Security researchers have uncovered major security flaws in yet another brand of IoT cameras, meaning hackers could remotely spy on users or even turn the devices into a Mirai-style botnet to launch DDoS attacks.
Bitdefender claimed in a new report that the unnamed smart camera network, which can be used for home surveillance or as a baby monitor, creates a wireless hotspot during set-up which the related app then connects to automatically.
However, the hotspot is open, with no password required.
During set-up, the app also asks the user to enter the credentials of their home network, which it transmits to the device. However, the network credentials are sent in plain text from the mobile app to the device – another security oversight.
Finally, data sent between application, device and server is simply encoded, not encrypted, according to the report.
Attackers can gain control of the cameras through the app because device authentication is based exclusively on the MAC address.
“Every time it starts and at regular intervals, the device sends a UDP message to the authentication server, containing device data, an ID number represented by the MAC address and a 36-character code. However, the cloud server does not verify the code, it trusts the device’s MAC address to perform the authentication,” the report explained.
“Consequently, an attacker can register a different device, with the same MAC address, to impersonate the genuine one. The server will communicate with the device that registered last, even if it’s rogue. So will the mobile app. This way, attackers can capture the webcam’s new password, if the user changes the default one.”
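The registration weakness described in the report, modelled next to a hardened alternative, as an added example that is not code from Bitdefender or the vendor. The class names, the per-device key and the nonce-based HMAC proof are assumptions chosen for illustration; the MAC, key and addresses are constructed sample values.

```python
import hashlib
import hmac
import secrets

def device_proof(key: bytes, mac: str, nonce: bytes) -> bytes:
    """HMAC over a fresh server nonce and the MAC, keyed with the per-device secret."""
    return hmac.new(key, nonce + mac.encode(), hashlib.sha256).digest()

class MacOnlyRegistry:
    """Behaviour described in the report: the MAC alone identifies a device."""
    def __init__(self):
        self.endpoints = {}
    def register(self, mac, code, addr):
        self.endpoints[mac] = addr  # code is ignored, so the last registration wins
        return True

class VerifyingRegistry:
    """Hardened model: registration requires proof of a per-device key."""
    def __init__(self, device_keys):
        self.device_keys = device_keys  # MAC -> key set at manufacture (assumption)
        self.pending = {}               # MAC -> outstanding single-use nonce
        self.endpoints = {}
    def challenge(self, mac):
        self.pending[mac] = secrets.token_bytes(16)
        return self.pending[mac]
    def register(self, mac, proof, addr):
        key = self.device_keys.get(mac)
        nonce = self.pending.pop(mac, None)  # consume the nonce: a proof cannot be replayed
        if key is None or nonce is None:
            return False
        if not hmac.compare_digest(device_proof(key, mac, nonce), proof):
            return False
        self.endpoints[mac] = addr
        return True

def demo():
    mac, key = "02:00:00:00:00:01", b"constructed-device-key"  # constructed sample values
    genuine, other = ("198.51.100.10", 40000), ("203.0.113.7", 40000)
    weak = MacOnlyRegistry()
    weak.register(mac, "code-from-genuine-device", genuine)
    weak.register(mac, "unchecked", other)  # second claim on the same MAC is accepted
    strong = VerifyingRegistry({mac: key})
    strong.register(mac, device_proof(key, mac, strong.challenge(mac)), genuine)
    bad = device_proof(b"not-the-key", mac, strong.challenge(mac))
    rejected = not strong.register(mac, bad, other)
    return weak.endpoints[mac], strong.endpoints[mac], rejected

if __name__ == "__main__":
    print(demo())
```

The proof is bound to a fresh nonce because the report says traffic is only encoded, not encrypted: a static code that the server merely compared could be captured on the wire and reused.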
Another way to grab the password is by taking advantage of the camera’s push notifications.
Users can choose to get video alerts on their smartphone when the camera detects suspicious sound or movement. But when the user opens the app to view the alert, the app authenticates on the device using the highly insecure Basic Access Authentication mechanism.
Thus, the new password is sent unencrypted to the hacker-controlled webcam.
By stealing the authentication credentials in this way, hackers can use the app just as the user would, meaning they can turn on audio and cameras and spy in real time on the user’s home.
The camera network also allows for injection attacks.
“An attacker can perform an HTTP request to set up another NTP server address. Because the new value isn’t verified, any malicious command can be inserted and automatically executed, causing the device to crash, for instance,” Bitdefender claimed.
This means a hacker could remotely control the devices in a similar way to the Mirai malware which caused so much damage to DNS provider Dyn last month.
Bitdefender claims the vendor in question is working on a firmware fix, hence the omission of its name.