Friday, November 29, 2013

Seriously Samsung? Home surveillance cameras that expose login usernames and passwords.

SDE-4001N
Samsung's home surveillance camera systems (including the SDE and SDR DVR models) can only be controlled through a Silverlight plugin in Internet Explorer, so I decided over the Thanksgiving holiday to see whether I could study the network traffic and understand how these devices worked.  While looking at some of the endpoints, I came upon this security bulletin, published three months ago:

http://www.securityfocus.com/archive/107/528120/30/0/threaded
Samsung provides a wide range of DVR products, all working with nearly
the same firmware. The firmware is a Linux embedded system that
exposes a web interface through the lighttpd webserver and CGI pages.

The authenticated session is tracked using two cookies, called DATA1
and DATA2, containing respectively the base64 encoded username and
password. So, the first advice for the developers is: don't put the
user credentials into the cookies!

Anyway, the critical vulnerability is that in most of the CGIs, the
session check is made in a wrong way, which allows access to protected
pages simply by putting an arbitrary cookie into the HTTP request. Yes,
that's all.

This vulnerability allows remote unauthenticated users to:

- Get/set/delete username/password of local users (/cgi-bin/setup_user)

- Get/set DVR/Camera general configuration

- Get info about the device/storage

- Get/set the NTP server

- Get/set many other settings

It turns out that the major Samsung home surveillance DVR models have this security flaw. Essentially, every username and password is stored unhashed and can be retrieved by sending a request with an arbitrary cookie.   The source code that retrieves this information is here:

http://www.andreafabrizi.it/download.php?file=samsung_dvr.py
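To make the two problems in the bulletin concrete, here is an added example of my own (not code from the advisory, from Samsung's firmware, or from the samsung_dvr.py script linked above). It decodes the DATA1/DATA2 cookies as the advisory describes them, models the broken session check, and shows the hardened shape: credentials hashed on the server and a random session token that is accepted only if the server issued it. The exact logic of the real CGI check is not visible on this page, so vulnerable_session_check() is a model of the described behaviour (any cookie passes); the admin account, its password and the cookie values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000
SALT_LEN = 16


def parse_cookie_header(cookie_header: str) -> Dict[str, str]:
    """Split a raw Cookie: header value into a name -> value dict."""
    jar = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            jar[name.strip()] = value.strip()
    return jar


def decode_data_cookies(cookie_header: str) -> Optional[Tuple[str, str]]:
    """Recover the username and password carried in DATA1/DATA2 exactly as the
    advisory describes them (base64, no hashing).  Returns None when either
    cookie is missing or is not valid base64/UTF-8."""
    jar = parse_cookie_header(cookie_header)
    if "DATA1" not in jar or "DATA2" not in jar:
        return None
    try:
        user = base64.b64decode(jar["DATA1"], validate=True).decode("utf-8")
        password = base64.b64decode(jar["DATA2"], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


def vulnerable_session_check(cookies: Dict[str, str]) -> bool:
    """Model of the broken CGI check (an assumption about its exact logic, based
    only on the advisory's description): it tests that the two cookies are
    present, never that they name a real account, so any non-empty values pass."""
    return bool(cookies.get("DATA1")) and bool(cookies.get("DATA2"))


# --- Hardened replacement: hashed credentials, server-side sessions ---------

def hash_password(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored value is salt || digest."""
    salt = os.urandom(SALT_LEN)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Constructed demo account; a real device would keep this in its user database.
USERS: Dict[str, bytes] = {"admin": hash_password("password")}
SESSIONS: Dict[str, str] = {}   # random token -> username, held only on the server


def login(user: str, password: str) -> Optional[str]:
    """Check the password against the hashed store and mint a random session
    token.  The token carries no credential; it is only a key into SESSIONS."""
    stored = USERS.get(user)
    if stored is None or not verify_password(password, stored):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def fixed_session_check(cookies: Dict[str, str]) -> Optional[str]:
    """Correct check: a cookie is accepted only if the server issued it.
    Returns the logged-in username, or None for a missing or forged cookie."""
    return SESSIONS.get(cookies.get("SESSION", ""))


if __name__ == "__main__":
    captured = "DATA1=YWRtaW4=; DATA2=cGFzc3dvcmQ="   # constructed capture
    print("credentials readable from cookies:", decode_data_cookies(captured))
    forged = parse_cookie_header("DATA1=eDp4; DATA2=eDp4")
    print("vulnerable check accepts forged cookie:", vulnerable_session_check(forged))
    print("fixed check accepts forged cookie:", fixed_session_check({"SESSION": "eDp4"}))
```

The point of the hardened half is that the cookie value is meaningless on its own: it reveals nothing if sniffed, and an arbitrary value cannot pass because the check consults server state rather than the cookie's shape.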

If you want to verify whether your device is vulnerable, check out:

http://ismysamsungdvrhacked.appspot.com/ (GitHub code here)

Hoping to find that Samsung had fixed the issue, I went to http://www.samsungsv.com/Support/DVRFirmwareUpdate and discovered that the firmware versions have yet to be updated.

Why does this issue matter? For one, Samsung provides a Dynamic DNS service at samsungipolis.com (e.g. http://samsungipolis.com/home1) that lets customers' devices report their current IP address.  Samsung stores that address and serves a redirect from the customer's chosen name to the owner's cameras:

$ curl http://www.samsungipolis.com/testing
<body>
    <meta http-equiv="refresh" content="0;url=http://98.17.152.5:80"/>
</body>

In other words, all you have to do is find a name that is registered with Samsung's Dynamic DNS service, point the Python script at the IP address it redirects to, and, assuming the owner has enabled remote web interface access for the user account, you can log in to their system (and possibly gain admin access and make any changes you like).  You have to use Internet Explorer to test this, since the plug-ins were built in Silverlight.  (If you get a blank white screen, you are probably using a non-IE browser.)
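The locating step described above, as an added example that is my own code and not the page's: parse the meta-refresh the DDNS service returns to get the scheme, host and port of the owner's device, and apply a sanity check before pointing a scanner at it. The HTML sample is the curl output above; the internet_reachable() heuristic (skip private, loopback and link-local addresses, which a DDNS entry can end up reporting when the owner never set up port forwarding) is my assumption, not something the advisory states. The example stops at building the URL and sends nothing.

```python
import ipaddress
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed copy of what the curl command above returned.
SAMPLE_REDIRECT = """<body>

    <meta http-equiv="refresh" content="0;url=http://98.17.152.5:80"/>


</body>"""

# Matches the meta-refresh form the DDNS service emits: http-equiv first, then content.
META_REFRESH = re.compile(
    r"""<meta\s+http-equiv\s*=\s*["']?refresh["']?\s+content\s*=\s*["']?\s*\d+\s*;\s*url\s*=\s*([^"'>\s]+)""",
    re.IGNORECASE,
)


def redirect_target(html: str) -> Optional[Tuple[str, str, int]]:
    """Return (scheme, host, port) the DDNS page redirects to, or None if there
    is no usable http/https redirect (unregistered name, empty page, odd scheme)."""
    match = META_REFRESH.search(html)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if url.scheme not in ("http", "https") or not url.hostname:
        return None
    port = url.port or (443 if url.scheme == "https" else 80)
    return url.scheme, url.hostname, port


def internet_reachable(host: str) -> bool:
    """Heuristic (assumption, not from the advisory): a DDNS entry that reports
    a private, loopback, link-local or otherwise non-routable address cannot be
    reached from outside, whatever the firmware allows.  Hostnames are assumed
    to resolve publicly."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast)


def web_interface_url(html: str, path: str = "/cgi-bin/setup_user") -> Optional[str]:
    """Where the script from the advisory would be pointed, or None when the
    DDNS name does not lead to a device reachable from the Internet."""
    target = redirect_target(html)
    if target is None:
        return None
    scheme, host, port = target
    if not internet_reachable(host):
        return None
    return f"{scheme}://{host}:{port}{path}"


if __name__ == "__main__":
    print(redirect_target(SAMPLE_REDIRECT))
    print(web_interface_url(SAMPLE_REDIRECT))
```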

I've sent a note to their customer support and tweeted at them about this unpatched security flaw (now going on three months).  If you are running one of these systems, your best option is to disable the web interface, or at the very least stop exposing it to the Internet through port forwarding and the DDNS name, until this flaw is patched.

Update (12/1/2013): Samsung's web site at samsungsv.com does not have the updated firmware images, but you can sign up for a free account at http://developer.samsungtechwin.com and get access to newer versions of the firmware.

For the SDE-5001 DVR, for instance, the latest version is v1.05.  However, that update was released in 01/2013, almost a year ago, which suggests that the patch has yet to be applied.  Also, by mounting the flash image, we can see that the binary for the cgi_login program, which contains this security hole, does not appear to have changed since v1.02.   I also checked the lighttpd configuration and did not see any differences in the files. In other words, the security flaw still seems to exist.
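The comparison in the paragraph above, as an added example of my own rather than anything from the post or the firmware: hash every file in two extracted firmware trees and report which of the files a fix would have to touch are byte-identical across releases. It assumes the two images are already mounted or unpacked into directories; the paths cgi-bin/cgi_login and etc/lighttpd/lighttpd.conf and the build_demo_trees() fixture are constructed stand-ins, not the real firmware layout.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple


def file_digests(root: str) -> Dict[str, str]:
    """SHA-256 of every regular file below root, keyed by POSIX path relative
    to root.  Symlinks are skipped so a link such as bin/ls -> busybox is not
    reported as a changed or added file in its own right."""
    base = Path(root)
    digests = {}
    for path in sorted(base.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(base).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(old_root: str, new_root: str,
                  watch: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Diff two extracted firmware trees by content.  'watch' lists the files
    a fix would have to touch; 'watch_unchanged' names those that are
    byte-identical across the releases, which is the evidence the post relies
    on, and 'watch_missing' flags watched paths absent from either tree so a
    wrong path is not mistaken for 'unchanged'."""
    old, new = file_digests(old_root), file_digests(new_root)
    common = old.keys() & new.keys()
    unchanged = sorted(p for p in common if old[p] == new[p])
    watch = list(watch)
    return {
        "changed": sorted(p for p in common if old[p] != new[p]),
        "unchanged": unchanged,
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "watch_unchanged": sorted(p for p in watch if p in unchanged),
        "watch_missing": sorted(p for p in watch if p not in old or p not in new),
    }


def build_demo_trees() -> Tuple[str, str]:
    """Constructed stand-in for two mounted images (paths are assumptions, not
    the real firmware layout): the login CGI and lighttpd config are identical,
    only a version file differs, and one new binary appears in the newer image."""
    base = Path(tempfile.mkdtemp(prefix="fw_"))
    old, new = base / "v1.02", base / "v1.05"
    same_cgi = b"\x7fELF" + b"\x00" * 60 + b"cgi_login unchanged"
    same_conf = 'server.document-root = "/www"\nserver.port = 80\n'
    for root, version in ((old, "1.02"), (new, "1.05")):
        (root / "cgi-bin").mkdir(parents=True)
        (root / "etc" / "lighttpd").mkdir(parents=True)
        (root / "cgi-bin" / "cgi_login").write_bytes(same_cgi)
        (root / "etc" / "lighttpd" / "lighttpd.conf").write_text(same_conf)
        (root / "etc" / "version").write_text(version + "\n")
    (new / "cgi-bin" / "cgi_export").write_bytes(b"\x7fELF new in 1.05")
    return str(old), str(new)


if __name__ == "__main__":
    old_dir, new_dir = build_demo_trees()
    report = compare_trees(old_dir, new_dir,
                           watch=["cgi-bin/cgi_login", "etc/lighttpd/lighttpd.conf"])
    for key, files in report.items():
        print(f"{key:16s} {files}")
```

Run it against the two real mount points instead of the fixture and a non-empty watch_unchanged is the same finding the post makes: the login CGI and the web server config did not change between the releases, so a fix cannot be in them.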

54 comments:

  1. Any status updates on this fix? Updated firmware? Units are out of compliance at this point, and the web server (lighttpd) must be shut down until this is fixed. Please Samsung, get this update out ASAP!

  2. I guess there are no updates yet. I too need to know about that.
    Surveillance cameras

  3. I only see v1.02h for the SDE-5001N, where do you see v1.05? Also, I signed up on the techwin site, but there's no firmware for any device. Do I need to request for access?

  4. This is insane... as of 2:00PM EST 31JUL2014, the support team at Samsung TechWin told me "The developer has decided NOT to resolve this issue." Not via FW update or any other fix... they have simply said... Oh Well!!! OH HELL... This is a massive breach for any system... but it's even more egregious when you consider that it's your SECURITY system that is being breached!!! At this stage you are basically giving any novice hacker a bird's-eye view of your premises!!! AND the ability to LOCK YOU OUT of your own monitoring system or ERASE evidence of their criminal activity!!!

    I'm looking for a number for Samsung Corporate to demand they fix the issue, issue a refund or at least exchange the affected systems with more updated and SECURE systems from within their line.

    In the meantime... does anyone know of any other systems that can be used to work with this hardware? Maybe a non Samsung DDNS option or different remote access software? Thanks in advance

  5. How fine of you!!!! Really awesome efforts you have shown. weatherproof security camera

  6. Nice post. The information about DVR surveillance cameras is good; they are good for home and office security, and the range of DVR surveillance cameras is good.

  8. I was searching about this issue, and you have discussed it in such a clear and lovely manner that I don't have to go to any other webpage now. home security companies

  9. I generally don't comment on blogs, but your blog is the only one that forced me to. Amazing work... best home security

  12. I am glad to see such amazing things in one place. How did you do this? I am still surprised.
    best home security camera system consumer reports

  13. Hi everybody, you have done a superb job, guys. I am much impressed by you!

    Thanks
    Security Cameras

  14. surveillance cameras for-Blueline is composed of four divisions: Uniformed Division (armed or unarmed), Executive Protection Division, Security Guard Training and Education Division, and Commercial Services. Depending on the needs of our clients, personnel from any one of these divisions can be utilized to address their security needs.

  15. So my girlfriend's parents are going on vacation, and they are super strict and paranoid, so they are installing cameras in the house, which is weird since she is 21..... So how can we get around it? In the movies they always "loop" it, but I don't know if that is possible, or what else we can do.
    snooping

  16. I truly get pleasure from reading your blogs and their content. security cameras

  17. Have you tried to get the source code? As per the back of the manual there is an "Open Source License Report" that states:
    You may
    obtain the complete Corresponding Source code from us for a period of three years after our last shipment of this
    product by sending email to help.cctv@samsung.com

  18. Thanks for all the efforts that you have put into this. Very interesting information. I would like to do all the information
    Shiv Shakti Technoligies

  19. Thank you so much for this great share. It's really good.
    CCTV Installation Brisbane

  20. This is surely a very good blog, thanks a lot for sharing such nice information here.
    iSpyyou

  21. Endeavour Africa provides organizations and firms with finest quality CCTV Cameras to assist them with high end security and prevent security breaches.

  22. I really feel good that I checked out your post and found the actual info that I needed.
    ______________________________
    http://www.dynapost.com/

  23. Thanks for this really useful article.
    structured wiring

  24. I want to say that this article is amazing, well written, and comes with approximately all vital information. I'd like to see more posts like this. So nice to discover someone with genuine thoughts on this issue. Wireless Camera in Lahore

  25. Good post.... thanks for sharing. Very useful for me; I will bookmark this for my future needs. Thanks.
    New Branded Laptops and Desktops In Delhi

  26. Hi guys,
    Thank you so much for this wonderful article really!
    If someone wants to know more about security cameras Long Island, I think this is the right place for you!

  27. It is important to install Security Cameras and keep the entire workstation premises under CCTV Surveillance. You can even initiate the Video Surveillance Systems in the office, which will keep a watch on the workflow of your office staff too.

  28. Nice article, as for me. It would be great to read something more concerning this theme. The only thing that would also be great to see on this blog is some pics of some gadgets.

    RFID Access Control System

  29. You have done a superb job, friends. Thank you so much for this excellent post. Security Camera Installation Orlando

  30. I am undeniably thankful to you for providing us with this invaluable related information about the security cameras.
    Handle set door locks

  31. Great post... awesome... thanks for sharing about CCTV cameras. Keep posting.

  33. This blog is going to be useful for ordinary people to understand home security systems & security products. security camera

  34. Rewiresecurity is the most experienced body worn camera evidence solutions company in the world. Choose from our easy to use body worn spy cameras. Wearable bodyworn cameras can be a valuable tool for Law enforcement agencies - https://www.rewiresecurity.co.uk/body-worn-video-cctv-cameras-headcam



  35. Definitely agree with what you stated. Your explanation was certainly the easiest to understand. I tell you, I usually get irked when folks discuss issues that they plainly do not know about. You managed to hit the nail right on the head and explained out everything without complication. Maybe, people can take a signal. Will likely be back to get more.

    Video Surveillance System

  36. Really such a nice article. Very interesting information sharing. Never found anywhere this type of article about Samsung's surveillance IP cameras and Audio and Video Integration.

  37. This iris will open completely to allow more light and increase the depth of field to give you the most precision with your adjustments. Sydney CCTV

  38. It is imperative that the guards always be attentive and aware of their surroundings. Smarter alarm systems

  39. The best thing about DVRs is they now have a wireless technology system; now you can monitor activity from anywhere. There are 2 major areas you need to monitor: one is the office and the other one is home sweet home. Automated Security Service College Station Tx 77485 is the perfect invention you need to monitor indoor or outdoor activity.

  40. I really appreciate the efforts you put into reviewing these useful resources.

    And safety is not a privilege, it's a right, and here at SSP Australia (a leading security guards company in Melbourne, Australia)
    we provide professional and well-experienced security services.

  41. Nice post! Thanks for sharing such useful stuff. Find the best DVR camera from a trusted resource: china dvr manufacturer

  42. Spot on with this article, I really think this website needs more attention. I'll probably be back to read more, thanks for the info.
    hd security cameras

  43. I really appreciate your work, especially the research part of it, which made the whole point very easy to understand. The issue that you have raised through this blog "Home automation Auckland" is actually the one to think on. tandem jogging stroller

  44. Security is a must to save your lives and the very important things which are connected with you. We are dealing in various instruments which help to prevent casualties in daily life. Let's take a look at the Cctv full kit, Cctv suppliers Manchester, Cctv camera system, 8ch cctv DVR, 8 channel cctv security system, HD cctv camera or Hikvision ptz, Hikvision DVR, Hikvision NVR and Cctv for sale.

  45. I am expecting more interesting topics from you. And this was nice content and definitely it will be useful for many people. CCTV Melbourne

  46. Security is necessary for saving your lives. Thanks for sharing this great, valuable article. It's really helpful. You may also find the best cctv camera suppliers: cctv camera Suppliers

  47. I must say this is the best post. Thank you, and have a great service related to CCTV Installation and this advice for all at an affordable price.

  48. Your blog is providing a lot of information, thanks
    http://www.wschyderabad.com/samsung-service-center-in-hyderabad/