IOT Hack – Litmor Capsule
Litmor Capsule is a project started on Kickstarter started back in June of 2017 when the concept was first introduced. There were 199 backers of the project bringing in around $49,000 in cash. As is common with many of today’s IOT devices the capsule comes directly from Hong Kong – the capital of the Internet Of Trash (or buggy devices) for that matter.
**Note: You must be on the local network of the camera in order to communicate with it. This is not a hack where somebody can blindly take over the camera without having access to your network either by a
Litmor Capsule: A.I. 180° Security Camera and Floodlight
・180-degree field of view
・24/7 video recording with 2K HDR
・Full-color night vision
・Human Recognition (A.I.)
Bugs, Bugs, and more Bugs.
Camera overall is OK when it’s working. The siren is very low and not very scary. There’s a background noise in the audio that sounds like a persistent chattering of crickets. It’s fuzzy and that may be due to latency on my 2.5ghz network from its location. I don’t know why though because my phone get’s 50mb down and 5mbps up with minimal jitter at around 20ms back to the gateway. The camera seems to have big delays over 100ms at times, then promptly retreats to back down low. I’m using a $250 ASUS CM-35 (AC2600) modem that’s a hundred or so feet away inside of the house.
Hacking the Camera:
As far as hacking the camera it didn’t take very long at all. I’m somewhat embarrassed to show these ‘tactics’ as they’re reminiscent of hacking for script kiddies. My intuition led me to try the FTP vector with admin/blank and I was immediately granted access to various parts of the file system. No brainer, really… Anyhow, I’ll reconstruct how I pulled that off.
Nmap scan shows the device is running tcp/21 (FTP), and tcp/23 (Telnet) on a Linux system called BusyBox 1.22.1 (Dec-2016).
Accessing the FTP server shows ‘admin‘ does not have a password on the first try. This is pathetic and almost unheard of in this day and age. A blank password?
This user has read permissions to many of the directories in the file-system. Let’s grab the /etc/passwd file to see what happens.
After grabbing the
We load up the user ‘
The root password cracked in 5 hours, 57 minutes, and 12 seconds. I had a request in with crack.sh just in-case I couldn’t come up with the password using an incremental brute force mode.
A bit more fun is exploring all of the various code, modules and inner workings of the camera. As of today I’m still developing this story…