Say Cheese! How We Pwned Your Security Camera

Data privacy and network security are threatened by the rapid spread of Internet-connected devices, including IP cameras, which can be found in both residential and commercial environments. This talk outlines step by step how we successfully hacked the Synology BC500 and the Ubiquiti AI Bullet IP cameras for Pwn2Own 2023 and 2024.

This talk will describe the following topics:

Intro:

  • Who are we?
  • Quick introduction to Pwn2Own

BC500

Getting access:

  • How we extracted the firmware
  • Analysis of the extracted firmware
  • Obtaining root access to the camera

Attack surface:

  • Quick overview of all the services exposed by the camera

Bug discovery:

  • Showing the unauthenticated APIs
  • Showing some peculiarities of the software:
    • Discovery of the “almost” LFI using the language parameter
    • Discovery of JSON parsing issues

Exploitation of the Vulnerability:

  • Analysis of the JSON parsing issue
  • Code analysis showcasing the weakness
  • Identifying constraints for exploiting the weakness:
    • Key stack variable
    • Tuning the payload to skip code
  • Writing the exploit using UTF-8
  • Bypassing ASLR
  • RCE payload used
  • Tuning the exploit for reliability
  • Live demo of the working exploit against the physical BC500 device, or a quick video showing the working exploit

Ubiquiti AI Bullet

Attack surface:

  • Quick overview of all the services exposed by the camera

Bug discovery:

  • Showing non-obvious attack surface

Exploitation of the vulnerability:

  • Analysis of the discovered vulnerability
  • Dealing with obstacles for Pwn2Own
  • RCE payload used
  • Live demo of the working exploit against the physical Ubiquiti AI Bullet device, or a quick video showing the working exploit

Pwn2Own events:

  • How we experienced the Pwn2Own events
  • Key takeaways from the Pwn2Own events

We participated in the Pwn2Own 2023 and 2024 events, focusing on the Surveillance Systems category. In this talk, we will take you on a deep dive into how we successfully exploited vulnerabilities in the Synology BC500 and Ubiquiti AI Bullet IP cameras.

We’ll show how we performed firmware extraction, subsequent analysis to identify attack surfaces, and how we obtained a root shell for debugging. In the next section, we’ll explain the vulnerabilities we discovered during our investigation, and we’ll talk about the exploitation to obtain an unauthenticated RCE, highlighting the unique challenges presented by the Pwn2Own competition, such as time constraints and exploit reliability.

Finally, we will describe the development process we used to write the proof-of-concept exploits. We’ll talk about various challenges we encountered and design choices we made to ensure the creation of robust and reliable exploits.