IoT Hacking: Momentum IP Camera - Intro
Table of Contents
This post is part of a series:
II. Passive Recon
III. Active Recon
IV. Getting Root
I am nearing completion of my B.S. in IT Security at WGU, and two of my final courses involve a research paper and capstone project. I had lots of ideas, but narrowed it down to these 3:
- Write a security related program, patch, or exploit
- Work on a bug bounty on Synack or HackerOne
- Pentest an IoT device
In the end, I actually chose to do a web pen test because it met the requirements of the project better, but decided to pentest an IoT device in my free time as well. It’s something that I’ve spent a lot of time studying, especially since the Mirai botnet. I’ve attended several talks at hacker conferences, all of which piqued my interest in the subject. Just how insecure are most of these devices? Almost all of them are horribly insecure, from what the security community is telling us.
But would I be able to pwn one for myself? I have limited experience in hardware hacking, reverse engineering binaries, or buffer overflow exploits, three important IoT hacking skills. But I have no problem manipulating API requests, scanning, and inspecting network traffic.
Choosing an IoT device to hack
I set out to find an IoT device, and my journey began at Walmart. I didn’t go straight to the electronics section; I actually walked up and down many other aisles looking for household items that had a “Wi-Fi” sticker on them. I found lots of Bluetooth devices - blood pressure pumps, a pregnancy test, a scale. But I decided against hacking Bluetooth, because it is unlikely to be remotely exploitable and therefore I felt that any hack discovered would have less of an impact.
I wanted to have the potential to find a vulnerability with a big impact
So I was looking for Wi-Fi devices instead. But not just any Wi-Fi device, I wanted one that connected to “the cloud” and could take commands remotely. In particular, I was hoping to find a device that would use UPnP to forward a port to itself. If I found a vulnerability on that port, the impact could be that thousands of devices could be taken over remotely, just like the type of device the Mirai botnet searches for to add to its zombie army.
I ended up choosing this Momentum IP Camera.
I didn’t choose Nest or one of the other established brands, because I know they have been under scrutiny and are starting to care more about security. I chose this camera because it was cheap, only $40, and the company looked small based on a quick Google search. I also searched for ‘Momentum+hacked’ and ‘Momentum+cve’ but found nothing, a sign that no one has tried hacking it yet. Another bonus? It comes with an app for remote control, so there is a possibility for a remote hack, and that potential “big impact” that I was looking for.