Researchers at Context Information Security have succeeded in hacking a Motorola Focus 73 outdoor security camera, gaining access to the home network’s Wi-Fi password, obtaining full control of the pan-tilt-zoom controls and redirecting the video feed and movement alerts to effectively watch the watchers. This latest exploit, published today reinforces security concerns around the Internet of Things and the growing number of IoT devices hitting the market without adequate protection.
The Motorola IP camera, manufactured by Binatone, boasts a wide range of features and offers cloud connectivity via the Hubble service, hosted by Amazon Elastic Compute Cloud. This allows customers to watch and control their cameras remotely as well as receive movement alerts through a free mobile app.
[su_note note_color=”#ffffcc” text_color=”#00000″]Researchers at Context:
Context researchers found that during set up, the private Wi-Fi security key is transmitted unencrypted over an open network, using only basic HTTP Authentication with username ‘camera’ and password ‘000000’, while a number of legacy webpages on the camera revealed that the device is based on the same hardware as a legacy baby monitor product.
With detailed investigation, the researchers obtained root access to the camera and cracking the root password proved trivial as it was ‘123456’. Further digging provided access to the home network Wi-Fi password in plaintext as well as factory wireless credentials for secure test networks and even more surprisingly, credentials for the developers’ Gmail, Dropbox and FTP accounts. The device’s logs, accessible via the open web interface, also contained the AES encryption key for the remote control messages and FTP credentials for video clip storage. Furthermore, the researchers were able to install their own malicious firmware as it wasn’t secured or checked for validity.
The camera uses the STUN (Session Traversal Utilities for NAT) protocol to maintain communications with the Hubble server and control the camera. Armed with the AES key, Context was able to access encrypted commands sent from the cloud to the camera and re-create them to initiate instructions such as start recording, change video server, move left and reboot.
Once the researchers had established control of the camera they were also able to subvert and redirect the Hubble DNS configuration to receive a feed of movement alert JPEG images and video clips, normally only available to paying customers of the Hubble service. As the media is sent unencrypted, it was possible to store uploads for review at a later time.
As part of Context’s responsible disclosure policy, the company contacted Motorola Monitors in early October 2015 and were referred to Hubble, who have since taken steps to address the issues identified and tighten up security, working with partners Motorola, Binatone, Nuvoton and software developer CVision. New firmware updates have been released to camera users by Hubble and as the update process is automated, it is understood that the critical vulnerabilities in both outdoor and indoor Focus models have been mitigated without end users having to do anything.
“Hubble Connected has fully patched the vulnerability to ensure that the reported bug is addressed, Brendan Gibb, CISO at Hubble. “This firmware will be released on 2 February 2016 to all affected cameras.”
Gibb continues, “It is my understanding that this addresses the most serious concern to public safety and reduces risk that our cameras are used by a third-party. The Hubble brand remains committed to ensuring our products and customers are safe from compromise and we remain ready to address problems that are found and reported by security researchers. Thanks to Context information Security for raising the concern to our attention and providing us with sufficient time to address the vulnerability.”
“This is one more example of an IoT product getting to market with little attention being paid to security,” said Neil Biggs, Head of Research, who added, “The benefits of these security cameras are clear but it rather defeats the object if they are also open to compromise. The message is clear; companies wanting to get on the IoT bandwagon need to design in security from the outset.”[/su_note]
[su_box title=”About Context” style=”noise” box_color=”#336588″]Launched in 1998, Context has a client base that includes some of the world’s most high profile blue chip companies, alongside government organisations. An exceptional level of technical expertise underpins all Context services, while a detailed and comprehensive approach helps clients to attain a deeper understanding of security vulnerabilities, threats or incidents. Many of the world’s most successful organisations turn to Context for technical assurance, incident response and investigation services. Context is also at the forefront of research and development in security technology. As well as publishing white papers and blogs addressing current and emerging security threats and trends, Context consultants frequently present at open and closed industry events around the world. Context delivers a comprehensive portfolio of advanced technical services and with offices in the UK, Germany and Australia, is ideally placed to work with clients worldwide.[/su_box]