What To Expect When You're Exploiting: Attacking and Discovering Zero-Days in Baby Monitors and Wi-Fi Cameras
This talk demonstrates a comprehensive methodology for identifying and exploiting vulnerabilities in low-cost IoT Wi-Fi cameras and baby monitors. The researchers detail techniques for gaining root access via UART, bypassing authentication in cloud-based management platforms, and manipulating P2P protocols to hijack device control. The presentation highlights the systemic security failures in these devices, including hardcoded credentials, insecure P2P implementations, and lack of secure boot. The speakers also release a suite of proof-of-concept tools to facilitate further research and vulnerability discovery in this class of hardware.
Exploiting the P2P Protocol: How Cheap IoT Cameras Expose Your Private Data
TLDR: Researchers at DEF CON 2024 demonstrated how a common peer-to-peer (P2P) protocol used by millions of low-cost IoT cameras allows for unauthenticated remote access and device hijacking. By reverse-engineering the firmware and exploiting the P2P communication flow, they bypassed cloud authentication and gained full control over cameras from multiple vendors. This research highlights the critical danger of relying on proprietary, insecure P2P implementations for remote device management.
Security researchers often treat low-cost IoT hardware as a black box, assuming that if the device is cheap, the security is nonexistent. That assumption is usually correct, but the scale of the failure is what matters. The recent research presented at DEF CON 2024 on baby monitors and Wi-Fi cameras proves that the problem isn't just poor coding; it is a systemic failure in the P2P protocols that these devices use to punch through NAT and firewalls. When you buy a ten-dollar camera on Amazon, you aren't just buying a lens and a sensor. You are buying a device that is hardcoded to connect to a cloud platform, often using a P2P protocol that prioritizes connectivity over every other security consideration.
The Anatomy of a P2P Hijack
The core of this research focuses on the P2P protocol used by devices running on the AJCloud management infrastructure. These cameras are marketed as "plug and play," which means they must be able to connect to a mobile app from anywhere in the world without the user configuring port forwarding. To achieve this, the devices use a P2P protocol that handles NAT traversal and relaying.
The researchers found that the P2P protocol is fundamentally broken. It does not require robust authentication to establish a connection. By capturing the P2P traffic, they identified a clear messaging sequence. A client sends a MSG_HELLO packet, the camera acknowledges it, and then the client can request access to a specific device ID. Because the protocol lacks proper verification, an attacker can simply spoof the device ID or manipulate the P2P relay server to gain access to a camera that does not belong to them.
The demo shown during the talk was particularly jarring. The researchers used a Python script to interact with the P2P protocol directly, effectively bypassing the official mobile app. By sending the correct sequence of P2P packets, they were able to view the live video feed of a camera without ever needing the owner's credentials. This is a classic case of Broken Access Control, where the protocol assumes that knowing the device ID is equivalent to having authorization to view the stream.
From UART to Root Access
Gaining access to the camera's P2P traffic is only the first step. To understand how the device handles these requests, the researchers performed a full hardware teardown. They identified the UART headers on the PCB, which provided a direct serial console. Once connected, they found that the device was running a Linux-based OS with a very permissive bootloader.
By modifying the boot arguments, they were able to drop into a root shell. This is where the research gets interesting for anyone doing hardware pentesting. They discovered that the device's primary application, which they called initApp, was responsible for handling the P2P connections and communicating with the AJCloud backend. The application was not only vulnerable to P2P hijacking but also leaked sensitive information through verbose debug logs.
The researchers found that the initApp binary was writing cleartext user account credentials to a log file on the device. If you have physical access to the device, or if you can exploit a remote vulnerability to read the filesystem, you have the keys to the user's entire account.
To facilitate further research, the team released their proof-of-concept tools on GitHub. These tools include scripts to interact with the P2P protocol and utilities to help with firmware analysis.
The Defensive Reality
If you are a security professional, the advice here is simple: do not put these devices on your primary network. If you must use them, isolate them in a separate VLAN with no access to your internal resources. Even better, block all outbound traffic from these devices to the internet.
The researchers also pointed to OpenIPC as a potential mitigation. By flashing these devices with open-source firmware, you can strip away the insecure vendor-provided P2P code and gain full control over the device's configuration. This is not a trivial task for the average consumer, but for a researcher, it is the only way to make these devices remotely usable without exposing your home network to the internet.
What Comes Next
This research is a reminder that the "IoT" label is often a synonym for "unpatchable security debt." The P2P protocol discussed here is used by at least seven different vendors, and likely many more that haven't been identified yet. The vulnerability isn't just in the camera; it's in the entire ecosystem of relay servers and management platforms that these devices rely on.
As a pentester, the next time you see a cheap Wi-Fi camera on an engagement, don't just look for open ports. Look for the P2P traffic. If you see UDP traffic on port 60722, you are likely looking at the P2P protocol described in this research. The tools provided by the researchers are a perfect starting point for your own investigation. The question isn't whether these devices are vulnerable; the question is how much of your network you are willing to sacrifice for the convenience of a cheap camera.
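The two defensive checks above (isolating the cameras and watching for UDP traffic to port 60722) can be turned into a simple flow-log sweep. The script below is an added example, not a tool from the talk or its GitHub release; the subnet layout, the allowed-port list and the flow records are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from the talk): proto src dst dport bytes
SAMPLE_FLOWS = """\
udp 192.168.50.12 203.0.113.45 60722 4188
udp 192.168.50.12 203.0.113.45 60722 91206
tcp 192.168.50.12 192.168.10.5 445 1288
udp 192.168.50.12 192.168.10.1 53 97
tcp 192.168.10.20 198.51.100.7 443 5300
udp 192.168.50.13 198.51.100.9 60722 3020
"""

IOT_VLAN = ipaddress.ip_network("192.168.50.0/24")    # assumed camera segment
INTERNAL = [ipaddress.ip_network("192.168.10.0/24")]  # assumed trusted segment
LOCAL_NETS = [IOT_VLAN] + INTERNAL
P2P_UDP_PORT = 60722          # port named in the talk as a P2P indicator
ALLOWED_INTERNAL_PORTS = {53}  # assumed: cameras may reach the local resolver only


def parse_flows(text):
    """Parse whitespace-separated flow lines into typed tuples."""
    flows = []
    for line in text.splitlines():
        proto, src, dst, dport, nbytes = line.split()
        flows.append((proto.lower(), ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), int(dport), int(nbytes)))
    return flows


def find_p2p_hosts(flows):
    """Map each local host sending UDP/60722 to the internet to its byte total."""
    hits = defaultdict(int)
    for proto, src, dst, dport, nbytes in flows:
        if proto == "udp" and dport == P2P_UDP_PORT \
                and not any(dst in n for n in LOCAL_NETS):
            hits[str(src)] += nbytes
    return dict(hits)


def find_segmentation_violations(flows):
    """IoT-VLAN hosts reaching internal segments on anything but allowed ports."""
    bad = []
    for proto, src, dst, dport, _ in flows:
        if src in IOT_VLAN and any(dst in n for n in INTERNAL) \
                and dport not in ALLOWED_INTERNAL_PORTS:
            bad.append((str(src), str(dst), proto, dport))
    return bad


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("suspected P2P camera hosts:", find_p2p_hosts(flows))
    print("segmentation violations:", find_segmentation_violations(flows))
```

Hosts that appear in the first result are candidates for the VLAN and egress-block treatment; anything in the second result means the isolation described above is not actually enforced.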