Security Glitch in IoT Camera Enabled Remote Monitoring

Swann has patched a flaw in its connected cameras that would allow a remote attacker to access their video feeds.

A research team, consisting of Andrew Tierney, Chris Wade and Ken Munro from Pen Test Partners, as well as security researchers Alan Woodward, Scott Helme and Vangelis Stykas, developed a proof-of-concept attack taking advantage of security issues in the device’s cloud service, Safe by Swann. They ultimately were able to access Swann-connected cameras via their mobile devices — so that they could see and hear footage on the other end.

“As a consumer, I would be pretty bothered by the potential for someone else accessing my home video feed. Swann acted promptly and resolved the issue as soon as they became aware of it,” wrote Pen Test Partners in a posting on Thursday.

After noticing a BBC article outlining how a BBC employee had seen someone else’s footage on the mobile app for their home security camera, the researchers decided to dig into the incident.

The camera impacted is a battery-powered HD camera that is able to stream video either direct over the local network or via a cloud service, with the cloud provided by Ozvision. When a user logs into the system through Safe by Swann, a request is made (userListAssets) to the server. This returns a response containing the devices associated with the account.

The researchers used proxy software (Charles – although they said Burp and MITMproxy also work) to intercept these serial numbers, and then altered them with another camera’s serial number.

The researchers said they were easily able to find a serial number that corresponds to the targeted device via the API endpoint and APK.

“This is both for the Swann-specific web API and the OzVision peer-to-peer tunnel,” they explained.

They could then access the camera stream for the new serial number. Subsequently, they showed how they were then able to hack into each others’ cameras and both watch – and hear – what was happening on the other end.

“At this point the mobile app sees the details of someone else’s camera,” they said. “In the app, one simply presses ‘play’. This made a request to deviceWakeup using the modified serial, then the Ozvision tunnel to the device was established using the modified serial. We could then watch the camera live.”

The researchers notified both Swann and Ozvision about the security flaw.

“Ozvision already knew about the vulnerability, as Swann had informed them,” the researchers said. “The Swann customer camera cloud environment had quickly been fixed. Swann took swift action to fix the flaw and had a constructive dialogue with us.”

However, the cloud service provider Ozvision was a different matter, researchers said.

“We suspect they knew about this issue for about nine months, and only fixed it when pressured by Swann; and we are confident the vulnerability was present in at least one other major camera brand to which they provide a cloud service,” they said. “Further, they initially deflected direct questions about the issue back to Swann.”

IoT Issues Rampant

Security vulnerabilities continue to plague internet of things objects. Just Wednesday, researchers at Cisco Talos revealed that Samsung’s SmartThings Hub, which is its IoT smart home controller, had 20 vulnerabilities.

Earlier in July researchers uncovered vulnerabilities in a connected vacuum cleaner lineup that could allow attackers to eavesdrop, perform video surveillance and steal private data from victims.

Helme, for his part, stressed in a post about the security glitch that the infosec community needs to be doing better in the IoT world.

“Honestly I’m not sure if these cameras were ever penetration-tested, and if they were, how could a tester miss that a simple string replace on the serial would allow you access to arbitrary cameras?” he wrote. “The industry still has a long way to go.”