Hacking a Modern CCTV: ESCAM Pearl QF100 IP Camera

 

During my college days, my group mates and I bought this IP camera for a final project before finishing our program. It was a pretty cheap deal from a Chinese site so we didn’t hesitate to buy it. After learning how to install and use it, we successfully integrated it in our system, passed the project, got our diplomas, and had this IP camera thrown back into its box.

Over the past few days, I decided to take it out again and install it at home, but here came the problem: I forgot what the password was! And even if I remembered the password for the web interface, I didn’t know what port the service was running on. Now the first thing that a person would probably do is press that ‘factory reset’ button so the default settings would come back, but believe me, it wasn’t working in my case so I needed a solution.

First, I had to know the port where the web interface was running. Simply typing <IP> in the browser didn’t work (this assumes that the port is 80). The address of the IP camera in my case was 192.168.1.108 (you can check this through your router’s DHCP client list).

I was thinking that if I tried all the ports by hand, it would probably take me hours to find the web interface, so I needed some help from a few small tools in Kali Linux. By using the ‘ping’ command, I confirmed that Kali could communicate with the IP camera on the network.

Now, by using the popular ‘nmap’ tool with the ‘-sV’ option, the open ports and the services running on them are listed.

The results are quite interesting here. Just by looking at the details, there’s a GoAhead WebServer running on port 81, which means we can access it through a browser by typing 192.168.1.108:81.

Now it’s asking for the login credentials, which I unfortunately don’t remember, so I tried a few combinations including the default credentials ‘admin:888888’ while crossing my fingers that it goes in. No luck, so I guess this is a dead end for now.

Going back to the nmap scan report, we can see that there are many other ports that run services. Oh, and there’s a telnet service running on the IP camera’s operating system too. A quick search suggests trying the username ‘root’ and the password ‘123456’. Guess what the result was?

Administrator access to the IP camera’s operating system! With this access, we could pretty much do anything with the IP camera. For example, typing in an ‘ls’ command will show the directories available.

Getting back to my original problem, however: what was the previously set password for the web interface? The first thing that came to mind was doing a search in the console. With the command ‘find / -name "pass*"’, the IP camera’s operating system will list the files whose names start with ‘pass’ in all directories and subdirectories under the ‘/’ path.

Well, it didn’t seem to show anything interesting. I mean yes, the passwd file at ‘/etc/passwd’ is pretty neat but we already have the credentials ‘root:123456’ (if you want to check how many accounts are present, you can try ‘cat /etc/passwd’ and see the results). Next, I tried finding files whose names start with ‘login’. The command is ‘find / -name "login*"’.

Now there were two results that caught my eye. The first was ‘/system/www/login.htm’ and the next was ‘/system/param/login.cgi’. Since the first result has the extension ‘.htm’, we know that it’s an HTML web page. The second one, however, is a ‘.cgi’ file, so by typing the command ‘cat /system/param/login.cgi’, we will be able to read its contents.

Surprise surprise! The login credentials are not even encrypted. The username is ‘admin’ and the password is ‘designproject’.

By entering the credentials, we can successfully enter the web interface of the IP camera.

This issue seems to be present in many models of IP cameras (not just this specific brand) because after some more research, there were many other posts that showed this same vulnerability.
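To check your own network for devices with the same exposure, here is an added example (not part of the original post): it reads nmap's grepable output from a ‘-sV -oG’ scan and lists hosts with an open telnet service or a GoAhead web server, the two services found on this camera. The sample scan text, the function names and the finding labels are constructed for illustration.

```python
import re

# Constructed sample in nmap's grepable (-oG) format; not output captured
# from the camera in this post. Per-port fields are:
#   port/state/protocol/owner/service/rpcinfo/version/
SAMPLE_GNMAP = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.168.1.108 ()\tStatus: Up\n"
    "Host: 192.168.1.108 ()\tPorts: 23/open/tcp//telnet//BusyBox telnetd/, "
    "81/open/tcp//http//GoAhead WebServer/\tIgnored State: closed (998)\n"
    "Host: 192.168.1.1 ()\tPorts: 53/open/tcp//domain//dnsmasq/, "
    "443/open/tcp//ssl|https//nginx/\tIgnored State: closed (998)\n"
    "Host: 192.168.1.50 ()\tPorts: 23/filtered/tcp//telnet///, "
    "80/open/tcp//http//lighttpd/\tIgnored State: closed (998)\n"
)


def parse_ports(line):
    """Return [(port, state, service, version)] from one grepable 'Ports:' line."""
    match = re.search(r"Ports: (.*?)(?:\t|$)", line)
    if not match:
        return []
    ports = []
    for entry in match.group(1).split(", "):
        fields = entry.strip().split("/")
        if len(fields) < 7 or not fields[0].isdigit():
            continue  # malformed entry, skip rather than guess
        ports.append((int(fields[0]), fields[1], fields[4], fields[6]))
    return ports


def audit(gnmap_text):
    """List (host, port, finding) for open telnet and GoAhead web services."""
    findings = []
    for line in gnmap_text.splitlines():
        host = re.match(r"Host: (\S+)", line)
        if not host:
            continue
        for port, state, service, version in parse_ports(line):
            if state != "open":
                continue  # filtered/closed ports are not reachable services
            if service == "telnet":
                findings.append((host.group(1), port, "telnet"))
            if "goahead" in version.lower():
                findings.append((host.group(1), port, "goahead-web"))
    return findings


if __name__ == "__main__":
    for host, port, finding in audit(SAMPLE_GNMAP):
        print(f"{host}:{port} {finding}")
```

Any host flagged for telnet should have the service disabled or firewalled off from the rest of the network, since a web interface password does nothing for it.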

Come to think of it, adding a password in the web interface will just filter out people who don’t know about the telnet backdoor, and this is just one very basic method that shows how IP cameras can be insecure. I won’t be discussing more common vulnerabilities in IP cameras here because it seems that more vulnerabilities can be found on the internet. I’ll just leave that task to you and possibly update this post if I find something new. Thank you so much for reading!
