A question about security in webcams and java and http
From: Jan Panteltje (pNaonStpealmtje_at_yahoo.com)
Date: Sun, 31 Jul 2005 20:22:06 GMT
So this saturday and sunday it was raining and I did spend some hours
writing a Linux client for the D-Link dcs900 ethernet security camera.
In case you have such a thing, yo ucan find the current result GPL) here:
It is my intention to set up a web page, so if you read this posting much later,
you should check:
Anyways, that camera can be secured with username and paswasword, and knows
about admninistrators and other users.
I did not have any real docs so I used snort (packet sniffer) to figure some out
about how it works.
You can connect with the default with a browser on LAN with 220.127.116.11, then
set a new IP address.
So I assigned mine 10.0.0.151 and port 81
All very well, after setting a username and password for the administrator
the browsers asks me for this.
Then I tried wget with a wrong pasword:
wget 10.0.0.151:81/video.cgi --http-user= --http-passwd=
Connecting to 10.0.0.151:81... connected!
HTTP request sent, awaiting response... 401 Authorization Required
Fine, the little webserver in that camera wants a password, GOOD.
Then I used my own program:
./mcamip -a 10.0.0.151 -p 81 -u WRONG_USER -w WRONG_PASSWORD -x
mcamip-0.1 copyright Jan Panteltje 2005.
mcamip: getting host 10.0.0.151 by name
mcamip: connecting to 10.0.0.151 (10.0.0.151) port 81 timeout 30
mcamip: connected to camera.
So, no password, wrong user, makes no difference, I can have access from
anywhere to these cameras if I know IP address and port!
I have tested this some more, including cold start for the camera....
It seems now that the check is only done locally in wget or the browser!
Is this correct? Because if it is, then all 'secure' webcams of this type
are wide open.
BTW the soft I am writing is getting motion detection..... not today.
It is still buggy, stops sometimes on high network loads, set fps to 1.
A cool feature is that can output mjepg tools YUV directly to stdout,
so you can view with mplayer, or encode to divx with mencoder.
mcamip -a 10.0.0.151 -p 81 -y | mplayer -fs -
Or it can directly display in X itself.
So, maybe later I will grab the mnotion detection from mcam and put it
in this one too.
So much for Sunday weather ;-)
Usenet Zone Free Binaries Usenet Server
More than 120,000 groups
http://www.usenetzone.com to open account