Ask HN: Do I publish code that affects millions of wireless security cameras?
In a quest to have full local access to my wireless security cameras without the cloud I've figured out how to access the video and audio streams of any camera of a certain manufacturer (whose name I'm withholding) without any modification to the stock firmware.
I currently have a program that, given an IP of the camera, will connect to it, authenticate itself, and get the realtime video/audio stream. This isn't just intercepting an ongoing stream, it will actually start a new stream of its own.
Is this something that I just keep and use in my home setup as I originally intended or do I put the code on GitHub for the masses? What are the general considerations for something like this?
108 comments
[ 3.5 ms ] story [ 184 ms ] threadThe standard in the security research community is you inform the manufacturer and give them an opportunity to patch the flaw. Then you wait some number of days (some people say 30, other say "depends on the details of the vulnerability"). Then you publish the code along with enough text to explain the vulnerability to a reasonably technical audience.
[1] - https://krebsonsecurity.com/
I wouldn't feel great knowing that a camera somewhere in my space had an issue like this, because it seems somewhat naïve to assume nobody else ever figures this out.
personally if i were in OP's shoes: i'd hope that said company has a bug-bounty program and use that for a little side cash and a "look what i found" - along with denying auto-updates to my own devices to keep utilizing said functionality (ive always been a fan of choice vs enforcement of arbitrary updates).
I wouldn't be surprised if this happened to this company before.
Of course, if you keep the approach private and use it for yourself, there's no guarantee that someone won't find it in the future and either exploit it or report it themselves. Do you feel comfortable having cameras in your house that could (in theory) be accessed silently by an unknown 3rd party?
Mobile networks use IP, there is no translation needed. But mobile networks do not allow remote connections. Access would require cloud service, either from the provider or VPN.
Or is this just the way the camera is supposed to operate (even if undocumented)?
If it still requires user authentication it sounds like a useful feature that many users would appreciate!
Secrets are worth so much money, and knowing a stock will most likely move a certain direction at a specific time of your choosing has tremendous value.
You most likely don't owe any company a disclosure.
Hire a lawyer or do your own research on how to profit from this in a legal way. That's my advice.
I think a lot of us "unethical" geeks would love to gawk at your finding, but it's up to you whether you want to disclose it or not.
[0]: https://github.com/fuatakgun/eufy_security
2. Demonstrate the exploitation of the vulnerability (without giving the whole thing away)
3. Negotiate timelines. Find out how quickly they can patch the system.
4. Negotiate a bounty. You're not obligated to give them anything without payment.
5. Sign NDA.
6. Deliver evidence of vulnerability.
7. Collect payment.
8. Wait until blackout period is over and the issue has been patched.
9. Publish your report (if allowed under NDA).
If your values include maximizing the number of people who can tinker with their cameras, publish (make sure you're not falling afoul of the camera's license before you do).
If your values include doing whatever you can to keep the most people safe, then inform the camera vendor, and give them 60 days to come up with a patch or a response before you publish.
You must deal with much better vendors than my coworkers do.
If authentication is actually taking place, this sounds like a legitimate and useful feature that would steer me toward using this brand of camera. The only reasons that would make me hesitate to release would be 1) the cameras have an automatic remote firmware update mechanism, AND 2) it is likely the company would see this as a threat to a significant revenue stream. If one of those is not true I would release.
Either way, sounds very interesting!
There are plenty of IP CCTV solutions that use any number of manufacturer's cameras because of standard protocols, and that sort software should be fine to publish. However, if you're spawning the streams because the camera mfg. has a closed protocol and you're exploiting some bug, then maybe give it some more thought.
I'm automatically itchy when people talk about "ethical disclosure". If you truly do believe that people who become aware of vulnerabilities are ethically obligated to disclose them, setting terms on how they do that seems hard to defend. "Ethical" or "responsible disclosure" seem more like coercive rhetorical devices to get unpaid researchers to adopt the values and priorities of vendors than anything else --- that's part of the reason the term "responsible disclosure" has fallen out of fashion (it's been replaced with "coordinated disclosure", which is value-neutral).
If you don't believe that your value system binds anyone else to behave in a certain way then how much does it really bind you to behave that way? Ethics and morality are either objective and universally binding or they're merely an arbitrary personal inclination that isn't even binding on those that have the inclination beyond legal or professional implications.
Ethics is hard. There's a reason it's not a solved problem.
Why is generally not wanting to hurt people a "reasonable foundational belief?" It's definitely not universal in humanity right now let alone historically just look at the celebrations of war crimes in Russia. Everyone who thinks there are binding ethical beliefs in any way must ascribe it to others otherwise they're just talking about personal taste and we don't need words like "ethics" or "morals."
Unfortunately this point doesn't prove/refute any point about morality.
Because most of the russians pro-war idiots (including most propaganda producers) sincerely believe propaganda and from their moral perspective they really are doing good by fighting Ukranian war criminals.
It's also possible this is a feature, not flaw. There's longstanding suspicion that some Chinese made camera have vulnerabilities for their benefit. Several manufacturers are based from government use over these concerns.
Good job!
Google it. There’s entire websites to browse these streams. Some even have access to the PTZ.
You really can't let them know how to dial out. Most of them have hardcoded passwords and/or known exploits.
It's why they're so cheap on the 'zon.