
IOT Hack – Litmor Capsule

Posted on December 5, 2018, updated April 1, 2019, by Infostruction

Litmor Capsule is a Kickstarter project that started back in June of 2018, when the concept was first introduced. There were 199 backers of the project, bringing in around $49,000 in cash.

You must be on the local network of the camera in order to communicate with it. This is not a hack where somebody can blindly take over the camera without having access to your network either by a cable, or by hacking the wireless password first.


Fix Update 12/2018:
Hi, this is Vicco from Litmor team. We have read your article and strengthened our security system in Dec 2018. Most bugs have been fixed also. Now we keep developing our security system to make it safer. People cannot use the way in this article to hack our system.

Specifications:

Litmor Capsule: A.I. 180° Security Camera and Floodlight

・180-degree field of view 
・24/7 video recording with 2K HDR 
・2400-Lumen brightness 
・Full-color night vision
・110dB Siren/Alarm
・Human Recognition (A.I.)

Review: 

Bugs, Bugs, and more Bugs. App is very unstable on Android v8, v9, and iPad on iOS. There are too many issues to list at this point. Releases are frequent but some of the major crashing issues persist. In many windows, there are Chinese characters and some of the settings won’t apply properly. Despite marketing itself as having 99% A.I. detection it’s had many false positives in my testing.

Camera overall is OK when it’s working. The siren is very low and not very scary. There’s a background noise in the audio that sounds like a persistent chattering of crickets. It’s fuzzy and that may be due to latency on my 2.5 GHz network from its location. I don’t know why though because my phone gets 50mb down and 5mbps up with minimal jitter at around 20ms back to the gateway. The camera seems to have big delays over 100ms at times, then promptly retreats back down low. I’m using a $250 ASUS CM-35 (AC2600) modem that’s a hundred or so feet away inside of the house.

Hacking the Camera:

As far as hacking the camera it didn’t take very long at all. I’m somewhat embarrassed to show these ‘tactics’ as they’re reminiscent of hacking for script kiddies. My intuition led me to try the FTP vector with admin/blank and I was immediately granted access to various parts of the file system. No brainer, really… Anyhow, I’ll reconstruct how I pulled that off.

An Nmap scan shows the device is running tcp/21 (FTP) and tcp/23 (Telnet) on an embedded Linux system with BusyBox 1.22.1 (Dec-2016). Nmap predicts the kernel to be 3.2 – 3.16. At this point, there’s no web interface and I don’t quite know if the app on the phone talks to the device – but it doesn’t appear that it does. No ports are open to facilitate the client/server communication with a mobile device. If I block the camera from the internet it seems to break the app right away – giving me no access into controlling it. Fair to say the device is being controlled by the cloud or at least interfaces with Litmor to get access to the device over a WAN.

Accessing the FTP server shows ‘admin‘ does not have a password on the first try. This is pathetic and almost unheard of in this day and age. A blank password?


This user has read permissions to many of the directories in the file-system. Let’s grab the /etc/passwd file to see what happens.

After grabbing the passwd file we find that it contains DES 128 hashed passwords. There’s no shadow file on this embedded Linux and it looks like we can pull it right off with FTP. I downloaded anything else I could read that was interesting as well. One of the files has my wireless password in cleartext.

We load up the user ‘vatics‘ in John the Ripper and break the password 1 hour and 51 minutes later on a core i7-8700K CPU running at 18-20k keys/sec. Password for this user was ‘mpeg4soc’ and if it had not been trivial (randomized) it could’ve taken up to the year 2031 to crack on this machine. 

The root password cracked in 5 hours, 57 minutes, and 12 seconds. I had a request in with crack.sh just in case I couldn’t come up with the password using an incremental brute force mode.
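For anyone reviewing firmware before it ships, the two findings above (password hashes sitting in a readable /etc/passwd with no shadow file, and a legacy crypt scheme that fell within hours) can be caught with a simple audit of the passwd file from an extracted image. The Python below is an added example, not code from the original post or from Litmor; the sample file is constructed, its hash strings are placeholders, and only the account names echo the article.

```python
import re

# Constructed sample in /etc/passwd format. Account names echo the article; the
# hash strings are made-up placeholders, not values taken from the camera.
SAMPLE_PASSWD = """\
root:aaPLACEHOLDR1:0:0:root:/root:/bin/sh
vatics:bbPLACEHOLDR2:1000:1000::/home:/bin/sh
admin::500:500::/mnt:/bin/sh
svc:$6$saltsalt$placeholderhash:501:501::/:/bin/sh
daemon:x:1:1::/:/bin/false
"""

DES_RE = re.compile(r"[./0-9A-Za-z]{13}")  # traditional crypt: 2 salt + 11 hash chars
MODULAR = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WEAK = {"descrypt", "md5crypt"}  # legacy schemes, cheap to brute-force offline

def classify(field):
    """Name the scheme used in the password field of a passwd entry."""
    if field == "":
        return "empty"
    if field == "x":
        return "shadowed"      # real hash lives in the root-only shadow file
    if field[0] in "*!":
        return "locked"
    if field.startswith("$"):
        return MODULAR.get(field.split("$")[1], "unknown")
    return "descrypt" if DES_RE.fullmatch(field) else "unknown"

def audit_passwd(text):
    """Return {user: [findings]} for entries with an exposed or missing password."""
    report = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue           # skip blank or malformed lines
        user, scheme = parts[0], classify(parts[1])
        findings = []
        if scheme == "empty":
            findings.append("empty password field: no credential required")
        elif scheme not in ("shadowed", "locked"):
            findings.append(f"{scheme} hash in passwd, readable by any account")
            if scheme in WEAK:
                findings.append(f"{scheme} is a legacy scheme, cheap to brute-force")
        if findings:
            report[user] = findings
    return report

print(audit_passwd(SAMPLE_PASSWD))
```

Entries that show `x` or a locked marker are skipped, so a clean report means every hash has been moved out of the world-readable file.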

Who’s your daddy? 

A bit more fun is exploring all of the various code, modules and inner workings of the camera. As of today I’m still developing this story…

A view of a file that contains my test wireless password in a clear text file on the computer.
Device has an M388C CPU
