Turning Camera Surveillance on its Axis
Noam Moshe, Claroty Research, Claroty Team82

$whoami
Noam Moshe
Vulnerability researcher & Team Lead at Claroty Team82 - mostly breaking IoT clouds.
Master of Pwn, Pwn2Own ICS 2023.

I want to hack Big Company Inc.
But how?
Searched for exposed services
Found an interesting service

What is the axis.remoting protocol?

Axis Cameras
IP camera
OS is Axis OS (custom Linux)
Download firmware from the Axis website
Managed via web interface
Configuration, camera feed.
Most companies have more than 1 camera

Axis Camera Station / Device Manager
Manages Axis cameras
Discovery, config, firmwares

Axis Camera Station / Device Manager
Live feed view and video recording

Axis Camera Station - How it's used
Axis Secure Remote Access (not Axis.Remoting)
Pro: Does not require exposing services to the internet
Con: pay-per-traffic - can be expensive
On-Prem installation (uses Axis.Remoting)
Pro: Free to use
Con: Need to expose services to the internet

On-Prem vs. Cloud versions
Axis Camera Station
Tons of orgs choose on-prem
Connect to their servers remotely
To stay secure - Axis implemented a secure protocol
Fully encrypted and authenticated binary protocol
What about remote access?

Axis Camera Station - On-Prem Connection
[Diagram: Axis Camera Station Clients connect over the WAN to the Big Company Inc. on-prem server; an attacker sits on the WAN]
Server controls cameras
6,000+ servers around the world!
[Diagram: WAN with Gov Agency, University and Big Company Inc. servers, and an attacker]

Let's Deep Dive!
Axis Camera Station / Device Manager
Windows .NET applications
Client and server
Uses Axis.Remoting protocol
Wrapped in mTLS
Requires authentication
Windows Host/Domain Credentials

Let's Unwrap the protocol!
MiTM the Connection with mTLS
[Diagram: MiTM between Axis Camera Station and Axis Camera Station Clients]
Us