Yves Bieri

Yves studied Computer Science at ETH Zurich and holds a Master's degree in Information Security. He has been working as an IT Security Analyst at Compass Security since 2019. In his job, he performs security analyses of web applications, external networks, cloud infrastructures, and iOS applications. Additionally, he teaches web application and Active Directory security trainings and frequently presents talks at security conferences. In his spare time, Yves plays CTFs focusing on binary exploitation. He has won the Defcon CTF as part of team MMM multiple times and is a Defcon black badge holder.


Session

06-26
15:45
60min
Say Cheese! How We Pwned Your Security Camera
Emanuele Barbeno, Yves Bieri

Data privacy and network security are threatened by the rapid spread of Internet-connected devices. This includes IP cameras which can be found in both residential and commercial environments. This talk outlines step by step how we successfully hacked the Synology BC500 and the Ubiquiti AI Bullet IP cameras for Pwn2Own 2023 and 2024.

This talk will describe the following topics:

Intro:

  • Who are we?
  • Quick introduction to Pwn2Own

--- BC500 ---

Getting access:

  • How we extracted the firmware
  • Analysis of the extracted firmware
  • Obtaining root access to the camera

Attack surface:

  • Quick overview of all the services exposed by the camera

Bug discovery:

  • Showing the unauthenticated APIs
  • Showing some peculiarities of the software:
    • Discovery of the "almost" LFI using the language parameter
    • Discovery of JSON parsing issues

Exploitation of the vulnerability:

  • Analysis of the JSON parsing issue
  • Code analysis showcasing the weakness
  • Identifying constraints for exploiting the weakness:
    • Key stack variable
    • Tuning the payload to skip code
  • Writing the exploit using UTF-8
  • Bypassing ASLR
  • RCE payload used
  • Tuning the exploit for reliability
  • Live demo of the working exploit against the physical BC500 device or quick video showing the working exploit

--- Ubiquiti AI Bullet ---

Attack surface:

  • Quick overview of all the services exposed by the camera

Bug discovery:

  • Showing non-obvious attack surface

Exploitation of the vulnerability:

  • Analysis of the discovered vulnerability
  • Dealing with obstacles for Pwn2Own
  • RCE payload used
  • Live demo of the working exploit against the physical Ubiquiti AI Bullet device or quick video showing the working exploit

Pwn2Own events:

  • How we experienced the Pwn2Own events
  • Key takeaways from the Pwn2Own events

Attack & Research
Track 3