Owning the Wireless Camera (and Its User)
In Part One of this series, we examined the issues related to using a wireless camera for surveillance. In short, we found that you can knock the camera offline in several ways, sniff the images being passed over the airwaves if the network is unencrypted, and spoof the web interface of the camera using a man-in-the-middle attack.
While these issues are all serious, it was during this research that we started to examine the web interface of our AXIS 207W network camera to see what, if any, vulnerabilities might be lurking within the camera itself. The following details the results of our security review of this camera.
The AXIS 207W
AXIS has long been in the IP camera field and has numerous offerings. One of these is the AXIS 207W, a wireless IP camera you can set up anywhere there is a wireless network. The website states the following about the camera:
This entry-level network camera is ideal for securing small businesses, home offices and residences over a local area network or the Internet. The built-in microphone enables remote users to not only view, but also listen in on an area and increase the monitoring options.
One of the key features of the camera is that it is built on BusyBox, a popular flavor of Linux found in embedded devices. As a result, the camera contains a Bourne shell-compatible script interpreter, which means the 207W can be programmed to do many things that are normally outside the scope of an IP camera. For example, people have set up the camera to upload pictures to remote servers if an alarm event is triggered. However, giving the user such power also means that a successful attacker gains the same power and can then leverage the camera against the network, as you will see later in this article.