IoT Hacking: Momentum IP Camera - Active Recon
Table of Contents
This post is part of a series:
II. Passive Recon
III. Active Recon
IV. Getting Root
Active recon means engaging the target directly in order to obtain more information about it, as opposed to the passive recon of the previous post.
I started by simply taking the camera out of the box, setting it up, and connecting the iPhone app to it. Before analyzing any attack surface, I wanted to learn how the camera is used the way it is intended to be used and what kind of features it has. Here is what I learned:
- It has Android and iPhone apps
- The apps can control the camera's microphone and speaker, and view the video feed
- The apps can set motion detection
- There is a cloud-based web interface, but it is only used for billing - no camera features
- There is a cloud subscription service for video storage
Next I port scanned it with Nmap, as seen in the blog post image, and learned that it has three open TCP ports: 80, 554, and 8000.
The first thing I tried was opening ports 80 and 8000 in my web browser, but I was disappointed to see Chrome give an error message - connection reset. There seemed to be no way to view any type of web interface that the camera might have.
After that, I took a look at the RTSP port, 554. I read this guide on how to connect to the RTSP stream using VLC Media Player. But upon connecting I was stumped once again: the RTSP stream required a username and password for authentication.
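The RTSP exchange behind what VLC does here is simple enough to show in a few lines. The following is an added example, not code from the original post or from the camera vendor: a minimal RTSP client that sends an unauthenticated DESCRIBE and classifies the reply, so you can confirm that a camera on your own network really does gate its stream behind authentication (a 401 with a WWW-Authenticate challenge) rather than serving it to anyone on the LAN (a 200). The two embedded responses are constructed samples, not captures from the Momentum camera, and the 192.0.2.10 address is a placeholder.

```python
import socket

# Constructed sample: what a camera that gates its stream behind Digest auth
# sends back to an unauthenticated DESCRIBE. Not a capture from a real device.
SAMPLE_401_RESPONSE = (
    b"RTSP/1.0 401 Unauthorized\r\n"
    b"CSeq: 1\r\n"
    b'WWW-Authenticate: Digest realm="IPCamera", nonce="0123456789abcdef"\r\n'
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"\r\n"
)

# Constructed sample: a camera that hands out its stream description with no
# credentials at all - the finding a reviewer would want to flag.
SAMPLE_200_RESPONSE = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 1\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def build_describe(url, cseq=1):
    """Build a minimal RTSP/1.0 DESCRIBE request carrying no credentials."""
    return (
        f"DESCRIBE {url} RTSP/1.0\r\n"
        f"CSeq: {cseq}\r\n"
        "Accept: application/sdp\r\n"
        "\r\n"
    ).encode()


def parse_rtsp_response(raw):
    """Parse the status line and headers of an RTSP response.

    Returns (status_code, reason, headers); header names are lower-cased.
    Raises ValueError if the first line is not an RTSP status line.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/"):
        raise ValueError(f"not an RTSP status line: {lines[0]!r}")
    code = int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return code, reason, headers


def classify_stream(raw):
    """Summarise what an unauthenticated DESCRIBE reveals about the stream."""
    code, reason, headers = parse_rtsp_response(raw)
    if code == 401:
        challenge = headers.get("www-authenticate", "")
        scheme = challenge.split(" ", 1)[0] if challenge else "unknown"
        return {"status": code, "verdict": "auth_required", "scheme": scheme}
    if code == 200:
        return {"status": code, "verdict": "unauthenticated_access", "scheme": None}
    return {"status": code, "verdict": f"other ({reason})", "scheme": None}


def probe_rtsp(host, port=554, path="/", timeout=3.0):
    """Send one DESCRIBE to a camera you administer and classify its reply."""
    url = f"rtsp://{host}:{port}{path}"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_describe(url))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return classify_stream(raw)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(classify_stream(SAMPLE_401_RESPONSE))
    print(classify_stream(SAMPLE_200_RESPONSE))
    # Against a camera you administer (placeholder address):
    # print(probe_rtsp("192.0.2.10"))
```

The useful signal is the scheme in the challenge: Digest means the password never crosses the LAN in the clear, whereas a Basic challenge would hand anyone sniffing the mirrored traffic the credentials in base64, which matters for the Wireshark step below.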
Next, I tried using Wireshark to examine the network traffic to and from the device. I set up my switch to mirror all traffic from my wireless access point to my desktop, and filtered the results to see only the camera's traffic. However, all of the traffic was encrypted using HTTPS, and I was not able to read the requests. I could only see where the traffic was coming from and going to, which was a few different momentum-cam.com servers on AWS.
Not so easy to hack after all. I was bummed that this camera might be tougher to hack than I had anticipated. I seemed to be at a dead end, with no attack surface left. I could try fuzzing random input at the HTTP ports? I didn't know what to try next. So I began reading about other IoT hacks and came across some tutorials on UART and JTAG, hardware debug connections to the device board itself.