Hacker Time
Join Evan Johnson as he speaks with security professionals about recent security news!
Transcript (Beta)
All right. Welcome to the number one security show in the world. This is Hacker Time.
I am your host, Evan Johnson, coming to you live. I'm out of breath from Austin, Texas, where I just ran and put my cat upstairs because she was meowing like crazy all of a sudden.
And I am from the Cloudflare product security team, talking about a fun project I've been working on over the last couple of weeks.
Gotta catch my breath.
This is going to be hard while talking. So let's start telling you about the project I've been working on.
And make sure I have my chat up so I can see when I get message.
So picture this. My wife and I purchased a house here in Texas a few months ago, and we moved in and there was a box in the closet that I've never seen before.
And it said on it, Claire controls. And apparently it was a home security system after some Googling.
So I went about Googling what it was. And I'll point my camera over at the box to show you what it looks like.
It looks just like a regular old server.
I've got my coffee here. And, and I have a camera here, but it looks like a server that sits in your closet.
And these cameras were positioned around the house a little bit.
And, and I didn't know how to make it work. It didn't seem like it was working.
It wasn't plugged in. And I wanted to go about making it work, setting it up and making it useful.
But I also didn't want to pay a lot of money.
A lot of these camera services have monthly subscription fees, and they can cost a lot of money to store the video, all of that stuff.
And this is a pretty common problem.
You'll see, we just published a blog post on the Cloudflare blog about a similar thing where somebody built a, not a home security system, but a pet cam from a few parts, Raspberry Pi using Cloudflare tunnels and teams.
And looks like a super, super similar kind of problem that I was trying to solve, except I went from the position of having a lot of hardware, trying to make it solve the problem that I wanted to solve.
And they're building something from scratch at a, at a budget price using Cloudflare services.
And this is a fantastic blog post.
Give it a read. I've got to reach out to the author and give them some credit because they just beat me to the punch on this, publishing this.
So this is all also inspired by, there's a Brad Fitzpatrick lightning talk a few years ago, building his own camera as well with a little bit of go glue and, and some other stuff.
And all in all, I wanted to build something that was just like that so that I could have a really just basic hackable thing that worked for, for monitoring my house and looking at things through the camera.
So let's talk about what I ended up doing starting, starting with the box.
I already showed it to you, but the box that was in my closet is one of these things.
It is a, Oh, now it doesn't want to load.
So Claire controls CV, CVB8810A or something.
This is what the box looks like. This is the brochure for it. And, and it helped me kind of like figure out some of the features and how things worked.
And I kept Googling around. I wanted, I really wanted the installation guide.
And so the first thing I did when I got the installation guide, I plugged this in, had no idea what it was, got the installation guide and I control F for the word password.
And as luck would have it, it's right here, enter the admin password by default, the password is secure seven.
So this is basically, you can, you can have a very nice career in information security, just reading documents and finding default passwords.
Default passwords are a way of life. And the, the default password for this box is secure seven.
So very helpful to know. But then I needed to figure out how do I talk to this thing?
So I plugged it in. I took the ethernet cords. I plugged in on my windows machine, ethernet over to this thing.
I got down a camera. I went and unscrewed a camera from, from a ceiling and plugged that in as well.
And, and so I had it all rigged up, couldn't talk to it or anything.
And then I plugged in the HDMI.
And so I have a few pictures of what it looked like from the HDMI. In the HDMI, there's a huge menu.
Once you plug in the HDMI and hook up the monitor, there's a big menu showing a lot of information that was really, really helpful to get this thing set up.
So one was network, has an IPV4 address that's hard-coded in 192.168.1.200.
Additionally, it has a few ports that are open.
There's an RTSP port open on 8554 or on 8554 and HTTPS port on 443, HTTP on 80 and server port on 8,000.
And it's all doing, it's listening on all, all addresses.
Super helpful to know. And then actually on the box on the bottom, there's a ethernet address on the model number sticker, the sticker that, that kind of identifies the box and serial number and all that.
And it has the ethernet address here.
So the, one of the first things I did was actually plug in the ethernet address from the box into Wireshark and started sniffing all the traffic.
So Wireshark is a great tool. If you're getting into reversing different pieces of hardware, different IoT devices, this is definitely a must-have tool and really easy to use.
I plugged in the ethernet address here and, and I was off to the races kind of looking at all of the traffic that was, that was being produced by the device.
And you'll see that the source IP address on this device is actually 192.168.1.200, which is the same that we were seeing in, when we plugged in to the video.
So 192.168.1.200, when I identified the physical address here, I started seeing the IP traffic from that.
So I can be fairly certain that it's running 192.168.1.200.
Great. The other useful information there is that it's got some HTTP port open.
So like we should check that out. Let's go over to 192.168.1 .200.
And actually, I'm able to get here to a username and password login.
A little more Googling, I was able to figure out what the username is.
It's not just admin, it's ClairAdmin, because that's the type of device it is.
And then the password, secure7, like we figured out, secure7.
And it works, it really, really works. So CVB881002, that's the model number.
We can configure all sorts of things, camera settings, network settings, power over ethernet, I guess.
I guess this is for email notification.
I'm not sure why you would want your home security system to do email unless it was emailing you like links or something.
Not really sure what this, why it would support email.
Ports, you can change ports to custom port numbers that might be useful.
And you can turn different things on or off. I think I had to turn one of the services on to get this working end to end.
But overall, can see that like we're actually talking to the device.
This device that I found in my closet, I plugged it in, I figured out how to talk to it.
And now we're able to configure it.
So we haven't gotten the camera part working yet. But that's probably the next bit.
And we see that it supports RTSP, which if you're unfamiliar, I was actually unfamiliar before this.
I've never done anything with video protocols.
And so I was basically just Googling RTSP VLC. And I have one open already here.
But it's pretty simple, the RTSP protocol. I might cheat here and get the answer.
But the idea is, this might be too small to see, but I'm typing in RTSP as the scheme.
And then I'm going to do basic auth with Claire admin secure seven.
And I'm going to skip to the end here and get the whole URL.
Because I would never remember this. This actually took a fair bit of Googling to try to figure out how to get RTSP to work.
But I ended up needing to connect to that 8554 IP address.
And then there's a path here. I wasn't sure how the pathing in RTSP works, because there's a URL path here at the end that kind of is needs to be specific in order to get the correct video stream.
But after I figured it out a lot of Googling, I was able to get the working.
So here's the camera. Here I am live.
Hi. And I'll show you the camera, the box is here. You'll see that the camera is plugged into the box.
And then there's another gray wire over here. This goes back to the computer that I'm using right now, this Windows computer.
And blue goes to the camera, gray goes to the computer.
And then there's a bunch of other ports back here for other cameras and such.
I should unplug this because it's really, oh no, my screen just went completely.
Okay, it's back. And yeah, so we actually have a video stream going.
And so if my goal, let's center this around goals again, and what I was trying to accomplish from the beginning.
I wanted to take what was in the the closet and turn it into something working, something low cost, and something that was like helpful and useful to me.
And some of the things that I wanted was to be able to be anywhere and to look at these cameras, which looking at this now, it doesn't seem like it would be useful to on the go.
It would be very useful to me for recording deliveries and such.
If somebody walks off with a package, I'm sure everybody's seen videos of packages getting stolen off of people's front porches.
That's actually never happened to me, but I'm sure having recorded video would be useful for something like that.
So recording video and storing it on this device isn't very cool.
I want to be able to go somewhere and go to a webpage and see what my place looked like recently.
And so I went to work. The idea that I had was that I could connect to the camera, take a snapshot, and then upload it to Cloudflare Workers KB, Cloudflare KB, store just an image every couple seconds from all the cameras, and then and then put that behind Cloudflare access.
So the second half of that, put it in workers KB.
All of that is very well documented or something close to it in this blog post about building a pet cam.
So this is basically stuff that I haven't quite finished yet that I will probably be copying and going through the blog post to make that work.
So this is really, really great stuff. I had exactly the same idea. And the idea is, I'll just say it one more time, I want to write a small bit of code in this blog post.
They're running motion on a Raspberry Pi. I had never heard of motion before.
I just tried it a little bit before this. And but some shell script, something on a Raspberry Pi, I do have a Raspberry Pi that I was planning to orchestrate everything from.
Take an image every couple seconds, every second or so, upload it to upload it to the cloud to workers KB, protect it with Cloudflare access so that I can access it anywhere.
And that's all. But the one kind of missing piece in all of that is that I need to be able to get an image off of the camera.
So how do I go from having this camera that's always running to taking a still image of it.
And I also wasn't familiar with FFmpeg, but Brad Fitzpatrick talked about it a lot in his lightning talk.
So I went about trying to replicate it.
And so I whipped up this little shell script.
And let's start with just a single image first.
And so if I run this shell script here, it'll run FFmpeg.
And let's get the man page side-by-side here.
So we can actually see what is getting run. So we have first the dash y argument.
So dash y is used for overwrite output files without asking.
So the dash y is necessary because I'm writing to the same file every time, img.jpeg.
If I didn't have dash y, FFmpeg would ask me, are you sure you'd like to overwrite this file?
And I would have to press y, enter, and to overwrite that.
I don't care about overwriting it because I'm copying the file to a new place every time I run this.
And so that's why y is there. What is dash i? The URL. So that should be evident here because it's followed immediately by a URL.
But you'll see that the URL is rtsp-clair -admin-secure-7.
So in order to do RTSP, you have to authenticate.
And it's authenticating with the username and password here to the box 192.168.1.200, port 8554, the RTSP port that we knew about, and then this path that I didn't know a ton about that I googled and just found, and it eventually worked.
So that's the whole URL. Okay, so we have that.
And now what is vframes? vframe, set the total number of video frames to output.
This is an obsolete alias for frames colon v, which you should use instead.
Okay, so let's actually try that. Frames colon 1.
That might be better. And then last is the output file. And the last argument is output URL, which is just a file.
If I am correct, img.jpg is just a file.
And we are then finally running that and then copying the image to the desktop.
So I'm going to run this program. I hope it works because we just changed it.
And I think we'll be able to get an image. So let me do this. Holding up the peace sign here.
At least one output file must be specified.
That didn't seem to work. Hmm. Let me just double check the man page really fast.
vframe, vframes number.
This is an obsolete alias for frames colon v. Huh.
Okay, let me look at what frames colon v is because I think I used this wrong.
Let's actually read the frames argument.
Okay.
Frame count. Oh, okay. Okay. So I'm specifying here frames and then the specific stream.
I don't need to specify the stream. I don't believe. I just need to say frames one instead of colon one.
And I think this should work. Let's try one more time.
Okay.
And we open. There I am. Holding up the peace sign and everything like that. And so the next thing that I would need to do is kind of get this running every couple seconds.
And then it should probably just, let's try to make it instead of every 10 seconds, let's try to run it every like one second.
I don't know if that'll be too slow.
Or like if it'll be too much for this to handle.
So one second and I can see it just updated. Oh, that's me sitting here. Let's see.
Update again. Okay. It updated again. So it's a little slower than a second.
Sleep one. Just FFmpeg by itself takes a couple seconds to run.
It seems like. And so the sleep doesn't seem like it's doing much.
I feel like if I have this in production, when I have six cameras or something like that, I can have FFmpeg, CP, and then I don't need to have any sleeps here.
I can just do six FFmpeg calls in my shell script and upload all the images to workers KB.
So that's a lot, but that was kind of the entire process that I've gone through so far from beginning to end about reversing this box from knowing nothing about it and not being able to log in.
It not really working to hacking together my own kind of, it's not completely put together yet, but my own home camera system.
So what to do next? I think one thing that would be useful is to maybe play with the paths for a moment, because I was one thing that I'm still really unsure about is how these paths work.
If I could just change it, I'm kind of curious what will happen if I do streaming channels 102.
And let me actually get rid of this.
I don't want to run this in a while loop, run it for forever.
I just kind of want to run it one time. Does it work? Let me take an image of my coffee or something.
Does it work one more time? Hey, it does.
Okay. So I changed the frame and I changed the channel and it still seems to work.
Let me just change it. Let me just get rid of the path completely streaming channels.
Let me just do ASDF. Picture of me.
Nope. ASDF doesn't like ASDF. So streaming channels one. Let's try that.
Hmm.
100. 100 it likes.
Oh, what did I run?
It seems to like 100 a little less than 101 and 102.
It doesn't like it at all, but it seems like 105.
Would 105 work? No.
Wow. That is bizarre. So 101 and 102 works. I can't believe 102 worked.
Streaming channels. Oh, this whole device just rebooted.
If you just heard that beep beep, then I did something to make this thing reboot and I'm not quite sure what.
It seems like this thing is a little tired.
So I'm going to give it a second to come back. Let's get VLC set up again so that we know when it's working.
And I want to try that one more time.
Seems like we might've just found a a bug in the system where an improper.
What's going on back here?
Do I see any lights? I do see lights. Seems to be running.
I see the ethernet blinking around. But when I run this, okay, this looks a little better.
Let me try running this one more time.
Yes. Okay. Now it looks like it's back up. Just needed a second to reboot.
Cool.
Okay. I'm going to keep this running and I'm going to run with some weird paths and see if it crashes again.
See if I did that or if it was just by chance.
Let's start with one ASDF. I'll do it in the same order. ASDF.
I can still see my hands moving. Okay. Let's do 100. Oh, that's fine.
Let me try 105. Nope.
105 is fine. Let me try 101. It seems to not be happening again.
Oh, duh. I forgot the servers channel. Streaming channels 100.
Try that again. And look at that. Just like that, the video cuts out and the entire box crashes.
I'm sure we'll hear it reboot in a second. Yeah, the video cut out.
I'm sure we'll hear a beep beep in just a moment. And I don't know anything about RTSP, but I know that this box is not handling getting 100 as an argument properly.
And I am pretty sure we just found a zero day live on stream.
What would this be called?
You can trigger a crash. For some reason, the common name for this is escaping me.
There's our beep beep.
But it very clearly is not handling streaming channels 100 properly.
And it is, I'm guessing, doing some null pointer dereference deep in the code that is running this box and crashing.
So might want to... That's probably an issue.
It's definitely a software reliability issue. And I hope that this stream just picks right back up.
But this has been really fun. I really appreciate everybody who's watched.
And I hope you learned something. I kind of showed you the entire process I went through beginning to end in a very compressed timeframe.
This took me a couple hours, one night, to figure all of this out, to read the docs, to get everything working.
And so lots of reading, lots of using Wireshark to debug.
And was not rocket science, though. Just default passwords and some good old sleuthing.
So with that, I really appreciate you all joining me this week.
And I will see you next week to maybe finish this whole thing up.
So adios.