The company gained access to the home network’s Wi-Fi password, obtaining full control of the pan-tilt-zoom controls and redirecting the video feed and movement alerts. The Motorola IP camera, manufactured by Binatone, boasts a wide range of features and offers cloud connectivity through the Hubble service, hosted by Amazon Elastic Compute Cloud. This allows customers to watch and control cameras remotely and receive movement alerts through a free mobile app.
It was found by Context researchers that setting up the camera involved a private Wi-Fi security key, transmitted unencrypted over an open network, with the HTTP Authentication of username ‘camera’ and password ‘000000’. A number of legacy webpages on the camera revealed that the device is based on the same hardware as a legacy baby monitor product.
Investigations revealed that malicious firmware could be installed as it wasn’t secured or checked for validity by the cameras software and that root access to the device and discovering the root password “proved trivial” as it was 123456. Researchers also revealed that access to the home network Wi-Fi password, factory wireless credentials for secure test networks and credentials for the developers’ Gmail, Dropbox and FTP accounts was in plaintext. The device's logs were accessible through the open web interface and contained the AES encryption key for the remote control messages and FTP credentials for video clip storage.
The camera uses the STUN (Session Traversal Utilities for NAT) protocol to maintain communications with the Hubble server and control the camera. An AES key allowed Context to access encrypted commands sent from the cloud to the camera and re-create them to initiate instructions such as start recording, change video server, move left and reboot. Once the researchers had established control of the camera they were also able to subvert and redirect the Hubble DNS configuration to receive a feed of movement alert JPEG images and video clips – a service only available to paying customers of Hubble.
Unencrypted media meant it was possible to store uploads for review at a later time. As part of Context’s responsible disclosure policy, the company contacted Motorola Monitors in early October 2015 and were referred to Hubble, who have since taken steps to address the issues identified and tighten up security, working with partners Motorola, Binatone, Nuvoton and software developer CVision. Hubble has released new firmware updates to camera users and as the update process is automated, it is understood that the critical vulnerabilities in both outdoor and indoor Focus models have been mitigated without end users having to do anything.
“Hubble Connected has fully patched the vulnerability to ensure that the reported bug is addressed,” said Brendan Gibb, CISO at Hubble. “This firmware will be released on 2 February 2016 to all affected cameras. It is my understanding that this addresses the most serious concern to public safety and reduces risk that our cameras are used by a third-party. The Hubble brand remains committed to ensuring our products and customers are safe from compromise and we remain ready to address problems that are found and reported by security researchers.”
“This is one more example of an IoT product getting to market with little attention being paid to security,” said Neil Biggs, head of research at Context. “The benefits of these security cameras are clear but it rather defeats the object if they are also open to compromise. The message is clear; companies wanting to get on the IoT bandwagon need to design in security from the outset.”