
Severe Vulnerability in iBaby Monitor M6S Camera Leads to Remote Access to Video Storage Bucket

Bitdefender

February 26, 2020


Baby monitors have become increasingly common in modern homes. To many parents, the ability to keep an eye on children while away is worth the risk of having video feeds or pictures leaked to unauthorized parties.

This article – part of a series developed in partnership with PCMag – aims to shed light on the security of the world’s best-sellers in the IoT space. PCMag contacted the research team at Bitdefender and asked us to look at several popular devices, including the Belkin WeMo Switch. More information is available in this article published on PCMag.

Note:

In the spirit of responsible disclosure, this whitepaper has been published despite our best efforts to contact the vendor and get in touch so that the described issues could be patched or mitigated.

Update (March 12, 2020):

We’re happy to report that the iBaby team reached out to us after this paper became public. They delivered a fix for the reported issues within 24 hours. The vulnerabilities reported in the paper have been fixed as of February 29th. We would like to thank iBaby for properly handling this issue.

Vulnerabilities at a glance

While investigating the iBaby Monitor M6S camera, Bitdefender researchers identified vulnerabilities that allow an attacker to access files in the AWS bucket, to leak information through the MQTT service that leads to remote access to the camera (CVE-2019-12268), and to leak personal information of users through an Indirect Object Reference (IDOR) vulnerability.

What is most troubling about the first vulnerability is that the camera uses a secret key and an access key ID to upload an alert to the cloud. These same keys can be used for directory listing and for downloading any alert (video or picture) uploaded by any camera with alerts enabled (motion and/or sound).
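The defensive shape that device upload credentials should have, as an added illustration that is not from this advisory or from iBaby: a constructed over-broad IAM policy beside a per-device scoped one, and a small audit that flags the grants which let anyone holding an embedded key list or download every alert in the bucket. The bucket name and the `${aws:username}` per-device prefix scheme are assumptions.

```python
# Actions that a shared, firmware-embedded upload credential must never carry:
# with any of these, the key can enumerate and download every alert in the
# bucket instead of only writing its own.
READ_ACTIONS = {"s3:listbucket", "s3:getobject", "s3:*", "*"}
ARN_PREFIX = "arn:aws:s3:::"

# Constructed example policies (not the vendor's); the bucket name is a placeholder.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*",
                   "Resource": ["arn:aws:s3:::example-alert-bucket",
                                "arn:aws:s3:::example-alert-bucket/*"]}],
}

# Hardened form: one IAM principal per device, write-only, confined to its own prefix.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                   "Resource": "arn:aws:s3:::example-alert-bucket/${aws:username}/*"}],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_device_policy(policy):
    """Return findings for a policy attached to credentials shipped inside a device."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() in READ_ACTIONS:
                findings.append(f"action {action} lets the key list or download any alert")
        for res in _as_list(stmt.get("Resource", [])):
            path = res[len(ARN_PREFIX):] if res.startswith(ARN_PREFIX) else res
            if path == "*":
                findings.append(f"resource {res} is not limited to one bucket")
                continue
            bucket, _, key_pattern = path.partition("/")
            # "<bucket>/*" grants every object; a device should only see its own prefix.
            if key_pattern == "*":
                findings.append(f"resource {res} covers every object, not a per-device prefix")
    return findings


def is_safe_for_device(policy):
    """True when the policy is write-only and scoped to a per-device prefix."""
    return audit_device_policy(policy) == []
```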

If an attacker monitors the MQTT server when a user configures a camera, critical information will be leaked to the attacker. They could then stream video, take screenshots, record video, or play music using the obtained credentials.


Through the Indirect Object Reference (IDOR) vulnerability, an attacker can craft requests to obtain the email address, name, location and profile picture of the camera owner, as well as the timestamps showing when that user accessed their camera.

Impact

Determined attackers are currently able to leverage these vulnerabilities to gain access to a user’s system and/or personal information within seconds.

More information is available in the technical whitepaper below:

Download the whitepaper
