7/14/2014
06:50 PM

DropCam Vulnerable To Hijacking

Researchers at DEF CON to demonstrate flaws in a popular WiFi video monitoring system.

[UPDATED with DropCam CEO comments 7/17/14]

That handy plug-and-play webcam-based video monitoring system used for keeping an eye on the house while you're away at the beach, the kids at daycare, and small businesses after hours also can be turned against you by bad guys, a pair of researchers found.

Patrick Wardle and Colby Moore of Synack -- who will demonstrate the security weaknesses in the WiFi security camera system at the DEF CON 22 hacker conference in Las Vegas next month -- discovered a Heartbleed vulnerability and other software and hardware weaknesses in the DropCam equipment used in the cloud-based WiFi video monitoring service.

They found that weaknesses in the devices could allow an attacker to view video and "hot-mike" audio on the cameras to spy on the targets, as well as inject their own video frames into the DropCam feed or freeze frames in order to hide malicious activity, such as a physical break-in.

The researchers reverse engineered the DropCam camera's hardware and were able to insert a malware "implant" into it, as well as exploit software vulnerabilities they found in the device's internal software.

DropCam's security holes are yet another example of the inherent risks of IP-based consumer devices, a.k.a. the Internet of Things. Security researchers increasingly are warning about flaws in embedded software in these devices, many of which run older software that may not even receive updates.

"If someone has physical access [to a DropCam device], it's pretty much game over," says Wardle, who is director of research at Synack. "People need to be aware that these devices can be accessed by hackers or adversaries, and they should be scrutinized in the way people protect their laptops," for instance.

Wardle and Moore say DropCam runs older software components, including the Heartbleed-vulnerable version of OpenSSL, and an outdated and unpatched version of BusyBox, an open source Unix toolkit typically found in embedded devices and Android devices.

The Heartbleed bug, a read-overrun flaw in the implementation of the Transport Layer Security protocol's "heartbeat" extension in OpenSSL 1.0.1 and the 1.0.2 beta, could allow an attacker to read the contents of memory from the server to the client and vice versa, potentially exposing passwords and other sensitive data -- including the SSL server's private key. OpenSSL has fixed the bug with a newer version of the software.
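
The missing length check behind that read overrun, as an added example (not code from the article, OpenSSL, or DropCam): a heartbeat message states its own payload length, and the flaw is echoing that many bytes without comparing the claim to the size of the record actually received. The function names and both sample records are constructed for illustration; the message layout follows RFC 6520, and the same check applies whichever peer (server or client) receives the request.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HB_REQUEST     1
#define HB_HEADER_LEN  3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PADDING 16  /* RFC 6520: at least 16 bytes of padding */

/* Constructed sample records (not captured traffic). */
static const uint8_t HB_HONEST[23] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t HB_LYING[20]  = {HB_REQUEST, 0x40, 0x00, 'x'};

/* Payload length the sender claims (big-endian, bytes 1..2). */
static size_t hb_claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Pre-fix behaviour: the claimed length alone decides how much is echoed. */
size_t hb_echo_len_unchecked(const uint8_t *rec, size_t rec_len) {
    (void)rec_len;  /* the flaw: the real record size is never consulted */
    return hb_claimed_len(rec);
}

/* Hardened behaviour: bytes to echo, or -1 when nothing should be echoed. */
long hb_echo_len_checked(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    size_t claimed = hb_claimed_len(rec);
    if (HB_HEADER_LEN + claimed + HB_MIN_PADDING > rec_len) return -1;
    return (long)claimed;
}

/* Bytes past the end of the record that the unchecked path would expose. */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN) return 0;
    size_t end = HB_HEADER_LEN + hb_echo_len_unchecked(rec, rec_len);
    return end > rec_len ? end - rec_len : 0;
}

int main(void) {
    printf("honest: echo %ld, over-read %zu\n",
           hb_echo_len_checked(HB_HONEST, sizeof HB_HONEST),
           hb_overread_bytes(HB_HONEST, sizeof HB_HONEST));
    printf("lying:  echo %ld, over-read %zu\n",
           hb_echo_len_checked(HB_LYING, sizeof HB_LYING),
           hb_overread_bytes(HB_LYING, sizeof HB_LYING));
    return 0;
}
```

The over-read figure is computed arithmetically; the example never reads outside its own buffers.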

"The camera is vulnerable to client-side Heartbleed attacks. You could spoof the DropCam DNS server, and the camera would beacon out," Wardle says. "You could throw a Heartbleed exploit and start dumping memory and get [digital] certs," for example.


He and Moore, who is security research engineer at Synack, also found they could theoretically trigger a known bug in the older version of BusyBox running on the video cameras.

"A lot of the software is really old, and there's a lot of potential for vulnerabilities to go unnoticed and unpatched," Moore says.

The researchers also found that they were able to open the back of the camera, where they found a serial port header, which had a serial console that they used to "root" the camera. They then found that the camera's USB connection could be abused to upload malicious firmware to the device -- all merely by holding a button on the back of the camera and connecting it with some software. "Given physical access, an attacker could root the device without popping it open," Wardle says.

They also found a flaw in DropCam where, when an OS X machine is used to configure it, any user on that OS X machine can "write" to that application. "When you connect to the OS X computer, the app on DropCam is mounted with writeable permissions," Wardle says. "So if an attacker has access to a Mac, he can wait until the DropCam is plugged in and then infect the configuration utility... and write to it."

The researchers built an "implant" that can infect computers used to configure the DropCam.

The bottom line is that a targeted DropCam could be hijacked to steal information and to wage other attacks. "Don't trust a camera from strangers," he quips. "A targeted DropCam becomes a full-fledged computer you can fully remote control and launch other attacks from it. Whenever it's plugged into a Mac or Windows machine, we can inspect that computer."

DropCam, which last month announced it would be acquired by Nest, has fixes for some of the flaws in the works, the researchers say. As of this posting, DropCam had not responded to a press inquiry on the researchers' findings and possible patches.

[UPDATE: DropCam CEO and co-founder Greg Duffy provided a response to the researchers' work]:

"The Synack folks were not actually able to remotely compromise any of our cameras -- only ones they had physical access to. This is not a unique problem. All hardware technology products -- from smartphones to laptops - are susceptible to jailbreaking, which requires physical access to a device. What's great about Dropcam is that you'll be notified as soon as someone approaches your device or takes it offline. Most importantly, we have excellent security for preventing remote access. Our cameras won't communicate with anyone on the Internet, only Dropcam cloud servers, and to the best of our knowledge, we haven’t had any intrusions or access to private data to date," Duffy said.

He also said the company patched the Heartbleed 2.0 vulnerability on July 14 via an automatic update to the devices, so customers didn't need to take any action to get the patch. DropCam had fixed the original Heartbleed flaw within four hours of the vulnerability's disclosure.

The researchers will provide demonstrations and more details on their findings at DEF CON on Aug. 10 in their presentation, "Optical Surgery: Implanting a DropCam."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins,
User Rank: Strategist
7/17/2014 | 12:04:26 PM
DropCam CEO and co-founder responds
Physical access is definitely the bottom line with this research, as the Synack guys said in the story. 

I just added comments from DropCam CEO and co-founder Greg Duffy, who reiterates that as well. See updated section of the article. Thanks!
SgS125,
User Rank: Moderator
7/16/2014 | 9:39:29 AM
Re: HA! That's a lot of bunk. GET YOUR FACTS STRAIGHT
Ok I give, what exactly is a "facebook hacker".

Long rant with little substance.

My original comment would have been, if I have physical access to any device it's game over, and the device can be messed with.  Really isn't that true for any device, even ATM machines, Doors, Cars?

Oh well I still really want to know what the heck a facebook hacker is.
Kelly Jackson Higgins,
User Rank: Strategist
7/16/2014 | 9:21:38 AM
UPDATE
I confirmed with DropCam last night that they have patched the Heartbleed client-side bug, and users get the updates automatically.
Kelly Jackson Higgins,
User Rank: Strategist
7/15/2014 | 4:01:48 PM
Re: DropCam fixes in the works
Just got a message that I will be talking to DropCam this evening. =)

Sara, there have been no known attacks that the researchers know of. It would require the attacker to gain physical access to the device, of course.
Kelly Jackson Higgins,
User Rank: Strategist
7/15/2014 | 3:59:32 PM
Re: DropCam fixes in the works
I have not yet spoken directly with DropCam. I've been trying. =) They indicated they would talk to me yesterday, but no word yet and I don't know how they've handled this with their customers. It depends if they've got a software update/patch ready, which was unclear to the researchers as of yesterday.
Sara Peters,
User Rank: Author
7/15/2014 | 3:53:00 PM
Oh my
"The bottom line is that a targeted DropCam could be hijacked to steal information and to wage other attacks."  Is there anything that can't be hijacked anymore? 

Kelly, have the researchers given any indication of how prevalent/likely this kind of attack is? Is it mainly theoretical at this point?
Marilyn Cohodas,
User Rank: Strategist
7/15/2014 | 3:48:07 PM
DropCam fixes in the works
I'm glad to read that they are working on fixes, but have they notified consumers of the problem?
YewN926,
User Rank: Apprentice
7/15/2014 | 3:31:59 PM
HA! That's a lot of bunk. GET YOUR FACTS STRAIGHT
It is a travesty to the world of technology that articles like this are posted, just when Dropcam gets some attention, you want to suck some of it for yourself. Well, go ahead and keep on sucking. And, how safe is your site, by the way, Facebook hackers out there be advised, DARKreading can be exposed to the light of day- Oh Yeah, but who really cares? No reason for DARKreading writers to come out of their safety closet....Their articles of fiction and name-dropping B (NOT C+) players are not a real market grabbing commodity, dream on, you, whoever you are I can't remember the author's name. I see your video java stuff is all messed up - could you be forgetting to test on a variety of browsers? Go back to grammar school..