Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
1/7/2016
05:15 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Mobile Apps A Vulnerable Spot For Connected Security Cameras

Study finds security camera vendors making the same rookie infosec mistakes that other IoT vendors make.

Internet of Things vendors continue to make rookie mistakes when it comes to security -- even if they're in the business of making people safe. Security cameras that they can be managed remotely with mobile apps are becoming popular with homeowners -- but these mobile apps are prone to fundamental infosec failures that leave the camera feeds open to snooping and manipulation, according to researchers at NowSecure.

The most common failures across the board, were sending and storing sensitive data, including credentials, in plaintext.

"I was shocked and disappointed at the same time to see how easy some of the systems made it for somebody else to access the account," says NowSecure researcher Jake Van Dyke.

Four different vendors -- all chosen for being "popular online choices," according to NowSecure researcher Jake Van Dyke -- were examined in the study, ranging from a one-camera set-up that cost around $100 to multi-camera systems costing thousands of dollars. The Vimtag Fujikam 361 HD camera, coupled with the Vimtag app; the Zmodo PKD-DK4216 model coupled with the Zsight and MeShare apps; the LaView LV-KDV0804B6S paired with the LaView Live app; and the Best Vision Systems SK-DVR-DIY system teamed up with the QMEye were all studied.

Which was worst? In Van Dyke's opinion, it's a toss-up between the Zmodo and Vimtag systems.

The ZSight app used by ZModo played fast and loose with credentials. As Van Dyke wrote, during account registration or login: 

...the app will send your username in plaintext and MD5-hashed password to http://openapi.meshare.com. The Zsight app for iOS sent the username and password as GET parameters meaning the credentials are recoverable from server access logs. Upon successful log in, MeShare's back-end server returns a token for app authentication on subsequent requests. As far as an attacker is concerned, the password, it's MD5 hash, or the token all grant access to the victim's account (i.e., any of these items are equal to a valid login).

It also left username, unencypted passwords, email addresses and valid tokens sitting in XML files. With account access, an attacker could then view the camera's live feed, take pictures, or disassociate the camera with that user's account, and more.

The Vimtag app's key problem was that the app and the back-end server mostly communicate through unencrypted channels, leaving certain activities vulnerable to man-in-the middle threats. Some of those vulnerable activities include, initiating recording of audio or video, accessing stored audio or video, registering a camera to an account, adjusting settings, and formatting an SD card.

Plus, when Van Dyke viewed the app's network settings, the Vimtag back-end server sent over the WPA2 key for the wireless network the camera is connected to and the SSIDs of all  wireless networks in the camera's proximity. "This means," Van Dyke wrote, "an attacker could use SSID to locate a house using the camera, sit on the curb in front, and connect to the network."

"The Zsight application made it easy for somebody to grab the credentials and watch your cameras," says Van Dyke. "The Vimtag system actually leaked enough information for somebody to be able to locate your house and connect your home network."

Of course the IoT world does not have a monopoly on insecure mobile apps. "It is not unique to IoT at all," says Van Dyke. "When we perform app assessments for our customers for a medical or financial-related mobile app, this would get you a report with a big fat red F on the top of it."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mark Liamey
50%
50%
Mark Liamey,
User Rank: Apprentice
4/14/2016 | 8:05:26 AM
Re: Scary
It's really awful!. When we develop new app, mobile app development company JatApp.com always think about security and safety.
audrey-privateblog
50%
50%
audrey-privateblog,
User Rank: Apprentice
2/28/2016 | 4:54:45 AM
Scary
scary... specially when you use security cams for your baby or your house....Thanks for this article Sara 
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How Security Vendors Can Address the Cybersecurity Talent Shortage
Rob Rashotte, VP of Global Training and Technical Field Enablement at Fortinet,  5/24/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .