Recently I bought a Panasonic DMC-GF6. It isn't a reflex camera, but it takes good photos for the price I paid for it (260€).
One of the things I like about this camera is its support for remote control through an Android application called Panasonic Image App. The first questions I asked myself were:
- Is it safe to use this feature?
- Can anyone easily use this remote control feature to control my camera and get my photos?
To answer these questions we will install the Android application (Panasonic Image App) and see how it works.
Android APP Experience
After installing the Android application, we need either to connect the camera to a WiFi access point or to use the camera's own Direct Connect feature, so that the Android application can reach the camera.
We will start with the Direct Connect option. Let's see how the Direct Connect feature works.
- When you choose the Direct Connect option (Settings -> WiFi -> New Connect), the camera shows the SSID (WiFi network name) and the password needed to connect the Android phone to the camera.
- On the Android phone we turn on WiFi and connect to the SSID shown on the camera.
- Back in the Panasonic application, we tap "Connect to camera" and the application connects to the camera automatically (the camera switches to its remote control state).
- Now we can control the camera from the Android phone: take photos, change the photo settings, and so on. The full set of camera controls is available in the Panasonic Android application.
As a computer science guy, I know that the camera has to expose some API that the Android application uses to control the camera's features, and I know that the Android application talks to the camera over WiFi, so the camera probably runs an HTTP service or accepts a socket connection.
So, let's find out how the camera communicates with the Android application. At this point we have two ways to check it:
- Inspect the connection and look at the messages the Android application sends to the camera.
- Decompile the Android application to see how Panasonic implements the API.
Normally I would start with the first option, but today I will start with the second, because I want to see Panasonic's code.
Decompile Panasonic Android application
To decompile the Android application, we will need two tools: dex2jar and jd-gui. The first one (dex2jar) converts the dex files to jar files, and the second one (jd-gui) decompiles the class files into Java source code.
As we know, Android applications are compiled into dex files, so we need the following steps to get the application's Java source code:
- Change the application's extension from apk to zip (com.panasonic.avc.cng.imageapp.apk to com.panasonic.avc.cng.imageapp.zip).
- Open the zip file and copy the dex file to the dex2jar folder.
- Extract the jar file from the dex file (using the command d2j-dex2jar.sh file.dex).
- Open the jar file with jd-gui to decompile it and get the Java source code.
After finishing these four steps, we can see the application's source code. Now we notice that something in the code looks wrong: the methods, variables and classes are named with single letters. This is normal when the code is compiled with code obfuscation.
A code obfuscator is used to obfuscate, or confuse, the code so that someone who decompiles it cannot easily read it. That is bad news for us. However, before falling back to the first option (inspecting the WiFi traffic), we will try to find some URLs in the code. If the application uses HTTP requests to control the camera, there will be URLs in the code.
Using jd-gui's save option we save the Java source files as a zip archive. After saving, we unzip the archive and, using Notepad++ (for example), search the files for ".cgi" to look for HTTP endpoints. This search turns up a lot of endpoints.
So, even if we could not find the messages exchanged between the Android application and the camera by capturing packets, we could still read these endpoints and the obfuscated code to try to understand the communication.
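The ".cgi" search above can be scripted rather than done by hand in an editor. The following script is an added example, not code from the original post or from Panasonic: it walks a jd-gui source export, pulls every Java string literal, keeps the ones that carry an absolute URL or a CGI script name, and groups the query parameters seen for each path. Obfuscation renames classes and methods but leaves string literals intact, which is why this works. The Java snippet embedded as sample input is constructed; only /cam.cgi with mode=getstate and mode=setstate come from the post, and /update.cgi is made up. The file name scan_endpoints.py in the usage comment is just an assumption.

```python
"""Scan decompiled (obfuscated) Java sources for HTTP endpoint strings.

Added example, not code from the original post or from Panasonic. Turns the
manual ".cgi" search into a script over a jd-gui source export.
"""
import re
import sys
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# A Java string literal: double quotes, backslash escapes allowed inside.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Keep only literals that carry an absolute URL or a CGI script name.
ENDPOINT_HINT = re.compile(r"\.cgi\b|^https?://")


def extract_endpoints_from_text(java_source):
    """Return {path: {"key=value", ...}} for every endpoint-like literal."""
    found = {}
    for match in STRING_LITERAL.finditer(java_source):
        literal = match.group(1)
        if not ENDPOINT_HINT.search(literal):
            continue
        parts = urlsplit(literal)
        if not parts.path:
            # A bare "http://" prefix that gets concatenated with a host at runtime.
            continue
        params = found.setdefault(parts.path, set())
        for key, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                params.add(f"{key}={value}")
    return found


def scan_source_tree(root):
    """Merge the endpoints found in every *.java file under root."""
    merged = {}
    for java_file in Path(root).rglob("*.java"):
        text = java_file.read_text(encoding="utf-8", errors="replace")
        for path, params in extract_endpoints_from_text(text).items():
            merged.setdefault(path, set()).update(params)
    return merged


def format_report(found):
    """One sorted line per endpoint: the path followed by its known parameters."""
    return [f"{path}  {', '.join(sorted(params))}".rstrip()
            for path, params in sorted(found.items())]


# Constructed stand-in for obfuscated output: identifiers are single letters,
# but the endpoint literals survive. Only /cam.cgi?mode=... is from the post;
# /update.cgi and example.invalid are made up.
SAMPLE_SOURCE = r'''
public final class a {
  private static final String b = "http://";
  public static String c(String d) {
    return b + d + "/cam.cgi?mode=getstate";
  }
  public static String e(String d) {
    return "http://" + d + "/cam.cgi?mode=setstate";
  }
  static final String f = "not an endpoint";
  static final String g = "https://example.invalid/update.cgi?check=1";
}
'''

if __name__ == "__main__":
    # Over a real export (assumed file name): python scan_endpoints.py <unzipped-source-dir>
    if len(sys.argv) > 1:
        found = scan_source_tree(sys.argv[1])
    else:
        found = extract_endpoints_from_text(SAMPLE_SOURCE)
    print("\n".join(format_report(found)))
```

Run without arguments it reports the sample; pointed at the unzipped jd-gui export it gives one line per endpoint with every mode value seen anywhere in the code, which is a better starting list for the traffic capture than a raw text search. Split literals (a path in one string and its parameters in another) still need a manual look.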
Capture the messages exchanged between Android Application and Camera
To capture the messages exchanged between the Android application and the camera, we will:
- Connect the camera to a WiFi access point.
- Connect the computer to the same WiFi access point.
- Install and run the Fiddler application on the computer.
- Connect the Android phone to the same WiFi access point and change its WiFi connection settings so that the proxy IP and port point at the IP and port on which Fiddler is listening as a proxy.
With this configuration, all of the Android phone's connections are forced through Fiddler. Now, while using the Panasonic application to control the camera, we can watch the messages exchanged between the Android application and the camera. Ignoring the http://192.168.1.104/cam.cgi?mode=getstate request and checking all the other requests, we found two essential messages:
The first request changes the camera's work mode, so we can put the camera in remote control mode or in capture mode. The second request takes a photo.
Additionally, we can access the captured photos using two commands:
NOTE: DT1000646.JPG is an image stored on the camera; we could access any other photo stored on the camera the same way. 192.168.1.104 is the camera's IP address.
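Reading a Fiddler capture by hand is fine for a handful of requests, but the question the capture is really meant to answer is whether anything in the control channel protects it. The script below is an added example, not code from the original post or from Panasonic: it takes raw HTTP requests as a proxy displays them, drops the getstate polling noise as the post does, classifies the rest as state-changing control requests or image downloads, and reports whether each travelled in plaintext and whether it carried any credential (an Authorization or Cookie header, or a token-like query parameter). The captured requests are constructed: the host 192.168.1.104, /cam.cgi?mode=getstate, /cam.cgi?mode=setstate and the file name DT1000646.JPG come from the post, while the photo directory is a placeholder because the post does not give it. The "hardened" request at the end is hypothetical, showing what the same check would report if the camera required TLS and a bearer token.

```python
"""Audit a captured camera session for unauthenticated control requests.

Added example, not code from the original post or from Panasonic. Input is a
list of raw HTTP requests as a proxy such as Fiddler shows them.
"""
from urllib.parse import parse_qs, urlsplit

AUTH_HEADERS = {"authorization", "cookie", "x-api-key"}       # any of these = some credential
AUTH_PARAMS = {"token", "session", "key", "auth", "password"}  # credential carried in the query
STATUS_MODES = {"getstate"}                                    # read-only poll, ignored as in the post
IMAGE_SUFFIXES = (".jpg", ".jpeg", ".rw2", ".mp4")


def parse_request(raw):
    """Split one raw HTTP request (request line plus headers) into its parts."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # end of headers, body would follow
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)             # proxies show the absolute URL in the request line
    return {
        "method": method,
        "scheme": url.scheme,
        "host": url.netloc or headers.get("host", ""),
        "path": url.path,
        "query": parse_qs(url.query),
        "headers": headers,
    }


def classify(req):
    """status: harmless poll; control: changes camera state; media: image download."""
    mode = req["query"].get("mode", [""])[0]
    if req["path"].endswith(".cgi"):
        return "status" if mode in STATUS_MODES else "control"
    if req["path"].lower().endswith(IMAGE_SUFFIXES):
        return "media"
    return "other"


def carries_credentials(req):
    """True if the request presents anything a server could authenticate it with."""
    if AUTH_HEADERS & set(req["headers"]):
        return True
    return bool(AUTH_PARAMS & {key.lower() for key in req["query"]})


def audit(raw_requests):
    """One finding per non-status request: what it does and whether it is protected."""
    findings = []
    for raw in raw_requests:
        req = parse_request(raw)
        kind = classify(req)
        if kind == "status":
            continue
        findings.append({
            "request": f'{req["method"]} {req["path"]}',
            "kind": kind,
            "plaintext": req["scheme"] != "https",
            "credentials": carries_credentials(req),
        })
    return findings


def summarize(findings):
    """The counts a reviewer would put in the report."""
    exposed = [f for f in findings if not f["credentials"]]
    return {
        "unauthenticated_control": sum(f["kind"] == "control" for f in exposed),
        "unauthenticated_media": sum(f["kind"] == "media" for f in exposed),
        "plaintext": sum(f["plaintext"] for f in findings),
    }


# Constructed capture of the session described in the post: the getstate poll,
# setstate to enter remote-control mode, and the download of a stored photo.
# PLACEHOLDER_PHOTO_DIR stands in for a path the post does not give.
CAPTURED_SESSION = [
    "GET http://192.168.1.104/cam.cgi?mode=getstate HTTP/1.1\nHost: 192.168.1.104\n",
    "GET http://192.168.1.104/cam.cgi?mode=setstate HTTP/1.1\nHost: 192.168.1.104\n",
    "GET http://192.168.1.104/PLACEHOLDER_PHOTO_DIR/DT1000646.JPG HTTP/1.1\nHost: 192.168.1.104\n",
]

# Hypothetical contrast, not something the post observed: the same control
# request over TLS with a bearer token.
HARDENED_SAMPLE = [
    "GET https://192.168.1.104/cam.cgi?mode=setstate HTTP/1.1\n"
    "Host: 192.168.1.104\nAuthorization: Bearer constructed-token-value\n",
]

if __name__ == "__main__":
    for finding in audit(CAPTURED_SESSION):
        print(finding)
    print(summarize(audit(CAPTURED_SESSION)))
```

On the constructed session the summary is one unauthenticated control request, one unauthenticated media download and two plaintext requests, which is exactly the situation the conclusion describes; on the hardened sample every count is zero. The credential check is deliberately generous (any Authorization or Cookie header, any token-like parameter counts), so a zero here means the protocol offers a stranger on the same network nothing to get past.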
Conclusion
The Panasonic DMC-GF6 camera isn't safe when connected to a public WiFi network. With the camera connected to a public WiFi network, anyone can access the camera, take photos and get all the photos stored on the camera's memory card.
How?
Simply, for example, with a script that sends the /cam.cgi?mode=setstate request to every IP on the local network. When it receives an HTTP 200 response, that IP belongs to a Panasonic DMC-GF6. After identifying the IP, the camera can be controlled by sending the messages described above.
Of course, I will not provide this script's code.