The ability to monitor our homes and businesses remotely has become common in recent years, driven by the public's desire to check on their homes and loved ones and make sure they are safe. Smart cameras, with feeds accessible over the Internet, bring significant convenience for users worldwide and peace of mind to parents and pet owners concerned about loved ones at home while they are away. Users can monitor, zoom in and out, pan, change vision mode, record, and much more from a simple mobile application.
The biggest threat posed by a smart camera is arguably that an attacker gains access to the feed and, as a result, to a live stream of your children and loved ones.
The testing approach was therefore directed mainly at obtaining access to the camera feed and, where possible, escalating to administrator privileges. After an in-depth analysis of the application source code, the team noticed particularly poor validation in the password-reset process. This logic flaw provided a reliable attack vector, which the ethical hackers were able to escalate further.
Using manual testing techniques, our hackers established the smart camera's IP address and exploited a vulnerability that allows an attacker to complete a password reset for the administrative account without knowing the original password. The root cause is a poorly written script used for the initial set-up of the administrative account: it sets the password but never checks whether an administrative password already exists, so an attacker can call the same script again after the original password has been created. By exploiting this weakness, the team reset the existing administrative password and gained full control over the wireless camera with relative ease.
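The following is an added illustration of the flaw described above, written for this page and not taken from the camera vendor's firmware. It models the first-boot set-up script as a function that stores the administrative password, shows the same function with the missing "already initialised" check, and reproduces the tester's check of calling set-up a second time after the owner has configured the device. The handler names, the in-memory `Camera` object, the password-storage scheme and the sample passwords are all assumptions made for illustration.

```python
"""Model of the smart-camera password-reset weakness and one hardened form.

Added example, not the vendor's code. Handler names, the Camera model and the
request shape are assumptions; the vendor's real script is not reproduced here.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 so the stored value is not a reversible copy of the
    # password. Iteration count kept modest so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Camera:
    """Minimal stand-in for the device's persistent admin credential store."""
    admin_salt: bytes = b""
    admin_hash: bytes = b""

    @property
    def initialised(self) -> bool:
        # The state the vulnerable script never consults.
        return bool(self.admin_hash)

    def check_password(self, password: str) -> bool:
        if not self.initialised:
            return False
        candidate = _hash_password(password, self.admin_salt)
        return hmac.compare_digest(candidate, self.admin_hash)


def vulnerable_setup_admin(cam: Camera, new_password: str,
                           current_password: Optional[str] = None) -> str:
    """First-boot script as described on the page: sets the admin password
    unconditionally. Nothing checks whether a password already exists, so any
    unauthenticated caller who can reach the endpoint can overwrite it later.
    """
    cam.admin_salt = secrets.token_bytes(16)
    cam.admin_hash = _hash_password(new_password, cam.admin_salt)
    return "200 OK: admin password set"


def hardened_setup_admin(cam: Camera, new_password: str,
                         current_password: Optional[str] = None) -> str:
    """Same script with the missing state check added.

    Before first set-up the call is allowed once with no credential. After that,
    only a caller who proves knowledge of the current password may change it.
    """
    if cam.initialised:
        if current_password is None or not cam.check_password(current_password):
            return "403 Forbidden: device already initialised"
    if len(new_password) < 8:
        return "400 Bad Request: password too short"
    cam.admin_salt = secrets.token_bytes(16)
    cam.admin_hash = _hash_password(new_password, cam.admin_salt)
    return "200 OK: admin password set"


def replay_attack(setup_handler: Callable[..., str]) -> dict:
    """Reproduce the tester's check: owner runs set-up once, then an attacker
    who knows no credential calls the same script again with their own password.
    Sample passwords are constructed for the demo.
    """
    cam = Camera()
    setup_handler(cam, "OwnerChosenPass1")           # legitimate first-boot set-up
    attacker_response = setup_handler(cam, "AttackerPass9")  # replay, no credential
    return {
        "attacker_response": attacker_response,
        "owner_login_still_works": cam.check_password("OwnerChosenPass1"),
        "attacker_login_works": cam.check_password("AttackerPass9"),
    }


if __name__ == "__main__":
    print("vulnerable:", replay_attack(vulnerable_setup_admin))
    print("hardened:  ", replay_attack(hardened_setup_admin))
```

Against the vulnerable handler the second call succeeds and the owner is locked out; against the hardened handler it is refused and the owner's password is untouched. The same check, issued over the network at the camera's set-up endpoint after the device has been configured, is the quickest way to confirm whether a device you own is affected by this class of flaw.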
As a result, an attacker can gain full access to the very camera footage from inside your home that you set up to protect it. This is particularly concerning given that the product is largely marketed towards, and used by, parents watching over their young children.
- Always perform open-source research through reliable search engines (e.g. Google, Bing) on known vulnerabilities in the smart device you are interested in.
- Keep your externally facing smart devices on a separate network.
- Be aware of any signs of physical tampering with the product.
- Make sure your smart device is properly configured and regularly updated.