3 min read

Device in New IoT Partnership Passes Cybersecurity Stress Test with Flying Colors

Silviu STAHIE

October 07, 2021

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Device in New IoT Partnership Passes Cybersecurity Stress Test with Flying Colors

For more than a decade, Bitdefender has extensively researched vulnerabilities that affect intelligent devices and released reports to help customers understand risks in the connected home and drive security awareness in the vendor space.

This article, part of a series developed in partnership with Tom's Guide, aims to shed light on the security of the world's best-sellers in IoT. Tom's Guide contacted the research team at Bitdefender and asked us to look at several popular devices, including the Maximus Answer DualCam Video Doorbell. More information is available in this article published on our partner's website.

Bitdefender's researchers scrutinized the Maximus Answer DualCam Video Doorbell and found that it's actually pretty secure. And that's something that we can rarely say about the devices we investigate.

Video doorbells capture a lot of valuable and sometimes private data, so it's easy to see why it would be a prime target for attackers. Bitdefender looked at other similar devices, including a version of Amazon's Ring doorbell, and the picture wasn't pretty.

One of the problems with modern IoT devices is that companies rush them out the factory door, security be damned. Manufacturers flood the market with poor-security IoT devices, and people are all too happy to buy them with little to no regard for their privacy.

Everything but the kitchen sink

The Maximus Answer DualCam Video Doorbell is a two-camera IoT device with night vision capabilities and a 180-degree view, letting users monitor both the people who come to the door and any packages they leave.

Assume you're a hacker aiming to compromise this camera. You will have a tough time. First of all, most of the communication takes place through OpenVPN, which is secure against tampering and eavesdropping.

But while you're tampering with the device, you notice that the server certificate is not verified. In theory, an attacker could impersonate the server, but that's not possible without the ta.key file (to authenticate TLS connections) and some way to convince the camera to connect to another server.

Since the camera doesn't verify the server certificate, an attacker could, technically, intercept the logs through a man-in-the-middle attack. But since the logs contain no sensitive information, it would be almost pointless.

Fine, you'll force the camera to check for a firmware update and serve a tainted firmware through a man-in-the-middle attack. Unfortunately, the firmware is signed, and the camera would discard the new firmware due to a signature mismatch.

The next move is to check for open ports, but that's also a no-go. The manufacturers took the time to implement iptables rules properly.

Maybe compromising the Bluetooth connection with the Kuna app is the way to go, but the communication is secure. It turns out that the Bluetooth connection can be established at any time to change the Wi-Fi network, but only the camera owner can initiate it.

That leaves direct hardware access as the last point of entry. You quickly notice that UART serial connection is exposed, and you can stop the boot process by shorting the TX and RX pins. The bootloader will ask for a password, which is unknown, putting a stop to your efforts.

Conclusion

This is just a small part of Bitdefender's investigation into this doorbell, in partnership with Tom's Guide, which aims to shed light on the security of the world's best-sellers in the IoT space. You can check out the full investigation to see the entire process.

We don't often encounter devices that can stand up to such scrutiny, but the investigation provides insight into what hackers would have to go through when they try to make our digital world less secure.

tags


Author



Right now

Top posts

What is medical identity theft and how to protect against it

What is medical identity theft and how to protect against it

July 27, 2022

2 min read
Curious about Omegle? Here’s how the roulette-style chat platform can threaten your online privacy and security

Curious about Omegle? Here’s how the roulette-style chat platform can threaten your online privacy and security

July 07, 2022

5 min read
Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside

Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside

June 28, 2022

2 min read
Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online

Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online

June 28, 2022

3 min read
Bitdefender Reveals the Top Cyber Threats Faced by Consumers in 2021

Bitdefender Reveals the Top Cyber Threats Faced by Consumers in 2021

June 22, 2022

1 min read
Scam alert: Cybercrooks use shady investment domain to scam keen investors out of money and data

Scam alert: Cybercrooks use shady investment domain to scam keen investors out of money and data

May 24, 2022

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Sophisticated Smishing Attack on Twilio Leads to Employee Credential Leak and Data Breach Sophisticated Smishing Attack on Twilio Leads to Employee Credential Leak and Data Breach
Silviu STAHIE

August 09, 2022

1 min read
Attackers Hit German Chambers of Industry and Commerce; All Digital Services Down Attackers Hit German Chambers of Industry and Commerce; All Digital Services Down
Silviu STAHIE

August 05, 2022

1 min read
Slope Wallets Blamed for $6 Million Solana Hack Slope Wallets Blamed for $6 Million Solana Hack
Silviu STAHIE

August 04, 2022

1 min read