News
7/14/2014
06:50 PM

DropCam Vulnerable To Hijacking

Researchers at DEF CON to demonstrate flaws in a popular WiFi video monitoring system.

[UPDATED with DropCam CEO comments 7/17/14]

That handy plug-and-play webcam-based video monitoring system used for keeping an eye on the house while you're away at the beach, the kids at daycare, and small businesses after hours, also can be turned against you by bad guys, a pair of researchers found.

Patrick Wardle and Colby Moore of Synack -- who will demonstrate the security weaknesses in the WiFi security camera system at the DEF CON 22 hacker conference in Las Vegas next month -- discovered a Heartbleed vulnerability and other software and hardware weaknesses in the DropCam equipment used in the cloud-based WiFi video monitoring service.

They found that weaknesses in the devices could allow an attacker to view video and "hot-mike" audio on the cameras to spy on the targets, as well as inject their own video frames into the DropCam feed or freeze frames in order to hide malicious activity, such as a physical break-in.

The researchers reverse engineered the DropCam camera's hardware and were able to insert in it a malware "implant," as well as exploit software vulnerabilities they found in the device's internal software.

DropCam's security holes are yet another example of the inherent risks of IP-based consumer devices, a.k.a. the Internet of Things. Security researchers increasingly are warning about flaws in embedded software in these devices, many of which run older software that may not even receive updates.

"If someone has physical access [to a DropCam device], it's pretty much game over," says Wardle, who is director of research at Synack. "People need to be aware that these devices can be accessed by hackers or adversaries, and they should be scrutinized in the way people protect their laptops," for instance.

Wardle and Moore say DropCam runs older software components, including the Heartbleed-vulnerable version of OpenSSL, and an outdated and unpatched version of BusyBox, an open source Unix toolkit typically found in embedded devices and Android devices.

The Heartbleed bug, a read-overrun flaw in the OpenSSL 1.0.1 and 1.0.2 beta implementation of the Transport Layer Security protocol's "heartbeat" extension, could allow an attacker to read memory contents leaked from the server to the client and vice versa, potentially exposing passwords and other sensitive data -- including the SSL server's private key. OpenSSL has fixed the bug with a newer version of the software.
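
An added example, not code from the article, the researchers or OpenSSL: a simplified heartbeat handler in C showing the bounds check whose absence produces the read overrun described above. The function and constant names are hypothetical and the sample messages are constructed; the message layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) follows RFC 6520.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3, HB_MIN_PAD = 16 };

/* rec/rec_len: heartbeat message as delivered by the record layer.
 * Returns the response length, or -1 when the message is silently dropped. */
long hb_build_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return -1;
    /* payload_length is chosen by the peer: anything from 0 to 65535 */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The bounds check: header + claimed payload + minimum padding must fit
     * in the bytes actually received. Without it, the memcpy below reads
     * `claimed` bytes past a short message and echoes neighbouring memory. */
    if (HB_HDR + claimed + HB_MIN_PAD > rec_len)
        return -1;
    size_t resp_len = HB_HDR + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);   /* echo the payload */
    memset(out + HB_HDR + claimed, 0, HB_MIN_PAD); /* simplified: RFC 6520 asks for random padding */
    return (long)resp_len;
}

/* Constructed sample: 4-byte payload "ping", length field says 4. */
long demo_consistent(void)
{
    uint8_t rec[HB_HDR + 4 + HB_MIN_PAD] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return hb_build_response(rec, sizeof rec, out, sizeof out);
}

/* Constructed sample: same 23 bytes received, length field claims 16384. */
long demo_overclaimed(void)
{
    uint8_t rec[HB_HDR + 4 + HB_MIN_PAD] = { HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return hb_build_response(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("consistent: %ld, overclaimed: %ld\n", demo_consistent(), demo_overclaimed());
    return 0;
}
```

The same check applies whichever side of the connection receives the heartbeat request, which is why a client such as the camera can be affected as well as a server.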

"The camera is vulnerable to client-side Heartbleed attacks. You could spoof the DropCam DNS server, and the camera would beacon out," Wardle says. "You could throw a Heartbleed exploit and start dumping memory and get [digital] certs," for example.


He and Moore, who is security research engineer at Synack, also found they could theoretically trigger a known bug in the older version of BusyBox running on the video cameras.

"A lot of the software is really old, and there's a lot of potential for vulnerabilities to go unnoticed and unpatched," Moore says.

The researchers also found that they were able to open the back of the camera, where they found a serial port header, which had a serial console that they used to "root" the camera. They then found that the camera's USB connection could be abused to upload malicious firmware to the device -- all merely by holding a button on the back of the camera and connecting it with some software. "Given physical access, an attacker could root the device without popping it open," Wardle says.

They also found a flaw in DropCam where, when an OS X machine is used to configure it, any user on that OS X machine can "write" to that application. "When you connect to the OS X computer, the app on DropCam is mounted with writeable permissions," Wardle says. "So if an attacker has access to a Mac, he can wait until the DropCam is plugged in and then infect the configuration utility... and write to it."

The researchers built an "implant" that can infect computers used to configure the DropCam.

The bottom line is that a targeted DropCam could be hijacked to steal information and to wage other attacks. "Don't trust a camera from strangers," he quips. "A targeted DropCam becomes a full-fledged computer you can fully remote control and launch other attacks from it. Whenever it's plugged into a Mac or Windows machine, we can inspect that computer."

DropCam, which last month announced it would be acquired by Nest, has fixes for some of the flaws in the works, the researchers say. As of this posting, DropCam had not responded to a press inquiry on the researchers' findings and possible patches.

[UPDATE: DropCam CEO and co-founder Greg Duffy provided a response to the researchers' work]:

"The Synack folks were not actually able to remotely compromise any of our cameras -- only ones they had physical access to. This is not a unique problem. All hardware technology products -- from smartphones to laptops - are susceptible to jailbreaking, which requires physical access to a device. What's great about Dropcam is that you'll be notified as soon as someone approaches your device or takes it offline. Most importantly, we have excellent security for preventing remote access. Our cameras won't communicate with anyone on the Internet, only Dropcam cloud servers, and to the best of our knowledge, we haven’t had any intrusions or access to private data to date," Duffy said.

He also said the company updated the Heartbleed 2.0 vulnerability on July 14 via an automatic update to the devices, so customers didn't need to take any action to get the patch. DropCam had fixed the original Heartbleed flaw within four hours of the vulnerability's disclosure.

The researchers will provide demonstrations and more details on their findings at DEF CON on Aug. 10 in their presentation, "Optical Surgery: Implanting a DropCam."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins,
User Rank: Strategist
7/17/2014 | 12:04:26 PM
DropCam CEO and co-founder responds
Physical access is definitely the bottom line with this research, as the Synack guys said in the story. 

I just added comments from DropCam CEO and co-founder Greg Duffy, who reiterates that as well. See updated section of the article. Thanks!
SgS125,
User Rank: Moderator
7/16/2014 | 9:39:29 AM
Re: HA! That's a lot of bunk. GET YOUR FACTS STRAIGHT
Ok I give, what exactly is a "facebook hacker".

Long rant with little substance.

My original comment would have been, if I have physical access to any device it's game over, and the device can be messed with.  Really isn't that true for any device, even ATM machines, Doors, Cars?

Oh well I still really want to know what the heck a facebook hacker is.
Kelly Jackson Higgins,
User Rank: Strategist
7/16/2014 | 9:21:38 AM
UPDATE
I confirmed with DropCam last night that they have patched the Heartbleed client-side bug, and users get the updates automatically.
Kelly Jackson Higgins,
User Rank: Strategist
7/15/2014 | 4:01:48 PM
Re: DropCam fixes in the works
Just got a message that I will be talking to DropCam this evening. =)

Sara, there have been no known attacks that the researchers know of. It would require the attacker to gain physical access to the device, of course.
Kelly Jackson Higgins,
User Rank: Strategist
7/15/2014 | 3:59:32 PM
Re: DropCam fixes in the works
I have not yet spoken directly with DropCam. I've been trying. =) They indicated they would talk to me yesterday, but no word yet and I don't know how they've handled this with their customers. It depends if they've got a software update/patch ready, which was unclear to the researchers as of yesterday.
Sara Peters,
User Rank: Author
7/15/2014 | 3:53:00 PM
Oh my
"The bottom line is that a targeted DropCam could be hijacked to steal information and to wage other attacks."  Is there anything that can't be hijacked anymore? 

Kelly, have the researchers given any indication of how prevalent/likely this kind of attack is? Is it mainly theoretical at this point?
Marilyn Cohodas,
User Rank: Strategist
7/15/2014 | 3:48:07 PM
DropCam fixes in the works
I'm glad to read that they are working on fixes, but have they notified consumers of the problem?
YewN926,
User Rank: Apprentice
7/15/2014 | 3:31:59 PM
HA! That's a lot of bunk. GET YOUR FACTS STRAIGHT
It is a travesty to the world of technology that articles like this are posted, just when Dropcam gets some attention, you want to suck some of it for yourself. Well, go ahead and keep on sucking. And, how safe is your site, by the way, Facebook hackers out there be advised, DARKreading can be exposed to the light of day- Oh Yeah, but who really cares? No reason for DARKreading writers to come out of their safety closet....Their articles of fiction and name-dropping B (NOT C+) players are not a real market grabbing commodity, dream on, you, whoever you are I can't remember the author's name. I see your video java stuff is all messed up - could you be forgetting to test on a variety of browsers? Go back to grammar school..