Device in New IoT Partnership Passes Cybersecurity Stress Test with Flying Colors

Silviu STAHIE

October 07, 2021

For more than a decade, Bitdefender has extensively researched vulnerabilities that affect intelligent devices and released reports to help customers understand risks in the connected home and drive security awareness in the vendor space.

This article, part of a series developed in partnership with Tom's Guide, aims to shed light on the security of the world's best-sellers in IoT. Tom's Guide contacted the research team at Bitdefender and asked us to look at several popular devices, including the Maximus Answer DualCam Video Doorbell. More information is available in this article published on our partner's website.

Bitdefender's researchers scrutinized the Maximus Answer DualCam Video Doorbell and found that it's actually pretty secure. And that's something that we can rarely say about the devices we investigate.

Video doorbells capture a lot of valuable and sometimes private data, so it's easy to see why they would be prime targets for attackers. Bitdefender looked at other similar devices, including a version of Amazon's Ring doorbell, and the picture wasn't pretty.

One of the problems with modern IoT devices is that companies rush them out the factory door, security be damned. Manufacturers flood the market with poor-security IoT devices, and people are all too happy to buy them with little to no regard for their privacy.

Everything but the kitchen sink

The Maximus Answer DualCam Video Doorbell is a two-camera IoT device with night vision capabilities and a 180-degree view, letting users monitor both the people who come to the door and any packages they leave.

Assume you're a hacker aiming to compromise this camera. You will have a tough time. First of all, most of the communication takes place through OpenVPN, which is secure against tampering and eavesdropping.

But while you're tampering with the device, you notice that the server certificate is not verified. In theory, an attacker could impersonate the server, but that's not possible without the ta.key file (to authenticate TLS connections) and some way to convince the camera to connect to another server.

Since the camera doesn't verify the server certificate, an attacker could, technically, intercept the logs through a man-in-the-middle attack. But since the logs contain no sensitive information, it would be almost pointless.
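The two properties discussed above can be checked in any OpenVPN client configuration. The following audit is an added example, not part of Bitdefender's research and not the camera's actual configuration; it assumes the finding maps to the standard OpenVPN directives for server certificate checks (`remote-cert-tls`, `verify-x509-name` and similar) and for the ta.key control-channel key (`tls-auth`, `tls-crypt`). The sample configs, host name and finding labels are constructed.

```python
# Directives that make an OpenVPN client check which certificate the server presents.
SERVER_VERIFY = {"remote-cert-tls", "verify-x509-name", "remote-cert-eku",
                 "remote-cert-ku", "peer-fingerprint", "tls-verify"}
# Directives that protect the TLS control channel with a pre-shared key (ta.key).
CONTROL_CHANNEL_KEY = {"tls-auth", "tls-crypt", "tls-crypt-v2"}

def parse_directives(text):
    """Return {directive: [args]} for a config, counting inline <blocks> as present."""
    found, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                              # inside <ca> ... </ca> style block
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":         # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            found[inline] = []
            continue
        parts = line.split()
        found[parts[0]] = parts[1:]
    return found

def checks_server_cert(d):
    """True if the client restricts which certificate may act as the server."""
    if d.get("remote-cert-tls") == ["server"]:
        return True
    return bool(d.keys() & (SERVER_VERIFY - {"remote-cert-tls"}))

def audit_client(text):
    """Return a list of finding labels (labels are this example's own)."""
    d = parse_directives(text)
    findings = []
    if not checks_server_cert(d):
        findings.append("no-server-cert-check")
    if not d.keys() & CONTROL_CHANNEL_KEY:
        findings.append("no-control-channel-key")
    return findings

# Constructed sample: ta.key is in use, but the server certificate is not checked.
WEAK = """client
remote vpn.example.com 1194
ca ca.crt
cert device.crt
key device.key
tls-auth ta.key 1
"""
# Constructed sample: same config with the server certificate checks added.
HARDENED = WEAK + "remote-cert-tls server\nverify-x509-name vpn.example.com name\n"
```

In the weak sample the `tls-auth` key is the only barrier against a rogue server, which matches the situation the article describes; the hardened sample no longer depends on that key staying secret.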

Fine, you'll force the camera to check for a firmware update and serve a tainted firmware through a man-in-the-middle attack. Unfortunately, the firmware is signed, and the camera would discard the new firmware due to a signature mismatch.

The next move is to check for open ports, but that's also a no-go. The manufacturers took the time to implement iptables rules properly.

Maybe compromising the Bluetooth connection with the Kuna app is the way to go, but the communication is secure. It turns out that the Bluetooth connection can be established at any time to change the Wi-Fi network, but only the camera owner can initiate it.

That leaves direct hardware access as the last point of entry. You quickly notice that the UART serial connection is exposed, and you can stop the boot process by shorting the TX and RX pins. The bootloader will ask for a password, which is unknown, putting a stop to your efforts.

Conclusion

This is just a small part of Bitdefender's investigation into this doorbell, in partnership with Tom's Guide, which aims to shed light on the security of the world's best-sellers in the IoT space. You can check out the full investigation to see the entire process.

We don't often encounter devices that can stand up to such scrutiny, but the investigation provides insight into what hackers would have to go through when they try to make our digital world less secure.
