IoT Hack – Litmor Capsule

Litmor Capsule is a project that started on Kickstarter back in June of 2018, when the concept was first introduced. The project had 199 backers, bringing in around $49,000 in cash.
You must be on the local network of the camera in order to communicate with it. This is not a hack where somebody can blindly take over the camera without having access to your network either by a cable, or by hacking the wireless password first.
Fix Update 12/2018:
Hi, this is Vicco from the Litmor team. We have read your article and strengthened our security system in Dec 2018. Most bugs have been fixed also. Now we keep developing our security system to make it safer. People cannot use the way in this article to hack our system.
Specifications:
Litmor Capsule: A.I. 180° Security Camera and Floodlight
・180-degree field of view
・24/7 video recording with 2K HDR
・2400-Lumen brightness
・Full-color night vision
・110dB Siren/Alarm
・Human Recognition (A.I.)
Review:
Bugs, Bugs, and more Bugs.
Camera overall is OK when it’s working. The siren is very low and not very scary. There’s a background noise in the audio that sounds like a persistent chattering of crickets. It’s fuzzy and that may be due to latency on my 2.5GHz network from its location. I don’t know why though because my phone gets 50mb down and 5mbps up with minimal jitter at around 20ms back to the gateway. The camera seems to have big delays over 100ms at times, then promptly retreats back down low. I’m using a $250 ASUS CM-35 (AC2600) modem that’s a hundred or so feet away inside of the house.

Hacking the Camera:
As far as hacking the camera it didn’t take very long at all. I’m somewhat embarrassed to show these ‘tactics’ as they’re reminiscent of hacking for script kiddies. My intuition led me to try the FTP vector with admin/blank and I was immediately granted access to various parts of the file system. No brainer, really… Anyhow, I’ll reconstruct how I pulled that off.
An Nmap scan shows the device is running tcp/21 (FTP) and tcp/23 (Telnet) on a Linux system with BusyBox 1.22.1 (Dec-2016).
Accessing the FTP server shows ‘admin’ does not have a password on the first try. This is pathetic and almost unheard of in this day and age. A blank password?

This user has read permissions to many of the directories in the file-system. Let’s grab the /etc/passwd file to see what happens.

After grabbing the

We load up the user ‘


The root password cracked in 5 hours, 57 minutes, and 12 seconds. I had a request in with crack.sh just in case I couldn’t come up with the password using an incremental brute force mode.
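
The weakness described above (an account with a blank password, and a root hash that any FTP user can read from /etc/passwd) is something a vendor or buyer can check for in a firmware root filesystem before shipping. The following audit is an added example, not code from the original post or from Litmor. The post does not say which hash scheme the camera used, so the sample entries and hash strings are constructed, and the function names are hypothetical.

```python
import re

# Prefixes from crypt(5); a bare 13-character field is traditional DES crypt.
SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
           "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$y$": "yescrypt"}
WEAK = {"descrypt", "md5crypt"}  # fast legacy schemes, cheap to brute-force
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Constructed sample, not taken from the camera; the hash strings are fake.
SAMPLE = """\
root:ab0123456789A:0:0:root:/root:/bin/sh
admin::500:500:admin:/home:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
support:$1$example$AAAAAAAAAAAAAAAAAAAAAA:0:0::/root:/bin/sh
"""

def classify(field):
    """Describe what the password field (2nd column) of a passwd entry holds."""
    if field == "":
        return "empty"
    if field == "x" or field[0] in "!*":
        return "shadowed-or-locked"
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "descrypt" if DES_RE.match(field) else "unknown"

def audit(passwd_text):
    """Return (user, finding) pairs for entries that expose credentials."""
    findings = []
    for line in passwd_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 7:
            continue  # blank or malformed line
        user, pw, uid = parts[0], parts[1], parts[2]
        kind = classify(pw)
        if kind == "empty":
            findings.append((user, "empty password"))
        elif kind != "shadowed-or-locked":
            findings.append((user, f"{kind} hash readable in passwd"))
            if kind in WEAK:
                findings.append((user, f"{kind} is a fast legacy scheme"))
        if uid == "0" and user != "root":
            findings.append((user, "extra UID 0 account"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")
```

Any finding here means the hash should move to a root-only /etc/shadow with a slow scheme, and the FTP and Telnet services that expose the file should be disabled or restricted.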


A bit more fun is exploring all of the various code, modules and inner workings of the camera. As of today I’m still developing this story…


