This is the third post in a series covering the Samsung NX300 "Smart" Camera. In the first post, we have analyzed how the camera is interacting with the outside world using NFC and WiFi. The second one showed a method to gain a remote root shell, and it spawned a number of interesting projects. This post is a reference collection of these projects, and a call for collaboration.
First, I want to thank Samsung for fixing the most serious security problems in the NX300 firmware. As of firmware version 1.41, the X server is closed down and there is an option to encrypt the WiFi network spawned by the camera with WPA2:
1.Add Wi-Fi Privacy Lock function 2.Revision Open Source Licenses
Unfortunately, the provided 8-digit PIN can be cracked in less than one hour using pyrit on a middle-class GPU. While this is far from good security, it requires at least some dedication from the attacker.
Even more unfortunately, Samsung removed
autoexec.sh execution from the
NX300M firmware starting with (or after) 1.11. Dear Samsung engineers, if you
are reading this: please add it back! Executing code from the SD card (without
modifying the firmware image) is a great opportunity, not a security problem!
Most of the mods discussed in this post are leveraging that functionality in a
Markus A. Kuppe has written a
tutorial for auto-backups of the NX300
using an ftp client on the camera and a Raspberry Pi ftp server. One
interesting bit of information is how to make the camera auto-connect to WiFi
whenever it is turned on, using a custom
wpa_supplicant.conf and DBus:
cp /mnt/mmc/wpa_supplicant.conf /tmp/ /usr/bin/wlan.sh start NL 0x8210 /usr/sbin/connmand -W nl80211 -r /usr/sbin/net-config sleep 2 dbus-send --system --type=method_call --print-reply --dest=net.connman \ /net/connman/service/wifi_a0219572b25b_7777772e6c656d6d737465722e6465_managed_psk \ net.connman.Service.Connect
Markus also provided a short write-up on compiling additional kernel modules, which should allow us to extend the camera's functionality without re-flashing the firmware.
The most interesting idea, however, was envisioned by Doug Hickok. He modified the firmware to auto-encrypt photographs using public key cryptography. This allows for very interesting use cases like letting a professional photographer take pictures without allowing him to keep a copy, or for investigative journalists to hide their data tracks.
In the current implementation the pictures are first stored to the SD card and then encrypted and deleted, allowing for undelete attacks. Do not use it in production yet. With some more tweaking, however, it should be possible to make this firmware actually deliver the security promise.
Seeing how there is a (yet small) community of tinkerers around the NX300 camera, and with the knowledge that a whole range of Samsung NX cameras comes with Tizen-based firmware (NX1, NX200, NX2000, NX300M, ...?), the author has created a repository and a Wiki on GitHub.
Feel free to contribute to the wiki or the project - every input is welcome, starting from transferring information from the blog posts linked above into a more structured form in the wiki, and up to creating firmware modifications to allow for exciting new features.