Rooting an Arlo Q Plus Camera (SSH 🔙🚪?!)

15,230 views

Flashback Team

2 years ago

Learn tricks and techniques like these, with us, in our amazing training courses!
flashback.sh/training
In this short video we show you how we discovered and used a backdoor in the Arlo Q Plus to gain root access to the device.
1. We identified the UART console
2. Dumped the NAND firmware
3. Found a hardcoded SSH root account and cracked its password
4. Discovered a special operation mode to enable SSH
The vulnerability was disclosed to the vendor via ZDI (ZDI-21-683) and tracked under CVE-2021-31505.
Advisory: www.zerodayinitiative.com/adv...
Fixed version: VMC3040S: 1.9.0.8_199_3707910 (according to Arlo; we did not test the fix)
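Between step 2 (dumping the NAND) and extracting the file system with binwalk, the raw dump has to have its out-of-band (OOB, or "spare") bytes removed, because a chip programmer reads every page together with its ECC/bad-block spare area and binwalk expects clean data. The script below is an added example of that step; it is not the Flashback Team's own OOB removal script or anything shown in the video. The chip geometry (2 KiB page, 64-byte spare) and the sample dump are constructed assumptions, and it goes slightly beyond the video by also handling the per-sector interleaved spare layout that some programmers produce.

```python
"""Strip the out-of-band (OOB / spare) area from a raw NAND dump.

Raw NAND programmers dump every page together with its spare area
(ECC, bad-block markers, filesystem tags).  Carving tools such as
binwalk expect only the data bytes, so the spare has to be removed
first.  Two common layouts are handled:

  * "page" layout:   [data(page_size)][spare(spare_size)] per page
  * "sector" layout: spare interleaved per sector, e.g. 2048+64
                     stored as 4 x (512 data + 16 spare)

Geometry defaults (2 KiB page, 64-byte spare) are a constructed
assumption for the example, not the parameters of a specific device.
"""
from __future__ import annotations

import sys


def strip_oob(dump: bytes, page_size: int = 2048, spare_size: int = 64,
              sector_size: int | None = None) -> bytes:
    """Return only the data bytes of a raw NAND dump.

    sector_size=None selects the "page" layout.  Setting it (e.g. 512)
    selects the interleaved layout, where each sector carries
    spare_size * sector_size // page_size bytes of its own spare.
    A dump whose length does not divide by page+spare means either the
    geometry is wrong or the dump is truncated, so it is rejected.
    """
    raw_page = page_size + spare_size
    if len(dump) % raw_page:
        raise ValueError(
            f"dump length {len(dump)} is not a multiple of page+spare "
            f"({raw_page}); wrong geometry or truncated dump")
    out = bytearray()
    if sector_size is None:
        for off in range(0, len(dump), raw_page):
            out += dump[off:off + page_size]
        return bytes(out)
    if page_size % sector_size or (spare_size * sector_size) % page_size:
        raise ValueError("spare cannot be split evenly across sectors")
    sector_spare = spare_size * sector_size // page_size
    raw_sector = sector_size + sector_spare
    # A raw page is a whole number of raw sectors, so stepping over the
    # entire dump by raw_sector is equivalent to walking page by page.
    for off in range(0, len(dump), raw_sector):
        out += dump[off:off + sector_size]
    return bytes(out)


def erased_pages(data: bytes, page_size: int = 2048) -> int:
    """Count fully erased (all 0xFF) pages in an OOB-stripped image.

    Useful for seeing where the programmed data ends in a dump.
    """
    blank = b"\xff" * page_size
    return sum(1 for off in range(0, len(data), page_size)
               if data[off:off + page_size] == blank)


def build_sample_dump(pages: int = 3, page_size: int = 2048,
                      spare_size: int = 64,
                      sector_size: int | None = None) -> tuple[bytes, bytes]:
    """Constructed sample: return (raw dump, clean image it should yield).

    Data pages are filled with their page index, the last page is left
    erased (0xFF), and spare bytes are 0xEE so they are easy to spot.
    """
    clean, raw = bytearray(), bytearray()
    for p in range(pages):
        data = bytes([p]) * page_size if p < pages - 1 else b"\xff" * page_size
        spare = b"\xee" * spare_size
        clean += data
        if sector_size is None:
            raw += data + spare
        else:
            sector_spare = spare_size * sector_size // page_size
            for s in range(0, page_size, sector_size):
                raw += data[s:s + sector_size] + spare[:sector_spare]
    return bytes(raw), bytes(clean)


def main(argv: list[str]) -> int:
    # usage: strip_oob.py raw.bin clean.bin [page_size spare_size [sector_size]]
    if len(argv) >= 3:
        page = int(argv[3]) if len(argv) > 3 else 2048
        spare = int(argv[4]) if len(argv) > 4 else 64
        sector = int(argv[5]) if len(argv) > 5 else None
        with open(argv[1], "rb") as f:
            clean = strip_oob(f.read(), page, spare, sector)
        with open(argv[2], "wb") as f:
            f.write(clean)
        print(f"wrote {len(clean)} bytes, {erased_pages(clean, page)} erased pages")
        return 0
    raw, expected = build_sample_dump()
    clean = strip_oob(raw)
    print(f"raw {len(raw)} -> clean {len(clean)} bytes, "
          f"matches expected: {clean == expected}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it without arguments to exercise the constructed sample, or pass the raw dump, an output path and the real chip geometry from the NAND datasheet; the resulting file is what binwalk should be pointed at. If the length check fails, the page or spare size is wrong for the chip or the dump is incomplete, and carving the image anyway produces misaligned file systems.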
Did you enjoy this video? Then follow us on Twitter, and subscribe to our channel for more awesome hacking videos.
~ Flashback Team
flashback.sh
/ flashbackpwn

Comments: 31
@JK-pb3vj 2 years ago
Great insight into your workflow - loving the content and keen to see the process you followed to access the firmware via NAND!
@AndreasWienes 2 years ago
Thanks for sharing another amazing video. It's always impressive to see you guys at work!
@foo-bar6302 1 year ago
Thank you for sharing!
@xsync3d 2 years ago
Amazing video!
@gilbertohernandez9223 2 years ago
Highly impressed!
@anindyasankarroy7123 2 years ago
Please make video on your approach to find vulnerabilities..
@YuriyKozin 1 year ago
Awesome!!
@fusca14tube 2 years ago
Hi.... Is the Arlo Q Plus firmware image encrypted when you download it from the site?
@Decrypt_Symbol 1 year ago
Firmware hack ❤🎉
@nzalog 1 year ago
I bought a broken one off of ebay and I got a console but it seems to be missing a file responsible for reverting to defaults. I wanted to poke around a bit, any chance you can share the login info?
@ryanscarver 2 years ago
My Arlo Q got bricked during a forced firmware upgrade while I was moving/reinstalling the camera. (Thanks Netgear!!!) Any chance I can reflash the firmware via USB using the firmware you extracted? Netgear's official response was, "Sorry, your device is past its warranty window." :|
@FlashbackTeam 2 years ago
Doubtful you can achieve it via USB. Probably your only option is to flash the chip directly.
@khneo 2 years ago
Hello, nice video! Did you report it to their bug bounty program and get a bounty?
@khneo 2 years ago
Oh, you reported it to ZDI! How much did they pay for that?
@FlashbackTeam 2 years ago
We reported via ZDI. We prefer to work with them rather than with bug bounty programs, as we are not always happy with the terms and conditions of BB programs.
@khneo 2 years ago
@FlashbackTeam Nice, thank you for the answer! I want to start IoT hacking too, it is so fun.
@woolfy02 2 years ago
Do you have a video on making a firmware image, after you pulled the chip?
@FlashbackTeam 2 years ago
What do you mean? The video shows the firmware after it's dumped from the chip, Radek running the OOB removal script and then using binwalk to extract the file system.
@woolfy02 2 years ago
@FlashbackTeam I guess just the process of dumping the firmware (software used, settings, chip reader or connected by wires, OS used). I was just curious how you do it. Just an idea.
@FlashbackTeam 2 years ago
Yes sir, we have a few videos on that in our pipeline, please be patient as we deal with our day jobs, but it is promised and we shall deliver!
@abdulkaderjaghel9055 2 years ago
How can I get your pipeline for these videos?
@yeetyeet7070 2 years ago
@FlashbackTeam Very interested in this too.
@yeetyeet7070 2 years ago
on top of having to desolder a nand chip and understanding the firmware, this entire thing is using little-endian, where do you even acquire the knowledge to work with something like this?
@FlashbackTeam 2 years ago
There are a lot of steps involved that we skipped. You'd have to analyse the firmware image, extract the file system from it, analyse boot-up scripts and binaries to find the backdoor mode, and then do the steps in the video (crack the password, etc.). How to acquire the knowledge? All of the above can be learnt by practicing each step (lots of free resources online), but it takes many years to develop a sense of what to look for and what to do in each specific situation. A really good in-person or online training can give you condensed knowledge (and compress years of knowledge into one week) on this subject matter and many more. We are planning to offer such trainings next year for analysing and attacking embedded devices.
@yeetyeet7070 2 years ago
@FlashbackTeam Now you're just bragging :)) Thank you very much though, looking forward to your trainings.
@0x80O0oOverfl0w 2 years ago
A lot of embedded systems are little-endian. I don't think I've ever seen an ARM-based system that was big endian. Some MIPS devices are little endian, although it's less common on MIPS.
@bibikski2270 2 years ago
urmom
@FlashbackTeam 2 years ago
No, urmom!
@sirrosh69 1 year ago
This reminds me of the "How to draw an owl" tutorial meme... Completely pointless, with near-zero educational value :( (by some magic we discovered a special mode)