Short security overview of the Escam G02

Some months ago I purchased an Escam G02 from Banggood for approx. 18€.

Some days after that, Pierre Kim released a paper which showed horrible security flaws in millions of WiFi webcams. Of course, after reading this I asked myself whether the Escam G02 is also affected.

After getting the cam I started digging. Please keep in mind that I am no pro security researcher, but I think I dug deep enough.

Web Interface Security

The web interface looks horrible and is „secured“ by the standard admin/admin combo, but the rest looks okay. It does not feature TLS. Almost everything is controlled by a CGI script called params.cgi. I was not able to find any problems with that, but who knows. The WebIF uses Basic auth, and the password is only base64-encoded, so a MitM could easily retrieve the credentials. If you really want to expose the WebIF to the internet, you should change all passwords (yep, there is more than one for the admin) and put the cam behind an SSL proxy.
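To make the Basic auth point concrete, here is an added example (not code from the camera or from this post) that audits one captured HTTP request and reports what an on-path observer learns from it. The sample request, its host address and the function name `basic_auth_findings` are constructed for illustration.

```python
import base64
import binascii

DEFAULT_PAIRS = {("admin", "admin")}  # the factory login named in the post

# Constructed sample request as seen on the wire over plain HTTP.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: 192.168.1.50\r\n"  # assumption: camera's LAN address
    b"Authorization: Basic " + base64.b64encode(b"admin:admin") + b"\r\n"
    b"\r\n"
)


def basic_auth_findings(raw_request, over_tls=False):
    """Return a list of findings for one HTTP request's Basic auth header."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    findings = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            continue
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
            user, sep, password = decoded.decode("utf-8").partition(":")
        except (binascii.Error, ValueError):
            findings.append("malformed Basic token")
            continue
        if not sep:                              # no "user:password" separator
            findings.append("malformed Basic token")
            continue
        if not over_tls:
            # base64 is an encoding, not encryption: anyone on the path can undo it
            findings.append(f"credentials for {user!r} readable in transit")
        if (user, password) in DEFAULT_PAIRS:
            findings.append("factory default login still in use")
    return findings


if __name__ == "__main__":
    for finding in basic_auth_findings(SAMPLE_REQUEST):
        print(finding)
```

With a TLS-terminating proxy in front of the camera and a changed password, the same request produces no findings.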

Open Ports

Now it's time to see which ports are open on this device. Open Telnet would be the worst case, but don't worry, I haven't found that. There are 4 ports open: 80 (WebIF), 554 (RTSP), 1935 (RTMP) and 8080 (ONVIF). No more open ports to find.

Serial Debug port

I thought maybe I could get shell access by finding a serial debug port. There really is one, labeled J3 on the PCB. Pin 1 is TX, pin 2 is ground; I couldn't figure out where RX was. The port uses standard 115200 baud 8N1. No matter what I tried, I was not able to stop the automatic boot.

Here is a boot log if someone is interested:

Cloud Server

A bigger problem for me is the cloud service, aka P2P service, which lets you use the camera with the CamHi app. This protocol uses UDP hole punching to convert your firewall into Swiss cheese. If deactivated, the cam does not contact any servers, but then you also can't use the CamHi app. Fortunately this cam does not send all its config data to the server like the cams that Pierre Kim examined. The cam contacts these servers if you activate the P2P feature:

TCP:
47.91.149.233 (Alibaba use for FW Upgrades which do not use TLS 😉 )

UDP:
52.221.1.159 (Amazon Singapore)
123.56.143.156 (Alibaba)
52.8.0.180 (Amazon EC2)

I have not yet checked what the app transmits; if someone is interested I could do it in the future. Do yourself a favor and disable that feature, and maybe also think about disabling DHCP and giving the cam a false gateway address so it cannot phone home.
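To verify that the camera really stays quiet after disabling P2P, the router's firewall log can be checked for traffic from the camera to anything outside the LAN. The following is an added example, not part of the original post: the camera address, the LAN range, the log format (iptables LOG style) and all ports in the sample lines are assumptions, and only the four server addresses come from the list above.

```python
import ipaddress
import re

# Endpoints listed in the post (contacted when the P2P feature is on).
KNOWN_ENDPOINTS = {
    "47.91.149.233": "Alibaba, firmware upgrades without TLS",
    "52.221.1.159": "Amazon Singapore",
    "123.56.143.156": "Alibaba",
    "52.8.0.180": "Amazon EC2",
}
CAMERA_IP = "192.168.1.50"                    # assumption: camera's static address
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: local network

# Constructed sample lines in iptables LOG style; all ports are made up.
SAMPLE_LOG = """\
CAM IN=br0 OUT=eth0 SRC=192.168.1.50 DST=47.91.149.233 PROTO=TCP SPT=40112 DPT=80
CAM IN=br0 OUT=eth0 SRC=192.168.1.50 DST=52.221.1.159 PROTO=UDP SPT=20480 DPT=10000
CAM IN=br0 OUT=br0 SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP SPT=554 DPT=51000
CAM IN=br0 OUT=eth0 SRC=192.168.1.23 DST=52.8.0.180 PROTO=UDP SPT=5000 DPT=10000
CAM IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.9 PROTO=UDP SPT=20480 DPT=123
CAM IN=br0 OUT=eth0 SRC=192.168.1.50 DST=not-an-ip PROTO=UDP
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def camera_egress(log_text, camera_ip=CAMERA_IP, lan=LAN):
    """Return (dst, proto, dport, label) for camera packets leaving the LAN."""
    findings = []
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("SRC") != camera_ip:
            continue
        try:
            dst = ipaddress.ip_address(fields.get("DST", ""))
        except ValueError:
            continue  # malformed or truncated line
        if dst in lan:
            continue  # local viewing (RTSP, WebIF) is expected
        label = KNOWN_ENDPOINTS.get(str(dst), "unlisted destination")
        findings.append((str(dst), fields.get("PROTO", "?"),
                         fields.get("DPT", "?"), label))
    return findings


if __name__ == "__main__":
    for hit in camera_egress(SAMPLE_LOG):
        print(*hit)
```

An empty result over a day of logs means the camera is not phoning home; any hit, listed or not, means the block rule or the P2P setting is not doing what you expect.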

Conclusion

For 18€ the cam is okay and not a complete security mess. Okay, I cannot understand why it is not possible to use TLS for software updates and the WebIF, but at least there is no open Telnet or vulnerable FTP scripts.

If you only use the cam in your LAN through a VPN and disable the P2P feature, you are good to go. If you are more paranoid, block the cam from the internet with your firewall.

2 thoughts on “Short security overview of the Escam G02”

  1. Dear Björn,

    I have purchased a similar cam, from 7Links (pearl.de). The pinout of the debug port seems to be the same, yet I was able to find RX on pin 3. You can log in using the account „default“, with no password. Then you can edit one of the scripts in the /mnt/mtd/ipc folder which is run by the camera binary with root privileges. Use it for example to re-write /etc/shadow to set a new root password (use echo „blabla“ > /etc/shadow) – et voila, the cam is yours.

    There is even a simpler way to gain access, though: Using the username and password for the web interface open the http:///cgi-bin/ht3510/printscreenrequest.cgi page. Telnet is now enabled for the current session. To permanently enable telnet you can edit /mnt/mtd/ipc/conf/config_debug.ini and set the parameter to 1.

    Btw.. if you do not like vi as an editor you can use ftpput and ftpget to upload and download files from/to the camera. That way, you can use your favorite text editor.

    Best,
    Tobi

  2. Hi there!

    I have a couple of ESCAM G02 and this post is very useful for me. Thanks Björn and Tobias for this information.

    Also, I have a mystery to resolve which gives me a headache: I’ve been poking around the firmware and I just can’t find how the camera plays the sounds when you are configuring its wifi. I guess it’s something called „PlayNotificationSound“ but I can’t find where. Perhaps this thing is hidden inside a binary? I don’t know 🙁

    Here’s why: It would be so great to play any sample remotely, for example an alarm sound when motion is detected. My expectations were that there should be a magic program called „play alarm.wav“ or something similar hahahaha, I’m an optimist! I’ve also tried with no luck to stream a wav file via the backchannel of the 2-way audio system; there is almost no information on the internet about this…

    Do you have any experience with this, or any remote idea of how I can advance?

    Best regards and thanks in advance 🙂
