Hackers can turn ‘rogue’ webcam into ‘a full-fledged spying tool’

The camera is designed to be part of a home surveillance system. It can operate as a remote-controllable security camera or be used as a baby monitor. However, security firm Bitdefender found the device itself is severely lacking in security. It poses immediate privacy and data protection risks to users and the other devices on their home networks.
When started up, the camera creates a private Wi-Fi network which the companion smartphone app connects to. Once the network link has been established, the phone sends across the credentials for the user’s home Wi-Fi network, giving the camera direct access to the Internet.
It’s at this point, during the initial setup procedure, that the problems begin. The camera’s firmware places no protection around the data it is sent. The private Wi-Fi network is unsecured and the username and password for the home network are transmitted in plain text. An attacker could hijack the camera’s hotspot and steal the Wi-Fi password.
A similarly lax approach to security is taken with the remote control features. The user can connect to the camera over the Internet to monitor their home. Again, though, the account credentials aren’t protected: the username and password are sent in plain text, exposing the information needed to access the device.

Attackers don’t even need to go this far, however. Every camera has the same default username and password. Although it can be changed by the user, most customers are unlikely to create their own credentials. Hackers could find the pre-set account details online and use them to access the camera. This kind of vulnerability recently allowed cybercriminals to link hundreds of thousands of IoT devices together and knock much of the U.S. Internet offline.
There’s even worse to come for the manufacturer of the device. The authentication used when the camera tries to contact its paired phone is so weak that hackers could gain complete control of the product.
The way in which devices are registered allows attackers to identify their own camera as that of a stranger. By stealing the username and password, the attacker then obtains full access in the mobile app and could use all of the device’s features to spy on users and record conversations.
“Anyone can use the app, just as the user would,” said George Cabau, an antimalware researcher at Bitdefender. “This means turning on audio, mic and speakers to communicate with children while parents aren’t around or having undisturbed access to real-time footage from your kids’ bedroom. Clearly, this is an extremely invasive device, and its compromise leads to scary consequences.”
Bitdefender has followed its usual disclosure policies throughout the course of its investigation. As such, it has published its findings 30 days after it reported them to the well-known manufacturer. The company has not yet released an update though, most likely due to the wide-ranging nature of the flaws. Bitdefender will not reveal the vendor’s identity until a patch is available for customers, protecting users from hackers.
Bitdefender advised customers to thoroughly research the manufacturer’s privacy record before buying a new IoT device. It suggested the use of specially-designed IoT sandbox software that can isolate potentially vulnerable devices and mitigate some common risks. However, it joined the growing calls for IoT products to do more to defend themselves, noting that awareness needs to be raised “on the serious consequences of security-neglected IoT devices.”
