Faraday's researchers Javier Aguinaga and Octavio Gianatiempo have investigated IP cameras and found two high-severity vulnerabilities.
This research project began when Aguinaga's wife, a former Research leader at Faraday Security, informed him that their IP camera had stopped working. Although Javier was initially asked to fix it, being a security researcher he opted for a more unconventional approach to tackle the problem. He brought the camera to their office and discussed the issue with Gianatiempo, another security researcher at Faraday. The situation quickly escalated from some light reverse engineering to a full-fledged vulnerability research project, which ended with two high-severity bugs and an exploitation strategy worthy of the big screen.
They uncovered two LAN remote code execution vulnerabilities in EZVIZ's implementation of Hikvision's Search Active Devices Protocol (SADP) and SDK server:
The affected code is present in several EZVIZ products, which include but are not limited to:
| Product Model | Affected Versions |
|---|---|
| CS-C6N-B0-1G2WF | Versions below V5.3.0 build 230215 |
| CS-C6N-R101-1G2WF | Versions below V5.3.0 build 230215 |
| CS-CV310-A0-1B2WFR | Versions below V5.3.0 build 230221 |
| CS-CV310-A0-1C2WFR-C | Versions below V5.3.2 build 230221 |
| CS-C6N-A0-1C2WFR-MUL | Versions below V5.3.2 build 230218 |
| CS-CV310-A0-3C2WFRL-1080p | Versions below V5.2.7 build 230302 |
| CS-CV310-A0-1C2WFR Wifi IP66 2.8mm 1080p | Versions below V5.3.2 build 230214 |
| CS-CV248-A0-32WMFR | Versions below V5.2.3 build 230217 |
| EZVIZ LC1C | Versions below V5.3.4 build 230214 |
These vulnerabilities affect IP cameras and can be used to execute code remotely, so they drew inspiration from the movies and decided to recreate an attack often seen in heist films: the hacker in the group is responsible for hijacking the cameras and modifying the feed to avoid detection. Take, for example, this famous scene from Ocean's Eleven:
Exploiting either of these vulnerabilities, Javier and Octavio served a victim an arbitrary video stream by tunneling their connection with the camera into an attacker-controlled server while leaving all other camera features operational. A detailed deep dive into the whole research process can be found in these slides and code. It covers firmware analysis, vulnerability discovery, building a toolchain to compile a debugger for the target, and developing an exploit capable of bypassing ASLR, plus all the details about the Hollywood-style post-exploitation, including tracing, in-memory code patching and manipulating the execution of the binary that implements most of the camera features.
This research shows that memory corruption vulnerabilities still abound on embedded and IoT devices, even on products marketed for security applications like IP cameras. Memory corruption vulnerabilities can be detected by static analysis, and implementing secure development practices can reduce their occurrence. These approaches are standard in other industries, evidencing that security is not a priority for embedded and IoT device manufacturers, even when developing security-related products. By filling the gap between IoT hacking and the big screen, this research questions the integrity of video surveillance systems and hopes to raise awareness about the security risks posed by these kinds of devices.
Security has two difficult tasks: designing smart ways of getting new information, and keeping track of findings to improve remediation efforts. With Faraday, you may focus on discovering vulnerabilities while we help you with the rest. Just use it in your terminal and get your work organized on the run. Faraday was made to let you take advantage of the available tools in the community in a truly multiuser way.
Faraday aggregates and normalizes the data you load, allowing you to explore it through different visualizations that are useful to managers and analysts alike.
To read about the latest features check out the release notes!
The easiest way to get Faraday up and running is using our docker-compose file:

```shell
$ wget https://raw.githubusercontent.com/infobyte/faraday/master/docker-compose.yaml
$ docker-compose up
```
If you want to customize the deployment, you can find an example config here.
To run the image directly, you need to have a Postgres instance running first:

```shell
$ docker run \
    -v $HOME/.faraday:/home/faraday/.faraday \
    -p 5985:5985 \
    -e PGSQL_USER='postgres_user' \
    -e PGSQL_HOST='postgres_ip' \
    -e PGSQL_PASSWD='postgres_password' \
    -e PGSQL_DBNAME='postgres_db_name' \
    faradaysec/faraday:latest
```

Alternatively, install from PyPI:

```shell
$ pip3 install faradaysec
$ faraday-manage initdb
$ faraday-server
```
You can find the installers on our releases page:

```shell
$ sudo apt install faraday-server_amd64.deb
```

Add your user to the faraday group and then run:

```shell
$ faraday-manage initdb
$ sudo systemctl start faraday-server
```
If you want to run directly from this repo, this is the recommended way:

```shell
$ pip3 install virtualenv
$ virtualenv faraday_venv
$ source faraday_venv/bin/activate
$ git clone git@github.com:infobyte/faraday.git
$ cd faraday
$ pip3 install .
$ faraday-manage initdb
$ faraday-server
```
Check out our documentation for detailed information on how to install Faraday on all of our supported platforms.
For more information about the installation, check out our Installation Wiki.
In your browser you can now go to http://localhost:5985 and log in with "faraday" as the username and the password given by the installation process.
Learn about Faraday's holistic approach and rethink vulnerability management.
- Setup Bandit and OWASP ZAP in your pipeline
- Setup Bandit, OWASP ZAP and SonarQube in your pipeline
Faraday-cli is our command line client, providing easy access to the console tools; work in Faraday directly from the terminal!
This is a great way to automate scans, integrate them into a CI/CD pipeline or just get metrics from a workspace.

```shell
$ pip3 install faraday-cli
```
Check our faraday-cli repo
Check out the documentation here.
Faraday Agents Dispatcher is a tool that gives Faraday the ability to run scanners or tools remotely from the platform and get the results.
Connect your favorite tools through our plugins. Right now there are more than 80 supported tools, among which you will find:
Missing your favorite one? Create a Pull Request!
There are two plugin types:
Console plugins, which interpret the output of the tools you execute:

```shell
$ faraday-cli tool run "nmap www.exampledomain.com"
Processing Nmap command
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-22 14:13 -03
Nmap scan report for www.exampledomain.com (10.196.205.130)
Host is up (0.17s latency).
rDNS record for 10.196.205.130: 10.196.205.130.bc.example.com
Not shown: 996 filtered ports
PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  open   https
2222/tcp open   EtherNetIP-1
3306/tcp closed mysql
Nmap done: 1 IP address (1 host up) scanned in 11.12 seconds
Sending data to workspace: test
Done
```

Report plugins, which allow you to import previously generated artifacts like XML or JSON files:

```shell
$ faraday-cli tool report burp.xml
```

Creating custom plugins is super easy; read more about Plugins.
You can also access our API directly; check out the documentation here.
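To make the difference between the two plugin types concrete, here is an added example (not Faraday's own plugin code, and not its plugin API): a console-style parser for nmap's normal output and a report-style parser for an nmap `-oX` artifact, both producing the same normalized service records, followed by the deduplication step that a vulnerability manager performs before results land in a workspace. The sample console output is constructed from the scan shown above; the XML sample, the `Service` record layout and the function names are assumptions of this example.

```python
"""Added example: console and report plugins for nmap, normalized and deduplicated."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, asdict

# Constructed sample: the nmap console output shown on the page.
SAMPLE_CONSOLE = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-22 14:13 -03
Nmap scan report for www.exampledomain.com (10.196.205.130)
Host is up (0.17s latency).
rDNS record for 10.196.205.130: 10.196.205.130.bc.example.com
Not shown: 996 filtered ports
PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  open   https
2222/tcp open   EtherNetIP-1
3306/tcp closed mysql

Nmap done: 1 IP address (1 host up) scanned in 11.12 seconds
"""

# Constructed sample: the same scan as an abbreviated nmap -oX report.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.80">
  <host>
    <status state="up"/>
    <address addr="10.196.205.130" addrtype="ipv4"/>
    <hostnames><hostname name="www.exampledomain.com" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="2222"><state state="open"/><service name="EtherNetIP-1"/></port>
      <port protocol="tcp" portid="3306"><state state="closed"/><service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class Service:
    """Normalized record shared by both plugin types (layout assumed for this example)."""
    host: str
    hostname: str
    port: int
    protocol: str
    state: str
    name: str


_REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
_PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_console(text):
    """Console-plugin side: interpret nmap's normal (stdout) output line by line."""
    services = []
    host = hostname = None
    for line in text.splitlines():
        m = _REPORT_RE.match(line)
        if m:
            # Either "scan report for name (ip)" or "scan report for ip"
            hostname, host = (m.group(1), m.group(2)) if m.group(2) else ("", m.group(1))
            continue
        m = _PORT_RE.match(line)
        if m and host:
            services.append(Service(host, hostname, int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return services


def parse_xml_report(xml_text):
    """Report-plugin side: import an nmap -oX artifact.

    For report files from untrusted sources, parse with defusedxml instead;
    ElementTree is used here to keep the example standard-library only.
    """
    root = ET.fromstring(xml_text)
    services = []
    for h in root.iter("host"):
        addr = h.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        hn = h.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        for p in h.iter("port"):
            svc = p.find("service")
            name = svc.get("name", "") if svc is not None else ""
            services.append(Service(addr.get("addr"), hostname, int(p.get("portid")),
                                    p.get("protocol"), p.find("state").get("state"), name))
    return services


def normalize(*sources):
    """Merge records from several plugins, deduplicating on (host, port, protocol)."""
    seen = {}
    for services in sources:
        for s in services:
            seen.setdefault((s.host, s.port, s.protocol), s)
    return sorted(seen.values(), key=lambda s: (s.host, s.protocol, s.port))


def open_services(services):
    """Keep only services nmap reported as open."""
    return [s for s in services if s.state == "open"]


if __name__ == "__main__":
    for s in normalize(parse_console(SAMPLE_CONSOLE), parse_xml_report(SAMPLE_XML)):
        print(asdict(s))
```

Feeding both parsers into `normalize` yields the four services once, not eight, which is the property a workspace relies on when the same host is scanned by several tools or imported more than once.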
Faraday was built from within the security community, to make vulnerability management easier and enhance our work. What IDEs are to programming, Faraday is to pentesting.
Offensive security has two difficult tasks: designing smart ways of getting new information, and keeping track of findings to improve further work.
This new update brings: new scanning, reporting and UI experience.
Get your work organized and focus on what you do best. With Faraday Community, you may focus on pentesting while we help you with the rest.
Check out the documentation here.
Manage, classify and triage your results through Faraday's dashboard, designed with and for pentesters.
Get an overview of your vulnerabilities and ease your work.
By right clicking on any vulnerability, you may filter, tag and classify your results with ease. You may also add comments to vulnerabilities and add evidence with just a few clicks
In the asset tab, information on each asset is presented, for a detailed follow-up on every device in your network. This insight might be especially useful if you hold critical data on certain assets, so the impact of vulnerabilities may be assessed through this information. If responsibilities over each asset are clear, this view helps to organize and follow the work of asset owners too.
Here, you can obtain information about the OS, services, ports and vulnerabilities associated with each of your assets, which will give you a better understanding of your scope and help you to gain an overview of what you are assessing.
Integrate scanners with Faraday Agents Dispatcher. This feature allows you to orchestrate the most commonly used security tools and have everything available from your Faraday instance. Once your scan is finished, you will be able to see all the results in the main dashboard.
Choose the scanners that best fit your needs.
Once you're done, export your results in CSV format.
Check out some of our features
With Faraday, you may oversee your cybersecurity efforts, prioritize actions and manage your resources from a single platform.
Make sense of today's overwhelming number of tools. Faraday's technology aligns 80+ key plugins with your current needs, normalizing and deduplicating vulnerabilities.
Save time by automating pivotal steps of Vulnerability Management. Scan, create reports, and schedule pipelines of custom actions, all following your requirements.
Faraday's intuitive dashboard guides teams through vulnerability management with ease. Scan, analyze, automate, tag, and prioritize, each with just a few clicks.
Get full visibility of your security posture in real-time. Advanced filters, navigation, and analytics help you strategize and focus your work.
Coordinate efforts by sending tickets to Jira, Gitlab, and ServiceNow directly from Faraday.
Manage your security team with Faraday planner. Keep up by communicating with your peers and receiving notifications.
Get your work organized on the run when pentesting with Faraday CLI.
We believe in the power of teams; most of our integrations and core technologies are open source, allowing any team to build custom implementations and integrations.
For more information check out our website www.faradaysec.com