Severe Vulnerability in iBaby Monitor M6S Camera Leads to Remote Access to Video Storage Bucket

Bitdefender

February 26, 2020

Baby monitors have become increasingly common in modern homes. To many parents, the ability to keep an eye on children while away is worth the risk of having video feeds or pictures leaked to unauthorized parties.

This article – part of a series developed in partnership with PCMag – aims to shed light on the security of the world’s best-sellers in the IoT space. PCMag contacted the research team at Bitdefender and asked us to look at several popular devices, including the Belkin WeMo Switch. More information is available in this article published on PCMag.

Note:

In the spirit of responsible disclosure, this whitepaper has been published only after our best efforts to contact the vendor in order to patch or mitigate the described issues.

Update (March 12, 2020):

We’re happy to report that the iBaby team reached out to us after this paper became public. They delivered a fix for the reported issues within 24 hours. The vulnerabilities reported in the paper have been fixed as of February 29th. We would like to thank iBaby for properly handling this issue.

Vulnerabilities at a glance

While investigating the iBaby Monitor M6S camera, Bitdefender researchers identified vulnerabilities that can allow an attacker to access files in the AWS bucket, leak information through the MQTT service, which leads to remote access to the camera (CVE-2019-12268), and leak users' personal information through an Insecure Direct Object Reference (IDOR) vulnerability.

What is most troubling about the first vulnerability is that the camera uses a secret key and an access key ID to upload an alert to the cloud, and these same keys can be used for directory listing and for downloading any alert (video or picture) uploaded by any camera with alerts enabled (motion and/or sound).
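The following audit sketch is an added example, not code from the whitepaper or from iBaby. It checks whether the IAM policy behind a camera's access key is limited to uploading into that camera's own prefix. The bucket name, the device prefix and both policy documents are constructed placeholders, and it assumes an upload-only device needs nothing beyond `s3:PutObject`.

```python
import fnmatch

# Read-side S3 actions that an upload-only camera credential should never hold.
RISKY_ACTIONS = ("s3:listbucket", "s3:getobject")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_device_policy(policy, bucket, device_prefix):
    """Return findings for the IAM policy behind one camera's access key."""
    findings = []
    own_objects = f"arn:aws:s3:::{bucket}/{device_prefix}"
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            # IAM actions are case-insensitive and may contain wildcards (s3:*).
            for risky in RISKY_ACTIONS:
                if fnmatch.fnmatchcase(risky, action.lower()):
                    findings.append(f"{action} grants {risky}")
        for resource in _as_list(stmt["Resource"]):
            # Anything outside this device's own prefix reaches other users' alerts.
            if not resource.startswith(own_objects):
                findings.append(f"{resource} is not confined to {device_prefix}")
    return findings

# Constructed policies; the bucket name and device prefix are placeholders.
# SHARED_POLICY models a key that can list and download every camera's alerts.
SHARED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-alerts-bucket",
                 "arn:aws:s3:::example-alerts-bucket/*"]}]}

# SCOPED_POLICY is the corrected form: write-only, one device's prefix.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-alerts-bucket/devices/CAM123/*"}]}

if __name__ == "__main__":
    for name, pol in (("shared", SHARED_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_device_policy(pol, "example-alerts-bucket", "devices/CAM123/"))
```
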

If an attacker monitors the MQTT server when a user configures a camera, critical information will be leaked to the attacker. They could then stream video, take screenshots, record video, or play music using the obtained credentials.

Through the Insecure Direct Object Reference (IDOR) vulnerability, an attacker can craft requests to obtain the email address, name, location and profile picture of the camera owner, as well as the timestamps showing when that user accessed their camera.

Impact

Determined attackers are currently able to leverage these vulnerabilities to gain access to a user’s system and/or personal information within seconds.

More information is available in the technical whitepaper below:

Download the whitepaper
