How to hack a DVR system or an IP-camera
* This article is for educational purposes only. It has been made to help IT experts and give them a greater understanding of how to protect the network from attacks.
Remote access to a web camera or DVR system is one of the easiest and most impressive hacks. It doesn’t require special software and can be executed via browser and some uncomplicated manipulations. Almost any DVR and IP camera system can be hacked if you can locate the IP address and learn how to exploit any vulnerabilities.
Often there is a bit of confusion about the difference between IP cameras and webcams, but they are indeed very different devices.
An Internet Protocol (IP) camera (or DVR) is an independent surveillance system that is usually controlled via a web browser with its own operating system – typically, an embedded PC with Linux-based OS and Ethernet interface or a WiFi connection.
A web-camera, or webcam, is a passive device that is controlled from a local computer via USB using OS driver. There are two types of drivers: a universal driver that is already installed with the OS and will work with many webcam brands, and a specific driver that is provided and installed with the webcam.
Hacking Techniques
Hacking techniques differ from IP cameras to webcams.
Hacking Webcams
The objective here is not to connect to the webcam but to intercept the video stream that is translated via the OS driver. I will talk about this in my next article.
Hacking IP Cameras
Hacking an IP Camera won’t set off alarms on a corporate server or PC, or alert anyone that you are watching the video stream on your screen. In fact, you would likely not be the only one streaming video from the IP camera.
By design, IP cameras are protected by two secrets: 1.) a camera IP address, and 2.) username and password authentication.
In reality, an IP address can’t be called a secret; IP cameras can easily be identified using an NMAP scanner, and IP cameras replay to search engine robots. For example, in the screenshot below, the owner disabled anonymous accesses and added CAPTCHA for pre-authorisation attacks. However, with direct link /index.htm, we can change it with no authorisation.
Some IP camera vulnerabilities can be found via advanced Google search.
For example:
inurl:«wvhttp‐01»
inurl:«viewerframe?mode=»
inurl:«videostream.cgi»
inurl:«webcapture»
inurl:«snap.jpg»
inurl:«snapshot.jpg»
Inurl:«video.mjpg»
Now, let’s try something more advanced – it is a lot easier to find the IP camera using www.shodan.io. For starters, we can filter the search to simple netcam, and later switch to more advanced – netcam city: Melbourne, netcam country: AU, webcamxp geo: 67.222, linux upnp avtech
Another great IOT search engine is Censys. The advanced search is a bit more complicated, but figuring out basic filters is not hard. For example, 80.http.get.body:“DVR Web Client” will search for IP cameras connected via IP, whereas metadata.manufacturer:“axis” will find IP cameras that were manufactured by Axis.
Another great search engine for IOT is ZoomEye, which operates on the same idea – using device:webcam will search for IP cameras.
There are also older methods. It’s quite easy to find the victim IP range, scan the range with local NMAP or a remote “https://4it.me/portscan” scanner. For default IP camera ports, use 8000,8080,8888.
After finding the right port and connecting via browser, 99% of IP cameras will display the name and model. With the help of a quick Google search, we can even find the default username, password, and admin portal URL and try our luck. Another good resource for default usernames and passwords for IP cameras is IPVM.com.
Many manufacturers also leave in the firmware and a special tech user/password for password recovery and remote support, but you won’t find this password in the user manual. However, it can be found in many tech forums.
Getting more technical
The biggest problem with modern IP cameras is that most manufacturers are using the same web server, GoAhead, which has multiple well known vulnerabilities.
GoAhead is vulnerable to buffer overflow, and camera vendors have added more holes by modifying GoAhead in their firmware.
Today, millions of IP cameras and DVR systems are exposing the remote configuration without any authentication. Python Script, which automates this attack, can be found on GitHub. A large problem is that many IP camera and DVR vendors use the same base firmware image, only modifying it slightly to suit custom needs.
In some types of firmware, you’ll find errors like bad redirections that will allow you to bypass the login screen by clicking multiple times on the ‘Cancel’ button.
Although this goes a bit off topic, it is very important to outline the risks. As I mentioned before, IP cameras or DVR systems are small embedded PCs and typically connect to a corporate network. With a successful attack, a hacker can access the embedded OS and start using it as an entry point to the host network or as a DDOS device to attack others. And this is just the tip of the iceberg in terms of possibilities.
How do I protect my DVR or IP camera system?
- Check that there are no default user/passwords.
- Install firmware updates, if available.
- Separate the cameras and DVR from your production systems (VLAN, NAC, Access policies).
- Implement network monitoring and analytics with alerts to have full visibility.
- Lock down external IP addresses (don’t do a 1:1 NAT to your DVR system or IP camera)