Update: CVE-2016-10115 and CVE-2016-10116 have been listed by MITRE. Refer to the following CVE entries:
Base Station to Camera Communication Basics
As we shared in a previous blog article, the Netgear ARLO security camera system consists of a base station and multiple battery-powered camera units. The base station and cameras communicate over a private Wi-Fi network. A camera joins the network using WPS: pressing the sync button on the base station and on the camera unit makes them exchange Wi-Fi credentials. In theory, this brief window opens a hole for attackers, but it is not realistic for an attacker to wait for it without knowing when the user will install or re-synchronize the camera system.
Figure 1 – Basic network diagram of the Netgear ARLO security camera system
Netgear ARLO WPA2 Password Scheme
Using the same technique described in another blog post, we gained console access to the ARLO system. With console access, you can explore the system to collect information and analyze the attack surface. The nvram command retrieves the configuration data used by ARLO. We discovered that the WPA/WPA2 passphrase used for pairing with ARLO cameras is stored in NVRAM (see Figure 2).
Figure 2 – NVRAM command used to retrieve system settings
In this case, the WPA password is “mistylake940” (factory-set). If the ARLO system is reset with the factory reset button, the WPA password is always reset to “12345678” (as we disclosed in our previous blog post).
We suspected that the factory default password “mistylake940” might be the same on every ARLO device. We purchased multiple devices to find out, and the result was interesting. The cameras did not all share the same WPA/WPA2 passphrase, but they did share the same “pattern”! For example, one passphrase we acquired was “unevensparrow969”. Did you spot the pattern yet? One more example: the next system we opened had the password “luckysky878”. The pattern is:
“adjective” + “noun” + “a 3 digit number”
As we can see, the segments were always basic English words (spaces added for legibility):
misty lake 940
uneven sparrow 969
lucky sky 878
We suspect that these passwords are generated at the Netgear facility by an automated tool that draws from a list of easy words, since we could not find any embedded dictionary or password-generation algorithm in the code. The generator therefore appears to satisfy one condition: the passwords must be easy for humans to memorize. Interestingly, with ARLO systems the only human involvement in camera authentication is through WPS (the sync buttons); the user never sees or memorizes these passwords. The result is a needless weakness in the Netgear ARLO password scheme.
Network Packet Analysis
To demonstrate that this is a real threat, we wanted to show that these passwords can be cracked within a reasonable time, so we performed our experiment from an attacker’s viewpoint. Today, any modern Linux machine with a decent wireless network card can collect raw Wi-Fi packets. When the ARLO camera authenticates itself to the base station, it uses Extensible Authentication Protocol over LAN (EAPoL). These EAPoL packets are essential for the experiment, so they are what you monitor and collect.
Figure 3 – Collected EAPoL Packets
Cracking the Code
For cracking, we used a machine with an Intel Core i5-5200U CPU @ 2.20GHz. We first tried Aircrack-ng on the passphrase of the captured session. As you can see below, it brute-forced about 1670 keys per second, which is not that impressive.
Figure 4 – Aircrack-ng results
The total number of candidate passwords depends entirely on the word list you use. Our advantage is that we already know the passphrase is always a combination of “adjective + noun + 3 digits”. With this information, we can reduce the time needed for cracking.
The other thing we know is that the passphrases use rudimentary English words, the kind you can remember easily. The nouns we observed were always something you can actually see, not something conceptual, but we had no resource for categorizing English words at this level of detail, so we simply used a list of the most common adjectives and frequently used nouns in English. We started with 370 adjectives and 4308 nouns; a list of 370 adjectives is not really extensive, but we thought it was a reasonable starting point.
With 370 adjectives, 4308 nouns, and 1,000 3-digit combinations, the search space is 370 x 4308 x 1000, or 1,593,960,000 possible combinations. At our cracking speed of 1661 keys/s, the maximum time to sweep the whole passphrase space is 959,638 seconds, which is 266 hours, or 11 days and 2 hours. Worse, the WPA/WPA2 password of the ARLO system never changes, and the user has no way to change it.
For our experiment, we generated a custom dictionary file using a Python script that combined the adjectives, nouns, and numbers. The generated word file was 25GB in size.
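The arithmetic of the previous two paragraphs, carried through as an added example (not the post's own dictionary script, which is not reproduced): an audit check that tells whether a passphrase follows the adjective+noun+3-digit scheme, plus the keyspace, its entropy and the worst-case sweep time at a given cracking rate, with the multi-machine scaling used in the feasibility estimate later in the post. The three-word sample lists are constructed from the passphrases observed above; the real experiment used 370 adjectives and 4308 nouns.

```python
import math
from typing import List, Optional, Tuple

# Constructed sample lists: only the words seen on the post's three devices.
# The post's actual experiment used 370 adjectives and 4308 nouns.
SAMPLE_ADJECTIVES = ["misty", "uneven", "lucky"]
SAMPLE_NOUNS = ["lake", "sparrow", "sky"]


def split_weak_passphrase(passphrase: str, adjectives: List[str],
                          nouns: List[str]) -> Optional[Tuple[str, str, str]]:
    """Audit check: return (adjective, noun, digits) if the passphrase follows
    the adjective+noun+3-digit scheme for the given word lists, else None."""
    if len(passphrase) < 4:
        return None
    words, digits = passphrase[:-3], passphrase[-3:]
    if not (digits.isascii() and digits.isdigit()):
        return None
    noun_set = set(nouns)
    # The adjective/noun boundary is not marked, so try each adjective as prefix.
    for adj in adjectives:
        if words.startswith(adj) and words[len(adj):] in noun_set:
            return adj, words[len(adj):], digits
    return None


def keyspace(n_adjectives: int, n_nouns: int, n_numbers: int = 1000) -> int:
    """Number of candidates the scheme can produce (the post's 370 x 4308 x 1000)."""
    return n_adjectives * n_nouns * n_numbers


def entropy_bits(space: int) -> float:
    """Effective entropy of a passphrase drawn uniformly from `space` candidates."""
    return math.log2(space)


def exhaust_seconds(space: int, rate_hps: float, machines: int = 1) -> float:
    """Worst-case time to try every candidate at `rate_hps` per machine."""
    return space / (rate_hps * machines)


def uniform_keyspace(alphabet_size: int, length: int) -> int:
    """Keyspace of `length` symbols drawn uniformly from an alphabet, for
    comparison: a 12-character [a-z0-9] passphrase is ~62 bits, not ~31."""
    return alphabet_size ** length


if __name__ == "__main__":
    space = keyspace(370, 4308)
    print(split_weak_passphrase("mistylake940", SAMPLE_ADJECTIVES, SAMPLE_NOUNS))
    print(f"{space:,} candidates, {entropy_bits(space):.1f} bits")
    print(f"CPU 1661 H/s: {exhaust_seconds(space, 1661) / 3600:.0f} h")
    print(f"GPU 145.6 kH/s: {exhaust_seconds(space, 145_600) / 3600:.1f} h")
    print(f"4 GPUs: {exhaust_seconds(space, 145_600, 4) / 3600:.1f} h")
    print(f"12 random [a-z0-9] chars: {entropy_bits(uniform_keyspace(36, 12)):.1f} bits")
```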
Harnessing the Power of GPU
Since certain computations can be offloaded to a Graphics Processing Unit, or GPU, we reasoned that a GPU would help with password cracking; the question was how much. After some basic research, we chose a moderate GPU, the AMD Radeon R9 390, from a nearby electronics store.
Figure 5 – AMD Radeon R9 390
The price tag was $349.99 USD; in retrospect, had we waited a few days, we could have paid only $309.99 at an online store. Installation didn’t take long at all, and soon we were ready to go.
Brute Force Vulnerability Using Hashcat and oclHashcat
Another password cracking utility is Hashcat, which supports 90+ algorithms, WPA/WPA2 among them. The related utility oclHashcat is a specialized version of Hashcat that uses the GPU for faster password cracking.
To run Hashcat or oclHashcat, you need to convert the pcap file to a Hashcat capture file (hccap). You can do this with Aircrack-ng and the “-J” option; for more details, see this link. The only issue we had was producing a cleaned-up pcap file: many tools, including the “wpaclean” tool from Aircrack-ng, couldn’t process our pcap file because it contained a slightly different packet layout. In that case, you can simply select and export the 4 EAPoL packets used for the authentication.
After this tedious packet conversion, we ran oclHashcat with our word list and hccap file. Our throughput was 145.6 kH/s, or 876 times what we achieved on our system without the GPU! This was very impressive. According to the benchmark data we could find, the Radeon R9 390X model would have achieved 200 kH/s, but we were still very happy with our speed.
Figure 6 – Hashcat results at 145.6 kH/s (145.6 thousand keys per second)
After two and a half hours, oclHashcat found the password “mistylake940”. The estimated time to completion had initially been about 3 hours. Still, pretty impressive.
Figure 7 – Password recovered after 2 hours and 31 minutes
The Feasibility of Cracking
To increase the chance of cracking WPA/WPA2 passphrases, you would increase the size of the dictionary. To increase cracking speed, the attacker could simply build more cracking machines by purchasing additional hardware, or use cloud-based processing power. Estimating $1,000 for one GPU cracking machine, an attacker who builds 4 machines spends $4,000 total and cuts the processing time to a quarter (e.g., from 90 hours to 22 hours). We estimate that within a day or so and with reasonable resources, a determined attacker could easily crack into a neighbor’s security system, then monitor the victim’s activity or feed a false video stream into it. This can lead to further criminal activity.
As this security system is used to guard families and individuals, the possibility of compromising it is a serious problem, heightened by the fact that the two components of the system (base station and camera) communicate over Wi-Fi. As it turns out, the same device used to safeguard your belongings could become a backdoor for attackers and criminals.
Update: Netgear has addressed this vulnerability with a firmware update. For more information, see this link:
The v1.7.7_7171 update addresses two vulnerabilities:
- Fixes passphrase vulnerability (1-8 passphrase)
- Fixes brute force vulnerability of adj/noun/number passphrase seed by using random seed