One of the cameras, built by Swann, had failed to check if the person viewing the stream was an authorized user. That meant anyone could watch and listen to the live feed from the internet-connected video camera.
A group of security researchers — Andrew Tierney, Chris Wade, and Ken Munro from Pen Test Partners, as well as Alan Woodward, Scott Helme, and Vangelis Stykas — worked on the project, after the BBC reported last month some users were inadvertently able to access someone else’s video stream.
Tierney said in his write-up it was “simple” to trick the Swann app into streaming from another camera.
“We successfully switched video feeds from one camera to another through the cloud service, proving arbitrary access to anyone’s camera,” he said.
Internet-connected devices, known as the Internet of Things (IoT), have long been a target for hackers, not least because manufacturers often neglect basic cybersecurity measures. That allows hackers to ensnare devices into botnets to launch crippling cyberattacks, steal data, or conduct surveillance.
Tierney said that if a malicious hacker had discovered the vulnerability, it could have resulted in customer data and sensitive video feeds “splattered all over the internet”.
The vulnerability worked because each Swann camera uses a hard-coded serial number to communicate with its cloud service, provided by New York-based firm OzVision. Using proxy software to modify the network traffic, Tierney replaced a camera’s serial number with another to access that camera’s stream.
Although the researchers tested their work on their own cameras to avoid legal issues, they found it’s possible to enumerate every Swann camera serial number in three days.
Swann fixed the vulnerability with new firmware within a week of private disclosure, but it did not respond to a request for comment when reached prior to publication.
The bulk of the criticism is left for OzVision, which says three million smart cameras rely on its cloud to connect their devices to users’ apps. The researchers said other smart camera makers that rely on OzVision are still vulnerable, including the Flir FX smart camera, Tierney confirmed. That is because the tunnel protocol it uses to view a device’s stream fails to properly verify that an app user is authorized to view a particular stream, explained Helme in his own write-up of the research.
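The missing check described above, where a camera serial number is the only thing that selects a stream, can be shown as a short added example; this is not Swann's or OzVision's code. It sets the unchecked lookup beside a version that ties the serial to the logged-in account and counts denials. All function names, serials, accounts and the threshold are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

class Forbidden(Exception):
    """The authenticated account is not paired with the requested camera."""

@dataclass(frozen=True)
class Session:
    account_id: str  # set server-side at login, never read from the request

# Constructed pairing table: camera serial -> owning account.
CAMERA_OWNER = {"SN-0001": "alice", "SN-0002": "bob"}
DENIED = Counter()   # denied stream requests per account
DENIED_LIMIT = 3     # assumed alert threshold

def open_stream_unchecked(session, requested_serial):
    # Models the reported flaw: the serial sent by the client is the only
    # selector, so the caller's identity never enters the decision.
    if requested_serial not in CAMERA_OWNER:
        raise KeyError(requested_serial)
    return f"stream:{requested_serial}"

def open_stream_checked(session, requested_serial):
    # Ownership is resolved on the server from the authenticated session.
    owner = CAMERA_OWNER.get(requested_serial)
    # Unknown serial and someone else's serial get the same answer, so the
    # response does not reveal which serial numbers exist.
    if owner is None or owner != session.account_id:
        DENIED[session.account_id] += 1
        raise Forbidden("camera not paired with this account")
    return f"stream:{requested_serial}"

def looks_like_enumeration(account_id):
    # Repeated denials from one account suggest a walk through the serial space.
    return DENIED[account_id] >= DENIED_LIMIT
```

The denial counter matters because of the finding that the serial space is small enough to enumerate: a server that enforces ownership can also notice an account that keeps asking for cameras it does not own.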
The researchers also said OzVision likely knew of its tunnel protocol vulnerability last year, when Depth Security first made the discovery in October.
BBC News, which first reported the news, received comment from the device makers, confirming the vulnerabilities. OzVision did not respond to a request for comment, but told the BBC it aimed to resolve any security issues “within days.”
Lorex also issued a security advisory, which said it was “actively working” with FLIR and its partners to issue a fix, but did not give a timeline.
Alan Woodward, a professor at the University of Surrey, who also contributed to the research, told ZDNet it’s not just the tech companies — but also third parties — who are relied upon to maintain the infrastructure.
“Particularly in IoT, you buy a brand you may trust but they in turn can be dependent on third parties consumers may never have heard of,” said Woodward.
“As a user you are totally dependent on the brand you trust having done in-depth due diligence, and even then the levels of abstraction between user and the third-party technology means that vulnerabilities are quite difficult to fix or mitigate,” he said.