Continued Efforts Against the Kasa Cam
Our failed intrusion attempts on the TP-Link Kasa Cam last month did not discourage us. We chose to continue working with the same device, but from a different angle. Instead of trying to access the camera directly, we decided to try to intercept the packets that the camera is sharing with the router and execute a Man in the Middle attack.
Intrusion Plan B
A Man in the Middle attack is an attack that utilizes Address Resolution Protocol (ARP) spoofing to intercept packets between two hosts. The attacker sends out fake ARP packets to the target machine. This tricks it into thinking an attacker is a different machine on the victim’s network. Once the attacker establishes the connection, they can run a wide number of malicious attacks to ruin a network.
When establishing a plan of attack for the Kasa Cam, Zeek—or as it was formerly known, Bro—was our first choice. We tried to install it on our virtual machine but failed. We did, however, get an offer to use the Leahy Center’s “IoT Machine,” a computer running CentOS that has Bro installed. While working with Bro, we realized that the program’s complexity would take time to learn. The time it would take to understand its utility was more time than we had to work with, so we had to find a simpler alternative.
In our search for that simple alternative, one name that kept coming up was TCPDump. TCPDump is about as simple a packet viewer as one can get. It captures, displays, and analyzes packets all from the command line. It seemed to be the perfect packet sniffing tool, the right balance of complexity and depth, but there was one more option that was right under our noses.
Back to Wireshark
Wireshark, the tool that we used last month, showed its usefulness once again this month. It captured the same amount of information as TCPDump, but organized it far better. It made it easier to understand the parameters and purposes of individual packets.
Cracking the Camera: Intrusion Part 2
We implemented a Man in the Middle Attack by using the linux “$arpspoof” command found in the dsniff packet. This tricked the Kasa Cam into thinking our router was our laptop. We then intercepted the packets sent from the camera to the router. Our intrusion was a success. From here, we should have been able to analyze these packets and craft fake ones, but we could not find decrypted packets. Because they’re encrypted, we had no way of understanding the data that the packets represented.
None of our attempts to intrude upon it were successful. While this is frustrating for our team who have researched and attempted strategies to extract data from these devices and their network traffic, it means that the product’s customer base can rest assured that their camera data is hard to get for malicious users. Next, we will move on to other IoT devices to see if they are secure like the Kasa Cam. Check back next month for a new endeavor from the IoT Intrusion Team.
TP-Link Kasa Cam: Secure
Stay up to date with Twitter, Instagram, and Facebook by following @ChampForensics so you always know what we’re up to!