title | image | date | description | categories | draft
---|---|---|---|---|---
Cheap Camera, Expensive Risk: Hacking an IoT PTZ Camera | images/blog/blog-8.jpg | 2025-05-30 00:00:00 +0000 UTC | What happens when you mix a €22.95 PTZ camera, physical access, and bad defaults? A practical look at hardware abuse in consumer IoT. | | false
When you pay €22.95 for a pan-tilt-zoom security camera, you’re not buying enterprise-grade security. But what if you’re also buying root access through an SD card?
This post documents a hands-on assessment of the LSC SMART PTZ Camera (Model IPC167), a low-cost, Tuya-based IoT device sold at Action. While it ticks many boxes on paper (TLS, OTA updates, encrypted storage), physical access opens a completely different chapter.
Triggering Debug Mode with a MicroSD Card
Under normal operation, the camera exposes a single LAN control port and requires authentication. But the real surprise lies in how it reacts to external media.
Insert a specially crafted SD card containing certain files, and the device silently enables Telnet and FTP services at boot, with root access using credentials from the card. No prompt. No warning. The system trusts the card implicitly.
This is intended for factory debugging, but it still exists in the retail device, and there are no warnings in the user manual. Once active, Telnet gives full shell access with UID 0. All processes run as root. It’s not just insecure, it’s reckless.
UART Interface: Disabled Login, But Still There
A quick teardown revealed a UART interface on the PCB. While login is currently disabled, its presence adds another attack vector. UART could enable firmware dumping, memory access, or even re-enabling local shells in earlier firmware revisions.
Combined with the SD card behavior, it paints a clear picture: if you can touch the device, you own it.
What Could Go Wrong?
Plenty. With root access via SD card, you can:
- Replace binaries or inject backdoors.
- Extract credentials, keys, or tokens stored in the SQLite database.
- Modify the video stream, disable motion detection, or proxy footage.
- Use the device as a pivot point in a local network attack.
All of this without triggering any alarms, logs, or user notifications.
But It Encrypts Traffic?
Yes. MQTT over TLS for telemetry. Encrypted UDP for video. Encrypted SQLite storage. From a remote attacker’s perspective, it looks secure.
But physical access breaks the whole model. And physical attacks are not just theoretical, especially for devices placed outdoors or in public environments.
What Can Be Done?
Fixing this requires more than software updates. It’s about rethinking assumptions.
- Factory debug hooks should be disabled or removed before shipment.
- Bootloaders should verify signatures, not blindly trust SD cards.
- Telnet should never be enabled automatically, ever.
- Sensitive functions should not run as root unless absolutely required.
Until then, buyers are getting more than they bargained for.
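Because the device itself raises no alert, an owner can watch for the symptom from the network side. The script below is an added example, not code from the original assessment: it compares a camera's TCP listeners with its normal single-port baseline and flags Telnet or FTP appearing. It assumes the debug services use their standard ports (23 and 21); the control port is passed in by the user because its number is device-specific.

```python
import socket
import sys

# Assumption: the debug services listen on their standard ports.
DEBUG_SERVICES = {21: "FTP", 23: "Telnet"}


def is_listening(host, port, timeout=1.0):
    """Return True if a TCP connect to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_camera(host, allowed_ports, debug_services=DEBUG_SERVICES, timeout=1.0):
    """Compare a camera's listeners with its known-good baseline.

    allowed_ports: ports the device exposes in normal operation
    (the single LAN control port; supply the number for your device).
    Returns a list of (port, severity, message) findings.
    """
    findings = []
    # A debug service answering outside the baseline is the key signal.
    for port, name in sorted(debug_services.items()):
        if port not in allowed_ports and is_listening(host, port, timeout):
            findings.append((port, "critical",
                             f"{name} is listening: debug mode may be active"))
    # A missing baseline port means the device is offline or was altered.
    for port in sorted(allowed_ports):
        if not is_listening(host, port, timeout):
            findings.append((port, "warning",
                             "baseline port closed: device offline or altered"))
    return findings


if __name__ == "__main__":
    # Usage: audit_camera.py <camera-ip> <control-port>
    host, control_port = sys.argv[1], int(sys.argv[2])
    results = audit_camera(host, {control_port})
    for port, severity, message in results:
        print(f"{host}:{port} [{severity}] {message}")
    # Non-zero exit lets cron or a monitoring job alert on critical findings.
    sys.exit(1 if any(sev == "critical" for _, sev, _ in results) else 0)
```

Run it on a schedule against each camera's address; a critical finding after a reboot is worth a physical inspection of the SD slot.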
Final Thoughts
This was a cheap camera. It delivered on video quality and mobile app UX. But under the surface, it’s a wide-open platform for attackers with a screwdriver and a microSD card.
If you’re building IoT gear: assume physical access and plan for it. If you’re buying IoT gear: assume nothing until you’ve torn it apart.
Security is more than encryption and TLS. It’s what happens when someone walks up, pops the back cover, and flips the whole threat model on its head.