This blog post has been created for completing the requirements of the SecurityTube Offensive Internet of Things course.
Student ID: IoTE- 766
Following my interest in going deeper on IoT – specially on hardware hacking, I grabbed a chinese IP cam – Loftek and started checking its internals. I already had researched the web application itself and the mobile app for Checkmarx but now I wanted something different.
My main goal was to find a serial port where I could connect to my laptop and see where it takes me. I was really hoping for root access…
After identifying the components I got what I wanted. A UART connection in J2 that I hoped that allowed me to create a serial communication. In this case it was pretty easy to identify them because they were printed on the PCB – RX – TX – GND – VCC (5V).
I grabbed a couple of pins and started soldering them to the RX – TX – GND. This last one was not very well positioned because the pin holes were very close to each other.
Now the fun part. Connect to my laptop. I used 3 jumper cables and the Attify Badge.
RX – D0
TX – D1
GND – GND
Next step, detect the baudrate for the communication. I used the python script from Craig Heffner on Kali Linux and it returned:
In the following case I used screen but you can also use minicom – with the previous detected baudrate:
And guess what! A root shell dropped in the console.
Other interesting thing that I already did on a previous research was to use this IP camera to sniff the network. What I did was to install a tcpdump binary and created a small script:
#!/bin/bash ifconfig ra0 down iwconfig ra0 mode monitor ifconfig ra0 up ./tcpdump -i ra0 --monitor-mode -w cap.cap & sleep 30 killall tcpdump ifconfig ra0 down iwconfig ra0 mode managed essid network-2g key s:myKeyto_Wifi ifconfig ra0 up
After a while I got few hits on the Wireshark that allow me to see people using Dropbox inside the network and some other services:
LLMNR/NBNS Poisoning anyone? 🙂
I hope to continue my path on hardware hacking because it’s really fun. Don’t forget also to check my BLE article where I wrote my notes on this “smart bluetooth” thing.