Abode IoT Security Camera Vulnerabilities Would Let Attackers Insert Images, Bitdefender Finds

Silviu STAHIE

December 21, 2021

Bitdefender's security researchers have identified several vulnerabilities in the Abode IOTA Smart Camera that would permit attackers to inject their own media into the timeline, obtain the devices' geographical location, and more.

It's difficult to argue against the usefulness of security cameras, but customers have to be aware that the cameras also make their smart home a target. The IoT ecosystem is full of vulnerable devices, and criminals have steadily shifted their attention towards this ever-growing industry. More and more people buy IoT devices but don't always secure them, keep them up to date, or even check whether the manufacturer still provides support.

Smart security cameras are all the more dangerous because they offer unique insight into people's lives when compromised. They're also prime targets for attackers looking for vulnerable IoT devices.

Hardcoding credentials is a no-no

The Abode IOTA Smart Camera uses the XMPP protocol with authentication to communicate with the cloud, which in itself is unusual. XMPP is rarely used for this, and the reason the manufacturer chose this protocol is unclear.

"To configure them from a blank state, the devices connect to the setup.goabode.com XMPP service to receive the configuration parameters," say the Bitdefender researchers. "Those parameters include the XMPP credentials to use after configuration."

"The XMPP credentials are the MAC address of the device (that forms the username) and a random password. However, because the device does not know this password before it's configured, to connect to the setup server it uses a hardcoded one."

Furthermore, while the XMPP connection is protected by TLS, the device does not validate the server's certificate, which means man-in-the-middle attacks are possible: an attacker in that position can inject arbitrary commands and take control of the device. The firmware upgrade channel shares the same weakness.
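The certificate-validation failure above is a configuration mistake that is easy to reproduce and easy to audit. The following Python example, added here and not taken from the Abode firmware or the Bitdefender research, builds two `ssl.SSLContext` objects: one that mirrors the weak configuration the article describes (TLS for transport, no certificate or hostname check) and one hardened as a device client should be. The `audit_context` helper returns the list of weaknesses it finds, which is the kind of check a firmware reviewer can run against any client context. The optional `ca_bundle` parameter, which lets a device trust only the vendor's own CA, is an assumption about how a fix could be deployed, not something the page describes.

```python
import ssl
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """Constructed illustration of the weak configuration described in the article:
    TLS is negotiated, but the server certificate is never validated, so any
    on-path party presenting any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Order matters: hostname checking must be disabled before verify_mode can be CERT_NONE.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client context a device should use for its cloud (XMPP/HTTPS/firmware) connections.
    If ca_bundle is given (assumed path to the vendor's own CA certificate), only that
    CA is trusted; otherwise the platform's default trust store is used."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse legacy protocol versions
    ctx.check_hostname = True                      # certificate must match the server name
    ctx.verify_mode = ssl.CERT_REQUIRED            # certificate chain must validate
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    else:
        ctx.load_default_certs()
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return human-readable findings for a client TLS context; empty list means no issue found."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not required/validated")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are accepted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        issues = audit_context(ctx)
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

The same audit applies to the firmware-update client: a download over TLS is only as trustworthy as the certificate check behind it, and a device that skips validation there will accept whatever image an on-path party serves. Pinning to the vendor's CA (the `ca_bundle` path) additionally removes public CAs from the trust decision, which is appropriate for a device that only ever talks to one operator.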

Making matters worse, while the image upload process uses HTTPS, the file is uploaded without authentication.

"The reporting ID is then used by the API to identify the account the media belongs to. If an attacker knows the reporting ID, together with the MAC address associated with it, they can upload any media to this API, and it will appear in the timeline of the device," the researchers add. Obtaining the ID is also a trivial matter.
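The upload API as described accepts media on the strength of two identifiers, the reporting ID and the MAC address, neither of which is a secret. The Python example below is an added illustration, not Abode's API or Bitdefender's code, of how a server-side check can bind each upload to a per-device secret instead. It assumes a device registry keyed by reporting ID, a secret provisioned to each device during setup, and the header names `X-Reporting-Id`, `X-Device-Mac`, `X-Timestamp` and `X-Signature`; all of these are assumptions made for the example. A request that carries only the correct identifiers is rejected, a signed request is accepted once within a time window, and a replay of the same signed request is refused.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Set

# Constructed device registry: reporting ID -> MAC and per-device secret.
# In a real deployment the secret would be provisioned during setup over a
# certificate-validated channel and stored only server-side; these values are made up.
DEVICE_REGISTRY: Dict[str, Dict[str, str]] = {
    "rep-0001": {"mac": "00:11:22:33:44:55", "secret": "example-device-secret-not-real"},
}
MAX_SKEW_SECONDS = 300          # reject requests whose timestamp is too far from server time
SEEN_SIGNATURES: Set[str] = set()  # replay cache; a production service would expire entries


def canonical_string(reporting_id: str, mac: str, timestamp: int, body: bytes) -> bytes:
    """Bind identity, time and the exact media bytes into the signed string."""
    body_digest = hashlib.sha256(body).hexdigest()
    return f"{reporting_id}\n{mac}\n{timestamp}\n{body_digest}".encode()


def sign_upload(secret: str, reporting_id: str, mac: str, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 the device computes over the upload with its provisioned secret."""
    return hmac.new(secret.encode(), canonical_string(reporting_id, mac, timestamp, body),
                    hashlib.sha256).hexdigest()


def authorize_upload(headers: Dict[str, str], body: bytes, now: Optional[float] = None) -> bool:
    """Server-side decision: True only if the upload is signed by the registered device,
    fresh, and not previously seen."""
    now = time.time() if now is None else now
    reporting_id = headers.get("X-Reporting-Id")
    mac = headers.get("X-Device-Mac")
    ts = headers.get("X-Timestamp")
    sig = headers.get("X-Signature")
    if not all([reporting_id, mac, ts, sig]):
        return False                                    # identifiers alone are not enough
    device = DEVICE_REGISTRY.get(reporting_id)
    if device is None or not hmac.compare_digest(device["mac"], mac):
        return False
    try:
        ts_int = int(ts)
    except ValueError:
        return False
    if abs(now - ts_int) > MAX_SKEW_SECONDS:
        return False                                    # stale or future-dated
    expected = sign_upload(device["secret"], reporting_id, mac, ts_int, body)
    if not hmac.compare_digest(expected, sig):
        return False                                    # wrong secret or tampered body
    if sig in SEEN_SIGNATURES:
        return False                                    # replay of an already-accepted upload
    SEEN_SIGNATURES.add(sig)
    return True


def signed_headers(reporting_id: str, timestamp: int, body: bytes) -> Dict[str, str]:
    """Helper that plays the legitimate device: produce the headers it would send."""
    device = DEVICE_REGISTRY[reporting_id]
    return {
        "X-Reporting-Id": reporting_id,
        "X-Device-Mac": device["mac"],
        "X-Timestamp": str(timestamp),
        "X-Signature": sign_upload(device["secret"], reporting_id, device["mac"], timestamp, body),
    }


if __name__ == "__main__":
    now = int(time.time())
    media = b"\xff\xd8constructed-jpeg-bytes"        # constructed sample body
    print("signed:", authorize_upload(signed_headers("rep-0001", now, media), media))
    print("ids only:", authorize_upload(
        {"X-Reporting-Id": "rep-0001", "X-Device-Mac": "00:11:22:33:44:55"}, media))
```

The design choice worth noting is that the MAC address and reporting ID still appear in the request, but only as lookup keys; the authorization decision rests on the HMAC, which an attacker cannot produce without the per-device secret. The timestamp window and replay cache prevent a captured, validly signed upload from being resubmitted later, which matters for a timeline feature where re-inserting an old image is itself a form of tampering.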

Finally, it turns out that the device sends other information besides the ID, including the device's geographical coordinates.

Bitdefender initially contacted the vendor on May 19, 2020, but the manufacturer pushed the update for the affected devices to customers on Dec. 7, 2021.

You can check out the "Vulnerabilities Identified in the Abode IOTA Smart Camera: Fake Image Injection into Timeline" whitepaper for a full breakdown of the device and its security issues:

Download the research whitepaper
