The research team developed a proof-of-concept attack exploiting security flaws in the cloud service used by the IoT camera, Safe by Swann, in this way they were able to access the cameras via their mobile devices.
The experts started investigating the issue after reading a BBC article outlining how a BBC employee had accidentally seen someone else’s footage on the mobile app for their home security camera.
The affected camera model it a battery-powered HD camera that implements video streaming feature either directly over the local network or via a cloud service.
Experts noticed that the cloud service is provided by Ozvision, when a user logs into the system through Safe by Swann, a request is made (userListAssets) to the server.
The server, in turn, provides a list containing the devices associated with the account.
The researchers analyzed the requests and attempted to manipulate the serial number parameter.
The experts explained that it is easy to find a serial number associated with the targeted device via the API endpoint and APK.
“After reviewing the API endpoint and APK, I quickly realised that the serial number (swnxxxxxxxxx) is the primary identifier of the camera on the platform. This is both for the Swann-specific web API and the OzVision peer-to-peer tunnel. The serial is easily found in the mobile app:” states the analysis published by the experts.
“We replace the serial number (deviceid) in the response from the server. At this point the mobile app sees the details of someone else’s camera. We are using Charles here, but Burp or MITMproxy will do it too”
The experts demonstrated that it is possible to access the camera stream for another serial number.
“In the app, one simply presses ‘play’. This made a request to deviceWakeup using the modified serial, then the Ozvision tunnel to the device was established using the modified serial. We could then watch the camera live.” continues the experts.
The experts explained that Swann quickly fixed the issue, but they speculated that the Ozvision was already aware of the issue.
“Ozvision already knew about the vulnerability, as Swann had informed them. The Swann customer camera cloud environment had quickly been fixed. Swann took swift action to fix the flaw and had a constructive dialogue with us.” continues the post.
“We suspect they knew about this issue for about nine months, and only fixed it when pressured by Swann; and we are confident the vulnerability was present in at least one other major camera brand to which they provide a cloud service. Further, they initially deflected direct questions about the issue back to Swann.”