Popular cameras used default passwords and unencrypted data transmission, and could enable a botnet attack.
Security firm Bitdefender says its found what it calls critical security flaws in a line of IoT home security cameras used for surveillance and baby monitoring.
The cameras include a sound and motion detection system, two-way audio with a built-in microphone, and a MicroSD slot. The vulnerabilities could allow a hacker to spy on kids or anyone in range of the camera and could allow the device to be used in a DDoS attack such as the one that caused a major internet outage a few weeks ago.
“Anyone can use the app, just as the user would,” George Cabau, an anti-malware researcher with Bitdefender said. “This means turning on audio, mic and speakers to communicate with children while parents aren’t around or having undisturbed access to real-time footage from your kids’ bedroom. Clearly, this is an extremely invasive device, and its compromise leads to scary consequences.”
The company identified three major problems with the cameras:
- Users are not required to change the default password.
- Network credentials are transmitted in plain text.
- Data transmitted between cameras — to the apps used to watch the footage and to the company’s servers — is not encrypted.
The cameras also create a hotspot during configuration with a wireless network and it is fully open with no password required. Furthermore, the camera use MAC addresses to verify connections, allowing a hacker to set up a malicious device that could collect data such as user credentials simply by using a MAC address trusted by the cameras. Changing the default password would not be effective against such an attack, the company said.
A hacker could also trick the device into executing malicious commands by sending an HTTP request to set up another NTP server. The cameras are not configured to verify it, so the hacker could crash the device, set it to send its data to a remote server, or add it to an IoT-fueled botnet.
Bitdefender said its policy is to withhold company identification to avoid damaging the brand. They said the company did respond to their notification and is working to fix the vulnerabilities.