

Wireless Gadget Vulnerabilities: The Nikon Coolpix P1

Last updated Jul 21, 2006.

The Nikon Coolpix P1 digital camera represents a new breed of gadget. In addition to taking a sharp eight-megapixel picture, it sports an internal wireless network card that lets it transfer those pictures to a host PC without a cable. In the article titled Nikon Coolpix P1: Exposed and Abused, we took one of these devices apart to examine its internals. As expected, the camera is a marvel of design and complexity. Contained within its rather small case are enough electronics and peripherals to let a user take a very clear digital picture that can be blown up to a 20" x 30" portrait. However, it wasn't the camera's picture-capturing ability that caught our attention. Instead, it was the integrated hardware and software that allow the camera's user to transfer pictures to a PC over a wireless network.

Questions such as "How does this work?", "Are the pictures passed as plaintext?", "Can we interrupt the transfer process?", "Is there an authentication mechanism?" and "Can we inject our own pictures into the host PC?" all passed through our minds as we played with this "feature." So, like all curious researchers, we took a look and were quite surprised at what we found. This section outlines the transfer process and its flaws, and provides a clear example of how it could be abused to attack its user.

The "Normal" Transfer Process

Before using the wireless transfer function, the user must set up a "profile" on the host PC. This profile must then be uploaded to the camera before it can transfer pictures wirelessly. To do this, the user plugs the camera into the host PC via a USB cable and runs the "Wireless Camera Setup Utility." This program connects to the camera and starts a setup process that defines the wireless settings the camera needs in order to connect to the PC. Items such as a designated printer, the SSID of the wireless network, DHCP or static IP addressing, and the shared key (WEP or WPA) are all specified in this "profile." All of this is necessary because there is no direct interface to these settings on the camera itself.

After the user takes a picture, they can connect the camera to the wireless network by rotating the mode dial to the wireless icon. This brings up a screen that lists the available profiles. In general, there are two icons for each wireless network the camera has been configured to connect to: the first passes pictures to the host PC and the second passes pictures to a local printer via the host PC. We focused on the camera-to-PC option because it offered the most promising return on investment.

Once the profile is selected, the camera probes for the wireless network, connects (if all settings are correct), obtains an IP address via DHCP (or uses the preconfigured static IP), searches the network for a listening host PC, and starts the upload process. We will look into this in some detail, but the general process is as follows.

Camera: Opens a port to which the host PC can connect and download pictures.

Camera: Sends multicast mDNS (multicast DNS) packets to the network, with the port number included in the announcement.

Host PC: Detects the mDNS packets, which contain the camera's IP address and port number.

Host PC: Connects to the camera's IP:port and sends profile information to initiate the transfer process.

Camera: Sends back its MAC address, firmware version number, and other tidbits of information.

Host PC: Acknowledges receipt of that information.

Camera: Sends a listing of picture names.

Host PC: Acknowledges the list and requests only the pictures not previously downloaded.

Camera: Sends the image(s).

Host PC: Acknowledges each image received (with size information).

Camera: Says goodbye.

From this short dialogue you can see that there is a fair amount of communication between the camera and the host PC. We initially thought these packets included some kind of authorization mechanism that would keep out attackers (e.g. a hash of the picture, a secret key, etc.), but as we learned, the only protection is based on the MAC address of the "camera," which is easily spoofed. Before getting into the specifics of the attacks, we will first take a look at the mDNS protocol, because few people are familiar with how it works and what it is used for.

mDNS

The Multicast DNS (mDNS) protocol is a moderately popular way for gadgets and programs to find and talk to each other. The reason for this is twofold. First, because the packet format is the standard DNS message format, it is standardized and easy to work with. Second, the multicast component of the protocol means that a packet is delivered to every host on the local subnet. Specifically, the protocol was designed for small networks that do not contain a DNS server (http://www.multicastdns.org).

There are some problems with mDNS that should be considered before it is ever used. The first is that everything in the packet is plaintext. This is not too serious by itself, but it does help an attacker figure out what is happening on a network. The second issue is that, like standard DNS, there are no authentication measures built into the communication process. For example, it is a simple matter to craft a spoofed mDNS packet, inject it into the network, and be fairly certain that every mDNS listener will process it. It is possible to include hashes and similar checks within the data an mDNS record carries, but that is an application-level protection, not a protocol-level one.
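To make the announcement step of the transfer process and the plaintext/no-authentication point above concrete, here is an added example (not code from the original article, and not Nikon's) that builds an unsolicited mDNS response carrying a service's IP address and port, then decodes it exactly as any listener on the subnet would. The service name "_camera-xfer._tcp.local", the hostname, the IP address and the port number are placeholders invented for this illustration; the real record names and values used by the Coolpix P1 are not given on this page.

```python
"""Build and decode an mDNS (RFC 6762) service announcement.

Added example for illustration only; the service name, hostname, IP and port
below are made-up placeholders, not values observed from the Coolpix P1.
"""
import socket
import struct

MDNS_GROUP = "224.0.0.251"
MDNS_PORT = 5353
TYPE_A, TYPE_PTR, TYPE_SRV = 1, 12, 33
CLASS_IN = 1
CACHE_FLUSH = 0x8000  # top bit of the class field in mDNS responses


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad DNS label: %r" % label)
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def _rr(name: str, rtype: int, rdata: bytes, ttl: int = 120, flush: bool = True) -> bytes:
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    rclass = CLASS_IN | (CACHE_FLUSH if flush else 0)
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_announcement(instance: str, service: str, host: str, ip: str, port: int) -> bytes:
    """Unsolicited response: PTR (service -> instance), SRV (carries the port),
    A (carries the IP). Nothing is signed or encrypted, so the same function
    with a different ip/port is already a spoofed announcement."""
    full = "%s.%s" % (instance, service)
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 3, 0, 0)  # ID 0, QR=1 AA=1, 3 answers
    ptr = _rr(service, TYPE_PTR, encode_name(full), flush=False)  # shared record: no flush bit
    srv = _rr(full, TYPE_SRV, struct.pack("!HHH", 0, 0, port) + encode_name(host))
    a = _rr(host, TYPE_A, socket.inet_aton(ip))
    return header + ptr + srv + a


def decode_name(buf: bytes, off: int):
    """Decode a name at offset, following compression pointers (0xC0xx).
    Returns (name, offset just past the name in the original stream)."""
    labels, jumped, next_off = [], False, None
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            if not jumped:
                next_off = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (next_off if jumped else off)


def parse_announcement(buf: bytes) -> dict:
    """What any host on the subnet learns from the packet: all of it, in the clear."""
    _, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):  # skip any question section
        _, off = decode_name(buf, off)
        off += 4
    found = {}
    for _ in range(an + ns + ar):
        _name, off = decode_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == TYPE_PTR:
            found["instance"], _ = decode_name(buf, off)
        elif rtype == TYPE_SRV:
            _prio, _weight, found["port"] = struct.unpack("!HHH", buf[off:off + 6])
            found["host"], _ = decode_name(buf, off + 6)
        elif rtype == TYPE_A:
            found["ip"] = socket.inet_ntoa(buf[off:off + 4])
        off += rdlen
    return found


def send_announcement(packet: bytes) -> None:
    """Multicast the packet to the mDNS group (this one actually touches the network)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
    s.sendto(packet, (MDNS_GROUP, MDNS_PORT))
    s.close()


if __name__ == "__main__":
    # Placeholder values; swap in a different ip/port and nothing in the packet changes
    # that would let a listener tell the two announcements apart.
    pkt = build_announcement("Coolpix", "_camera-xfer._tcp.local", "camera.local", "192.168.1.42", 4321)
    print(parse_announcement(pkt))
```

Run it with no arguments and it prints the decoded records; call send_announcement() only on a network you are permitted to test, since every mDNS listener on that subnet will receive and act on the packet. The point to notice is that parse_announcement() needs no key, no secret and no prior relationship with the sender: the packet is self-describing, so the only way for the host PC to reject a forged announcement is a check it adds on top of mDNS at the application layer.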

We are personally aware of two other popular programs that use this protocol, both of which can be abused. The first is the ever-popular iTunes program, which uses mDNS to build the "Shared Lists" entries that let a user connect to and listen to music shared by another iTunes user on the network. Using spoofed mDNS packets, it is possible to create bogus shares or remove existing shares from the list. The second is the media-sharing component of the Xbox 360, which also uses mDNS to locate and connect to host systems running the Windows Media Connect service, through which an Xbox 360 can play music and more. As with iTunes, it is possible to convince the Xbox that there are multiple hosts on the network, and they will show up in the Xbox's host list.

In the case of the Nikon Coolpix P1, the mDNS protocol is used to locate the host PC and to establish and tear down the communication session. Unfortunately, anyone who can capture the mDNS packets has all they need to launch an attack against the host PC.

Next week we will be looking at how an attacker can abuse the Nikon Coolpix P1 picture transfer service/protocol. As you will see, we can use a Linux machine to emulate a camera and trick the host PC into believing the camera is requesting a picture download — but what else can we download?
