Hacking Around With Network Cameras
I was recently given 3 rather locked-down network cameras. Each camera was pre-programmed to communicate with a specific website, and only attach to a predefined wireless access point. Naturally, there was no supplied username or password.
I thought about how I might get access. Using a man-in-the-middle attack to sniff the password, or trying to dump the firmware and examine that. Sadly, all the vulnerabilities previously reported no longer work. After a little bit of thought, I went for decided low-tech solution; I hit the reset button! Yes, each camera had a recessed switch, accessible only with a paperclip, which reset the device to factory settings after holding it down for 10 seconds.
Anyway, this is my voyage of discovery with the three cameras. They are:
RC8221 - a basic internal camera.
OC821D - an external camera with weatherproof features.
RC8230 - a pan/tilt camera.
All of them are manufactured by Taiwanese OEM Sercomm. Annoyingly, Sercomm don't have any customer services. They mostly resell the cameras to Linksys, Cisco, Xanboo.
SerComm don't offer any firmware, GPL downloads, or much information about the cameras - so it's all very much trial and error.
Defaults
After resetting the cameras, they'll happily attach up to any wired network via the Ethernet port. Visit the IP address assigned by DHCP and you'll get to the admin panel. The default username is "administrator" - there is no password set. You can now go and fiddle with all the settings.
High Resolution Mode
The cameras are meant to be able to record at 720p - yet the user interface doesn't seem to allow it.
Luckily, the API allows us to force the resolution.
http://192.168.0.42/adm/set_group.cgi?group=H264&resolution=4
http://192.168.0.42/adm/set_group.cgi?group=JPEG&resolution=4
Wait! What? API?!
Oh yes, all the cameras come with a variety of commands which can be controlled by simple a HTTP GET request.
Discovering The API
As I said previously, Sercomm provides no documentation. Luckily, their resellers do! EyeSpy247 have the admin manual for the RC8221. Use-IP have the admin manual for the OC821D. I haven't yet found a manual for the RC8230 - but it uses most of the same API commands. The only main addition is the ability to move the camera via its pan/tile functionality. After a bit of digging, I found a discussion on how to activate this functionality.
Up:
http://192.168.0.42/pt/ptctrl.cgi?mv=U,10
Down:
http://192.168.0.42/pt/ptctrl.cgi?mv=D,10
Left:
http://192.168.0.42/pt/ptctrl.cgi?mv=L,11
Right:
http://192.168.0.42/pt/ptctrl.cgi?mv=R,11
The manuals give all sorts of instructions, how to view video streams, get photos, set and get various options. There are, sadly, some omissions.
Sending Sounds
One of the tasks I wanted to accomplish was to make the cameras play some of the turret sounds from the video game "Portal". This is proving tricky, despite the manual's promises to the contrary.
It should be possible to POST an audio file to the cameras, either in G.726, or G.711 (a-law or u-law). Despite creating the audio files correctly, and POSTing them to the cameras - they make not a peep!
curl -vv --data-binary @alaw8k.wav http://user:pass@192.168.0.42/img/g711a.cgi
curl -vv -X POST -d @alaw8k.wav http://user:pass@192.168.0.42/img/g711a.cgi --header "Content-Type:audio/x-wav"
I get a 200 OK, and the volume is set on the camera. Most vexing!
If you think you can help, please leave an answer on StackOverflow.
Arming - or lack thereof
With my other cameras, I can send a command to arm or disarm. I don't need the motion detection to send me emails every second of the day - only when I'm out of the house.
Looking at the source code of one of the pages, it looks like it's possible to POST some data to /adm/file.cgi - but it's not clearly documented which parameters are required. It will take me some time to work through the tangled nest of JavaScript.
The cameras will send video when they detect motion - although getting this to work isn't at all obvious.
Firstly, the password is hard-coded to be a maximum of 16 characters. If your password is "StarTrekIntoDarkness1" you're out of luck.
Secondly, the "Test the Server" button doesn't actually work. It randomly gave me errors about not being able to reach the server. I struggled for hours until I discovered that the error messages were lying to me! If you enter the details correctly, and the camera has access to the Internet, it should just work.
That said, once enabled, it will happily send emails with large video attachments to you.
Video Audio
All the cameras have microphones, and all do audio triggering (sending an alert when noise levels rise). Yet none of the cameras would embed audio in with the video. When streaming over RTSP, it was possible to pick up audio from the microphone. Lowish quality, 8kHz, mono - but better than nothing. Again, if anyone knows how to get the alert videos to include audio, please let me know!
Motion Detection
Setting the motion detection area is very useful. You might want to ignore movement on the floor if you have a pet, or concentrate on a door handle. Sadly, with these cameras, you have to use IE6 or greater to set the detection area.
You can try and use the API to set areas - but without being able to see the area in question, it's an exercise in frustration.
For my needs, having full screen video detection is fine. I may have to borrow a Windows machine if that changes.
Open Source
Each camera has an embedded Open Source page at /adm/Licenses.txt which includes all the text of the relevant GPL etc.
All three cameras have the following Open Source components: Davicom Ethernet driver Linux kernel 2.6.18 wireless_tools 26 busybox 1.16.0 dhcpcd 1.3.22-pl1 ez-ipupdate 3.0.11b7 iptables 1.3.4 ppp 2.4.1 cron daemon samba client 3.06 glibc 2.8 alsa-lib-1.0.16 wpa_supplicant 0.4.5 NTP thttpd-2.25b
Interesting to note that BusyBox is an unstable release version from 2010, thhtpd supports IPv6 even though the cameras don't appear to. wpa_supplicant is ancient - that may explain why it can't cope with SSIDs with spaces in them. I presume it's the hardware which won't scan the 5GHz range. The Linux kernel is from 2006 - that's common enough in embedded systems, but I do wonder if it presents a security risk.
Security
The cameras offer an SSL connection. However, the certificate is self signed and uses MD5 with 1024 bits. Basically, a security signing which was advised against in 2010.
There's no way to replace the certificate without replacing the firmware. If you are willing to trust it, the connection is secured via SSL.
Assuming you can confirm the certificate is correct, the encryption should be sufficient to stop anyone but the NSA peeking through your cameras.
That said, the RTSP channel isn't protected by SSL. You can give a username/password, set time of day access, and restrict to specific IP addresses - but the video is transmitted in the clear.
For now, I'm keeping my cameras on my LAN with no external access to them.
What Next
At the moment, I've set the cameras up, but I'm not actively monitoring them - it's just too much work to switch each of them on when I leave for work.
So, if you can help....
- How do I send sound to the cameras?
- How do I get audio with the video alerts?
- How do I arm the cameras via the API?
James says:
Victor Marquez says:
oops says:
peter says:
compguy65 says:
Peeter Indrek Solnask says:
Tomi says:
Brian says:
Mitch Brewer says:
Veritas Acerbum says:
Tom says:
Anne newland says:
james says:
Diego says:
anna says:
Adam Smith says:
Jas says:
Terence Eden says:
Y C says:
Danny says:
Danny says:
Bittoo says:
Anne newland says:
Johnny says:
Johnny says:
Anne newland says:
Anne newland says:
Anne newland says:
Anne newland says:
Anne newland says:
Anne newland says:
Anne newland says:
Anne newland says:
Johnny G says:
Craig Comstock says:
Craig Comstock says:
Charles says:
Jeremy says:
Jeremy says:
Pete Klick says:
Danin says:
flo says:
flo says:
casiean says:
Pedro says:
Jim B says:
Jim B says:
Antoine Ingram says:
Jim B says:
Antoine Ingram says:
krytos says:
Michael says:
Michael says:
Michael says:
Michael says:
Jonathan L. says:
Ryan says:
James says:
JOhn says:
Paulo says:
Paulo says:
YOR2012 says:
Terence Eden says:
Eric Andersen says:
Rick says:
Rick says:
Rick says:
Pascal says:
Pascal says:
Nathan says:
DaRichMan says:
Jim B says:
Danin says:
JM says:
techology says:
Terence Eden says:
Sam says:
Sam says:
Jim B says:
Edd M. says:
Jim B says:
Tim says:
Dennis Vitali says:
@edent says:
Dennis Vitali says:
Dan Wil says:
Dan Wil says:
Dan Wil says:
Jeremy says:
Eric Andersen says:
Jeremy says:
Dan Wil says:
Jeremy says:
techology says:
Tom says:
techology says:
techology says:
krytos says:
vic says:
Susan Macaulay says:
Pete says:
Terence Eden says:
Peter says:
Terence Eden says:
vic says:
Adam Steidl says:
Adam Steidl says:
yc says:
Dan Wil says:
Dan Wil says:
Dan Wil says:
jdillinger says:
Jim B says:
Edd M says:
Jim B says:
Dan Wil says:
Jim B says:
DanWil says:
Jim B says:
Dan Wil says:
vic says:
jaanus rebase says:
VO says:
techology says:
Jim B says:
krytos says:
Edd M says:
krytos says:
Edd M says:
krytos says:
krytos says:
Edgar242 says:
krytos says:
Laoshi1 says:
Bmac says:
Ian Philp says:
Jim B says:
Johnny Cakes says:
Scott says:
Oscar says:
James B says:
Oscar says:
Oscar says:
I have one plugged into a powerline adapter but it still using the wireless radio.
thanks
Jim B says:
Scott says:
Tim says:
Oedi says:
Oedi says:
JoJo says:
wilner nau says:
@edent says:
admin
as the username and the password? If not, I suggest speaking to the retailer.Greg says:
Fenerli says:
@edent says:
David says:
Johnny Cakes says:
Johnny Cakes says:
josh says:
@edent says:
josh says:
paul says:
Cabana says:
Casiean says:
Cabana says:
marcelo says:
apb says:
Bob says:
Kelsey says:
Kelsey says:
@edent says:
Kelsey says:
Bryan says:
@edent says:
Bart says:
farid says:
Krimou8049 says:
Erik Finskas says:
Charles says:
Eugen says:
DaninFuchs says:
VO says:
Chris Phillips says:
Krytos says:
Xech says:
Krytos says:
Xech says:
paLINKrk says:
Sid says:
Sid says:
Marcelo Cláudio says:
Gene D says:
JJ says:
eFix says:
Kris says:
MK says:
Antoine Lovelace says:
Dan Roman says:
ta6point6litre says:
oops says:
oops says:
ta6point6litre says:
oops says:
oops says:
Krytos says:
oops says:
Johnny says:
Johnny says:
ian says:
Ian says:
Church says:
fawmum says:
Seano says:
@edent says:
seano says:
Mihai says: