Decrypting SSL to Chinese Cloud Servers - Hacking the VStarcam CB73 Security Camera

Published 2024-07-31
In this video, we discover that the VStarcam CB73 security camera sends some of its traffic in cleartext, and that its SSL connections do not verify the server certificate.

certmitm repo:
github.com/aapooksman/certmitm

certmitm DEF CON talk:
DEF CON 31 - certmitm Automatic Expl...

mitmrouter repo:
github.com/nmatt0/mitmrouter

Need IoT pentesting or reverse engineering services?
Please consider Brown Fine Security:
brownfinesecurity.com/

IoT Hackers Hangout Community Discord Invite:
discord.com/invite/vgAcxYdJ7A

🛠️ Stuff I Use 🛠️

🪛 Tools:
Raspberry PI Pico: amzn.to/3XVMS3K
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB

🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx

🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb

About Me:
My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.

- Soli Deo Gloria

💻 Social:
website: brownfinesecurity.com/
twitter: twitter.com/nmatt0
linkedin: www.linkedin.com/in/mattbrwn/
github: github.com/nmatt0/

#hacking #iot #cybersecurity

All Comments (21)
  • @mattbrwn
    UPDATE: my camera account was pwned within 2 hours of the video going live. 😎Well done internetz
  • @khx73
    Helped a friend set up a 6 camera system. He bought 4 reputable cams and two cheapies. We configured all cams to shut off any and all cloud services. All were set with static IP, gateway, NTP server, and NO dns. The four reputable ones generate zero unexpected traffic. The two cheapies? Constant flow of connection attempts to cn owned IPs, as well as dns requests to google DNS IPs (apparently hard coded). Nothing goes anywhere since they're on a segregated VLAN with no outside access... but the firewall packet counters are in the millions.
  • @is350ace
    This is my favorite newly discovered Youtube channel. I watch every video as soon as they drop. Keep it up Matt!
  • @mjmeans7983
    What I'm interested in is when firmware detects that it has no internet connection (because I put it in a network jail), but that triggers routines in the device to escape the jail by automatically connecting to any nearby open WiFi without being told to. Or having firmware that can enter promiscuous mode to watch and analyze other devices for the purpose of masquerading as those devices after it sees it's silent for 30 minutes or so in order to find a way out of its jail. I'm concerned with so-called security cameras that provide no actual data security, or worse actively try to evade attempts to make them secure. It's not a matter of whether your cloud data is secure, but when it becomes insecure and whether you will ever know that it has happened. Cloud data means it's stored (potentially indefinitely) on someone else's computer and used for whatever purposes they want to use it for. And you have no recourse if they lied to you in the first place, or later abuse that trust whether it be willful or by neglect.
  • @the_beefy1986
    TLS encryption, in this case, is probably more about obscuring what this device is doing versus protecting the user's data.
  • @arejay988
    this is the content we need more of, keep it up matt this is legitimately great stuff
  • You are wonderful! A couple of months ago my work was throwing out old IP cams and I asked to have one because I was super interested in hooking it up and digging into everything that’s on it that the user doesn’t get to typically see. The camera is a Vstarcam. How lucky am I that an expert like yourself is doing exactly what I (an absolute amateur) was wanting to do on this brand of ip cam!
  • @zymurgist8844
    This is some really cool content. I would highly recommend a brief intro with some bullets on what you are going to attempt and then as part of the outro, provide a summary of what you discovered. It would really help tie everything together.
  • @cozzm0AU
    I’m not a hacker and have zero Linux knowledge but this stuff and how you present it is fascinating to me regardless. Thanks for taking the time to setup these demonstrations and so clearly explain what is a very deep understanding of these devices.
  • @kuyayan
    You are a natural teacher as well. I hope you get many, many subscribers!
  • @squelchtone
    How have I never found your channel before? subscribed! This should be a DEFCON talk.
  • loving the idea of letting peeps from the web fish around on the device and connect with you and others on discord ❤
  • This is one of the many reasons people need to be more aware of the risks of IoT devices. Especially when it comes to devices from other countries like China. Even thermostats, sensors, etc. It's all sending data and to think and say things like "I don't care if China sees the temp in my house" is not seeing the bigger picture. As your video points out IoT devices are not very secure. I've even seen some people argue that they disable traffic to China. That "may" help but not all people have that skill and I guarantee you China has cloud based servers all over not just in China so you really don't know unless you have the skills to analyze traffic, look at all destinations and lookup who actually controls that endpoint and dig up what shell companies may be masking the true owner/country. Good video.
  • Thank you for letting us know. Having no certificate also means no certificate can expire. :-)
  • @Y3llowMustang
    Would be cool if you could get that binary to run on your Linux machine and view the video feed without using the app
  • @slincolne
    Looking at some of the details decoded by certmitm it looks like the cloud infrastructure may be set up for multiple manufacturers to use (the reference to OEM looks interesting). What are the chances that the work that Matt is doing applies not only to the make/model of camera being analysed, but also other brands and models?
  • Subscribed! Not only a highly educational video, but it reveals why it makes strategic sense that AliExpress and similar are so dirt cheap. Could you make more videos exposing products bought from China?
  • @Hoerli
    Point the camera at a Rick Astley video so that a hacker of your keys can see the success directly :D
  • @davidg2861
    For the typical end Luser, and customer support people (if any), the potential for every device dying when the cloud server's certificate changes to one not in the chain of trust is a potentially significant issue. From the programmer's perspective... They possibly said to their manager, 'to do this properly we need to provide a way to update the trusted certs regularly', the accountant said 'oof, more infrastructure?', and the CS people said 'what about users who had the device turned off for 2 years?', and the manager replied, 'what if we just don't check the certs?' and went home with a bonus for saving the company money...