Hacking (at least the kind of hacking that breaks in) is very much a skill you learn by doing. There’s no substitute for hands-on experience, but that doesn’t mean you can’t learn by watching. Extracting the hardcoded root password from a cheap IP video camera is a great way to get a good grasp on the basics.
The background to this project is [Matt Brown]’s earlier work. He had disassembled a VStarcam CB73 security camera, a generic IP camera he’d acquired cheaply, identified the flash memory chip and extracted the firmware. His first goal was to see whether the camera was connecting to a suspicious server, and after some string searching through the dump he found what he expected: a hardcoded IP address, and signs that the camera was running some sort of Linux variant.
Evidence of sloppy coding practices.

[Matt] then set out to find the hardcoded root password, and the second video covers that effort. It started with locating the UART pins and getting a console session. Luckily the bootloader was unlocked, so [Matt] was able to force the camera to boot into a shell and go looking for the root password hash. Brute-forcing the hashes didn’t work, so he turned to Ghidra to understand the structure of a suspicious program in the firmware called an encoder. After a bit of digging and some fiddling with endianness, he was able to recover the root password, which is hardcoded into every camera made by this company, and likely into cameras from others as well.
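The "string searching" step above is the one a firmware maintainer can turn around and run against their own images before shipping. As an added example (not code from the article or from [Matt]’s videos), the script below scans a raw firmware dump for `/etc/passwd`- and `/etc/shadow`-style entries, classifies each password field by its crypt(3) format, flags every uid 0 account, and pulls out octet-validated IPv4 literals of the kind that betray a hardcoded call-home address. The sample image, the user names, the hashes and the addresses are all constructed for the example; nothing here comes from the VStarcam CB73. The script deliberately does no cracking: its job is to show what is readable straight out of the image.

```python
"""Static triage of an extracted firmware image for hardcoded credentials.

Added example: finds passwd/shadow-style entries and IPv4 literals in a raw
flash dump and classifies each password hash by format. Nothing is cracked.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample "firmware image": binary padding around the kind of
# strings a dump of a cheap IP camera tends to contain. Every value here is
# made up for the example; none come from a real device.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
    + b"root:$1$abcdefgh$0123456789abcdefghijkl:0:0:root:/root:/bin/sh\n"
    + b"\xff\xde\xad\xbe\xef"
    + b"admin:aB3dEfGhIjKlM:0:0::/:/bin/sh\n"     # second uid 0 login, DES crypt
    + b"\x00" * 8
    + b"connect to 203.0.113.45:8080\x00"         # hardcoded call-home address
    + b"fw 10.300.1.1\x00"                        # looks like an IP, is not one
    + b"nobody:x:99:99::/:/bin/false\n"
    + b"\x00\x00service:$6$saltsalt$" + b"Q" * 86 + b":19000:0:99999:7:::\n"
)

# A lowercase account name, a colon, then the rest of the line. Field count
# decides afterwards whether it is a passwd (7) or shadow (9) record.
LINE_RE = re.compile(rb"(?<![A-Za-z0-9_.-])([a-z_][a-z0-9_-]{0,31}:[^\n]*)\n")
IPV4_RE = re.compile(rb"(?<!\d)(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?!\d)")

CRYPT_PREFIXES = {
    "$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$y$": "yescrypt",
}


@dataclass
class Finding:
    kind: str              # "passwd" or "shadow"
    user: str
    password_field: str
    uid: int | None        # only meaningful for passwd records
    algorithm: str
    risk: str


def classify_hash(field: str) -> tuple[str, str]:
    """Map a passwd/shadow password field to (algorithm, risk note)."""
    if field == "":
        return "none", "critical: account has no password at all"
    if field in ("x", "*") or field.startswith("!"):
        return "locked-or-shadowed", "info: no hash in this field"
    for prefix, name in CRYPT_PREFIXES.items():
        if field.startswith(prefix):
            if name == "md5-crypt":
                return name, "high: fast hash, cheap to crack offline"
            return name, "medium: shared hash baked into every unit"
    if re.fullmatch(r"[A-Za-z0-9./]{13}", field):
        return "des-crypt", "high: traditional DES crypt, 8-char password limit"
    return "unknown", "medium: unrecognised format, inspect manually"


def find_credentials(image: bytes) -> list[Finding]:
    """Extract passwd/shadow records from a raw firmware image, in file order."""
    findings = []
    for m in LINE_RE.finditer(image):
        fields = m.group(1).decode("ascii", "replace").split(":")
        if len(fields) == 7:        # name:pw:uid:gid:gecos:home:shell
            kind = "passwd"
            uid = int(fields[2]) if fields[2].isdigit() else None
        elif len(fields) == 9:      # name:pw:lastchg:min:max:warn:inactive:expire:reserved
            kind, uid = "shadow", None
        else:
            continue                # a log string with a colon, not a record
        algorithm, risk = classify_hash(fields[1])
        findings.append(Finding(kind, fields[0], fields[1], uid, algorithm, risk))
    return findings


def uid0_accounts(findings: list[Finding]) -> list[str]:
    """Every uid 0 account is a root login, whatever it is called."""
    return [f.user for f in findings if f.uid == 0]


def find_ipv4(image: bytes) -> list[str]:
    """Return unique IPv4 literals whose octets are all in range."""
    found = set()
    for m in IPV4_RE.finditer(image):
        octets = [int(g) for g in m.groups()]
        if all(o <= 255 for o in octets):
            found.add(".".join(str(o) for o in octets))
    return sorted(found)


if __name__ == "__main__":
    creds = find_credentials(SAMPLE_FIRMWARE)
    for f in creds:
        print(f"{f.kind:6} {f.user:8} uid={str(f.uid):4} {f.algorithm:20} {f.risk}")
    print("uid 0 accounts:", uid0_accounts(creds))
    print("hardcoded IPv4:", find_ipv4(SAMPLE_FIRMWARE))
```

Run against a real dump, any hash that appears in the `passwd` record rather than in `shadow` is itself a finding, since the file is world-readable on the device, and any DES or MD5 hash is a password an attacker with the image will recover offline; the fix on the vendor side is per-device credentials set at provisioning, not a stronger shared hash.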
Admittedly, camera manufacturers have made this a lot easier than it should be, but since many IoT products suffer from similarly bolted-on security, the techniques presented here are likely to have broad application. Thanks to [Matt] for the effort, and for a clear, concise presentation that makes me want to dig through the junk bin and hack away at this.