Emanuele Barbeno of Compass Security demonstrates how DHCP response fields enable JSON injection into IPC channels, how missing input validation creates unauthenticated RCE paths, and exploit challenges including timing constraints and ARP spoofing.
Internet Protocol cameras increasingly rely on network protocols with minimal input validation, creating exploitable pathways when configuration scripts blindly trust Dynamic Host Configuration Protocol (DHCP) responses. Ubiquiti AI Bullet cameras demonstrate how design shortcuts in inter-process communication enable JSON injection through DHCP option fields, transforming routine network handshakes into privilege escalation vectors.
Exploiting missing escaping and validation in DHCP response handlers allows attackers to inject arbitrary JSON keys into IPC messages that trigger privileged functions, including factory resets that restore default credentials. This attack chain operates entirely through network traffic without requiring physical access, authentication or user interaction.
In this session, Emanuele Barbeno, IT security analyst at Compass Security, will discuss:
- How DHCP response fields enable JSON injection into IPC channels that bypass security boundaries;
- Why missing input validation in network scripts creates unauthenticated remote code execution paths;
- Exploit reliability challenges including timing constraints, ARP spoofing and firmware update adaptation.
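The missing-escaping flaw described above, shown next to a hardened form. This is an added example, not code from the session or from Ubiquiti firmware; the use of the DHCP hostname field, the message layout and all function and key names are assumptions made for illustration.

```python
import json
import re

# Constructed sample values for a DHCP text field. The hostname field is an
# assumption; the page does not name the option involved.
BENIGN = "cam-lobby"
CRAFTED = 'cam", "extra_key": "set-by-dhcp'


def build_ipc_unsafe(hostname: str) -> str:
    """Vulnerable pattern: untrusted text pasted into a JSON template."""
    return '{"event": "lease", "hostname": "%s"}' % hostname


# RFC 1123 style host name: dot-separated labels of letters, digits, hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def build_ipc_safe(hostname: str) -> str:
    """Hardened pattern: allow-list validation, then a real JSON encoder."""
    if len(hostname) > 253 or not _HOSTNAME.fullmatch(hostname):
        raise ValueError("rejected DHCP hostname")
    return json.dumps({"event": "lease", "hostname": hostname})


def unexpected_keys(message: str, allowed=("event", "hostname")) -> list:
    """Receiver-side check: report keys that are outside the message schema."""
    return sorted(set(json.loads(message)) - set(allowed))


if __name__ == "__main__":
    for value in (BENIGN, CRAFTED):
        msg = build_ipc_unsafe(value)
        print("unsafe:", msg, "-> extra keys:", unexpected_keys(msg))
        try:
            print("safe:  ", build_ipc_safe(value))
        except ValueError as err:
            print("safe:  ", err)
```

The receiver-side schema check is a second layer: an IPC consumer that rejects unknown keys does not act on a message even if a producer elsewhere still builds it by string concatenation.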
Here is the course outline:
Exploiting Ubiquiti IP Cameras: From DHCP Vulnerabilities to Unauthenticated RCE
Completion
The following certificates are awarded when the course is completed:
CPE Credit Certificate
