IOTSECURITY - Rapid7 · 2019-07-02 · What Does an Internet-Connected Monitor Offer?...
IOT SECURITY: CONSUMER DEVICES AND THE EXTENDED CORPORATE NETWORK
Get CPE Credits for this Webcast
• Attendees of this Webcast are eligible for 1 CPE credit
• Self-report on your organization’s website
• Keep the email invitation as confirmation for possible future audits
• More info: http://bit.ly/R7CPE
Speakers
Mark Stanislav, Senior Security Consultant, Rapid7
Michael McNeil, Global Product Security & Services Officer, Philips Healthcare
Tod Beardsley, Research Manager, Rapid7
Hacking IoT Baby Monitors
Mark Stanislav, Sr. Security Consultant
What Does an Internet-Connected Monitor Offer?
• “Connected” Features (via a Web Site and/or a Mobile Application)
• Viewing a live stream locally (the home’s Wi-Fi) or remotely (Internet)
• Controlling the camera’s position via pan, tilt, and zoom functionality
• Communicating audio through the monitor (i.e. two-way audio)
• Playing music or other recorded audio clips (i.e. bring your own lullabies)
• Manage device preferences such as the audio volume and “night vision”
• Share access and provide privileges to other people (e.g. family, friends)
• Access recordings for humidity, temperature, noise, and/or motion alerts
• Remote (e.g. SaaS, FTP) and local (e.g. Micro SD) DVR recordings
A Mess of Dependencies and Attack Surface
• Many IoT baby monitors leverage third-party services, firmware, and software
• Some vendors put a lot of trust in their supply chain without testing its security
• Implementation errors and failures to comply with best practices also occur
• Complex ecosystems mean that there are plenty of ways to screw up:
  • Mobile applications, cloud services, backend services, web applications, firmware, hardware, network protocols, wireless protocols, & cryptography
• It’s difficult for a single IoT vendor to be proficient in security across all of it
• The frameworks, protocols, and design patterns of IoT are still very much in flux
SO, HOW DO WE HACK THESE THINGS?
Via Dumping Firmware
• Pomona SOIC Clip + Bus Pirate
• flashrom to Dump Flash
• binwalk to Extract Filesystems
Via Brute Force of Various Means
• Hash Cracking with cudaHashcat
• Scouring Google for Useful Details
Via Serial Console (UART)
• JTAGulator (or Bus Pirate, Shikra, etc.)
• U-Boot Configuration
• UART Scan & Connect
Via JTAG (e.g. Dumping Memory via GDB)
Not a baby monitor… but you get the idea!
Via Mobile Applications
• Acquire Firmware with dex2jar + JD-GUI for Android
• View API Calls with mitmproxy (esp. SSL/TLS)
• Find API End-Points with Clutch + strings for iOS
Via Network Analysis
• View Protocol Details with wireshark
• Uncover Network Services with nmap
Via Web Applications
• XSS on Camera Cloud Web Service
• Hidden Administrative Web Interface
THE BABY MONITORS
A Variety of Vendors, Styles, Costs, & Features

| Vendor | Model | Price | Amazon Rank* / Stars | Two-Way Audio | Pan | Tilt | Zoom | Wi-Fi | Ethernet |
|---|---|---|---|---|---|---|---|---|---|
| Gynoii | GCW-1010 | $89.34 | #56 / 3.8 | ✓ | ✗ | ✗ | ✗ | ✓ | ✗ |
| iBaby | M3S | $169.95 | #243 / 3.4 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| iBaby | M6 | $199.95 | #31 / 3.7 | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
| Lens | LL-BC01W | $54.99 | #149 / 2.8 | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ |
| Philips | B120/37 | $77.54 | #N/A / 2.2 | ✓ | ✗ | ✗ | ✗ | ✓ | ✗ |
| Summer | 28630 | $199.99 | #64 / 3.1 | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
| TRENDnet | TV-IP743SIC | $69.99 | #N/A / 3.5 | ✓ | ✗ | ✗ | ✓ | ✓ | ✗ |
| WiFiBaby | WFB2015 | $259.99 | #156 / 3.2 | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ |
| Withings | WBP01 | $204.60 | #101 / 2.9 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |

* Amazon Ranking Based on Category “Baby > Safety > Monitors”, Which Includes Non-IoT Baby Monitors
THE FINDINGS
Withings WBP01 - $204.60
Disabled Doesn’t Quite Mean What it Used To
After a stream exists, “disabling” it via the app doesn’t actually stop it…
20 Minutes Later… The Stream Still Works!
When Obfuscation Goes Wrong, or, Not at All?
At first, this looks like a really poor attempt at an obfuscation method to “hide” the password for this web service account. On further review, however, the mchunk method simply returns at the start of the for loop, so its output is just the string “ff” concatenated with the integer passed as a parameter. Was this obfuscation intended to be enabled? Did someone give up on their dream of confusing reverse engineers? The world may never know…
WiFi Baby WFB2015 - $259.99
Nothing Makes Sense to Me Any More
• Unauthenticated Log With Stream Details
• Hardcoded SSL Cert … That’s Not Even Used …
UPnP Bugs: Alive and Well in Baby Monitoring
UPnP RCE Bugs, CVE-2012-5958 & CVE-2012-5959
Lens Peek-A-View (LL-BC01W) - $54.99
If You Needed Some Free Cloud Storage
An FTP Account Per Camera, Apparently Used for Configuration Backups
[redacted]
Backdoor Credentials Galore
• Hidden Web Interface Credentials
• Cracking the Linux ‘admin’ Password
  This account has functional ‘root’ privilege due to ugly permissions
• The Live Stream Passes Credentials in URL over HTTP
Gynoii GCW-1010 - $89.34
Unencrypted Web Services - Local and Cloud
Local Administrative API Calls
Vendor Cloud API Calls
Hidden Device Web Interface
Third-Party Streaming Service
None of these services or APIs use any encryption and often pass sensitive credentials and keys
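The two findings above (the Lens stream passing credentials in the URL over HTTP, and the Gynoii services using no encryption at all) are the kind of thing a defender can spot in proxy or gateway logs without touching the device. The following is an added example, not Rapid7 code and not any vendor's: it parses constructed proxy log lines and flags requests that go over clear-text HTTP, carry secret-looking query parameters, or embed user:password in the URL. The log format, host names and parameter list are assumptions for illustration; the parameter list in particular should be extended with whatever names a given vendor's API actually uses.

```python
"""Flag HTTP requests that carry credentials in the URL or talk to an API in clear text.

Added example for this transcript (not Rapid7 code). The log lines, host names and
parameter names below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Query-string keys that commonly carry secrets (assumption: extend for your own APIs).
SECRET_KEYS = {"password", "passwd", "pwd", "pass", "token",
               "apikey", "api_key", "key", "secret", "auth"}

# Constructed log lines in a simple proxy format: "<client> <method> <url> <status>"
SAMPLE_LOG = """\
192.168.1.20 GET http://camera.local/videostream.cgi?user=admin&pwd=admin 200
192.168.1.20 POST http://api.example-vendor.test/login 200
192.168.1.20 GET https://api.example-vendor.test/camera/42/status 200
192.168.1.20 GET http://stream.example-cdn.test/live?token=abcdef123456 200
192.168.1.21 GET https://api.example-vendor.test/v1/alerts?camera_id=42 200
"""

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def analyse_request(url):
    """Return a list of finding tags for one request URL (empty list = clean)."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme == "http":
        findings.append("cleartext-http")
    leaked = sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                    if k.lower() in SECRET_KEYS)
    if leaked:
        findings.append("secret-in-url:" + ",".join(leaked))
    if parts.username or parts.password:
        findings.append("userinfo-in-url")
    return findings


def scan_log(text):
    """Map each offending URL to its findings; clean requests are omitted."""
    report = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        findings = analyse_request(m["url"])
        if findings:
            report[m["url"]] = findings
    return report


if __name__ == "__main__":
    for url, tags in scan_log(SAMPLE_LOG).items():
        print(url, "->", ", ".join(tags))
```

Run against the constructed log, three of the five requests are flagged: the stream URL (clear text plus a `pwd` parameter), the login call (clear text), and the CDN stream (clear text plus a `token`). A secret in a query string is worth flagging even over HTTPS, because it lands in server access logs, proxy logs and browser history regardless of transport encryption.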
TRENDnet TV-IP743SIC - $69.99
2-for-1 — Unencrypted Web Service + XSS
Either MITM a User or Just BYOJS to their DOM :)
[redacted]
Telnet Available, Just Not Default
A Remote Shell Waiting to Happen…
Pro Tip: Remove Remote Access Services, Don’t Just Disable Them!
Username: root Password: admin
iBaby M3S - $169.95
Uncovering Backdoor Linux Accounts & Access
An nmap Scan Reveals Telnet :)
Password is “Protected” by UNIX Crypt
Username: admin Password: admin
* FYI, there is no ‘root’ on here, only ‘admin’
iBaby M3S - A Historical Look at Software?
✦ U-Boot: 1.1.3, released August 14th, 2005
✦ OpenSSL: 0.9.8e, released February 23rd, 2007
✦ Linux Kernel: 2.6.21, released April 26th, 2007
✦ BusyBox: 1.12.1, released September 28th, 2008
✦ UNIX Crypt: First appeared in 1979, limited to 8-character passwords
✦ Telnet: Developed in 1968 — SSH-1 came out in 1995…
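The Lens slide (hidden credentials, an ‘admin’ account with working root privilege) and the iBaby M3S slides (Telnet with admin/admin, a password “protected” by 8-character UNIX crypt) describe the same class of finding: account files inside the firmware image that nobody outside the vendor was meant to read. Once binwalk has extracted the filesystem, the check is mechanical. The following is an added example, not Rapid7 tooling and not any vendor's files: it audits constructed /etc/passwd and /etc/shadow contents, classifies each hash scheme, and reports legacy DES crypt, empty passwords, accounts the vendor does not document, and non-root accounts with UID 0. The hash strings are placeholders shaped like the real formats, and the UID 0 check is one common way a second account ends up with root privilege; the deck does not say which misconfiguration the Lens device actually had.

```python
"""Audit account files pulled from an extracted firmware image.

Added example for this transcript (not Rapid7 code, not any vendor's files). The
/etc/passwd and /etc/shadow contents below are constructed; the hash fields are
placeholders with the right prefix/length, not real hashes.
"""

# Hash prefix -> scheme name. A 13-character field with no '$' is traditional
# DES-based crypt(3), which only looks at the first 8 characters of the password.
SCHEMES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
           "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}

PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:x:0:0:admin:/home/admin:/bin/sh
svc:x:1000:1000:service:/var/svc:/bin/false
guest:x:1001:1001::/tmp:/bin/sh
"""

SHADOW = """\
root:*:0:0:99999:7:::
admin:abXz9q1Lm2NpQ:0:0:99999:7:::
svc:$6$saltsalt$PLACEHOLDERhashPLACEHOLDERhashPLACEHOLDERhashPLACEHOLDERhash:0:0:99999:7:::
guest::0:0:99999:7:::
"""


def classify_hash(field):
    """Name the password-hash scheme used in one shadow field."""
    if field in ("", None):
        return "empty"                      # login with no password at all
    if field.startswith(("*", "!")):
        return "locked"                     # password login disabled
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "descrypt"                   # 1979-era DES crypt, 8-char limit
    return "unknown"


def audit_accounts(passwd_text, shadow_text, expected=("root",)):
    """Return {account: [issue, ...]} for every account with at least one issue.

    `expected` lists the accounts the vendor documents; any other account that can
    actually log in is reported as hidden.
    """
    hashes = {}
    for line in shadow_text.splitlines():
        name, field = line.split(":")[:2]
        hashes[name] = field

    issues = {}
    for line in passwd_text.splitlines():
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        found = []
        scheme = classify_hash(hashes.get(name))
        if scheme == "empty":
            found.append("empty-password")
        elif scheme == "descrypt":
            found.append("legacy-des-crypt")
        elif scheme == "unknown":
            found.append("unrecognised-hash")
        # An account is "usable" if its password is not locked and it has a real shell.
        usable_shell = not shell.endswith(("/false", "/nologin"))
        if scheme != "locked" and usable_shell and name not in expected:
            found.append("hidden-account")
        if uid == "0" and name != "root":
            found.append("uid-0-alias")     # a second root, whatever it is called
        if found:
            issues[name] = found
    return issues


if __name__ == "__main__":
    for account, problems in audit_accounts(PASSWD, SHADOW).items():
        print(f"{account}: {', '.join(problems)}")
```

On the constructed input, `root` is clean (locked password), `svc` is clean (modern hash, no shell), `admin` is flagged for DES crypt, for being undocumented and for UID 0, and `guest` is flagged for an empty password and for being undocumented. The same audit applies to the hidden web-interface credentials the deck mentions if the web server's own credential file is parsed the same way.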
Encryption! Just Not Great Choices For it :)
Stream Encryption… with XXTEA?
Encrypted Backups… with a Hardcoded Password?
iBaby M6 - $199.95
Cryptography? Naw, They Are Just Babies…
• Unencrypted Web Service Login
• Telnet & Unencrypted HTTP on Device
• Unencrypted Mobile API Calls
This is the iBaby Cloud Web Site Today…
• Login for Camera Owners
• …and What is Now Returned on Login…
But a Few Months Ago, Direct Object Reference!
<— Proper Account
“Attacker” Account —>
No Authorization/Privilege Given to Our “Attacker” Account
Full Access to All Audio & Motion Alert Videos
View Source -> Find AVI Filename -> Access Static CloudFront URL
“Attacker” Account—>
Don’t let the broken images fool you… there’s live data ready to be viewed!
[redacted]
[redacted]
[redacted]
[redacted]
Unauthenticated Access to Unencrypted Videos
Example AVI Thumbnail File
Video Downloads via Amazon CloudFront
✦ URLs are not requested via HTTPS
✦ No IAM credentials or signed URLs
Mobile API Call for Alert Video Retrieval
[redacted]
[redacted] [redacted]
[redacted]
…and Some Weirdly Exposed Web Applications?
…But an Admin Site? Now That’s an Interesting Find!
Apparently There’s a Private Wiki. What For? No Clue.
Philips In.Sight B120/37
Everything Old is New Again…
My IZON Research - 2013 | My InSight Research - 2015
The question is…
Did security issues fixed by one camera manufacturer ever trickle into devices also leveraging the same firmware?
A Quick Look at “Old” Security Issues Still There
• No SSL on Backend Web Service
• Telnet Enabled by Default (Until Recently)
• Multiple Hardcoded Linux Accounts
• Insecure Firmware Upgrade Process
Shout out to Paul Price for his research into the In.Sight M100 which shares a few issues from my old Stem Innovation IZON research and subsequent research into the In.Sight B120. Check out his site detailing this and other research at ifc0nfig.com!
A Few Newer Issues. But Wait, There’s More! :)
Multiple XSS on Web Service Portal
Backdoor Telnet Enablement Script
Predictable ‘admin’ Web Service Password
Username: root Password: b120root
Unauthenticated Administrative Camera Access
[Diagram: User → Internet → HTTP Reverse Proxy → Home Network → Camera Web Service (HTTP/80); every hop labelled “Clear Text”]
When a remote end user requests their camera’s stream, an HTTP reverse proxy is opened on a public host & port number, directly to the camera’s backend web service, allowing for a remote attacker to achieve the following:
✦ Unauthenticated and unencrypted video/audio stream access to the user’s camera
✦ Full administrative access to the camera’s powerful backend web service
✦ This includes manipulating camera configuration or even re-enabling Telnet
Finding Exposed Cameras on the Internet
The reverse proxy is set up by the stream provider, Yoics, and has a finite number of enumerable hostnames, each with roughly 30,000 possible ports that may be used. While this may seem like a lot, an attacker could test this entire range every minute to look for exposed cameras with a simple script or perhaps something powerful like zmap.
Unencrypted, Unauthenticated Remote Camera Access
Now “Friends” Can Remotely Enable Telnet For You! :)
Take David Adrian’s Word For It :)
Summer Infant Baby Zoom (28630) - $199.99
Oh, Be Sure to Change Your Password…
Default New User Passwords == Last Name (truncated to 8 characters) + Group ID
This is not required to be changed on first login and could be enumerated if someone knows that you have this device — simply iterate over group ID integers!
Adding a Privileged User to Any & All Cameras
Before… After!
This HTTP call could be run against all possible IDs
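The iBaby direct-object-reference slides (alert videos returned for any camera ID, with no authorization given to the “attacker” account) and the Summer slide just above (a privileged user added to any camera by iterating IDs) are both the same missing check: the server trusted the object ID in the request and never asked whether the session user was allowed to touch that object. The following is an added example, not code from iBaby, Summer Infant or Rapid7, and the camera records, account names and handler names are constructed. It puts the unchecked handlers next to hardened versions that authorize every read against the camera's owner/admin/viewer lists and every sharing change against owner/admin only, and returns the same error for “no such camera” and “not your camera” so the endpoint does not double as an ID oracle.

```python
"""Ownership and privilege checks on per-camera API calls.

Added example for this transcript, not code from iBaby, Summer Infant or Rapid7.
The camera/user records and the handler names are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Camera:
    camera_id: int
    owner: str
    admins: set = field(default_factory=set)    # may manage sharing
    viewers: set = field(default_factory=set)   # may watch and read alerts
    alert_videos: list = field(default_factory=list)


class Forbidden(Exception):
    """Raised when the session user may not perform the requested action."""


class CameraService:
    def __init__(self, cameras):
        self.cameras = {c.camera_id: c for c in cameras}

    # --- the pattern on the slides: the object ID alone decides what comes back ---
    def get_alert_videos_vulnerable(self, session_user, camera_id):
        # session_user is never consulted; any logged-in account reads any camera's alerts
        return list(self.cameras[camera_id].alert_videos)

    def add_user_vulnerable(self, session_user, camera_id, new_user):
        # session_user is never consulted; any account can grant rights on any camera
        self.cameras[camera_id].admins.add(new_user)
        return True

    # --- hardened: look the object up, then authorize against its own record ---
    def _camera_for(self, camera_id):
        cam = self.cameras.get(camera_id)
        if cam is None:
            # Same exception as "not yours", so a scan over IDs learns nothing.
            raise Forbidden("not authorized for this camera")
        return cam

    def get_alert_videos(self, session_user, camera_id):
        cam = self._camera_for(camera_id)
        if session_user != cam.owner and session_user not in (cam.admins | cam.viewers):
            raise Forbidden("not authorized for this camera")
        return list(cam.alert_videos)

    def add_user(self, session_user, camera_id, new_user, role="viewer"):
        cam = self._camera_for(camera_id)
        if session_user != cam.owner and session_user not in cam.admins:
            raise Forbidden("only the owner or an admin may share this camera")
        (cam.admins if role == "admin" else cam.viewers).add(new_user)
        return True


def demo():
    """Constructed scenario: 'mallory' holds a valid account but owns no camera."""
    svc = CameraService([Camera(1001, "alice", alert_videos=["alert-001.avi"]),
                         Camera(1002, "bob")])
    leaked = svc.get_alert_videos_vulnerable("mallory", 1001)
    try:
        svc.get_alert_videos("mallory", 1001)
        read_blocked = False
    except Forbidden:
        read_blocked = True
    try:
        svc.add_user("mallory", 1002, "mallory", role="admin")
        escalated = True
    except Forbidden:
        escalated = False
    return {"vulnerable_leak": leaked, "hardened_blocked": read_blocked,
            "hardened_escalated": escalated}


if __name__ == "__main__":
    print(demo())
```

The hardened handlers still work for legitimate users: the owner reads her own alerts and can share a camera, and a user she adds as a viewer can then read them. The decision is made against the record fetched for that ID, never against anything the client sent.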
Coordinated Disclosure Timeline
• Initial Vendor Disclosure: July 4th, 2015 — Because America!
• CERT Disclosure: July 21st, 2015 — 17 Days After Vendor Disclosure
• Public Disclosure: September 2nd, 2015 — 60 Days After Vendor Disclosure
A Modest Baby Monitor Security Checklist

| Vendor | Model | Local API HTTP SSL | Cloud API HTTP SSL | No Remote Shell | No Hidden Accounts | No Known Vulns | No UART Access | All Streams Encrypted |
|---|---|---|---|---|---|---|---|---|
| Gynoii | GCW-1010 | ✗ | ✗ | ✗ | ✗ | ✓ | ✗ | ✗ |
| iBaby | M3S | N/A | ✓ | ✗ | ✗ | ✓ | ✗ | ✓ |
| iBaby | M6 | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Lens | LL-BC01W | ✗ | ✗ | ✓ | ✗ | ✓ | ✗ | ✗ |
| Philips | B120/37 | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Summer | 28630 | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| TRENDnet | TV-IP743SIC | ✗ | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ |
| WiFiBaby | WFB2015 | ✗ | N/A | ✓ | ✗ | ✗ | ✗ | ✗ |
| Withings | WBP01 | N/A | ✗ | ✗ | ✗ | ✓ | ✗ | ✗ |
Scoring Baby Monitors for Overall Security

| Security Concern | Description of Concern | Penalty for Missing |
|---|---|---|
| Local API HTTP SSL | All local web service/API calls should be encrypted, regardless of being on a LAN. | -20 Points |
| Cloud API HTTP SSL | All Internet-facing web service/API calls should be encrypted, including registration. | -30 Points |
| No Remote Shell | The presence of a remote shell (e.g. Telnet, SSH) creates additional attack surface. | -50 Points |
| No Hidden Accounts | All accounts, whether for web services or shell access, should be known to customers. | -30 Points |
| No Known Vulns | All portions of the camera’s supply chain should be free of serious vulnerabilities. | -75 Points |
| No UART Access | Devices should disable direct serial access and definitely not drop to a root shell. | -10 Points |
| All Streams Encrypted | All video/audio streams, whether live or recorded, should be encrypted end-to-end. | -35 Points |

All Cameras Start With 250 Points and Receive Deductions
Baby Monitor by Security Score & Grade

| Vendor | Model | Price | Amazon Rank / Stars | Score | Grade* |
|---|---|---|---|---|---|
| Gynoii | GCW-1010 | $89.34 | #56 / 3.8 | 75 | F |
| iBaby | M3S | $169.95 | #243 / 3.4 | 160 | D |
| iBaby | M6 | $199.95 | #31 / 3.7 | 0 | F |
| Lens | LL-BC01W | $54.99 | #149 / 2.8 | 125 | F |
| Philips | B120/37 | $77.54 | #N/A / 2.2 | 30 | F |
| Summer | 28630 | $199.99 | #64 / 3.1 | 100 | F |
| TRENDnet | TV-IP743SIC | $69.99 | #N/A / 3.5 | 50 | F |
| WiFiBaby | WFB2015 | $259.99 | #156 / 3.2 | 80 | F |
| Withings | WBP01 | $204.60 | #101 / 2.9 | 95 | F |

* Grading Scale Based on Points: F: < 150 (<60%); D: 150 - 174 (60-69%); C: 175 - 199 (70-79%); B: 200 - 224 (80-89%); A: 225 - 250 (90-100%)
Baby is Unsatisfied
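The checklist, the penalty table and the score/grade table above are one rubric split over three slides; combining them by hand is where transcription errors creep in. The following is an added example, not Rapid7 tooling: it encodes the penalties, the checklist marks and the grade bands exactly as the slides give them and recomputes every score, so the table can be checked and the rubric reused on a new device. The N/A handling (no deduction) is inferred from the published scores rather than stated on the slides, and `most_valuable_fix` is an addition of this example, not part of the deck's method.

```python
"""Reproduce the deck's baby-monitor scoring from its checklist and penalty table.

Added example for this transcript (not Rapid7 tooling): penalties, checklist marks,
starting points and grade bands are the ones on the slides; the code is new.
"""

# Checklist column -> points deducted when the mark is ✗ (from the "Scoring" slide).
PENALTIES = {
    "Local API HTTP SSL": 20,
    "Cloud API HTTP SSL": 30,
    "No Remote Shell": 50,
    "No Hidden Accounts": 30,
    "No Known Vulns": 75,
    "No UART Access": 10,
    "All Streams Encrypted": 35,
}
COLUMNS = list(PENALTIES)
START_POINTS = 250

# Rows transcribed from the "Modest Baby Monitor Security Checklist" slide.
# ✓ = control present, ✗ = missing, N/A = not applicable (assumed: no deduction).
CHECKLIST = {
    "Gynoii GCW-1010":      "✗ ✗ ✗ ✗ ✓ ✗ ✗",
    "iBaby M3S":            "N/A ✓ ✗ ✗ ✓ ✗ ✓",
    "iBaby M6":             "✗ ✗ ✗ ✗ ✗ ✗ ✗",
    "Lens LL-BC01W":        "✗ ✗ ✓ ✗ ✓ ✗ ✗",
    "Philips B120/37":      "✗ ✓ ✗ ✗ ✗ ✗ ✗",
    "Summer 28630":         "✓ ✓ ✓ ✗ ✗ ✗ ✗",
    "TRENDnet TV-IP743SIC": "✗ ✗ ✓ ✗ ✗ ✗ ✗",
    "WiFiBaby WFB2015":     "✗ N/A ✓ ✗ ✗ ✗ ✗",
    "Withings WBP01":       "N/A ✗ ✗ ✗ ✓ ✗ ✗",
}

# Grade bands from the "Security Score & Grade" slide, as (lower bound, letter).
GRADE_BANDS = [(225, "A"), (200, "B"), (175, "C"), (150, "D"), (0, "F")]


def score(marks):
    """Start at 250 and deduct the penalty for every ✗ mark."""
    cells = marks.split()
    if len(cells) != len(COLUMNS):
        raise ValueError("expected %d marks, got %d" % (len(COLUMNS), len(cells)))
    deductions = sum(PENALTIES[col] for col, cell in zip(COLUMNS, cells) if cell == "✗")
    return START_POINTS - deductions


def grade(points):
    """Map a point total onto the deck's letter grades."""
    for floor, letter in GRADE_BANDS:
        if points >= floor:
            return letter
    return "F"


def scoreboard(checklist=CHECKLIST):
    """Return {device: (score, grade)} for every row of the checklist."""
    return {dev: (score(m), grade(score(m))) for dev, m in checklist.items()}


def most_valuable_fix(marks):
    """Which single missing control would recover the most points if added?

    Not part of the deck's method; a way to turn the rubric into a remediation order.
    """
    cells = marks.split()
    missing = [(PENALTIES[c], c) for c, cell in zip(COLUMNS, cells) if cell == "✗"]
    return max(missing)[1] if missing else None


if __name__ == "__main__":
    for device, (pts, letter) in scoreboard().items():
        print(f"{device:22} {pts:3} {letter}  next fix: {most_valuable_fix(CHECKLIST[device])}")
```

Recomputed this way, all nine scores and grades match the slide (only the iBaby M3S clears 150 and earns a D), which also confirms that the two N/A cells carried no deduction. The rubric is deliberately blunt: a single known vulnerability in the supply chain costs more than any other line, which is the deck's point about trusting third-party firmware and services untested.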
…But Really?
1. The iBaby M6, Summer, and Philips all had what I would consider “critical” security issues that make them a deal breaker, despite their overall scoring.
2. Only the iBaby M3S had apparent encryption for all streaming of content and even then, it’s not exactly “industry standard” and has its own potential issues.
3. More vulnerabilities likely exist such as RCE, XSS, and CSRF in backend web applications — in addition to already noted backdoor credentials/interfaces.
4. Frankly? Nine devices were way too much and while I am satisfied with the issues that were found, there’s a lot I probably missed that others may find!
Conclusions
1. The status quo of security for “connected” baby monitors is deeply concerning.
2. Even the “best” cameras tested were well below what I’d consider “secure.”
3. Consumers are woefully unaware that camera security features such as end-to-end encryption of audio/video and well defined, secured access don’t exist.
4. It’s highly unlikely, based on the issues found, that any of these vendors have third-party security audits and/or a security-focused development program.
Parents and their children deserve better. Whether you paid $54.99 or $259.99, a minimum level of security should be expected, and achieved, for all baby monitors.
Not All Hope is Lost, However :)
BuildItSecure.ly: Initiative targeted at sharing technical resources with IoT engineering teams and pairing IoT vendors with pro-bono security researchers.
OWASP IoT Top 10: Provides vendors a list of the top 10 areas of IoT security that should be focused on during development to ensure a secure ecosystem.
Cloud Security Alliance: Released a guidance document targeted at IoT engineering teams to ensure more security during design/development.
Google Projects: Brillo is a hardened, stripped-down version of Android for IoT, while secure Weave is a secure solution for inter-device communication.