Florida Tech Students Reveal Security Flaws in 16 Popular Internet-Based Security and Doorbell Cameras

A team of computer science students from Florida Tech has discovered privacy flaws in popular IoT devices, including Internet-enabled doorbells and security cameras.

In their paper, “Never Ending Story: Authentication and Access Control Design Flaws in Shared IoT Devices”, the researchers evaluated the “challenges of credential revocation and access control list modifications in a shared IoT ecosystem,” revealing vulnerabilities in 16 popular security cameras and doorbells that let a previously shared user keep access even after the owner changes the account’s credentials or revokes the share.

During their tests, the team observed that removing a user from a shared device does not terminate that user’s existing sessions. An attacker who was once legitimately granted access could therefore keep it after it is revoked, continuing to record audio and video without the owner’s knowledge.

In their example of a straightforward attack, the researchers posit a couple who share a residence and then separate. While together, subjects A and B set up two separate accounts on their security camera system. After the split, the device owner (A) revokes B’s access. A receives a message confirming that the API has removed B’s access, and B can indeed no longer contact the API to obtain new tokens, yet B remains connected to the camera’s live feed using the token already held.

The ability to retain device access after a credential change or access revocation was reproduced on 16 of the 19 popular IoT cameras and doorbells tested, including: Blink Camera, Canary Camera, D-Link Camera, Geeni Mini Camera, Doorbell and Pan/Tilt Camera, Merkury Camera, Momentum Axel Camera, Nest Camera Current and Doorbell Current, NightOwl Doorbell, Ring Pro Doorbell Current and Standard Doorbell Current, SimpliSafe Camera and Doorbell, and TP-Link Kasa Camera.

Additionally “4 of the 19 devices permitted access to IoT API servers after a password change,” researchers said. “When a device owner explicitly revokes access, they falsely assume that revocation propagates to both the API and the low-latency content servers.”

However, in 10 devices, “the device owner only revokes access to the API,” the paper reads. “Revocation to low-latency content servers does not occur for the hours or days until the content-server authentication token expires.”
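The revocation gap described in the separation scenario and in the two quotes above can be reproduced in a small simulation. The following is an added example written for this article, not code from the paper or from any vendor studied: an owner-facing API server holds the device ACL and mints long-lived signed tokens for a low-latency content server, and the content server either trusts signature and expiry alone (the flaw) or also consults the API’s revocation list (the fix). The token format, class names, the 24-hour TTL and the HMAC signing key are all assumptions made for the illustration.

```python
# Added example: revocation that stops at the API versus revocation that
# propagates to the content server. Everything here (token layout, TTL,
# key, device and user names) is constructed for illustration only.
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"demo-shared-secret"  # constructed for the demo; never hard-code a real key


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthAPI:
    """Owner-facing API: keeps the device ACL and issues content-server tokens."""

    def __init__(self, token_ttl: int = 24 * 3600):
        self.token_ttl = token_ttl   # assumed "hours or days" lifetime of a content token
        self.acl = {}                # device_id -> set of authorised users
        self.issued = {}             # (device_id, user) -> set of live token ids
        self.revoked_jti = set()     # token ids invalidated before their expiry

    def share(self, device_id: str, user: str) -> None:
        self.acl.setdefault(device_id, set()).add(user)

    def issue_token(self, device_id: str, user: str, now=None):
        """Mint a signed token for the content server, or None if user is not on the ACL."""
        if user not in self.acl.get(device_id, set()):
            return None
        now = time.time() if now is None else now
        jti = hashlib.sha256(f"{device_id}|{user}|{now}".encode()).hexdigest()[:16]
        claims = {"dev": device_id, "sub": user, "exp": now + self.token_ttl, "jti": jti}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
        self.issued.setdefault((device_id, user), set()).add(jti)
        return f"{body}.{sig}"

    def revoke(self, device_id: str, user: str) -> None:
        """Remove the user from the ACL and mark every token issued to them as revoked."""
        self.acl.get(device_id, set()).discard(user)
        self.revoked_jti |= self.issued.pop((device_id, user), set())


class ContentServer:
    """Low-latency feed server. Both variants verify signature, device and expiry;
    only the hardened variant (check_revocation=True) also asks the API whether
    the token has been revoked, which is what propagates the owner's revocation."""

    def __init__(self, api: AuthAPI, check_revocation: bool):
        self.api = api
        self.check_revocation = check_revocation

    def verify(self, token, device_id: str, now=None) -> bool:
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
            expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(_unb64(sig), expected):
                return False
            claims = json.loads(_unb64(body))
        except (ValueError, AttributeError):
            return False  # malformed token
        if claims["dev"] != device_id or claims["exp"] < now:
            return False
        if self.check_revocation and claims["jti"] in self.api.revoked_jti:
            return False
        return True


def separation_scenario(propagate_revocation: bool):
    """Owner A shares a camera with B, then revokes B one hour before we re-check.
    Returns (B can mint a new token, B's old token still opens the feed)."""
    t0 = 1_700_000_000.0                      # fixed clock so the run is deterministic
    api = AuthAPI()
    feed = ContentServer(api, check_revocation=propagate_revocation)
    api.share("cam-1", "A")
    api.share("cam-1", "B")
    b_token = api.issue_token("cam-1", "B", now=t0)
    assert feed.verify(b_token, "cam-1", now=t0)   # B watches while still shared
    api.revoke("cam-1", "B")                        # A removes B; API confirms
    can_refresh = api.issue_token("cam-1", "B", now=t0 + 60) is not None
    still_streaming = feed.verify(b_token, "cam-1", now=t0 + 3600)
    return can_refresh, still_streaming


if __name__ == "__main__":
    print("API-only revocation:   ", separation_scenario(False))  # (False, True)
    print("Propagated revocation: ", separation_scenario(True))   # (False, False)
```

In the API-only configuration B cannot obtain a fresh token but the token already held keeps working until its 24-hour expiry, which is exactly the window the paper describes. Consulting a revocation list on every content request is one fix; issuing content tokens with a lifetime of minutes and forcing frequent refresh through the API is the other common one, and the two can be combined.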

The high demand for and rapid expansion of IoT have their drawbacks. IoT products are widely known for weak authentication and access control designs, and many developers struggle to patch and mitigate security flaws that slip past initial testing. The vendors were informed of the vulnerabilities and given strategies to mitigate them.
