Researchers at Context Information Security have succeeded in hacking a Motorola Focus 73 outdoor security camera, gaining access to the home network’s Wi-Fi password, obtaining full control of the pan-tilt-zoom controls and redirecting the video feed and movement alerts to effectively watch the watchers. This latest exploit, published today reinforces security concerns around the Internet of Things and the growing number of IoT devices hitting the market without adequate protection.
The Motorola IP camera, manufactured by Binatone, boasts a wide range of features and offers cloud connectivity via the Hubble service, hosted by Amazon Elastic Compute Cloud. This allows customers to watch and control their cameras remotely as well as receive movement alerts through a free mobile app.
[su_note note_color=”#ffffcc” text_color=”#00000″]Researchers at Context:
Context researchers found that during set up, the private Wi-Fi security key is transmitted unencrypted over an open network, using only basic HTTP Authentication with username ‘camera’ and password ‘000000’, while a number of legacy webpages on the camera revealed that the device is based on the same hardware as a legacy baby monitor product.
With detailed investigation, the researchers obtained root access to the camera and cracking the root password proved trivial as it was ‘123456’. Further digging provided access to the home network Wi-Fi password in plaintext as well as factory wireless credentials for secure test networks and even more surprisingly, credentials for the developers’ Gmail, Dropbox and FTP accounts. The device’s logs, accessible via the open web interface, also contained the AES encryption key for the remote control messages and FTP credentials for video clip storage. Furthermore, the researchers were able to install their own malicious firmware as it wasn’t secured or checked for validity.
The camera uses the STUN (Session Traversal Utilities for NAT) protocol to maintain communications with the Hubble server and control the camera. Armed with the AES key, Context was able to access encrypted commands sent from the cloud to the camera and re-create them to initiate instructions such as start recording, change video server, move left and reboot.
Once the researchers had established control of the camera they were also able to subvert and redirect the Hubble DNS configuration to receive a feed of movement alert JPEG images and video clips, normally only available to paying customers of the Hubble service. As the media is sent unencrypted, it was possible to store uploads for review at a later time.
As part of Context’s responsible disclosure policy, the company contacted Motorola Monitors in early October 2015 and were referred to Hubble, who have since taken steps to address the issues identified and tighten up security, working with partners Motorola, Binatone, Nuvoton and software developer CVision. New firmware updates have been released to camera users by Hubble and as the update process is automated, it is understood that the critical vulnerabilities in both outdoor and indoor Focus models have been mitigated without end users having to do anything.
“Hubble Connected has fully patched the vulnerability to ensure that the reported bug is addressed, Brendan Gibb, CISO at Hubble. “This firmware will be released on 2 February 2016 to all affected cameras.”
Gibb continues, “It is my understanding that this addresses the most serious concern to public safety and reduces risk that our cameras are used by a third-party. The Hubble brand remains committed to ensuring our products and customers are safe from compromise and we remain ready to address problems that are found and reported by security researchers. Thanks to Context information Security for raising the concern to our attention and providing us with sufficient time to address the vulnerability.”
“This is one more example of an IoT product getting to market with little attention being paid to security,” said Neil Biggs, Head of Research, who added, “The benefits of these security cameras are clear but it rather defeats the object if they are also open to compromise. The message is clear; companies wanting to get on the IoT bandwagon need to design in security from the outset.”[/su_note]
[su_box title=”About Context” style=”noise” box_color=”#336588″]