IoT vendor avoids outcry before bug in security cams goes public

Filip TRUȚĂ

July 31, 2018

Security cams that come with a handy mobile app are all the rage these days, especially for smart-home aficionados – you get to keep a close eye on your property while on vacation, and maybe catch a live feed of the occasional stray cat knocking over your flower pots. It’s all fine and dandy until someone finds a way to hack into your connected cam and compromise your privacy.

Security cameras have more inherent flaws in them than we’d like to believe, as one experiment by Pen Test Partners reveals. After catching wind of a vulnerability in Swann surveillance cameras reported by the BBC, the firm put together a team to peek into the product’s underpinnings and replicate the problem. Not only did they confirm the vulnerability in the Swann Smart Security Camera, but they found an altogether more disturbing flaw, and managed to access units hundreds of miles away with a simple swap of camera identifiers.

When cam owners log into the system through the (ironically named) “Safe by Swann” service, the mobile app makes a request to the server that returns the devices associated with the account. The researchers routed the app through an intercepting proxy, captured the serial numbers in that response, and, with a mix of guesswork and tinkering, replaced them with another camera’s identifier.

“We successfully switched video feeds from one camera to another through the cloud service, proving arbitrary access to anyone’s camera,” the team wrote.

The problem wasn’t so much with the hardware, as it was with the product’s cloud vendor, Ozvision.

“At this point the mobile app sees the details of someone else’s camera,” they said. “In the app, one simply presses ‘play’. This made a request to deviceWakeup using the modified serial, then the Ozvision tunnel to the device was established using the modified serial. We could then watch the camera live.”

The technicalities behind the hack are described in detail in PTP’s comprehensive post. The gist of it? In the team’s own words:

“Imagine if a malicious hacker had discovered this vulnerability and not gone through a disclosure process with the vendor? Your customer data and sensitive video feeds could have been splattered all over the internet. That could have been a PR and maybe GDPR disaster.”

PTP urges IoT vendors like Swann to not just take their partners’ word for it and check their offerings thoroughly, before allowing unwary customers to take their products online.

“Don’t confuse authentication with authorisation, it’s critical that the user can only see the content that’s intended for them. Ensure that your developers understand and practice a secure development lifecycle,” the team stresses.
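To make PTP’s authentication-versus-authorisation point concrete, here is an added example (not code from PTP, Swann or Ozvision) that models the flow the article describes: the app authenticates, fetches the account’s device list, then calls a wakeup endpoint with a camera serial. The endpoint is shown twice, once trusting the client-supplied serial after checking only that the session is valid, and once also checking server-side that the serial belongs to the caller’s account. Account names, serials, tokens and the log lines are all constructed for illustration; the `deviceWakeup`-style function names and the in-memory registry are assumptions, not the vendor’s API.

```python
"""Authentication vs authorisation for a cloud-brokered camera API.

Hypothetical model of the flow in the article; every name, serial and token
below is constructed. Nothing here is Swann's or Ozvision's code.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Account:
    username: str
    serials: set = field(default_factory=set)


# Constructed sample data: two accounts, each owning one camera.
ACCOUNTS = {
    "alice": Account("alice", {"CAM-000111"}),
    "bob": Account("bob", {"CAM-000222"}),
}
# The cloud's device registry: serial -> owning account.
CAMERAS = {"CAM-000111": "alice", "CAM-000222": "bob"}
# Session token -> username, populated by login().
SESSIONS: dict = {}


class AuthError(Exception):
    pass


class NotFound(Exception):
    pass


def login(username: str) -> str:
    """Authentication only: establishes WHO is calling (password check omitted)."""
    if username not in ACCOUNTS:
        raise AuthError("unknown account")
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token


def _caller(token: str) -> str:
    """Resolve a session token to a username or reject the request."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise AuthError("not authenticated") from None


def list_devices(token: str) -> set:
    """Step 1 from the article: the devices associated with the account."""
    return set(ACCOUNTS[_caller(token)].serials)


def device_wakeup_vulnerable(token: str, serial: str) -> str:
    """Step 2 as the article describes the original behaviour: the session is
    verified, but the client-supplied serial is trusted as-is, so any valid
    session can wake (and then tunnel to) any camera in the registry."""
    _caller(token)                       # authenticated: yes
    if serial not in CAMERAS:
        raise NotFound(serial)
    return f"tunnel:{serial}"            # authorised: never checked


def device_wakeup_hardened(token: str, serial: str) -> str:
    """Authorisation added: the serial must be owned by the CALLER's account,
    decided from the server-side registry, never from data the client sent.
    Foreign and non-existent serials get the same answer so the endpoint
    cannot be used to enumerate valid serials."""
    user = _caller(token)
    if CAMERAS.get(serial) != user or serial not in ACCOUNTS[user].serials:
        raise NotFound(serial)
    return f"tunnel:{serial}"


def wakeup_allowed(token: str, serial: str) -> bool:
    """Convenience wrapper: True only if the hardened endpoint would serve it."""
    try:
        device_wakeup_hardened(token, serial)
        return True
    except (AuthError, NotFound):
        return False


def flag_cross_account_wakeups(log_lines: list) -> list:
    """Detection aid for the cloud side: given constructed wakeup log lines of
    the form "<user> <serial>", return those where the user asked for a serial
    their own account does not own. In the real flow these are exactly the
    requests PTP's serial swap would have produced."""
    flagged = []
    for line in log_lines:
        user, serial = line.split()
        owned = ACCOUNTS[user].serials if user in ACCOUNTS else set()
        if serial not in owned:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    tok = login("alice")
    print("alice's devices:", list_devices(tok))
    print("vulnerable, foreign serial:", device_wakeup_vulnerable(tok, "CAM-000222"))
    print("hardened, foreign serial allowed?", wakeup_allowed(tok, "CAM-000222"))
    print("flagged:", flag_cross_account_wakeups(["alice CAM-000111", "alice CAM-000222"]))
```

The hardened check deliberately consults the server’s own registry rather than the device list the app received earlier: the list is just a view the server handed out, and anything the client sends back (including the serial in the wakeup call) has to be re-checked against the caller’s identity on every request. The log scanner shows the corresponding detection: a wakeup for a serial outside the caller’s account is the signal a cloud operator could have alerted on.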

Swann reportedly patched its security cams immediately after PTP notified them of the flaw in a responsible manner – i.e. without going to the press first.

For consumers, ensure your IoT hardware is always on the latest firmware version, and consider securing your smart home with a dedicated solution.
