An anonymising proxy through your webcam
ExploitDB is a great resource for finding sneaky Google search queries which let you find things on the web which probably shouldn't be public.
One search query which really stuck out to me was "intitle:webcam 7 inurl:8080 -intext:8080" which shows you simple pages for public webcams. Many of these are cameras in office buildings clearly not meant to be publicly viewable.
┌─────────────────────────────────┐ │ Webcam 7 │ │═════════════════════════════════│ │ Home | Multiview | Smartphone...│ │═════════════════════════════════│ │ Live View PTZ │ │ ┌────────────────────┐ ┌───────┐│ │ │▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓│ │ ▲ ││ │ │▓▓▓▒▒▒▓▓▓▓▓▓▒▒▒▓▓▓▓▓│ │ ◄ ► ││ │ │▓▓▓▒▒▒▓▓▓▓▓▓▒▒▒▓▓▓▓▓│ │ ▼ ││ │ │▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓│ └───────┘│ │ │▒▒▒▒▒▓▓▓▓▓▓▓▓▓▓▒▒▒▒▒│ │ │ │▒▒▒▒▒▓▓▓▓▓▓▓▓▓▓▒▒▒▒▒│ │ │ │▓▓▓▓▓▒▒▒▒▒▒▒▒▒▒▓▓▓▓▓│ │ │ └────────────────────┘ │ └─────────────────────────────────┘
The ubiquity of such sites seems like a perfect side channel to pass information!
Steganography is the art of hiding secret data inside some carrier file without changing its appearance to the casual observer. The carrier file is typically an image, as pixel values can be altered slightly and the image will still look identical.
A very simple way of doing this relies on modifying the least significant bit of each pixel to be that of your data. Changing this bit modifies the pixel value by at most 1, so is imperceptible to the human eye on a full colour image.
```
                         SECRET MESSAGE:
┌───────────────────┐   0110 1000 0110 1001    ┌───────────────────┐
|    ███     ███    │            |             |    ▓▓▓     ███    │
|                   │            v             |░░░ ░░░ ░░░ ░░░    │
|███   ▒▒▒ ▒▒▒   ███│      ┌────────────┐      |▓▓▓   ▒▒▒ ▒▒▒   ███│
|▒▒▒ ███ ███ ███ ▒▒▒│      │            │      |▒▒▒ ███ ███ ███ ▒▒▒│
╞═══════════════════╡ ───> │    Steg    │ ───> ╞═══════════════════╡
|111 000 111 000 111│      │            │      |110 001 111 000 111│
|111 111 111 111 111│      └────────────┘      |110 110 110 110 111│
|000 010 111 010 000│                          |001 010 111 010 000│
|010 000 000 000 010│                          |010 000 000 000 010│
└───────────────────┘                          └───────────────────┘
```
There are loads of algorithms which extend this idea in more complicated ways - JSTEG, F5, OUTGUESS to name just a few. They vary in how much information you can encode, how detectable the result is, which image formats they work on and how well they survive compression, but all operate on similar principles.
Many of these can be detected using statistical analysis, but the key with steg is to avoid raising suspicion in the first place!
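The least-significant-bit scheme and the statistical detection mentioned above, as an added example that is not taken from the project's code: it embeds a payload into the low bits of 8-bit sample values, reads it back, and scores the result with a chi-square test on value pairs (2k, 2k+1). All function names are hypothetical, and the carrier is constructed synthetic data rather than a real camera frame.

```python
import random

def embed_lsb(samples, payload):
    """Overwrite the LSB of successive 8-bit samples with payload bits (MSB first)."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(samples):
        raise ValueError("payload does not fit in carrier")
    out = list(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit      # value changes by at most 1
    return out

def extract_lsb(samples, nbytes):
    """Read nbytes back out of the LSBs, MSB first."""
    bits = [s & 1 for s in samples[:nbytes * 8]]
    return bytes(sum(b << (7 - i) for i, b in enumerate(bits[k:k + 8]))
                 for k in range(0, len(bits), 8))

def pov_score(samples):
    """Chi-square per degree of freedom for a 50/50 split inside each value
    pair (2k, 2k+1). LSB replacement with random-looking data equalises the
    pairs, so a score near 1 is the suspicious case."""
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    chi2, dof = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected >= 5:                 # skip sparsely populated pairs
            chi2 += ((even - expected) ** 2 + (odd - expected) ** 2) / expected
            dof += 1
    return chi2 / dof if dof else 0.0

def make_carrier(n, rng):
    """Constructed stand-in for image data: bell-shaped values in which
    40% of samples are forced even, so the pairs are visibly unbalanced."""
    out = []
    for _ in range(n):
        v = min(255, max(0, int(rng.gauss(128, 30))))
        out.append(v & ~1 if rng.random() < 0.4 else v)
    return out

rng = random.Random(7)                    # fixed seed: repeatable run
carrier = make_carrier(16000, rng)
payload = bytes(rng.getrandbits(8) for _ in range(2000))  # stands in for ciphertext
stego = embed_lsb(carrier, payload)
print(f"clean {pov_score(carrier):.1f}  stego {pov_score(stego):.1f}")
```

No sample moves by more than 1, yet the pair histogram flattens once every LSB carries payload, which is the signal this class of detector keys on.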
So how does this relate to webcams? Well, the webcam7 websites transmit video in a very simplistic way using mJPEG - each frame is simply a JPEG image. In each of these images we can sneak some information using steganography!
```
                    Steg Client                Steg Server
                    ┌─────────┐                ┌─────────┐
                    │         │                │         │
┌────────┐  secret  ├─────────┤  Steg(secret)  ├─────────┤  secret  ┌────────┐
│ SECRET │ <------  | Decoder |  <-----------  | Encoder | <------- │ SECRET │
│  DATA  │          ├─────────┤                ├─────────┤          │  DATA  │
└────────┘          │         │                │         │          └────────┘
                    └─────────┘                └─────────┘
```
The system has 2 components:
A key question remains - how does the server know the client is listening? A simple solution is to use the camera control buttons. When a client is ready it sends a specific set of key combinations (UP, DOWN, LEFT, RIGHT, ZOOM etc.), which the server receives, and so knows a client is listening.
We now have a method of sending information from one place (the server) to another (the client). Wouldn't it be fun if this was bidirectional? Wouldn't it be even more fun if you could browse the internet entirely through webcam streams!
When you navigate to your favourite website over the internet, a series of messages are passed. First your internet browser forms a **request** detailing the page you want, any form data, the method etc. This is sent to the server which hosts the site, which forms a **response** containing the page you want and sends it back to you to be displayed. This request/response idea is key to the World Wide Web:
```
Browser          Web Server
   █                  █
   █     request      █
   █ ───────────────> █
   █                  █
   █     response     █
   █ <──────────────  █
   █                  █
```
Using our webcam steganography idea, we can hide both the request and response in webcam streams. Both the client and the server can host a webcam page. When the client wants to visit a webpage, they encode their request in their own webcam stream and 'poke' the server to let it know there is a request waiting. The server grabs the images, decodes them to get the request and processes it. The server can then go and request the webpage on the client's behalf, before encoding the response in their own webcam stream to reverse the process.
```
Browser Steg Client                            Proxy    Web Server
┌───────────────────┐                     ┌───────────────────┐
│ ┌┐     ┌─────────┐│                     │ ┌─────────┐     ┌┐│
│ ││ req │         |│      Steg(req)      │ │         | req │││
│ ││---->│ Encoder |│-------------------->│ │ Decoder |---->│││
│ ││     │         ││                     │ │         │     │││
| ||     ├─────────┤│                     | ├─────────┤     │││
│ ││ res │         ││      Steg(res)      │ │         │ res │││
│ ││---->│ Decoder ││<------------------- │ │ Encoder │<----│││
│ ││     │         ││                     │ │         │     │││
│ └┘     └─────────┘│                     │ └─────────┘     └┘│
└───────────────────┘                     └───────────────────┘
```
All that will be visible to an outside onlooker is people looking at webcam streams of random office buildings. This system allows the request from the client to be hidden in a way which is trickier to detect than a traditional VPN, for situations when simply the act of using a VPN is suspicious.
The code for this project can be found on GitHub: