Reflecting the growing number of internet of things (IoT) devices hitting the market without adequate protection, researchers have succeeded in hacking a Motorola Focus 73 outdoor security camera.
The crew at Context Information Security were able to gain access to a home network’s Wi-Fi password, obtaining full control of the pan-tilt-zoom controls and redirecting the video feed and movement alerts.
“This is one more example of an IoT product getting to market with little attention being paid to security,” said Neil Biggs, head of research at Context, in a blog. “The benefits of these security cameras are clear but it rather defeats the object if they are also open to compromise. The message is clear; companies wanting to get on the IoT bandwagon need to design in security from the outset.”
The Motorola IP camera, manufactured by Binatone, offers cloud connectivity via the Hubble service, hosted by Amazon Elastic Compute Cloud. This allows customers to watch and control their cameras remotely as well as receive movement alerts through a free mobile app.
Context researchers found that during set up, the private Wi-Fi security key is transmitted unencrypted over an open network, using only basic HTTP Authentication with username “camera” and password “000000,” while a number of legacy webpages on the camera revealed that the device is based on the same hardware as a legacy baby monitor product.
With detailed investigation, the researchers obtained root access to the camera—the root password was “123456.” Further digging provided access to the home network Wi-Fi password in plaintext as well as factory wireless credentials for secure test networks.
Even more surprisingly, they were able to access credentials for the developers’ Gmail, Dropbox and FTP accounts. The device's logs, accessible via the open web interface, also contained the AES encryption key for the remote control messages and FTP credentials for video clip storage. Furthermore, the researchers were able to install their own malicious firmware as it wasn’t secured or checked for validity.
The camera uses the STUN (Session Traversal Utilities for NAT) protocol to maintain communications with the Hubble server and control the camera. Armed with the AES key, Context was able to access encrypted commands sent from the cloud to the camera and re-create them to initiate instructions such as start recording, change video server, move left and reboot.
Once the researchers had established control of the camera they were also able to subvert and redirect the Hubble DNS configuration to receive a feed of movement alert JPEG images and video clips, normally only available to paying customers of the Hubble service. As the media is sent unencrypted, it was possible to store uploads for review at a later time.
To fix the issue, new firmware has been released to camera users by Hubble via an automatic update.
“Hubble Connected has fully patched the vulnerability to ensure that the reported bug is addressed,” said Brendan Gibb, CISO at Hubble. “This firmware will be released on 2 February 2016 to all affected cameras.”
He added, “It is my understanding that this addresses the most serious concern to public safety and reduces risk that our cameras are used by a third-party. The Hubble brand remains committed to ensuring our products and customers are safe from compromise and we remain ready to address problems that are found and reported by security researchers. Thanks to Context Information Security for raising the concern to our attention and providing us with sufficient time to address the vulnerability.”
Photo © Mrs_ya