IP Cameras are the mainstream solution today for home surveillance. In a couple of decades, what was seen as a sophisticated technology for the security-critical environments has now become a commodity for those who want to add an extra layer of protection to their nest.
These cameras have the most thrilling features such as AI-powered human recognition, light flooding up to tens of meters and remote monitoring. In addition, the Wi-Fi Alliance has gone a long way to harden the security of the wireless communicating devices inside your home.
Strangely though, virtually no one is concerning about a rarely known and incredibly underestimated risk:the WPA2 DEAUTH attack. As we’ll see in this post, a deauth attack gives the possibility to any stranger out there to literally “block” the video stream and potentially take advantage of it.
Are New Cameras Secure?
Before becoming mainstream, IP cameras have gone through multiple architectures.
- In the late nineties, cameras were uncapable of streaming videos but were limited to taking snapshots. Thus, they were not suitable for surveillance
- Second generation IP cameras relied on a client-server architecture. The camera was acting as a server, while the final user would use a client, such as a surveillance monitor software on a PC to communicate with the camera.
This IP camera generation failed to gain momentum for not being Plug and Play. Configuration required some tweaking, specifically on home routers to enable port forwarding. By making a “small hole” in the firewall, client software could query the IPcam server from remote, thus enabling remote monitoring.
- Today Wi-Fi IPcams instead use a cloud-based architecture. By a quick configuration of the wireless settings, the IPcam connects to the internet and can stream the video to an outside server. Remote monitoring is again possible, but this time is the cloud storing your cam footage.
The leap from 2nd to the 3rd generation was perceived as a good improvement in terms of IoT security. In particular 2nd gen Client Server was making IPcams particularly vulnerable to remote attacks. A sophisticated cyberintruder could tamper with your IPcamera server to exploit an internal vulnerability a gain control of home hardware. Some very popular DDOS attacks in the last years was made possible
So, are we now safe? Not really..
Meet Deauth: the nasty guy preventing you to “talk”
As a security consultant, I’ve experienced many times how a Wi-Fi can be considered insecure, if you have ever heard of WPS Pixie Dust and KRACK you know how a WLAN can be insecure. Though I often ignored the Deauth attack.
The way it works is simple: once a wireless device connects to the Wi-Fi Access Point (often embedded in your router), communication is devised to be authenticated and confidential. Thus, not only you can be relatively confident that your data cannot be sniffed from the outside, but you can also be quite no external intruder is impersonating your WiFi home setup, thus gaining or manipulating your data.
Though, the Wi-Fi standard didn’t mandate anything in particular to prevent an external agent to disconnect your device, thus getting to effectively block your browser navigation.
This can already be deemed as a big nuisance, but if the device communicating to the cloud is the IPcam, the problem gets worse, as now all the real time video streaming is blocked. No video, no detection, no actual opportunity to intervene on a potential intruder. Security is breached.
Steps for the Deauth attack
Two tools will be used by an attacker to deliver an attack:
– Wireless adapter in Monitor Mode
– Aircrack-ng, an open source software used by Wi-Fi security analysts
First: monitor the lan
First step requires some setup on the Wi-Fi adapter. In particular, the board has to be set in monitor mode. This allows our PC to audit a wireless network without even needing to authenticate to it. Hence, it doesn’t take any password to “hear” someone else network.
Setup is done by this command below:
sudo airmon-ng start wlan0
Next, the attacker will need to know the access points. Again, aircrack-ng provides a way to view all the access points (e.g. wi-fi routers) around. One of them will be the one to which the ip camera connects to.
Second: airdump-ng wlan0mon
Once the access point is known, we still have to look for the MAC address of the Wi-Fi camera. Type the command look and have a look at the connected devices:
sudo airdump-ng wlan0mon -bssid mac –channel n_ch
Between them the attacker sees a name of a security camera manufacturer: enough to figure out this is the target he needs.
Third: Deauth flood
Now that the MAC addresses of home router and Wi-Fi camera are known, the intruder can start the Deauth flood attack.
sudo aireplay-ng –deauth 0 -c netatmo_mac -a ap_mac wlan0mon
A flood of deauth packets is sent to the access point to disconnect the Wi-Fi camera. As the security camera relies on Wi-Fi connection, video streaming gets blocked for an arbitrarily long amount of time.
There’s no special knowledge, no special equipment involved. A Deauth attack can make your surveillance camera useless.
What can be done against Deauth?
Security researchers are aware of this possible threat, that’s why they have come up with a few technical solutions. Bad news is, more often than not your home equipment won’t support them.
Management Frame Protection
The standard 802.11w have come up with a way to protect against deauth through management frames. These are conceived to provide authenticity to those packets that can be easilty spoofed. This standard is not widely adopted and will be probably supplanted by WPA3.
WPA3, the standard of IoT
Wi-Fi has come up with the 3rd generation of its standard. This has been done to become the mainstream solution for IoT devices, defending against all those security holes left by WPA2.
Early support for WPA3 has begun in December 2018, but it will take a few years before it will be mainstream. First implementations are indeed proving to be problematic and PC wi-fi adapters are still not ready for it.
Ethernet Canary, an open source Deauth solution by me
I’m currently working on a plug and play solution that relies on a wired connection that detects a Deauth attack on your Wi-Fi camera and notifies you through a custom channel.
Ethernet Canary is in testing phase, if you want to know more you can write to my email firstname.lastname@example.org or in the comments below. Keep your Wi-Fi camera safe guys!