IoT Hacking: Momentum IP Camera - Getting Root

April 12, 2018 in Hacking
https://rchase.com/static/img/momentum-getting-root.png

Table of Contents

This post is part of a series:

I. Intro

II. Passive Recon

III. Active Recon

IV. Getting Root

V. Custom Firmware

VI. The Penetration Test Report

Getting Root

I quickly hit a dead-end after my port scan came back with 3 ports, 2 giving resets to my HTTP requests, and 1 RTSP port requiring authentication. Also, all network traffic to and from the device and cloud servers was encrypted over HTTPS. After researching what else I could try, I came across UART and JTAG connections to the device board itself. Opening up the camera, I quickly was able to identify a UART port.

UART consists of 4 pins - Voltage, RX, TX, and Ground. I used a multimeter and connected to the ground and voltage pins, and found 3.3V. A UART to USB cable is required to interact with the serial connection to the board, and can be purchased for less than $10 on Amazon, but I used an Arduino instead because I already had one.

To connect the Arduino to the camera’s UART:

  • Connect wire from Arduino Ground to Arduino Reset pin
  • Connect wire from Arduino RX to camera TX
  • Connect wire from Arduino TX to camera RX
  • Connect wire from Arduino Ground to camera Ground

This is pictured in the blog post image. I could not find a UART pin connection that fit the size required, so instead I broke the plastic surrounding the pins and bent them in different directions, then taped wires in place. A very precarious solution, but it was perfectly fine and reliable (as long as it is not bumped into, of course).

Next, I used PuTTY to connect to the Arduino COM port, but I did not know which baud rate to use. I tried 9600, one of the most common, but saw garbled output in the window. I looked up ‘common baud rates’ and began trying all of them, one at a time. I eventually discovered that the camera’s UART port baud rate was 115200.
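Why 9600 showed garbage and 115200 did not, as an added example that is not part of the original post: it simulates an 8N1 serial line, decodes it at each candidate rate, and picks the rate that yields the most readable text. The sample rate, the candidate list, the scoring rule and the boot text are assumptions made for the illustration.

```python
# Added illustration: simulate an 8N1 UART line and decode it at several baud rates.
FS = 921_600  # simulated sample rate in Hz, a multiple of every candidate below
CANDIDATES = [9600, 19200, 38400, 57600, 115200]  # assumed list of common rates
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def encode(data, baud):
    """Line level (0/1) per sample for `data` sent as 8N1 at `baud`."""
    spb = FS // baud                      # samples per bit
    bits = [1] * 10                       # idle line is high
    for byte in data:                     # start bit, 8 data bits LSB first, stop bit
        bits += [0] + [(byte >> k) & 1 for k in range(8)] + [1]
    bits += [1] * 10
    return [level for level in bits for _ in range(spb)]

def decode(samples, baud):
    """Decode as a receiver set to `baud` would; returns (bytes, framing_errors)."""
    spb = FS // baud
    out, errors, i = bytearray(), 0, 0
    while i + 10 * spb <= len(samples):
        if samples[i] == 1:               # still idle, wait for a falling edge
            i += 1
            continue
        mid = i + spb // 2                # sample each bit at its centre
        bits = [samples[mid + k * spb] for k in range(10)]
        if bits[9] == 1:                  # a valid frame ends with a high stop bit
            out.append(sum(bits[1 + k] << k for k in range(8)))
        else:
            errors += 1
        i = mid + 9 * spb                 # resume inside the stop-bit slot
    return bytes(out), errors

def score(samples, baud):
    """Readable bytes minus unreadable bytes and framing errors."""
    data, errors = decode(samples, baud)
    good = sum(b in PRINTABLE for b in data)
    return good - (len(data) - good) - errors

def detect_baud(samples, candidates=CANDIDATES):
    return max(candidates, key=lambda baud: score(samples, baud))

# Constructed sample console text, not output captured from the camera.
BOOT_TEXT = (b"Starting kernel ...\r\ninit started\r\n"
             b"Please press Enter to activate this console.\r\n# ")
LINE = encode(BOOT_TEXT, 115200)

if __name__ == "__main__":
    for baud in CANDIDATES:
        print(baud, score(LINE, baud), decode(LINE, baud)[0][:24])
```

A receiver set too slow samples each "bit" across several real bits, so it produces fewer bytes and most of them fall outside the printable range, which is the garbled output seen at 9600.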

After using the correct baud rate, I was finally able to see the output from the camera and interact with it. To my surprise, after the camera finished booting, I was given an interactive root shell through the console.

I began exploring all of the internals of the device, jumping around the directories, reading the config files, and searching for clues about how it works. For more information about what I found, check out my penetration test report which I sent to the vendor.
