Hackers could live-stream your home through your LifeShield security camera

Graham CLULEY

January 29, 2021

* IoT camera’s admin passwords were easy for local attackers to determine
* Once vulnerabilities had been exploited, unauthorised users could easily watch a live feed from compromised devices

Anyone buying a home security camera is probably buying it with the intention of increasing their security, not decreasing it.

And yet once again an internet-enabled CCTV camera has proven itself to be vulnerable to attack, allowing Peeping Toms to spy on unsuspecting users who believe they are safe in the privacy of their home.

Experts at Bitdefender publicly announced this month that they had found serious vulnerabilities in LifeShield home security cameras that could have allowed hackers to live-stream your home without your permission.

Upon closely examining the LifeShield home security camera (now known as Blue by ADT), Bitdefender’s researchers found that security weaknesses made it possible for a local attacker to:

  • Obtain the security camera’s administrator password, simply by knowing a camera’s MAC address.
  • Inject commands to gain root access to the device.
  • Gain unrestricted access to the camera’s audio and video feed.

In a technical white paper produced by Bitdefender, researchers explained how they were able to trick LifeShield cameras into spilling their administrator passwords:

“The doorbell periodically sends heartbeat messages to cms.lifeshield.com containing information such as the MAC address, SSID, local IP address and the wireless signal strength. After receiving such a message, the server tries to authenticate to the camera using the basic authentication scheme. This means the password for the administrator can be obtained by decoding the base64 authorization header received in this request.”

“The server seems to ignore the token and checks only the MAC address when sending a response, which allows an attacker to craft a fake request and obtain the credentials for any device.”

Once credentials have been stolen, it is trivial for an unauthorised attacker to access the camera’s web interface and use its functionality.
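The two weaknesses quoted above, as an added Python example that is not code from Bitdefender, LifeShield or ADT: Basic authentication is reversible encoding rather than encryption, and a heartbeat check that trusts only the MAC address accepts a forged message that a token-verifying check rejects. The message fields, the HMAC token scheme, the function names and all sample values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample data: the MAC address and per-device secret are made up.
DEVICE_SECRETS = {"00:11:22:33:44:55": b"constructed-per-device-secret"}
_seen_nonces = set()  # (mac, nonce) pairs already accepted, to refuse replays


def decode_basic_auth(header_value):
    """Show that a Basic Authorization header is only base64(user:password)."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def expected_token(mac, nonce):
    """Hypothetical token scheme: HMAC-SHA256 over MAC and nonce."""
    secret = DEVICE_SECRETS[mac]
    return hmac.new(secret, f"{mac}|{nonce}".encode(), hashlib.sha256).hexdigest()


def accept_heartbeat_weak(msg):
    """Behaviour the white paper describes: only the MAC address is checked."""
    return msg.get("mac") in DEVICE_SECRETS


def accept_heartbeat_hardened(msg):
    """Accept only a fresh heartbeat whose token proves knowledge of the secret."""
    mac, nonce = msg.get("mac"), str(msg.get("nonce", ""))
    if mac not in DEVICE_SECRETS or (mac, nonce) in _seen_nonces:
        return False
    token = str(msg.get("token", "")).encode()
    if not hmac.compare_digest(token, expected_token(mac, nonce).encode()):
        return False
    _seen_nonces.add((mac, nonce))
    return True


if __name__ == "__main__":
    hdr = "Basic " + base64.b64encode(b"admin:constructed-pass").decode()
    print(decode_basic_auth(hdr))
    forged = {"mac": "00:11:22:33:44:55", "token": "anything", "nonce": "n1"}
    print(accept_heartbeat_weak(forged), accept_heartbeat_hardened(forged))
```

Only after the hardened check passes should a server start any exchange that carries the device's credentials, and that exchange should not put the password itself on the wire.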

The researchers noted that attacks would be particularly effective in situations where hackers would be within close range of the same wireless network, such as multi-tenant environments and shared homes.

Bitdefender’s experts first attempted to resolve the issue by contacting the vendor at the beginning of February 2020. Unfortunately, no response was received to this or to subsequent attempts to reach out until the end of June 2020 – almost five full months later.

ADT pushed out an automatic update for vulnerable devices in mid-August 2020, and technical details of the security holes are only being published now because it is felt enough time has passed for most users to have benefited from the protection.

As ever, consumers would be wise to do their research before buying internet-enabled products, determining which vendors have a track record of reliably pushing out security updates to their products when vulnerabilities are found. In addition, it’s always a good idea to change default passwords and put different IoT devices on separate subnetworks.
