IOT Hack – Litmor Capsule

Litmor Capsule is a project started on Kickstarter started back in June of 2017 when the concept was first introduced. There were 199 backers of the project bringing in around $49,000 in cash. As is common with many of today’s IOT devices the capsule comes directly from Hong Kong – the capital of the Internet Of Trash (or buggy devices) for that matter.

**Note: You must be on the local network of the camera in order to communicate with it. This is not a hack where somebody can blindly take over the camera without having access to your network either by a cable, or by hacking the wireless password first. Another possibility is if they had remote access via a trojan to a machine on the network. This blog is still under development.

Specifications:

Litmor Capsule: A.I. 180° Security Camera and Floodlight

・180-degree field of view 
・24/7 video recording with 2K HDR 
・2400-Lumen brightness 
・Full-color night vision
・110dB Siren/Alarm
・Human Recognition (A.I.)

Review: 

Bugs, Bugs, and more Bugs. App is very unstable on Android v8, v9, and iPAD on IOS. There are too many issues to list at this point. Releases are frequent but some of the major crashing issues persist. In many windows, there are Chinese characters and some of the settings won’t apply properly. Despite marketing itself as having 99% A.I. detection it’s had many false positives in my testing.

Camera overall is OK when it’s working. The siren is very low and not very scary. There’s a background noise in the audio that sounds like a persistent chattering of crickets. It’s fuzzy and that may be due to latency on my 2.5ghz network from its location. I don’t know why though because my phone get’s 50mb down and 5mbps up with minimal jitter at around 20ms back to the gateway. The camera seems to have big delays over 100ms at times, then promptly retreats to back down low. I’m using a $250 ASUS CM-35 (AC2600) modem that’s a hundred or so feet away inside of the house.

Hacking the Camera:

As far as hacking the camera it didn’t take very long at all. I’m somewhat embarrassed to show these ‘tactics’ as they’re reminiscent of hacking for script kiddies. My intuition led me to try the FTP vector with admin/blank and I was immediately granted access to various parts of the file system. No brainer, really… Anyhow, I’ll reconstruct how I pulled that off.

Nmap scan shows the device is running tcp/21 (FTP), and tcp/23 (Telnet) on a Linux system called BusyBox 1.22.1 (Dec-2016). Kernel is predicted to be 3.2 – 3.16 by nmap. At this point, there’s no web interface and I don’t quite know if the app on the phone talks to the device – but it doesn’t appear that it does. No ports are open to facilitate the client/server communication with a mobile device. If I block the camera from the internet it seems to break the app right away – giving me no access into controlling it. Fair to say the device is being controlled by the cloud or at least interfaces with Litmor to get access to the device over a WAN.

Accessing the FTP server shows ‘admin‘ does not have a password on the first try. This is pathetic and almost unheard of in this day and age. A blank password?

This user has read permissions to many of the directories in the file-system. Let’s grab the /etc/passwd file to see what happens.

After grabbing the passwd file we find that it contains DES 128 hashed passwords. There’s no shadow file on this embedded Linux and it looks like we can pull it right off with FTP. I downloaded anything else I could read that was interesting as well. One of the files has my wireless password in cleartext.

We load up the user ‘vatics‘ in John the Ripper and break the password 1 hour and 51 minutes later on a core i7-8700K CPU running at 18-20k keys/sec. Password for this user was ‘mpeg4soc’ and if it had not been trivial (randomized) it could’ve taken up to the year 2031 to crack on this machine. 

The root password cracked in 5 hours, 57 minutes, and 12 seconds. I had a request in with crack.sh just in-case I couldn’t come up with the password using an incremental brute force mode.

A bit more fun is exploring all of the various code, modules and inner workings of the camera. As of today I’m still developing this story…