News
7/14/2014
06:50 PM

DropCam Vulnerable To Hijacking

Researchers at DEF CON to demonstrate flaws in a popular WiFi video monitoring system.

[UPDATED with DropCam CEO comments 7/17/14]

That handy plug-and-play webcam-based video monitoring system used for keeping an eye on the house while you're away at the beach, the kids at daycare, and small businesses after hours, also can be turned against you by bad guys, a pair of researchers found.

Patrick Wardle and Colby Moore of Synack -- who will demonstrate the security weaknesses in the WiFi security camera system at the DEF CON 22 hacker conference in Las Vegas next month -- discovered a Heartbleed vulnerability and other software and hardware weaknesses in the DropCam equipment used in the cloud-based WiFi video monitoring service.

They found that weaknesses in the devices could allow an attacker to view video and "hot-mike" audio on the cameras to spy on the targets, as well as inject their own video frames into the DropCam feed or freeze frames in order to hide malicious activity, such as a physical break-in.

The researchers reverse engineered the DropCam camera's hardware and were able to insert in it a malware "implant," as well as exploit software vulnerabilities they found in the device's internal software.

DropCam's security holes are yet another example of the inherent risks of IP-based consumer devices, a.k.a. the Internet of Things. Security researchers increasingly are warning about flaws in embedded software in these devices, many of which run older software that may not even receive updates.

"If someone has physical access [to a DropCam device], it's pretty much game over," says Wardle, who is director of research at Synack. "People need to be aware that these devices can be accessed by hackers or adversaries, and they should be scrutinized in the way people protect their laptops," for instance.

Wardle and Moore say DropCam runs older software components, including the Heartbleed-vulnerable version of OpenSSL, and an outdated and unpatched version of BusyBox, an open source Unix toolkit typically found in embedded devices and Android devices.

The Heartbleed bug, a read-overrun flaw in OpenSSL's 1.0.1 and 1.0.2 beta's implementation of the Transport Layer Security protocol's "heartbeat" extension, could allow an attacker to gain access to the contents of the memory from the server to the client and vice versa, potentially exposing passwords and other sensitive data -- including the SSL server's private key. OpenSSL has fixed the bug with a newer version of the software.

"The camera is vulnerable to client-side Heartbleed attacks. You could spoof the DropCam DNS server, and the camera would beacon out," Wardle says. "You could throw a Heartbleed exploit and start dumping memory and get [digital] certs," for example.


He and Moore, who is security research engineer at Synack, also found they could theoretically trigger a known bug in the older version of BusyBox running on the video cameras.

"A lot of the software is really old, and there's a lot of potential for vulnerabilities to go unnoticed and unpatched," Moore says.

The researchers also found that they were able to open the back of the camera, where they found a serial port header, which had a serial console that they used to "root" the camera. They then found that the camera's USB connection could be abused to upload malicious firmware to the device -- all merely by holding a button on the back of the camera and connecting it with some software. "Given physical access, an attacker could root the device without popping it open," Wardle says.

They also found a flaw in DropCam where, when an OS X machine is used to configure it, any user on that OS X machine can "write" to that application. "When you connect to the OS X computer, the app on DropCam is mounted with writeable permissions," Wardle says. "So if an attacker has access to a Mac, he can wait until the DropCam is plugged in and then infect the configuration utility... and write to it."

The researchers built an "implant" that can infect computers used to configure the DropCam.

The bottom line is that a targeted DropCam could be hijacked to steal information and to wage other attacks. "Don't trust a camera from strangers," he quips. "A targeted DropCam becomes a full-fledged computer you can fully remote control and launch other attacks from it. Whenever it's plugged into a Mac or Windows machine, we can inspect that computer."

DropCam, which last month announced it would be acquired by Nest, has fixes for some of the flaws in the works, the researchers say. As of this posting, DropCam had not responded to a press inquiry on the researchers' findings and possible patches.

[UPDATE: DropCam CEO and co-founder Greg Duffy provided a response to the researchers' work]:

"The Synack folks were not actually able to remotely compromise any of our cameras -- only ones they had physical access to. This is not a unique problem. All hardware technology products -- from smartphones to laptops - are susceptible to jailbreaking, which requires physical access to a device. What's great about Dropcam is that you'll be notified as soon as someone approaches your device or takes it offline. Most importantly, we have excellent security for preventing remote access. Our cameras won't communicate with anyone on the Internet, only Dropcam cloud servers, and to the best of our knowledge, we haven’t had any intrusions or access to private data to date," Duffy said.

He also said the company updated the Heartbleed 2.0 vulnerability on July 14 via an automatic update to the devices, so customers didn't need to take any action to get the patch. DropCam had fixed the original Heartbleed flaw within four hours of the vulnerability's disclosure.

The researchers will provide demonstrations and more details on their findings at DEF CON on Aug. 10 in their presentation, "Optical Surgery: Implanting a DropCam."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins,
User Rank: Strategist
7/17/2014 | 12:04:26 PM
DropCam CEO and co-founder responds
Physical access is definitely the bottom line with this research, as the Synack guys said in the story. 

I just added comments from DropCam CEO and co-founder Greg Duffy, who reiterates that as well. See updated section of the article. Thanks!
SgS125,
User Rank: Moderator
7/16/2014 | 9:39:29 AM
Re: HA! That's a lot of bunk. GET YOUR FACTS STRAIGHT
Ok I give, what exactly is a "facebook hacker".

Long rant with little substance.

My original comment would have been, if I have physical access to any device it's game over, and the device can be messed with.  Really isn't that true for any device, even ATM machines, Doors, Cars?

Oh well I still really want to know what the heck a facebook hacker is.
Kelly Jackson Higgins,
User Rank: Strategist
7/16/2014 | 9:21:38 AM
UPDATE
I confirmed with DropCam last night that they have patched the Heartbleed client-side bug, and users get the updates automatically.
Kelly Jackson Higgins,
User Rank: Strategist
7/15/2014 | 4:01:48 PM
Re: DropCam fixes in the works
Just got a message that I will be talking to DropCam this evening. =)

Sara, there have been no known attacks that the researchers know of. It would require the attacker to gain physical access to the device, of course.
Kelly Jackson Higgins,
User Rank: Strategist
7/15/2014 | 3:59:32 PM
Re: DropCam fixes in the works
I have not yet spoken directly with DropCam. I've been trying. =) They indicated they would talk to me yesterday, but no word yet and I don't know how they've handled this with their customers. It depends if they've got a software update/patch ready, which was unclear to the researchers as of yesterday.
Sara Peters,
User Rank: Author
7/15/2014 | 3:53:00 PM
Oh my
"The bottom line is that a targeted DropCam could be hijacked to steal information and to wage other attacks."  Is there anything that can't be hijacked anymore? 

Kelly, have the researchers given any indication of how prevalent/likely this kind of attack is? Is it mainly theoretical at this point?
Marilyn Cohodas,
User Rank: Strategist
7/15/2014 | 3:48:07 PM
DropCam fixes in the works
I'm glad to read that they are working on fixes, but have they notified consumers of the problem?
YewN926,
User Rank: Apprentice
7/15/2014 | 3:31:59 PM
HA! That's a lot of bunk. GET YOUR FACTS STRAIGHT
It is a travesty to the world of technology that articles like this are posted, just when Dropcam gets some attention, you want to suck some of it for yourself. Well, go ahead and keep on sucking. And, how safe is your site, by the way, Facebook hackers out there be advised, DARKreading can be exposed to the light of day- Oh Yeah, but who really cares? No reason for DARKreading writers to come out of their safety closet....Their articles of fiction and name-dropping B (NOT C+) players are not a real market grabbing commodity, dream on, you, whoever you are I can't remember the author's name. I see your video java stuff is all messed up - could you be forgetting to test on a variety of browsers? Go back to grammar school..