I was recently given 3 rather locked-down network cameras. Each camera was pre-programmed to communicate with a specific website, and only attach to a predefined wireless access point. Naturally, there was no supplied username or password.
I thought about how I might get access. Using a man-in-the-middle attack to sniff the password, or trying to dump the firmware and examine that. Sadly, all the vulnerabilities previously reported no longer work. After a little bit of thought, I went for decided low-tech solution; I hit the reset button! Yes, each camera had a recessed switch, accessible only with a paperclip, which reset the device to factory settings after holding it down for 10 seconds.
Anyway, this is my voyage of discovery with the three cameras. They are:
- RC8221 - a basic internal camera.
- OC821D - an external camera with weatherproof features.
- RC8230 - a pan/tilt camera.
All of them are manufactured by Taiwanese OEM Sercomm. Annoyingly, Sercomm don't have any customer services. They mostly resell the cameras to Linksys, Cisco, Xanboo.
SerComm don't offer any firmware, GPL downloads, or much information about the cameras - so it's all very much trial and error.
After resetting the cameras, they'll happily attach up to any wired network via the Ethernet port. Visit the IP address assigned by DHCP and you'll get to the admin panel.
The default username is "administrator" - there is no password set.
You can now go and fiddle with all the settings.
High Resolution Mode
The cameras are meant to be able to record at 720p - yet the user interface doesn't seem to allow it.
Luckily, the API allows us to force the resolution.
Wait! What? API?!
Oh yes, all the cameras come with a variety of commands which can be controlled by simple a HTTP GET request.
Discovering The API
As I said previously, Sercomm provides no documentation. Luckily, their resellers do!
EyeSpy247 have the admin manual for the RC8221.
Use-IP have the admin manual for the OC821D.
I haven't yet found a manual for the RC8230 - but it uses most of the same API commands. The only main addition is the ability to move the camera via its pan/tile functionality. After a bit of digging, I found a discussion on how to activate this functionality.
The manuals give all sorts of instructions, how to view video streams, get photos, set and get various options. There are, sadly, some omissions.
One of the tasks I wanted to accomplish was to make the cameras play some of the turret sounds from the video game "Portal". This is proving tricky, despite the manual's promises to the contrary.
It should be possible to POST an audio file to the cameras, either in G.726, or G.711 (a-law or u-law). Despite creating the audio files correctly, and POSTing them to the cameras - they make not a peep!
curl -vv --data-binary @alaw8k.wav http://user:[email protected]/img/g711a.cgi
curl -vv -X POST -d @alaw8k.wav http://user:[email protected]/img/g711a.cgi --header "Content-Type:audio/x-wav"
I get a 200 OK, and the volume is set on the camera. Most vexing!
If you think you can help, please leave an answer on StackOverflow.
Arming - or lack thereof
With my other cameras, I can send a command to arm or disarm. I don't need the motion detection to send me emails every second of the day - only when I'm out of the house.
The cameras will send video when they detect motion - although getting this to work isn't at all obvious.
Firstly, the password is hard-coded to be a maximum of 16 characters. If your password is "StarTrekIntoDarkness1" you're out of luck.
Secondly, the "Test the Server" button doesn't actually work. It randomly gave me errors about not being able to reach the server. I struggled for hours until I discovered that the error messages were lying to me! If you enter the details correctly, and the camera has access to the Internet, it should just work.
That said, once enabled, it will happily send emails with large video attachments to you.
All the cameras have microphones, and all do audio triggering (sending an alert when noise levels rise). Yet none of the cameras would embed audio in with the video. When streaming over RTSP, it was possible to pick up audio from the microphone. Lowish quality, 8kHz, mono - but better than nothing.
Again, if anyone knows how to get the alert videos to include audio, please let me know!
Setting the motion detection area is very useful. You might want to ignore movement on the floor if you have a pet, or concentrate on a door handle. Sadly, with these cameras, you have to use IE6 or greater to set the detection area.
You can try and use the API to set areas - but without being able to see the area in question, it's an exercise in frustration.
For my needs, having full screen video detection is fine. I may have to borrow a Windows machine if that changes.
Each camera has an embedded Open Source page at /adm/Licenses.txt which includes all the text of the relevant GPL etc.
All three cameras have the following Open Source components:
Davicom Ethernet driver
Linux kernel 2.6.18
samba client 3.06
Interesting to note that BusyBox is an unstable release version from 2010, thhtpd supports IPv6 even though the cameras don't appear to.
wpa_supplicant is ancient - that may explain why it can't cope with SSIDs with spaces in them. I presume it's the hardware which won't scan the 5GHz range.
The Linux kernel is from 2006 - that's common enough in embedded systems, but I do wonder if it presents a security risk.
The cameras offer an SSL connection. However, the certificate is self signed and uses MD5 with 1024 bits. Basically, a security signing which was advised against in 2010.
There's no way to replace the certificate without replacing the firmware. If you are willing to trust it, the connection is secured via SSL.
Assuming you can confirm the certificate is correct, the encryption should be sufficient to stop anyone but the NSA peeking through your cameras.
That said, the RTSP channel isn't protected by SSL. You can give a username/password, set time of day access, and restrict to specific IP addresses - but the video is transmitted in the clear.
For now, I'm keeping my cameras on my LAN with no external access to them.
At the moment, I've set the cameras up, but I'm not actively monitoring them - it's just too much work to switch each of them on when I leave for work.
So, if you can help....
- How do I send sound to the cameras?
- How do I get audio with the video alerts?
- How do I arm the cameras via the API?