
Your worst nightmare must be your webcam or security camera going rogue and spying on you. Hey, it is an IoT (Internet of Things) device and attacks happen all the time.
Bitdefender has discovered that a popular Taiwanese brand of smart network camera (name/model withheld as the manufacturer has not yet patched the firmware) commonly used as a home surveillance system as well as a baby monitor and communication medium between parents and children, is wide open to IoT attacks.
The camera is a feature-rich device for homes and small businesses with a motion and sound detection system, two-way audio, built-in microphone and speaker, built-in selectable lullabies to put children to sleep, temperature and humidity sensors, IR LEDs, motorised pan/tilt and a microSD/SDHC card slot.
The device follows the standard setup routine, creating a hotspot during configuration via a wireless network. Once installed, the corresponding mobile application tries to establish a connection with the device’s hotspot, and after it detects it, the app connects to it automatically. Next, the app asks the user to enter the credentials of their home network, which it transmits to the device. The device then connects to the local network, and the setup process is complete.
Bitdefender found that the hotspot remains open even after connecting to the Wi-Fi network and the host Wi-Fi network credentials are transmitted in plain text from the mobile app to the device. Similarly, all data (video) sent between the app and the device is simply encoded – not encrypted.
Radu Basaraba, a malware researcher at Bitdefender, listed his concerns with the device.
- When the mobile app connects remotely to the device, from outside the local network, it authenticates through a security mechanism known as Basic Access Authentication. This is an insecure method of authentication unless used in conjunction with an external secure system such as SSL. Usernames and passwords are passed over the wire in an unencrypted format, encoded with a Base64 scheme in transit. It is reversible and virtually useless for providing data security.
- The device’s communication with the push servers is HTTPS secured, however, authentication of the device is based exclusively on the MAC address. An attacker can register a different device, with the same MAC address, to impersonate the genuine one. The server and app will communicate with the device that registered last, even if it’s rogue. This way, attackers can capture the webcam’s new password, if the user changes the default one.
- To speed up the process and grab the password faster, an attacker can take advantage of the camera’s push notification feature. Users can opt to receive notifications on their smartphone, specifically video alerts, whenever the camera detects any suspicious sound or movement in their homes. When the user opens the app to view the alert, the app will authenticate on the device using Basic Access Authentication and, thus, send the new password unencrypted to the hacker-controlled webcam.
- Attackers can enter the username, password and ID to get full control of the user’s webcam, through the mobile app.
- It can also be used for DDoS attacks as part of a botnet.
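The MAC-only device registration described in the second and third points, modelled as an added example (not Bitdefender's or the vendor's code) beside a hardened form. It assumes a per-device key provisioned at manufacture and an HMAC-SHA256 challenge-response on registration, neither of which the page credits the disclosed product with.

```python
import hashlib
import hmac
import secrets

# Constructed sample: one genuine camera and a per-device key assumed to be
# provisioned at manufacture (the disclosed product has no such key).
GENUINE_MAC = "AA:BB:CC:DD:EE:01"
DEVICE_KEYS = {GENUINE_MAC: b"factory-provisioned-secret-for-EE:01"}

class MacOnlyRegistry:
    """Models the disclosed flaw: whoever claims a MAC last owns it."""
    def __init__(self):
        self.owner = {}  # MAC -> label of the device the server now trusts

    def register(self, mac, label):
        self.owner[mac] = label  # no proof of identity is ever checked
        return True

class KeyedRegistry:
    """Hardened form: a registration must answer a fresh, single-use challenge
    with an HMAC under the key bound to that MAC; a copied MAC alone fails."""
    def __init__(self, keys):
        self.keys, self.owner, self.pending = keys, {}, {}

    def challenge(self, mac):
        self.pending[mac] = secrets.token_bytes(16)
        return self.pending[mac]

    def register(self, mac, label, proof):
        nonce, key = self.pending.pop(mac, None), self.keys.get(mac)
        if nonce is None or key is None:
            return False  # no outstanding challenge, or MAC not provisioned
        if not hmac.compare_digest(device_proof(key, nonce), proof):
            return False  # claimant does not hold the device key
        self.owner[mac] = label
        return True

def device_proof(key, nonce):
    # What a legitimate camera computes in reply to a challenge.
    return hmac.new(key, nonce, hashlib.sha256).digest()

def demo():
    weak = MacOnlyRegistry()
    weak.register(GENUINE_MAC, "genuine")
    weak.register(GENUINE_MAC, "rogue")  # silently displaces the real camera
    strong = KeyedRegistry(DEVICE_KEYS)
    nonce = strong.challenge(GENUINE_MAC)
    strong.register(GENUINE_MAC, "genuine", device_proof(DEVICE_KEYS[GENUINE_MAC], nonce))
    strong.challenge(GENUINE_MAC)  # rogue asks for a challenge but has no key
    rogue = strong.register(GENUINE_MAC, "rogue", b"\x00" * 32)
    return weak.owner[GENUINE_MAC], strong.owner[GENUINE_MAC], rogue
```

Because each nonce is consumed on use, a captured proof cannot be replayed to re-register the same MAC later.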
George Cabau, Bitdefender antimalware researcher, says: “Once under a criminal’s control, this means they can turn on the audio, mic and speakers to communicate with children while parents aren’t around, or have undisturbed access to real-time footage from your kids’ bedroom. Clearly, this is an extremely invasive device, and its compromise leads to scary consequences. Criminals can also crash the device for break-in anonymity.”
What can be done?
The brand/model is well-known and has high volume sales in Australia. Bitdefender has disclosed this to the maker, but issues persist despite a recent firmware update.
Bitdefender says that until IoT devices can be inherently secure the best cure is a “connection box” that acts like a firewall and home network analysis device that only lets approved traffic in and out of the network.
Its “BOX” is a subscription product and after purchase is annually renewable to provide access to updates. It sits before the Wi-Fi router/cable modem so it can protect all networked devices and is compatible with any router that allows its DHCP function to be disabled.
As it protects IoT devices, it has my vote.