IoT vendor avoids outcry before bug in security cams goes public

Security cams that come with a handy mobile app are all the rage these days, especially for smart-home aficionados – you get to keep a close eye on your property while on vacation, and maybe catch a live feed of the occasional stray cat knocking over your flower pots. It’s all fine and dandy until someone finds a way to hack into your connected cam and compromise your privacy.

Security cameras have more inherent flaws in them than we’d like to believe, as one experiment by Pen Test Partners reveals. After catching wind of a vulnerability reported by the BBC in Swann surveillance cameras, the firm put together a savvy-motivated team to peek into the product’s underpinnings and replicate the problem. Not only did they confirm the vulnerable nature of the Swann Smart Security Camera, but they found an altogether more disturbing flaw, and managed to access units hundreds of miles away with a simple swap of camera identifiers.

When cam owners log into the system through (ironically) the “Safe by Swann” service, the mobile app makes a request to the server – a request that returns the devices associated with the account. When researchers connected through a proxy and intercepted the serial numbers, they then used part guesswork part hackery to alter them with another camera’s identifier.

“We successfully switched video feeds from one camera to another through the cloud service, proving arbitrary access to anyone’s camera,” the team wrote.

The problem wasn’t so much with the hardware, as it was with the product’s cloud vendor, Ozvision.

“At this point the mobile app sees the details of someone else’s camera,” they said. “In the app, one simply presses ‘play’. This made a request to deviceWakeup using the modified serial, then the Ozvision tunnel to the device was established using the modified serial. We could then watch the camera live.”

The technicalities behind the hack are straightforwardly described in the PTP’s comprehensive post. The gist of it? In the team’s own words:

“Imagine if a malicious hacker had discovered this vulnerability and not gone through a disclosure process with the vendor? Your customer data and sensitive video feeds could have been splattered all over the internet. That could have been a PR and maybe GDPR disaster.”

PTP urges IoT vendors like Swann to not just take their partners’ word for it and check their offerings thoroughly, before allowing unwary customers to take their products online.

“Don’t confuse authentication with authorisation, it’s critical that the user can only see the content that’s intended for them. Ensure that your developers understand and practice a secure development lifecycle,” the team stresses.

Swann reportedly patched its security cams immediately after PTP notified them of the deterring flaw in a responsible manner – i.e. without going to the press first.

For consumers, ensure your IoT hardware is always on the latest firmware version, and consider securing your smart home with a dedicated solution.