The Curious Case of Weird Phone Calls in the Middle of the Night

Not so long ago a good friend of mine complained about a strange phenomenon - since the installation of his newly advanced intercom, he started to receive some weird phone calls in the middle of night. On top of this, when he answers these strange calls, the associated intercom mobile application in his smartphone is opened and he sees the interior of random offices around the world. Intrigued, I started to investigate further in order to find out what is going on..

In this talk, I will take you through my adventure to understand what happened that night and how I completed the research with a PWN of the entire intercom system. I will explain how modern intercoms are working, what kind of new features they hold, and how I was able to PWN a popular intercom brand (V-TEC) and bypass their security features to get remote access to the video feed (camera) and door control (lock) of ALL the cloud connected V-TEC intercoms worldwide.

Through the talk I will also elaborate on all the involved technologies and protocols related to VOIP - the delivery of voice communications and multimedia sessions over the internet. This includes SIP, SDP, STUN, and RTP to name a few.

I will start my presentation with a brief introduction to intercoms including the technology behind them and the history of their development from the early 1900’s up to the current version with modern features such as cloud connectivity, video stream, PPT, and more. Next I will discuss how I started this research using OSINT such as online research and RTFM. After that I will explain how I obtained the firmware and reverse engineering it to discover serious security flaws in the cloud connectivity features.

The vulnerabilities I discovered allowed me to write an exploit that bypasses the authentication mechanism of all cloud-connected V-TEC intercoms. This enabled me to take remote control on the intercoms including opening the door, watching the intercom’s live video stream, playing audio (PPT) and more.

Finally, I will introduce an automation I built using all the information I gathered through my research. The automation remotely connects to random V-TEC intercoms around the world, obtains a video feed of 20-25 seconds and stores it as a .mp4 file on my hard drive with the associated IP address and country of where the device is located.