BD Software Distribution (BD Soft), the country partner for Bitdefender in India, warns channel partners and end-users that IoT devices can be hijacked and turned into full-fledged spying tools, after a study conducted by Bitdefender IoT and malware researchers uncovered several critical security vulnerabilities in a smart network
As part of their ongoing effort to raise awareness of the serious consequences of neglecting the security of IoT devices, including smart network cameras and other smart home devices, Bitdefender researchers have been continuously analysing the security posture of gadgets that may put home users and their networks at privacy and security risk.
According to the technical analysis performed by Bitdefender researchers Dragos Gavrilut, Radu Basaraba and George Cabau (the details of the analysis are available at Bitdefender Labs here), the analysed network camera is commonly used as a home surveillance system, as a baby monitor and as a communication medium between parents and children. Such cameras are often used in small offices and business establishments, too.
While scrutinising the device, which is operated through a mobile phone app over a wireless network, in a controlled testing environment, Bitdefender researchers observed several security oversights: the device's hotspot was open, with no password required; the data sent between application, device and server was merely encoded, not encrypted; and the network credentials were sent in plain text from the mobile app to the device.
Researchers found that when the mobile app connects to the device remotely, from outside the local network, it authenticates through a mechanism known as Basic Access Authentication. By today's security standards, they note, this is considered an insecure method of authentication unless it is used in conjunction with an external secure transport such as SSL: usernames and passwords are passed over the wire unencrypted, merely Base64-encoded in transit.
“Base64 is an encoding scheme, meaning it’s reversible and virtually useless for providing data security”, says Radu Basaraba, malware researcher at Bitdefender.
In addition, although the device's communication with the push servers is secured with HTTPS, the device itself is authenticated exclusively by its MAC address. An attacker can therefore register a different device with the same MAC address to impersonate the genuine one: the server, and the mobile app with it, will communicate with whichever device registered last, even if it is rogue. This way, attackers can capture the webcam's new password if the user changes the default one.
To speed up the process and obtain the password faster, an attacker can take advantage of the camera's push notification feature, which lets users opt to receive notifications on their smartphone, specifically video alerts, whenever the camera detects suspicious sound or movement in their homes. When the user opens the app to view the alert, the app authenticates to the device using Basic Access Authentication and thus sends the new password unencrypted to the attacker-controlled webcam. The attacker can then enter the username, password and ID into the mobile app to gain full control of the user's webcam.
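The MAC-only device registration described above, modelled beside a hardened alternative as an added example that is not Bitdefender's analysis code or the vendor's server software. The class and function names, the nonce-plus-HMAC challenge-response scheme, the sample MAC and the per-device secret are all assumptions.

```python
import hashlib
import hmac
import secrets


class MacOnlyRegistry:
    """Vulnerable model: the MAC is the whole identity; the last registration wins."""
    def __init__(self):
        self.endpoints = {}  # MAC -> endpoint the server and the app will talk to

    def register(self, mac, endpoint):
        self.endpoints[mac] = endpoint  # no proof of possession required
        return True


class KeyedRegistry:
    """Hardened model: each unit holds a per-device secret provisioned at
    manufacture and must answer a fresh server nonce with an HMAC to register."""
    def __init__(self, provisioned):
        self.keys = dict(provisioned)  # MAC -> per-device secret (constructed)
        self.endpoints, self.nonces = {}, {}

    def challenge(self, mac):
        self.nonces[mac] = secrets.token_bytes(16)
        return self.nonces[mac]

    def register(self, mac, endpoint, response):
        key, nonce = self.keys.get(mac), self.nonces.pop(mac, None)  # single-use nonce
        if key is None or nonce is None:
            return False
        if not hmac.compare_digest(device_response(key, nonce, endpoint), response):
            return False  # claimant cannot prove it holds the device secret
        self.endpoints[mac] = endpoint
        return True


def device_response(key, nonce, endpoint):
    """What a genuine device computes; binding the endpoint stops it being swapped in transit."""
    return hmac.new(key, nonce + endpoint.encode(), hashlib.sha256).digest()


def demo(mac="00:11:22:33:44:55", key=b"constructed-per-device-secret"):
    weak = MacOnlyRegistry()
    weak.register(mac, "genuine-cam")
    weak.register(mac, "rogue-host")  # second claimant silently replaces the genuine unit
    strong = KeyedRegistry({mac: key})
    strong.register(mac, "genuine-cam", device_response(key, strong.challenge(mac), "genuine-cam"))
    rogue = strong.register(mac, "rogue-host", device_response(b"wrong", strong.challenge(mac), "rogue-host"))
    return weak.endpoints[mac], rogue, strong.endpoints[mac]
```

`demo()` returns the endpoint each registry would trust for the same MAC: the MAC-only registry hands the identity to the second claimant, while the keyed registry rejects it and keeps the genuine device.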
“Anyone can use the app, just as the user would”, says George Cabau, antimalware researcher. “This means turning on audio, mic and speakers to communicate with children while parents aren’t around or having undisturbed access to real-time footage from your kids’ bedroom. Clearly, this is an extremely invasive device, and its compromise leads to scary consequences.”
According to Bitdefender, the vulnerabilities were reported in accordance with Bitdefender’s vulnerability disclosure policy, and the vendor is currently working on a fix.
According to the consumer segment of ISACA’s 2015 IT Risk/Reward Barometer, 81 percent of Indian consumers surveyed are confident they can control the security on the Internet of Things (IoT) devices they own. Smart TVs topped the list of most wanted IoT devices to get in the next 12 months, followed by smart watches (36%) and Internet-connected home alarm systems (29%).
At the same time, a majority of respondents (80%) believed their credit or debit card information could potentially be collected via IoT devices and misused by cybercriminals. Additionally, 93% of respondents believed that hacking into an IoT device amounts to burglary. As the use of IoT devices increases in India and globally, BD Soft, the Country Partner for Bitdefender in India, advises users to research thoroughly online before buying an IoT device, to cross-check the manufacturer's compliance with existing security standards, and to always read the privacy statement before activating the device and connecting it to the web.