IoT Hacking: Momentum IP Camera - Passive Recon
Table of Contents
This post is part of a series:
II. Passive Recon
III. Active Recon
IV. Getting Root
Passive recon involves researching the target without actually engaging it.
Before I even got the camera out of the box, I began researching the company that makes it, Momentum. I want to know if they are a big company, if they have a security engineer or team, how long have they been developing cameras, what other products do they make, how many developers they have. Are they outsourcing the development work, or doing it in house?
First impression is that the company’s website is nice and modern, and I assume they are a big company based on that and the fact that their product is in Walmart and Target. In the footer there is a reference to what I assume is their parent company, Apollo Tech USA, but a quick Google search for it turns up nothing.
I run a whois search to find out how old the domain is, this might give me an idea of the age of the company.
Created Date: 2014-04-11
Four years old, so a pretty new company, or at least a new brand. Next I check the Internet Archive to get a look at older versions of the website. The oldest snapshot is from November 2015
That snapshot contains an address “8608 Utica Ave #220 Rancho Cucamonga, CA 91730”. I Google that address and it leads to this FCC application https://fccid.io/2AML4. I notice the contact email ‘[email protected]’. Hikvision? Maybe Momentum is a shell brand of Hikvision?
Next I try to find Momentum employees on LinkedIn. I am looking for CEO, CTO, developers or security engineers. But I actually couldn’t find a single employee. So Momentum is probably a Hikvision brand?
I search Google with ‘site:momentumcam.com’ to see if I find anything interesting that I haven’t already seen. I see they are using WordPress. I click through a few more results, and see ‘Order #2090837’, what’s that? For some reason their Wordpress cart plugin is posting all of their order numbers to public pages? https://www.momentumcam.com/samcart_order/
Click back and you can see the first order was placed in June 2017, about 50 orders or so total so far. Interesting. You might also notice that the orders are all being placed by “Olibro Design”, probably the WordPress admin username. That reveals the web designer: https://www.olibro.com/about-us/
The next thing I turn my attention to is the ‘My Account’ page. The first thing I notice is the domain name change from momentumcam.com to momentum-cam.com, a confusing choice (why not just account.momentumcam.com?). A whois on momentum-cam.com shows:
Created Date: 2016-10-28
I also notice under the Momentum logo it reads “powered by pepper”. So naturally I wonder, who or what is “pepper”? A Google search for Pepper IoT gives some more information. http://pepper.me/
Pepper is a Kansas based ventured backed IoT development company that closed $8.5M of Series B funding in March of 2017. Their most recent Twitter post was in August 2017.
I’m assuming pepper developed the “cloud” backend.
This product looks like it will be a great choice for some security research.