[UPDATED with DropCam CEO comments 7/17/14]
That handy plug-and-play webcam-based video monitoring system used for keeping an eye on the house while you're away at the beach, the kids at daycare, and small businesses after hours, also can be turned against you by bad guys, a pair of researchers found.
Patrick Wardle and Colby Moore of Synack -- who will demonstrate the security weaknesses in the WiFi security camera system at the DEF CON 22 hacker conference in Las Vegas next month -- discovered a Heartbleed vulnerability and other software and hardware weaknesses in the DropCam equipment used in the cloud-based WiFi video monitoring service.
They found that weaknesses in the devices could allow an attacker to view video and "hot-mike" audio on the cameras to spy on the targets, as well as inject their own video frames into the DropCam feed or freeze frames in order to hide malicious activity, such as a physical break-in.
The researchers reverse engineered the DropCam camera's hardware and were able to insert a malware "implant" into it, as well as exploit software vulnerabilities they found in the device's internal software.
DropCam's security holes are yet another example of the inherent risks of IP-based consumer devices, a.k.a. the Internet of Things. Security researchers increasingly are warning about flaws in embedded software in these devices, many of which run older software that may not even receive updates.
"If someone has physical access [to a DropCam device], it's pretty much game over," says Wardle, who is director of research at Synack. "People need to be aware that these devices can be accessed by hackers or adversaries, and they should be scrutinized in the way people protect their laptops," for instance.
Wardle and Moore say DropCam runs older software components, including the Heartbleed-vulnerable version of OpenSSL, and an outdated and unpatched version of BusyBox, an open source Unix toolkit typically found in embedded devices and Android devices.
The Heartbleed bug, a read-overrun flaw in the implementation of the Transport Layer Security protocol's "heartbeat" extension in OpenSSL 1.0.1 and the 1.0.2 betas, could allow an attacker to read the contents of the server's memory from the client, and vice versa, potentially exposing passwords and other sensitive data -- including the SSL server's private key. OpenSSL has fixed the bug in a newer version of the software.
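Added illustration, not from the article or from Synack: the over-read happens because a heartbeat message carries its own payload length, which vulnerable OpenSSL trusted without checking it against the size of the TLS record that actually arrived. The check below mirrors the one OpenSSL added in its fix and can be run over captured records to flag heartbeats whose claimed length cannot fit in the record; all byte strings are constructed samples.

```python
import struct

TLS_HEARTBEAT = 24      # TLS ContentType for the heartbeat extension (RFC 6520)
HB_PADDING_MIN = 16     # RFC 6520 requires at least 16 bytes of random padding


def split_tls_records(stream):
    """Split a raw TLS byte stream into (content_type, version, body) tuples."""
    records, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[pos:pos + 5])
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            break  # truncated record at the end of the capture
        records.append((ctype, version, body))
        pos += 5 + length
    return records


def classify_heartbeat(body):
    """Bounds check from the OpenSSL fix: type byte + 2-byte length field +
    claimed payload + minimum padding must fit inside the record body."""
    if len(body) < 3:
        return "malformed"
    hb_type, claimed = struct.unpack("!BH", body[:3])
    if hb_type not in (1, 2):        # 1 = request, 2 = response
        return "malformed"
    if 1 + 2 + claimed + HB_PADDING_MIN > len(body):
        return "overread"            # peer would echo bytes it never received
    return "ok"


def scan_stream(stream):
    """Return one verdict per heartbeat record; other record types are ignored."""
    return [classify_heartbeat(body)
            for ctype, _, body in split_tls_records(stream)
            if ctype == TLS_HEARTBEAT]


def make_heartbeat_record(claimed_len, payload):
    """Build a constructed TLS 1.1 heartbeat request record for the samples below."""
    body = struct.pack("!BH", 1, claimed_len) + payload + b"\x00" * HB_PADDING_MIN
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body


BENIGN = make_heartbeat_record(4, b"ping")          # length field matches payload
OVERREAD = make_heartbeat_record(16384, b"ping")    # claims 16 KB, carries 4 bytes
APPDATA = struct.pack("!BHH", 23, 0x0302, 5) + b"hello"  # unrelated record
```

Running `scan_stream(BENIGN + APPDATA + OVERREAD)` yields one "ok" and one "overread" verdict, which is the same decision a patched OpenSSL makes before it touches the buffer.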
"The camera is vulnerable to client-side Heartbleed attacks. You could spoof the DropCam DNS server, and the camera would beacon out," Wardle says. "You could throw a Heartbleed exploit and start dumping memory and get [digital] certs," for example.
He and Moore, who is a security research engineer at Synack, also found they could theoretically trigger a known bug in the older version of BusyBox running on the video cameras.
"A lot of the software is really old, and there's a lot of potential for vulnerabilities to go unnoticed and unpatched," Moore says.
The researchers also found that they were able to open the back of the camera, where they found a serial port header, which had a serial console that they used to "root" the camera. They then found that the camera's USB connection could be abused to upload malicious firmware to the device -- all merely by holding a button on the back of the camera and connecting it with some software. "Given physical access, an attacker could root the device without popping it open," Wardle says.
They also found a flaw in DropCam where, when an OS X machine is used to configure it, any user on that OS X machine can "write" to that application. "When you connect to the OS X computer, the app on DropCam is mounted with writeable permissions," Wardle says. "So if an attacker has access to a Mac, he can wait until the DropCam is plugged in and then infect the configuration utility... and write to it."
The researchers built an "implant" that can infect computers used to configure the DropCam.
The bottom line is that a targeted DropCam could be hijacked to steal information and to wage other attacks. "Don't trust a camera from strangers," he quips. "A targeted DropCam becomes a full-fledged computer you can fully remote control and launch other attacks from it. Whenever it's plugged into a Mac or Windows machine, we can inspect that computer."
DropCam, which last month announced it would be acquired by Nest, has fixes for some of the flaws in the works, the researchers say. As of this posting, DropCam had not responded to a press inquiry on the researchers' findings and possible patches.
[UPDATE: DropCam CEO and co-founder Greg Duffy provided a response to the researchers' work]:
"The Synack folks were not actually able to remotely compromise any of our cameras -- only ones they had physical access to. This is not a unique problem. All hardware technology products -- from smartphones to laptops -- are susceptible to jailbreaking, which requires physical access to a device. What's great about Dropcam is that you'll be notified as soon as someone approaches your device or takes it offline. Most importantly, we have excellent security for preventing remote access. Our cameras won't communicate with anyone on the Internet, only Dropcam cloud servers, and to the best of our knowledge, we haven't had any intrusions or access to private data to date," Duffy said.
He also said the company patched the Heartbleed 2.0 vulnerability on July 14 via an automatic update to the devices, so customers didn't need to take any action to get the patch. DropCam had fixed the original Heartbleed flaw within four hours of the vulnerability's disclosure.
The researchers will provide demonstrations and more details on their findings at DEF CON on Aug. 10 in their presentation, "Optical Surgery: Implanting a DropCam."