“Gettin’ Digoo with it” pt2

Part 1, Part 2…, Part 3Pr1uaM5oSEm6._UX300_TTW_

PORT 23 TELNET OPEN WITH ROOT ACCESS.
If your setup was plug and play without having to port forward there is a big chance that the camera requested it’s ports to be opened up to the router. So automagically port 23 with root access, and 554 rtsp and 5000 would be open to the web. With all the random scans I get on an average day this camera wouldn’t go unnoticed very long.

So what about port 23 and telnet? Connecting to the root, would mean giving full control to anyone who can access the camera. This will require more research on my end maybe a part 3 is in order

This is an interesting read
https://jumpespjump.blogspot.jp/2015/09/how-i-hacked-my-ip-camera-and-found.html

img_5805.jpg
Login in the DIGOO BB-M1X with a TELNET ios app reveals, not a lot yet

So, I tried to enter a generic command to get this:
BusyBox v1.21.0 well this is interesting a quick search reveals https://www.busybox.net/
img_5806More commands at https://www.busybox.net/downloads/BusyBox.html


PROBLEM 2: Got control? Where is ONVIF? I can’t get PTZ controls in Hassio. Apps are a pain to set up with this camera.

This leads nicely into another problem I am having with this camera.

PROBLEM 3: A few days ago I noticed the Digoo BB-M1X ip camera kept resetting its clock. As I just bought it I was thinking that my network setup was the problem and or the camera was broken.

I was going to allow local NTP access on port 123 but when checking the pfsense logs I didn’t see any access attempt records to the NTP server. (even when while still blocking internet access, I gave it access to my DNS server)

A few days in a row this happened.

I had previously assumed it was due to overloading the minuscule breaker capacity of this old leaning house. But alas I saw the time reset usually about 24 hours after I set it last. I am under the assumption now that it’s due to my complete restriction to allow it to communicate to any outside servers.
If it wont access a local NTP server then it’s probably trying to connect to a pre-programmed one within the IP addresses it tries to reach out to.

More poking around is required.

51U9qzxSJpL._SL1000_

Where’s problem 3? Resolution to Problem 2? Closure? Not yet.
For the moment this camera is as secure as possible behind my firewall. One thing at a time.

Part 3…

4 thoughts on ““Gettin’ Digoo with it” pt2

  1. Some of my IP cameras get their time from what looks like a P2P signalling server as the last 4 bytes in a list of ips, ports, and flags returned by a server to which the camera first connects, which, amazingly, is not very accurate. These devices try to connect every couple of seconds. You can open your firewall periodically for a few seconds to allow the camera(s) to get the correct time, then close it down. I don’t want to do this, so I am considering implementing a rather complex scheme to simulate their P2P servers for the purpose of syncing the time.

    Like

    1. Interesting insight.
      Although I haven’t taken it that far I was considering getting a script in busy box to save the time and read upon reboot. It would still get out of sync eventually.
      I believe there was an NTP command in busybox that would have been a nice implementation but as this is geared towards the general population most things are automated with servers scattered all over.
      Allowing the camera to connect is not appealing even for a moment. I haven’t sniffed the packets.
      Let me know how your plan works.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s