2025-06-26, Track 3
Data privacy and network security are threatened by the rapid spread of Internet-connected devices, including IP cameras, which can be found in both residential and commercial environments. This talk outlines step by step how we successfully hacked the Synology BC500 and the Ubiquiti AI Bullet IP cameras for Pwn2Own 2023 and 2024.
This talk will describe the following topics:
Intro:
- Who are we?
- Quick introduction to Pwn2Own
--- BC500 ---
Getting access:
- How we extracted the firmware
- Analysis of the extracted firmware
- Obtaining root access to the camera
Attack surface:
- Quick overview of all the services exposed by the camera
Bug discovery:
- Showing the unauthenticated APIs
- Showing some peculiarities of the software:
  - Discovery of the "almost" LFI using the language parameter
  - Discovery of JSON parsing issues
Exploitation of the vulnerability:
- Analysis of the JSON parsing issue
- Code analysis showcasing the weakness
- Identifying constraints for exploiting the weakness:
  - Key stack variable
  - Tuning the payload to skip code
- Writing the exploit using UTF-8
- Bypassing ASLR
- RCE payload used
- Tuning the exploit for reliability
- Live demo of the working exploit against the physical BC500 device or quick video showing the working exploit
--- Ubiquiti AI Bullet ---
Attack surface:
- Quick overview of all the services exposed by the camera
Bug discovery:
- Showing non-obvious attack surface
Exploitation of the vulnerability:
- Analysis of the discovered vulnerability
- Dealing with obstacles for Pwn2Own
- RCE payload used
- Live demo of the working exploit against the physical Ubiquiti AI Bullet device or quick video showing the working exploit
Pwn2Own events:
- How we experienced the Pwn2Own events
- Key takeaways from the Pwn2Own events
We participated in the Pwn2Own 2023 and 2024 events, focusing on the Surveillance Systems category. In this talk, we will take you on a deep dive into how we successfully exploited vulnerabilities in the Synology BC500 and Ubiquiti AI Bullet IP cameras.
We'll show how we performed firmware extraction, subsequent analysis to identify attack surfaces, and how we obtained a root shell for debugging. In the next section, we'll explain the vulnerabilities we discovered during our investigation, and we'll talk about the exploitation to obtain an unauthenticated RCE, highlighting the unique challenges presented by the Pwn2Own competition, such as time constraints and exploit reliability.
Finally, we will describe the development process we used to write the proof-of-concept exploits. We'll talk about various challenges we encountered and design choices we made to ensure the creation of robust and reliable exploits.
Emanuele has 10 years of experience in the area of IT security and has been an IT Security Analyst at Compass Security since 2019. As part of Compass Security's offensive security team, Emanuele conducts security analyses of web applications, external and internal networks, cloud infrastructures, as well as Android applications. Emanuele has responsibly disclosed vulnerabilities in various open source libraries and products, among others in products from Microsoft and Alibaba, and is also responsible for giving various security-related trainings at Compass Security, such as web application security and internal network security with a focus on Active Directory.
Yves studied Computer Science at ETH Zurich and holds a Master's degree in Information Security. He has been working as an IT Security Analyst at Compass Security since 2019. In his job, he performs security analyses of web applications, external networks, cloud infrastructures, as well as iOS applications. Additionally, he teaches web application and Active Directory security trainings and frequently presents talks at security conferences. In his spare time, Yves plays CTFs with a focus on binary exploitation. He has won the Defcon CTF as part of team MMM multiple times and is a Defcon black badge holder.