In research that should strike fear in the heart of any new parent—and those professionals concerned about the security implications of the Internet of Things—a security pro at Rapid7 found vulnerabilities in commonplace retail video baby monitors that not only offer prying eyes a look into a family's most intimate moments, but could also “provide a path to compromise of the larger, nominally external, organizational network.”
Mark Stanislav, senior security consultant, global services, at Rapid7, told SCMagazine.com that he put 10 video baby monitors through their paces and found vulnerabilities in all of them. There were two aspects to his research, he said, establishing a checklist that “this is the way I think should work cameras for security purposes” and discovering “what are the vulnerabilities” and how attackers could break in.
“All the cameras I looked at did not come to close to what I expected,” he said.
Among the most troubling was the iBaby M6 from iBaby Labs, Inc., (left) which featured a vulnerability that allowed “any authenticated user to the ibabycloud.com service to view camera details for any other user, including video recording details, due to a direct object reference vulnerability,” the Rapid7 research showed. A small object ID space lets hackers, through a brute force attack, gain the cameras' object IDs, which are then used to view account details. Through broken links, hackers can then surmise a filename “intended to show available ‘alert' videos that the camera recorded,” the results revealed.
Sniffing iOS app functionality allows the attackers to find a generic AWS Cloud-Front endpoint than can be used append the harvested filename and access data from an account. No other authentication is needed for anyone to view any of the videos recorded by the camera and stored on ibabycloud.com.
Another monitor, Philips In.Sight was discovered to have multiple vulnerabilities, among them one that concerns the web service on the backend of the company's cloud service used “to create remote streaming sessions” and which is “vulnerable to reflective and stored XSS.” Another, found in the method the monitor uses to enable remote viewing, allows insecure transport. Administrative privilege, once uncovered, “is available without authentication of any kind to the web scripts available on the device.”
What's more, a live video/audio stream accessible to the camera if it stays open for up to an hour on a established host/port combination. “There is no blacklist or whitelist restriction on which IP addresses can access these URLs, as revealed in testing,” the research showed.
The Summer Baby Zoom WiFi Monitor & Internet Viewing System features an authentication bypass that ultimately lets a new account be set up without authentication and since an email is sent only to the person (attacker) setting up the account, the administrator is none the wiser. “If I just write a little script, can have access to every single camera,” said Stanislav.
While video baby monitors may seem to be low-level devices and not a source of concern, they, like other Internet of Things (IoT) devices in homes, are increasingly connected to business resources because they share resources.
“Attackers may be able to leverage an exposure or vulnerability to gain and maintain persistent access to an IoT device,” the report said. “That device can then be used to pivot to other devices and traditional computers by taking advantage of the unsegmented, fully trusted nature of a typical home network.”
That threat underscores the need for device makers to take particular care with the products they're buying—ensuring that security is tight—and for consumers to take care to check the security of the devices that they purchase.
Rapid7 disclosed its findings “to the individual vendors, to CERT, and to the public, in accordance with Rapid7's Disclosure Policy1 . CVE-2015-2880 through CVE-2015- 2889 (inclusive) were assigned by CERT,” the report said. “Typically, these newly disclosed vulnerabilities are only effectively mitigated by disabling the device and applying a firmware update when one becomes available, or with updates to centralized vendor cloud services.”
In a statement emailed to SCMagazine.com, Philips, which Stanislav said been very responsive, noted that after becoming aware of the vulnerabilities in the In.Sight monitor, which has been discontinued since 2013, it alerted Gibson Innovations, the company that the product category is licensed to under the Philips moniker.
“As part of our Responsible Disclosure policy and processes, Philips has been in contact with both Gibson Innovations and the security research firm investigating this issue, to promptly and transparently address known and potential vulnerabilities in Philips products. Philips and Gibson Innovations are committed to ensuring the security and integrity of our products,” the company said, adding that “whilst the security vulnerabilities are a concern and are being addressed, at this time we are not aware of any consumers who have been directly affected by this issue.”
Gibson has been working on fixes for the discontinued device and an update should be available in early September.