IoT Hacking: Momentum IP Camera - Getting Root
Table of Contents
This post is part of a series:
II. Passive Recon
III. Active Recon
IV. Getting Root
I quickly hit a dead-end after my port scan came back with 3 ports: 2 that reset my HTTP requests, and 1 RTSP port requiring authentication. Also, all network traffic between the device and the cloud servers was encrypted over HTTPS. After researching what else I could try, I came across UART and JTAG connections on the device board itself. Opening up the camera, I was quickly able to identify a UART port.
UART consists of 4 pins - Voltage, RX, TX, and Ground. I used a multimeter and connected to the ground and voltage pins, and found 3.3V. A UART to USB cable is required to interact with the serial connection to the board, and can be purchased for less than $10 on Amazon, but I used an Arduino instead because I already had one.
To connect the Arduino to the camera’s UART:
- Connect wire from Arduino Ground to Arduino Reset pin
- Connect wire from Arduino RX to camera TX
- Connect wire from Arduino TX to camera RX
- Connect wire from Arduino Ground to camera Ground
This is pictured in the blog post image. I could not find a UART connector that fit the pin size required, so instead I broke the plastic surrounding the pins, bent them in different directions, and taped wires in place. A very precarious solution, but it was perfectly fine and reliable (as long as it is not bumped into, of course).
Next, I used PuTTY to connect to the Arduino COM port, but I did not know which baud rate to use. I tried 9600, one of the most common, but saw garbled output in the window. I looked up ‘common baud rates’ and began trying all of them, one at a time. I eventually discovered that the camera’s UART port baud rate was 115200.
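As an added example (not code from the original post), here is a small Python script that automates the baud-rate guessing described above: it reads a burst of boot output at each common rate and scores how much of it is printable ASCII, since a wrong rate produces framing noise rather than text. The scoring runs on constructed sample captures; live capture assumes pyserial is installed and a serial port path such as COM3 is passed on the command line.

```python
import string

# Common UART baud rates, the ones tried one at a time in the post
COMMON_BAUDS = [9600, 19200, 38400, 57600, 115200, 230400]

PRINTABLE = set(bytes(string.printable, "ascii"))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (letters, digits, CR/LF...).
    Output captured at the wrong baud rate is mostly 0x00 and high bytes."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def best_baud(samples: dict, threshold: float = 0.9):
    """Given {baud: bytes captured at that rate}, return the rate whose
    capture looks most like text, or None if nothing clears the threshold."""
    scored = {baud: printable_ratio(buf) for baud, buf in samples.items()}
    baud = max(scored, key=scored.get)
    return baud if scored[baud] >= threshold else None


def capture_samples(port: str, seconds: float = 2.0) -> dict:
    """Read up to 512 bytes of console output at each candidate baud rate.
    Assumes pyserial (pip install pyserial); imported lazily so the scoring
    functions above work without it."""
    import serial
    samples = {}
    for baud in COMMON_BAUDS:
        with serial.Serial(port, baud, timeout=seconds) as ser:
            samples[baud] = ser.read(512)
    return samples


# Constructed sample captures standing in for real serial reads: a generic
# boot log at the right rate versus framing noise at a wrong one.
CONSTRUCTED = {
    9600: b"\xff\xfe\x00\x80\xfc\x00\xff\xe0\x00\x9f\xff\x00\xfe\xc0",
    115200: b"Booting kernel...\r\nmounting filesystems\r\nlogin: ",
}

if __name__ == "__main__":
    import sys
    samples = capture_samples(sys.argv[1]) if len(sys.argv) > 1 else CONSTRUCTED
    for baud, buf in sorted(samples.items()):
        print(f"{baud:>7}: {printable_ratio(buf):.2f} printable")
    print("best guess:", best_baud(samples))
```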
After using the correct baud rate, I was finally able to see the output from the camera and interact with it. To my surprise, after the camera finished booting, I was given an interactive root shell through the console.
I began exploring all of the internals of the device, jumping around the directories, reading the config files, and searching for clues about how it works. For more information about what I found, check out my penetration test report, which I sent to the vendor.