Bitdefender announced that it discovered critical vulnerabilities in an unidentified manufacturer's Internet of Things (IoT) cameras that could threaten the privacy of their owners and enable distributed denial of service (DDoS) attacks.
The security company identified three key problems with the cameras:
- They do not require people to change their default passwords
- They send network credentials in plain text
- They don't encrypt data as it travels between the cameras, the company's servers, and the apps used to watch their recordings.
These failings would be problematic individually, but together, they represent a complete failure to secure devices people are supposed to trust.
Bitdefender said the password problem is compounded by the cameras using MAC addresses to verify their connections to other devices. This means someone could set up a malicious device to collect information about a specific person simply by using a MAC address trusted by the cameras. That person could then learn any passwords used to secure the cameras, which means changing the default password won't be enough to keep hackers out.
This is how Bitdefender described the potential impact of this problem:
“Anyone can use the app, just as the user would,” said George Cabau, an antimalware researcher. “This means turning on audio, mic and speakers to communicate with children while parents aren’t around or having undisturbed access to real-time footage from your kids’ bedroom. Clearly, this is an extremely invasive device, and its compromise leads to scary consequences.”
These vulnerabilities pose a problem outside of the home, too. Bitdefender said that someone could trick the device into executing commands by performing an HTTP request to set up another NTP server. The cameras won't verify the server, which means whoever sets up the impostor can make them execute commands. This could be used to make the devices crash, for instance, or to enlist them in the increasingly popular IoT-fueled botnets.
Botnets powered by IoT devices were recently used in DDoS attacks that took down many popular websites on the East Coast and Midwest. These episodes led U.S. Senator Mark Warner (D-Va.) to call for improved security in IoT devices and fueled concerns about devices having to be recalled if they are insecure. This report shows how easy it can be to recruit devices into these botnets and how many IoT companies still have not made security a top priority.
Bitdefender did not identify the manufacturer of the devices it studied. However, the company did include a screenshot of an app affected by these problems in an email to journalists, and an image search revealed that it was taken from an app called EdiView that is available on both Android and iOS devices. EdiView is used to access IoT cameras made by Edimax, a manufacturer in Taiwan that also makes wireless routers, smart plugs, and other products.
Edimax has not responded to an email requesting confirmation that these vulnerabilities affect its cameras. Here's what a Bitdefender spokesperson said in response to Tom's Hardware's request for more information:
It's Bitdefender's policy not to reveal the names of specific vendors in order to avoid directly causing damage to a particular brand. Bitdefender aims to draw attention to the wider issue around IoT vulnerabilities, as many different products and brands may contain similar vulnerabilities which would leave users susceptible to attacks. However, in this instance Google Image Search re: the image from the release could help.
The company did say in its announcement that it gave the manufacturer 30 days to fix the vulnerabilities before they were made public knowledge. "The problems persist on the latest firmware version (2.02)," Bitdefender said. "However, the vendor is currently working on a fix."