UPDATE: my camera account was pwned within 2 hours of the video going live. 😎Well done internetz

Helped a friend set up a 6 camera system. He bought 4 reputable cams and two cheapies. We configured all cams to shut off any and all cloud services. All were set with static IP, gateway, NTP server, and NO dns. The four reputable ones generate zero unexpected traffic. The two cheapies? Constant flow of connection attempts to cn owned IPs, as well as dns requests to google DNS IPs (apparently hard coded). Nothing goes anywhere since they're on a segregated VLAN with no outside access... but the firewall packet counters are in the millions.

TLS encryption, in this case, is probably more about obscuring what this device is doing versus protecting the user's data.

This is my favorite newly discovered KZbin channel. I watch every video as soon as they drop. Keep it up Matt!

What i'm interested in is when firmware detects that it has no internet connection (because I put it in a network jail), but that triggers routines in the device to escape the jail by automatically connecting to any nearby open WiFi without being told to. Or having firmware that can entering promiscuous mode to watch and analyze other devices for te purpose of masquerading as those devices after it sees it's silent for 30 minutes or so in order to find a way out of its jail. I'm concerned with so-called security cameras that provide no actual data security, or worse actively try to evade attempts to make them secure. It's not a matter of whether your cloud data is secure, but when it becomes insecure and whether you will ever know that it has happened. Cloud data means it's stored (potentially indefinitely) on someone else's computer and used for whatever purposes they want to use it for. And you have no recourse if they lied to you in the first place, or later abuse that trust whether it be willful or by neglect.

this is the content we need more of, keep it up matt this is legitimately great stuff

You are wonderful! A couple of months ago my work was throwing out old IP cams and I asked to have one because I was super interested in hooking it up and digging into everything that’s on it that the user doesn’t get to typically see. The camera is a Vstarcam. How lucky am I that an expert like yourself is doing exactly what I (an absolute amateur) was wanting to do on this brand of ip cam!

Thank you for letting us know. Having no certificate also means no certificate can expire. :-)

Point the camera at a Rick Astley video so that a hacker of your keys can see the success directly :D

You are a natural teacher as well. I hope you many, many subscribers!

This is some really cool content. I would highly recommend a brief intro with some bullets on what you are going to attempt and then as part of the outro, provide a summary of what you discovered. It would really help tie everything together.

I’m not a hacker and have zero Linux knowledge but this stuff and how you present it is fascinating to me regardless. Thanks for taking the time to setup these demonstrations and so clearly explain what is a very deep understanding of these devices.

For the typical end Luser, anc customer support people (if any), the potential for every device dying when the cloud server's certificate changes to one not in the chain of trust is a potentially significant issue. From the programmer's perspective... They possibly said to their manager, 'to do this properly we need to provide a way to update the trusted certs regularly' the account said oof, more infrastructure? and the CS people said 'what about users who had the device turned off for 2 years, and the manager replied, 'what if we just don't check the certs?' and went home with a bonus for saving the company money.....

Your videos are as good as sitting in sessions at DEF CON!

Man these videos are great, love how you explain your steps with enough detail to follow along. Great stuff.

Wonderful. Exactly answering some of the questions I had about some of my Chinesium security cameras. I really appreciate you going through this with live workflow. Keep up the good work.

Absolutely incredible channel. You keep the pacing super easy to follow and your topics are always interesting. Very educational and cool at the same time this is one of my favorite channels now ❤

loving the idea of letting peeps from the web fish around on the device and connect with you and others on discord ❤

This is one of the many reasons people need to be more aware of the risks of IOT devices. Especially when it comes to devices from other countries like China. Even thermostats, sensors, etc. It;s all sending data and to think and say things like "I don't care if China sees the temp in my house" is not seeing the bigger picture. As your video points out IoT devices are not very secure. I've even seen some people argue that they disable traffic to China. That "may" help but not all people have that skill and I guarantee you Chiuna has cloud based servers all over not just in China so you really don't know unless you have the skills to analyze traffic, look at all destinations and lookup who actually controls that endpoint and dig up what shell companies may be masking the true owner/country. Good video.

Good video, I can feel you raw passion and excitement about what you're doing coming through. I'll have to check out some of your others.

Nice video! Btw, find supports filtering for names and even executing other commands on its results find . -iname '*pam*' # same as the grep pipe find . -exec file {} \; # same as your xargs pipe

After all these years never knew or have seen all this techniques in action. Very excellent explanation and educational we need more of this stuff. Subscribed and liked thanks matt🎉🎉🎉🎉

That was an awesome run-down and explanation Matt, subscribed!

Yooooooo, You just got a new sub. Lovely vid. Love the work! ❤

Subcribed! Not only highly educational video, but reveals why it makes strategically sense that AliExpress and similar are so dirty cheap. Could you make more videos exposing products bought from China?

Awesome stuff mate. I am learning so much, and gives some scale as to how much I have to learn still. Keep it up!

Jesus! I just stumbled across this video and now I'm subscribed and know that I need to be much MORE more paranoid about stuff that I was previously just suspicious about.

Your content is awesome man,thanks for making it!

Great video. You did a great job explaining all the steps you did.

Great morning watch from Sweden, appreciate the video, Matt!

How have I never found your channel before? subscribed! This should be a DEFCON talk.

finally some channel for me :) high quality content!

Super instructive, and highly illustrative of the (in)security of many IoT devices. I just got into embedded and packet hacking at Def Con 32, and this is a fantastic continuation of what I learned there. Great to see these techniques employed in the wild, and you do a fantastic job of describing what's going on at each step.

Just discoverd your channel. This is sweet stuff. Great job

It seems, most of the current spies out of China are using 0s and 1s. Good stuff, Matt!

I hit the like button 10 seconds into the video as I know I am in for a treat! Great work!

Decrypting SSL!? Can’t wait for this one! Keep it up dude. Really enjoying the videos.

Way over my knowledge but found it very interesting to look at. Have for long time been thinking of a way to check what an app like TikTok and other app that should not be trusted, and different hardware, to see if they can be trusted. Wonder if such devices like you cheap camera should be on it's own network isolated from home server and other stuff. Looking forward to watch your future videos that educate us all.

Very cool. I look forward to part2.

What awesome content again thanks matt❤❤

Looking at some of the details decoded by certmitm it looks like the cloud infrastructure may be setup for multiple manufacturers to use (the reference to OEM look interesting). What are the chances that the work that Matt is doing applies not only to the make/model of camera being analysed, but also other brands and models ?

Great content, Matt. You earned a new subscriber.

This channel should go viral, love it.

So thankful to have found you!! Woot Woot!!

Nice work Matt

Would be cool if you could get that binary to run on your Linux machine and view the video feed without using the app

Great content, definitely subscribing!!

IoT means "Internet of Trouble". Also, don't get too comfortable if YOUR cam doesn't generate suspicious traffic. It is just waiting for the right time. ;)

Thanks!! Great video, ionly interesting stuff, no bullshit stories.

respect bro, keep up the great work!

Seriously. With what you are giving me as information and other hints. I am enjoying testing all the wifi device I have. Be it sensibo heat pump controler to my thermostats. And door bell camera. Amazing stuff!!!

Nice video's Matt, subbed! 👍

Now I have to reuse this tutorial in my lawnmower! I did not even try as I've seen it is ssl traffic, but I've never guessed the tls is not even verified! Thanks!

What is the most dangerous threat? A kind of obfuscated but auditable connection or a perfectly secure connection directly to an malicious service?

Thanks for posting. Super interesting 🙂

Yoooo my man usin polybar and i3wm, lets go

Such an awesome video! Thanks!

fascinating Matt, brilliant

I like this video. I'm technical (software experience but not security background) and would love more high level summary and explanation of what all this means. E.g. what are the consequences for users, what does this enable the Chinese to do etc etc

This is great content. Have you tried this on any major brand name cameras like Blink or Ring?

Great vid! Stay awsome, Jim.

Awesome matt!! subscribed!

Love these videos! Keep it up!

was the initial HTTP Request packet for that .jpg file just a "semaphore" or "signal" to the chinese server farm that the device was rebooted. and perhaps the "token" was really a way to get a message to those servers? This might have been a method of obscuration used by the manufacture. also, I noted that a HTTP 404 was returned by the server. hmmm

Nice Hacking Video, keep it up brother !!

Same shit with owning a VPS. I installed fail2ban and occasionally looked at the ban list, and it was just thousands of Chinese IPs trying to probe any open port.

very nIce, good man

A lot of wow but nothing out of the ordinary here

Now I can say Jason Bourne is teaching me hacking

A token was sent in clear text, havent watched the whole video but could be used to start a remote unauthorized stream with it, same was done with eufy cameras. The JPG is the thumbnail of the camera seen in the app. And when it comes to mobile applications not properly SSL pinning, this can be fairly easily circumvented with reverse engineering and the usage of software like frida, to override functions and or inject your own logic.

So.. to make sure I'm understanding - The flaw that allowed you to successfully run the MITM is that the camera didn't validate that the certificate was signed by a trusted root, so it trusted the cert dynamically generated by the utility? If this is the case, but it didn't work, is it common to be able to inject a new trusted root into the filesystem of the device under test, or if it did the root validation, that would be pretty secure?

I am fascinated by type of thing and really enjoy your videos.

I have mad mad respect for this guy.

Nice series! and the adres eye 4 China.............. 🤫

Now I would like to see some kind of custom firmware that we can install to make it localhost RTSP stream with audio. That would be TOP TIER! Cause I also have these China cameras and would love to localize these.

so freaking badass bro! next chapter lets goooooooo!!!

Do these cameras have built in chinese backdoors from software or hardware or both ? And have you created a list of security cameras that have been compromised ?

THANKS This is eye opening. Is there a clearing house for IOT devices that do not have these type of issues? Wired and Wireless?

Great video, would love to see what they send after getting the auth.

Youre a goldmine of great videos

The Wireshark capture was on a specific port on your desktop or a port on your router/modem? It''s the mitmrouter?

your polybar looks so much similar to my previous style

I also like to look for what other wifi/BT or RF traffic the device ( camera) has been scanning and packaging off the meta data for.

Hi Matt, Can you do a video on decrypting the wireshark tls packets after certmitm injecting a self signed certificate in the camera connection? I mean, that should be possible now, right? I tried loading the certmitm key file into Wireshark but I just cannot get it to decode the tls trafic.....

Another Amazing Video Matt! Are you going to DC 32 this year?

Could you make a video about your MITM-Router, hardware, making and software? Seach for a video and looked on your Github but can't find it.

I dont know how i ended up here, but im here to stay.

Great video

I’d love a video on eufy cameras!

Hi Matt, Thank you for the great content! I have a question: when running a tool like certmitm, is it necessary to make any modifications to my router? How does the traffic get routed through the host? Thanks a lot!

I like how they misspelled "signature" as "signatrue" in one of those intercepted requests idk why, but now i wonder what "signafalse" looks like

Great vid!

Hello Matt! Your content is absolutely fascinating, I love your videos! A question, any chance you would once look at an easier project, such as the tiny LCD screens they sell for Pc performance monitor screens. They have an onboard chip and the HW usually can only be used with the provided software.

I setup rules for hanasonic camera c210, it was trying to access dead panasonic cloud services in holland. Every ip camera register themselves somewhere to let users easily access camera from internet without messing firewall rules, port forqarding etc, buying rns name etc..

The IoT devices I"m familiar with use TLS in PSK mode. It is very lightweight as there are no certificates to verify, and cannot be MITM'd unless you know the PSK.

If a root cert expire. Those IoT devices stop working. Or when your server cert is too strong for the IoT device openssl version. Either way, there are many bad reasons why it wouldn't validate the server certificate 😅

I love this channel

I've got Zosi CCTV system and as soon as I set up a password on there, I stated getting hacking attempts on my network and even my email, so I just leave it offline and only access it locally. Also what's the point in SSL if it can be decrypted so easily?

How did you connect to the device? UART? etc?

Great video Mr Matt. So it's probably not good to buy a CAM from Temu? 😮