equipped with rotating mounts. Having hacked this one, you can change the angle and fully examine everything around. It can be especially fun to play tugging the camera when, in addition to you, someone else is trying to control it at the same time. In general, the attacker gains full control of the camera directly from their browser by simply accessing the desired address.

When they talk about thousands of vulnerable cameras, I want to take a closer look at at least one. I suggest starting with the popular manufacturer Foscam. Remember what I said about service entrances? So Foscam cameras and many others have them. In addition to the built-in admin account, the password for which is recommended to be set when you first turn on the camera, there is another account - operator. Its default password is empty, and rarely anyone thinks to change it.

In addition, Foscam cameras have very recognizable addresses due to the template registration. In general, it looks like xxxxxx.myfoscam.org:88, where the first two xx are Latin letters, and the next four are a serial number in decimal format.

If the camera is connected to an IP video recorder, you can not only monitor remotely in real time, but also view previous recordings.

How does a motion detector work?

Professional surveillance cameras are equipped with an additional sensor - a motion detector, which works even in complete darkness thanks to an IR receiver. This is more interesting than always-on IR illumination, since it does not unmask the camera and allows it to conduct covert surveillance. People always glow in the near-infrared range (at least when they are alive). As soon as the sensor detects movement, the controller starts recording. If the photocell signals low light, the backlight is additionally switched on. And exactly at the moment of recording, when it’s too late to close yourself from the lens.

Cheap cameras are simpler. They do not have a separate motion sensor, but instead use frame comparison from the webcam itself. If the picture differs from the previous one, it means that something has changed in the frame and you need to record it. If the movement is not recorded, then the series of frames is simply deleted. This saves space, traffic and time for subsequent rewinding of the video. Most motion detectors are customizable. You can set a trigger threshold so that any movement in front of the camera is not logged, and set up additional alerts. For example, send SMS and the latest photo from the camera directly to your smartphone.

A software motion detector is much inferior to a hardware one and often becomes the cause of incidents. During my research, I came across two cameras that continuously sent alerts and recorded gigabytes of “compromising evidence.” All alarms turned out to be false. The first camera was installed outside a warehouse. It was overgrown with cobwebs that shook in the wind and drove the motion detector crazy. The second camera was located in the office opposite the blinking router. In both cases the threshold was too low.

Hacking webcams

Webcams that operate via a universal driver are often called UVC-compatible (from USB Video Class - UVC). It is easier to hack a UVC camera because it uses a standard and well-documented protocol. However, in any case, to access the webcam, the attacker will first have to gain control of the computer to which it is connected.

Technically, access to webcams on Windows computers of any version and bit depth is achieved through the camera driver, DirectDraw filters and VFW codecs. However, a novice hacker does not need to delve into all these details unless he intends to write an advanced backdoor. It is enough to take any “rat” (RAT - Remote Admin Tool) and slightly modify it. There are simply a lot of remote administration tools today. In addition to selected backdoors from VX Heaven, there are also completely legitimate utilities, such as Ammyy Admin, LiteManager, LuminosityLink, Team Viewer or Radmin. All that optionally needs to be changed in them is to configure automatic reception of requests for remote connections and minimizing the main window. Then it's up to the methods of social engineering.

The code-modified rat is downloaded by the victim via a phishing link or crawls onto the victim’s computer itself through the first detected hole. For information on how to automate this process, see the article “”. By the way, be careful: most links to “camera hacking programs” are themselves phishing and can lead you to download malware.

For the average user, the webcam is inactive most of the time. Usually an LED warns about its activation, but even with such a notification you can perform covert surveillance. As it turned out, the webcam activity indication can be turned off even if the power supply of the LED and the CMOS matrix are physically interconnected. This has already been done with iSight webcams built into MacBooks. Researchers Broker and Checkoway from Johns Hopkins University wrote a utility that runs as a simple user and, exploiting the vulnerability of the Cypress controller, replaces its firmware. After the victim launches iSeeYou, the attacker is able to turn on the camera without lighting its activity indicator.

Vulnerabilities are regularly found in other microcontrollers. A Prevx specialist has collected a whole collection of such exploits and showed examples of their use. Almost all the vulnerabilities found were related to 0day, but among them there were also long-known ones that manufacturers simply did not intend to fix.

There are more and more ways to deliver exploits, and more and more difficult to catch them. Antiviruses often give in to modified PDF files, have preset restrictions on scanning large files, and cannot scan encrypted malware components. Moreover, polymorphism or constant recompilation of the combat load has become the norm, so signature analysis has long faded into the background. Today it has become extremely easy to introduce a Trojan that allows remote access to a webcam. This is one of the popular pastimes among trolls and script kiddies.

Turning a webcam into a surveillance camera

Any webcam can be turned into a kind of IP camera if you install a video surveillance server on the device connected to it. On computers, many people use the old webcamXP, the slightly newer webcam 7 and similar programs for these purposes.

There is similar software for smartphones - for example, Salient Eye. This program can save videos to cloud hosting, freeing up the local memory of your smartphone. However, there are a lot of holes in such programs and the operating systems themselves, so hacking web cameras controlled by them often turns out to be no more difficult than IP cameras with leaky firmware.

Smartphone as a surveillance tool

Recently, old smartphones and tablets are often adapted for home video surveillance. Most often they are installed with Android Webcam Server - a simple application that broadcasts a video stream from the built-in camera to the Internet. It accepts requests on port 8080 and opens the control panel on a page with the self-explanatory name /remote.html. Once on it, you can change the camera settings and watch the image directly in the browser window (with or without sound).

Usually such smartphones show rather dull pictures. It is unlikely that you are interested in looking at a sleeping dog or a car parked near the house. However, Android Webcam Server and similar applications can be used in other ways. In addition to the rear camera, smartphones also have a front camera. Why don't we turn it on? Then we will see the other side of the life of a smartphone owner.

Anti-peeping protection

The first thing that comes to most people's minds after demonstrating how to easily hack cameras is to seal them with duct tape. Owners of webcams with a shutter believe that the problem of voyeurism does not concern them, and in vain. Eavesdropping is also possible, since in addition to the lens, the cameras have a microphone.

Developers of antiviruses and other software protection systems use confusing terminology to promote their products. They scare you with camera hacking statistics (which are really impressive if you include IP cameras), and they themselves offer a solution for controlling access to web cameras, which is technically limited.

The security of IP cameras can be increased by simple means: by updating the firmware, changing the password, port, and disabling default accounts, as well as enabling IP address filtering. However, this is not enough. Many firmwares have unresolved errors that allow access without any authorization - for example, using the standard address of a web page with LiveView or the settings panel. When you find yet another leaky firmware, you just want to update it remotely!

Hacking a webcam is a completely different matter. This is always the tip of the iceberg. Usually, by the time the attacker gained access to it, he had already managed to frolic on local disks, steal the credentials of all accounts, or make the computer part of a botnet.

The same Kaspersky Internet Security prevents unauthorized access only to the webcam video stream. It won't stop a hacker from changing its settings or turning on the microphone. The list of models it protects is officially limited to Microsoft and Logitech webcams. Therefore, the “webcam protection” function should be taken only as an addition.

Peeping sites

A separate problem is attacks related to the implementation of camera access control in browsers. Many sites offer communication services using the camera, so requests for access to it and its built-in microphone pop up in the browser ten times a day. The peculiarity here is that the site can use a script that opens a pop-under (an additional window in the background). This child window is given the permissions of the parent window. When you close the main page, the microphone remains on in the background. Because of this, a scenario is possible in which the user thinks that he has ended the conversation, but in fact the interlocutor (or someone else) continues to hear him.

The Kingston® brand is synonymous with the highest quality storage devices around the world. But, as is the case with other global companies that produce high-quality products, the high popularity of Kingston products could not protect them from counterfeits. Kingston's research has confirmed that there is a fairly large number of counterfeit products on the market, which are sold under the Kingston brand.

To protect our customers and brand quality, we have developed this guide to help you quickly verify the authenticity of the Kingston products you have purchased or plan to purchase in the future.

The labels placed on SSDNow SSDs are printed using color shift and Phantom technology. These drives have a Phantom technology zone that changes color from light red to dark red or gray to light gray when viewed from different angles.

The following products do not support Phantom technology or color changing technology: microSD cards, microSDHC (4GB-32GB), Ironkey drives, DataTraveler 2000 drives, DataTraveler SE9, DataTraveler SE9 G2, DataTraveler microDuo 3.0, DataTraveler microDuo 3C, DataTraveler Elite G2, DataTraveler Vault Privacy 3.0, DataTraveler Vault Privacy 3.0 with Anti-Virus and Management support, DataTraveler 4000G2 and DataTraveler 4000G2 with Management version, USB 3.0 Media Reader, MobileLite G4 Reader, USB microSD/SDHC/ SDXC Reader and MobileLite Duo 3C.

Watching the reality show "Battle of Gamers" can lead you to a valuable prize. Thus, the project organizers from the HyperX company presented a super prize for the audience - a dream kit consisting of a sophisticated gaming computer (including, among other things, top-end components from ASUS and WD), a HyperX Fury rug, a HyperX Alloy FPS keyboard and a HyperX Cloud Revolver headset. Also, 5 HyperX Cloud Stinger headsets, 5 HyperX Alloy FPS keyboards, as well as a HyperX Savage SSD, sets of DDR4 HyperX Predator RAM modules and 3 knife skins for CS:GO will be raffled off among the Battle spectators. Not a bad prize fund, right?

To get started, you just need to register on hyperxbattle.com and carefully follow the “Battle” on YouTube or directly on the project website. The main task is to find the four-digit code “hidden” in each video. For example, it can be said by one of the players, or it can simply flash in the frame.

Well, then everything is easy: enter the code in a special field in this section of the site, vote for one of the players and wait for the next episode of the “Battle of Gamers”. Have you watched all the episodes and found all the codes? Great, that means you're in the finals! A little luck, and a space computer with a set of peripherals is yours. Prizes will be drawn randomly among the finalists.

The reality show “Battle of Gamers” was organized by the guys from HyperX, a company that produces gaming devices. The project brought together the brightest stars of the gaming industry: seasoned esports players, popular streamers, game reviewers and geeks. In the first stage of the “Battles”, this entire company was pulled out of the virtual environment and placed in the most real reality. In the fight for an exclusive contract with HyperX, participants performed crazy tasks every day (for example, milking a goat), and those who could not cope were punished.

And now the second stage of the project has started, where the main role is given to the audience of the show! It is for them that a video version of the “Battles of Gamers” will be released weekly on the HyperX YouTube channel, and it is they who will determine which of the participants in the “Battles” is worthy of receiving a contract with HyperX.

There are many prizes, but to win you just need to be careful. The second stage of the show will last until February 15, so there is still plenty of time.

Already today, on the official website of the reality show http://hyperxbattle.com, every fan of computer games can vote for their favorite and help him become one of the finalists of the project.

30 candidates are competing for 13 places in the finals. Among them, such gaming and e-sports stars as the Kostylev brothers, Danil "Zeus" Teslenko, Ioann "Edward" Sukharev (Na'Vi), Maxim Starosvitsky, Misha Shevchuk (Room Factory Dota 2 Team), Elena "Meg" Urusova, Maxim Filipin (Filipin is bro) and many others. Without a doubt, a heated fight will begin at this stage and the vote of every fan may be decisive.

According to the rules of the show, only the winner of the fan vote is guaranteed to make it to the finals. Another 12 participants will be selected by the project jury.

The finalists of the project will have to live in a common house and fight every day for the title of the best. The most tricky and intriguing tasks, competitions and quests on the themes of the most popular computer games such as Dota2, CS:GO, PUBG, GTA, FIFA and others await them.

At the end of each battle, players will get rid of competitors until the strongest wins the final battle. Spectators can expect not only an exciting spectacle, but also the opportunity to give their favorite gamer the People's Choice Award, even if the gamer himself leaves the project.

Voting for the finalists will last until November 10, and the first episodes of the show will be aired on November 28, along with the start of the drawing for a gaming PC and other prizes from HyperX for viewers and fans of the project. In the future, new episodes of the show will be released every Tuesday and Friday until the New Year!

Traditionally, the organizers of the HyperX “Battle of Gamers” keep secret information about the main prize and the final list of participants, who only learn the names of their “neighbors”

in the 1st issue of “Battle”. But, judging by the information coming from the show’s organizer, the gaming brand HyperX, the awards for participants and spectators, in comparison with the premiere season, will become even more exclusive and interesting.

HyperX “Battles of Gamers” is the first reality show in the CIS with the participation of famous e-sportsmen, bloggers and other celebrities in the gaming industry.

During the first season of the show, 25 videos were filmed, collecting a total of more than 15 million views. According to the results of audience voting, the winner of the first “Battle” was game reviewer Max Shelest, who beat the Counter-Strike world champion Arseniy “ceh9” Trinozhenko by a minimal margin and took the main prize - an exclusive contract with HyperX!

The second “Battle of Gamers” from HyperX has started! Voting for the finalists on http://hyperxbattle.com is open and gamers are waiting for the votes of their fans.