A lot of IP cams are not installed correctly, leaking data or just not covering the area as they should. BUT here in Europe it DO give a lot of people a feeling of safety that is sometimes worth a lot.

But things changed recently with the embedded system evolution and IP based service expansion. The family system starts to take in-bound connection to handle requests. Typical application for such in-bound connection can be found in P2P games, VIOP and IP video surveillance.

Take IP video surveillance as example, a web server running in an embedded device and server the in-coming request for real time video, snapshot, recorded images or administration tasks. Service is supposed to be more vulnerable than non service application because it will open more ports and take in information from outside, which can be malicious.

An embedded device running open service such as ftp, web deployed in family environment can impose great security threat on regular family users. The reasons can be briefly summed as following:

1. Family system is the least protected end point in the WWWW world. No professional system admin, no commercial grade firewall, no password and security policy.
2. Family users are regulars users without much knowledge how to protect their network, and how to detect the attack.
3. Most services running in embedded system are implemented loosely without security in the first place
4. For an embedded system, the end to end connection channel protection is impossible. The standard SSL just does not work for embedded system, the reason for that is no one won’t pay and update certificate after the device is shipped.

No matter how an IP camera brag its security feature, it can be very easily to be tampered if somebody really want to, because if there is no protection in the whole transportation channel, the device is regarded no protection. Same for other embedded device with open services running.

However, the security flaw for embedded is not really this significant as it sounds. The reason is the limited ability for an embedded system, because a tampered embedded system won’t be harmful as a desktop system.

This system is often used to switch lights, open the garage door and control the alarm system.

The interesting part is that there are transmitters available, that can be used via serial port (including setting both codes). Nice for a simple brute-force attack like this (even if you don’t have a reciever):
As this isn’t a 24 bit “code” but rather two codes that can be set independent, a user will most likely set the house code to some random number and start the device numbers with 0 or 1. So all you have to try is really a 16 bit code and very few variations of the device number at first (which could amount to a 19 bit code). This effectively means you can use a laptop to brute-force the house code and THEN iterate over all devices.

Now, let’s assume that there are very few FS20 systems in the vicinity of the target (or none at all). It is therefore reasonable to assume that - given the non-existence of neighborhood interference - the owner will leave the house code on its (documented) default and only iterate over the device numbers. This amounts to only 256 possibilities.

Now, given the goal to disable the alarm and enter through the garage, an attacker would have to transmit a few thousand sequences at most, if the exact type of the used systems (and therefore the command required) isn’r known and the commands are not standardized inbetween devices of different manufacturers.

There is even the problem of a possible master key (may be manufacturer dependend), to bypass normal “security” in case the original remote controll is lost or broken. In this case, only very few commands need to be sent.

All in all, circumventing this systems could be done with a simple (original) transmitter module, a microcontroller and a case to make all parts into a small handheld device, that could possible open the garage door and disable the alarm in a matter of seconds.