Careful Who You Trust: Compromising P2P Cameras at Scale
Year after year, the number of smart devices on home networks continues to grow, causing IoT companies to use existing frameworks for easier and more rapid development. But what happens when the framework used by nearly 100 million smart IoT devices is vulnerable? In this presentation, we will first share original research into the Kalay Platform, a peer-to-peer (P2P) protocol and network used to connect smart camera models from all over the world. We will discuss the process used to understand the P2P protocol and how we built a test library for decoding and manipulating network traffic. We will demonstrate vulnerabilities in the P2P protocol itself that left tens of millions of smart devices vulnerable to further attacks. Taking it a step further, we will share novel research performed into several different smart camera models. In these case studies, we will combine the above P2P vulnerabilities with device-specific vulnerabilities to achieve remote code execution. We will showcase a variety of scenarios from remotely accessing camera data to full device takeover. Topics covered will include hardware and physical attacks, mobile app and smart device analysis, and analysis of the Kalay Platform.
Erik, Jake and Dillon have a combined total of twenty years of practical security experience and specialize in breaking mobile apps, embedded devices, and web services at Mandiant. Together, they’ve developed a hands-on mobile application training course and have responsibly disclosed vulnerabilities to dozens of vendors including Telsa, Google, Motorola, Pulse Secure, and Qualcomm. All three are based in San Francisco, CA, and collaborated on smart camera research in 2020 and 2021. The team enjoys solving complex problems and sharing the outcome with the community to both increase awareness and inspire people around them to express their creativity through hacking.