A new study made by researchers from NowSecure shows that IoT vendors have yet a lot to learn in terms of security, often doing many mistakes in that area.
In the new research NowSecure explains that Security Cameras accessible through mobile apps are becoming a must for homeowners. Unfortunately, these mobile apps are lacking security, leaving in the open dangerous possibilities.
“Every camera-and-app combination I tested included at least one security flaw that concerned me. Camera vendors sell numerous models, and it wasn’t feasible for me to test them all. ” wrote the researcher Jake Van Dyke.
One of the most common mistakes made by these apps is the fact that sending/storing sensitive data like credentials is done is plaintext.
“I was shocked and disappointed at the same time to see how easy some of the systems made it for somebody else to access the account,” he continues.
In their tests, experts from NowSecure have chosen four different vendors, but all four of them highly popular choices. The price range for a security camera ranges from $100 to thousands, below the products evaluated by the experts:
Which of these products it’s the worst?
Van Dyke thinks it’s a dispute between the Zmodo and Vimtag systems.
Referring to the ZSight app used by ZModo Van Dyke said:
“the app will send your username in plaintext and MD5-hashed password to http://openapi.meshare.com. The Zsight app for iOS sent the username and password as GET parameters meaning the credentials are recoverable from server access logs. Upon successful log in, MeShare’s back-end server returns a token for app authentication on subsequent requests. As far as an attacker is concerned, the password, it’s MD5 hash, or the token all grant access to the victim’s account (i.e., any of these items are equal to a valid login).” Wrote Van Dyke.
Not only the username, also unencrypted passwords, email addresses and valid tokens have been left in XML files. For the Vimtag app the main problem was that it communicates with the back-end server mostly through unencrypted channels, exposing users to man-in-the middle attacks.
An attacker could exploit the vulnerabilities to execute a number of activities on the camera, such as recording of audio/video, adjusting settings, accessing stored audio or video, registering a camera to an account and also formatting an SD card,
But there is much more, when checking the app network setting Van Dyke noticed that the Vimtag back end server was sending over the WPA2 key to all wireless networks to which it was connected exposing them to the attackers.
This means that not only is the key visible to any attacker, but it is archived on the server and easily recoverable.
“This means an attacker could use SSID to locate a house using the security camera, sit on the curb in front, and connect to the network.”
“A team of researchers found that using only SSID, they could locate a device within 13-to-40 meters. The server also sent the WPA2 key for the network to which it was connected meaning that not only is the key visible to any attacker, it’s stored on the server and easily recoverable. This means an attacker could use SSID to locate a house using the camera, sit on the curb in front, and connect to the network.” States the blog post published by Nowsecure.
The problems found by the experts confirm the last of security by design of security camers, vendors are not sufficiently considering the risks for their customers.
It is a serious problem, considering that IoT devices are a privileged target for hackers.
About the Author Elsio Pinto
Edited by Pierluigi Paganini
(Security Affairs – IoT, Security Camera)