Keeping a Critical Eye on IoT Devices

By Sam Quinn · April 21, 2022

Trellix Labs is excited to announce the beginning of a new video series which captures one of our senior vulnerability researchers work on hacking an IoT device from beginning to end. This will conclude with the releasing of a new zero-day CVE-2022-28743 which the team discovered and reported to the vendor through Trellix’s responsible disclosure program. If you are technically minded, interested in the nitty gritty details, or maybe want to learn how to hack yourself, the five-part video series maybe a better fit for you, than the rest of this blog. In this video series, we will tag along with Sam Quinn, who found this vulnerability, and walk through the entire process of hacking this IP camera, live.

We are now in the age of the smart home; no longer are Ironman’s Jarvis-type homes so far-fetched. Insurance specialists with PolicyAdvice claim that 47% of US-based millennials have at least one smart home product within their homes. With new technology being integrated into more and more products, also known as IoT (internet of things), the proportion of homes with smart gadgets is expected to keep rising. The Threat Labs team at Trellix recently investigated one such smart home device: the Foscam R2C IP camera.

Typically, the team goes through a target selection and review process before we begin to investigate new research projects. However, this project did not originate from the formal process and instead became of interest since it was installed in Sam’s home. As you may have expected, no piece of technology inside of a senior researcher’s home is safe from a little extra exploration. However, only after the camera started to misbehave did it gain a spotlight. Being a security-minded person, he began to dive into the issue. This is when he noticed that the device’s software was out of date, but Foscam had taken many security precautions that other IoT devices lacked. Most importantly, Foscam sends their firmware updates encrypted. This sparked Sam’s interest to dive into just how deep was their security applied?

After poking around physically on the device using advanced hardware hacking techniques, Sam eventually discovered a vulnerability that allowed for an authenticated user to upload a specially crafted “fake” update file to gain access to the operating system of the camera. If someone can gain access to the operating system on the camera via physical access, they can bypass the login settings and control the device in a way that even a legitimate administrator wouldn’t be able to identify or block, essentially giving them full access to the device, including the video feed.

It is common for IoT devices, which are vying for prevalence in a very competitive market, to undergo extreme measures of cost cutting. Often, this results in the omission of the critical engineering time needed to incorporate security principles from the start of development. However, this did not appear to be the case when speaking to the Foscam team about mitigations for this issue. Foscam was responsive to our team and worked with us to make sure that this vulnerability was patched.

So, you now may be wondering how you can keep your devices safe on your own network. The first step is to first ask the question, “does this need to be on my network?”. Many new home appliances ship with network connectivity, but do you really need your coffee maker or your toaster linked to your other devices? Second, if you want a smart home device on your network, it is best practice to have that device live on a sperate network where it is logically isolated from your PC and smartphone. This can easily be achieved by placing your smart gadget onto, for example, the guest network that many routers have support for. The third and arguably the easiest precaution to take is to simply keep your devices updated with the latest firmware. Our research pair with responsible disclosure helped bring this issue to the attention of Foscam, to which they have since released a security update which mitigates this issue entirely. Keeping devices patched and up to date is the best way to prevent attackers from accessing any of your devices. If you own a Foscam R2C we suggest you patch by looking for the firmware version 2.72 or newer.

What makes an attacker take interest in a simple IP camera in the first place? IP cameras are a great target for attackers since not only were there speculated to be around a billion active cameras in 2021, but they often inherit poor security practices from traditional IoT devices. Typically referred to as “low hanging fruit” these vulnerabilities can not only allow the camera feed to be viewed through a compromised camera but history has shown compromised cameras can be used in large-scale botnet attacks. Sometimes we often forget that modern cameras are actually minicomputers, providing enough power and technology to accomplish more than just viewing live footage. If you like to watch live footage and are eggar for a more in-depth look at CVE-2022-28743 remember to keep an eye out for our five-week video series that is starting today!