A vulnerability in the Guardzilla home video surveillance system could be exploited by users to watch Guardzilla footage of other users.
The Guardzilla All-In-One Video Security System is an indoor video surveillance solution. The flaw was discovered by the researchers Nick McClendon, Andrew Mirghassemi, Charles Dardaman, INIT_6 and Chris, from 0DayAllDay, the issue was reported to the vendor by Rapid7.
“During the 0DAYALLDAY Research Event a vulnerability was discovered (CVE-2018-5560) in the Guardzilla Security Video System Model #: GZ521W. The vulnerability lies within the design and implementation of Amazon Simple Storage Service (S3) credentials inside the Guardzilla Security Camera firmware.” read a post published by 0dayallday.org.
“Accessing these S3 storage credentials is trivial for a moderately skilled attacker. “
The bad news is that the vendor hasn’t yet addressed the flaw.
discovered that the GZ501W camera model contains a shared, hard-coded credential for Amazon S3 backed used as a storage of footage.
“The Guardzilla IoT-enabled home video surveillance system contains a shared Amazon S3 credential used for storing saved video data. Because of this design, all users of the Guardzilla All-In-One Video Security System can access each other’s saved home video.” reads the analysis published by Rapid7.
“This issue is an instance of CWE-798: Use of Hard-coded Credentials. It has a CVSSv3 base score of 8.6, since once the password is known, any unauthenticated user can collect the data from any affected system over the internet.”
This means that any user of the Guardzilla All-In-One Video Security System could access other’s saved home video because the system uses the same password. Any unauthenticated user can collect the data from any of the systems exposed online if knowing the storage details.
“Embedded S3 credentials have unlimited access to all S3 buckets provisioned for that account,” continues the analysis. “This was determined through static analysis of the firmware shipping with the device. Once the firmware was extracted and the root password ‘GMANCIPC’ was cracked, the Amazon S3 access key was recovered.”
An attacker can connect to the Amazon S3 account and access the various buckets associated with the service by using the access keys recovered from the firmware.
Waiting for a patch, users should ensure that cloud-based data storage functions of the device are not enabled.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.