Hacking the Ennio Wifi Doorbell

I recently purchased an Ennio Wifi Doorbell in order to have a doorbell and also an outdoor security camera for the front of the house. It seemed like pretty much the only option available.

The camera is fairly easy to set up in the way it was intended. Install an app from the app store, and pair it (with magic, or zeroconf/bonjour) with your phone.

When the button is pushed a push notification arrives on your phone. I’m not quite sure how this happens yet, but I’ll dig further. The camera sends a photo with the push notification and also allows streaming of video from the camera.

As far as I can tell both of these things work flawlessly over 3G as well as Wifi, albeit with a horrifying app UI.

First things first, is it secure?

With this thing going on the front of my house I want to know if it’s possible to break into it or in some other way use it to break into my network.

The short answer: this device is about as secure as a wet paper bag with a block of gold in it. This, although a major downside from a consumer perspective, leaves many open opportunities for the hardware hacker.

The first thing I wanted to do was nmap the sucker and find out what open ports it has. Simple answer: 23 and 81… Yes, port 23, telnet… After turning on the device you can press the button (that’s your doorbell) for 10 seconds or so and it’ll open up a wifi access point. From that wifi access point you can telnet into the camera, if you know the username and password…

To save you a bit of messing around with hydra (which is very unreliable at telnet brute force) and ncrack (which is far more reliable at telnet brute force) the username and password for the Ennio wifi doorbell are:

Username: root
Password: 123456

It took about a minute for ncrack to figure that out for me. Once inside it’s clear that you have tools like iptables to mess around with routing; it’s a fairly standard busybox build, much like the Foscam or similar IP cameras.

If I was going to use this to hack someone’s network it would simply be a case of:

  • putting the device into setup mode by holding the button in
  • getting an assigned IP from the access point it creates…
  • logging in via telnet with the above username and password
  • digging around for the saved wifi password somewhere in /params or…
  • if it’s wired into the LAN, configuring IPv4 forwarding and masquerading with iptables.

You can literally use this as a little insecure on-the-front-door wifi bridge into someone’s LAN if they have it wired in, or as a nifty way to grab someone’s wifi network password directly from the device.

What I plan to do short term

This isn’t exactly a safe bit of kit to leave outside your house. Even before it gets installed there are going to be a few “changes” to the system to make it basically impossible to do what I’ve described to my doorbell. These will be very basic hacks which I’ll hopefully get a chance to write up here 🙂

  • Disable the wifi functionality, and the access point mode entirely.
  • Change the root password
  • Disable the press to setup functionality

Obviously it might not be possible to achieve all of these things. If I get the first point fixed then the others are just gravy, as I intend to wire this thing in and secure the cable physically.

What I plan to do long term

It looks like this camera was built using the ip-cam-sdk that a whole bunch of white box cameras are built with. There’s obviously some minor customisation to make the push notifications work and handle the GPIO for the IR sensor, IR Lights and button. There’s also a fairly decent audio stream to the intercom which will need thorough investigation before I get to work on it.

From what I can tell the /system folder is updatable using a zip file of the intended binaries and web code; everything else is inside a 3Mb system image which by the looks of things cannot really be tinkered with directly. This makes things annoying with security, but not entirely unfixable…

Knowing the build architecture, and being able to configure a cross-compile toolchain, I should be able to rewrite the web handler binaries to do something more useful. With a bit of tinker time I should be able to figure out how the GPIO for the button and other stuff works, and then I’ll replace the HTML and system binaries with my own, which will do exactly what I want 😉

It would be most helpful to find the source code behind these ip cams but that will require a bit of internet digging I think.

Available Commands

Some of these seem to work identically to the Foscam 8918, whereas others seem to produce slightly different results. Some of these functions appear to be fairly unique to this type of camera. I guess there’s a bit more hacking involved before I can even make it useful.

/get_status.cgi
/get_params.cgi
/get_camera_params.cgi
/get_misc.cgi
/get_wifi_scan_result.cgi
/get_factory.cgi
/set_ir_gpio.cgi
/set_alarm.cgi
/set_log.cgi
/set_users.cgi
/set_alias.cgi
/set_mail.cgi
/set_wifi.cgi
/camera_control.cgi
/snapshot.cgi
/set_ddns.cgi
/set_misc.cgi
/decoder_control.cgi
/set_default.cgi
/set_devices.cgi
/set_dns.cgi
/wifi_scan.cgi
/restore_factory.cgi
/check_user.cgi
/set_ftp.cgi
/upgrade_htmls.cgi
/upgrade_firmware.cgi
/livestream.cgi Doesn’t seem to work
/audiostream.cgi Doesn’t seem to work
/get_record_file.cgi Obviously not available
/get_record.cgi Obviously not available
/set_recordsch.cgi Obviously not available
/set_formatsd.cgi Obviously not available
/del_file.cgi Obviously not available
/get_bell_config.cgi
/set_bell_config.cgi
/get_lock_config.cgi
/set_lock_config.cgi
/get_pin_config.cgi
/set_pin_config.cgi
/get_alarm_config.cgi
/set_alarm_config.cgi
/reset_alarm_config.cgi
/get_user_config.cgi
/set_user_config.cgi
/get_video_config.cgi
/set_video_config.cgi
/reset_video_config.cgi
/reset_user.cgi
/get_version_config.cgi
/get_bell_params.cgi
/get_bell_status.cgi
/get_datetime.cgi
/set_datetime.cgi
/get_doorbelllogs.cgi
/check_session_state.cgi