Internet-enabled cameras: they’re supposed to secure and monitor our babies, or our pets, or our homes and offices. Realistically? All too often, a child could hack them.
The latest news from the department of Internet of Things (IoT) gadgets that you can use to spy on people: SEC Consult, an Austrian cybersecurity company, on Wednesday urged owners of MiSafes Mi-Cam baby monitors to turn them off if they want to keep their kids from being eyeballed by prying eyes or chatted up by strangers roaming the internet.
One of what the firm called multiple critical vulnerabilities allows for the hijacking of arbitrary video baby monitors. An attacker can eavesdrop on nurseries and talk to whoever’s near the baby monitor by simply modifying a single HTTP request, SEC Consult says.
The tweaked HTTP request allows an attacker to get at information about a given cloud-based Mi-Cam customer account and whatever baby monitors are paired with it, and to view and interact with those connected webcams. This video demonstrates the attack.
The baby monitors also have outdated firmware riddled with numerous publicly known vulnerabilities; root access protected by only four digits’ worth of credentials (and default credentials, at that); and a password-forget function that sends a six-digit validation key that’s good for 30 minutes: plenty of time for a brute-force attack.
As far as the software goes, one of the problems with the Mi-Cam app is broken session management, SEC Consult says:
A number of critical API calls can be accessed by an attacker with arbitrary session tokens because of broken session management.
This allows an attacker to retrieve information about the supplied account and its connected video baby monitors. Information retrieved by this feature is sufficient to view and interact with all connected video baby monitors for the supplied UID [unique identifier].
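The server-side check whose absence the quote above describes can be sketched as follows. This is an added example, not code from SEC Consult or MiSafes: the advisory does not say how the cloud service is built, so the session table, the function names and the sample accounts are all hypothetical.

```python
import secrets
import time

SESSION_TTL = 30 * 60  # session lifetime in seconds (constructed value)

# Constructed sample data: account UID -> paired monitors.
DEVICES = {"1001": ["cam-a"], "1002": ["cam-b", "cam-c"]}


class SessionStore:
    """Hypothetical server-side session table: token -> (uid, expiry)."""

    def __init__(self):
        self._sessions = {}

    def login(self, uid, now=None):
        """Issue an unguessable token bound to the account that logged in."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (uid, now + SESSION_TTL)
        return token

    def authorize(self, token, requested_uid, now=None):
        """True only if the token is known, unexpired and issued to requested_uid."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return False  # unknown or made-up token
        owner_uid, expiry = entry
        if now >= expiry:
            del self._sessions[token]  # drop the stale session
            return False
        return owner_uid == requested_uid  # the token must belong to this account


def list_devices_broken(token, uid):
    """The flaw class in the quote: any non-empty token is accepted for any UID."""
    if not token:
        raise PermissionError("no session token")
    return DEVICES.get(uid, [])


def list_devices_checked(store, token, uid, now=None):
    """Hardened form: the session is validated against the requested account."""
    if not store.authorize(token, uid, now):
        raise PermissionError("session not valid for this account")
    return DEVICES.get(uid, [])
```

The check that matters is the last line of `authorize`: a token that is valid for one account must still be refused when the request names a different UID.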
SEC Consult isn’t giving away much detail about these vulnerabilities. That’s because it can’t figure out how to get through to the vendor to responsibly disclose them: it’s been trying to get in touch with MiSafes since December, without any luck. It’s also tried to ask the Chinese Computer Emergency Response Team for coordination support, but CERT/CC decided not to coordinate a response or to publish the vulnerabilities.
What’s the best you can do if you’re one of the 52,000 or so people who own one of these baby monitors?
Turn it off.
After that, you might want to check out our tips on how to secure your baby monitor or other IP cameras.
Tod
The video demo doesn’t specify if the attacker needs both the user ID and session ID. Maybe they’re transmitted in the clear or something, but that would require a MITM presence, and thus, would be a much more difficult attack.
Can you clarify? Is the failure: (1) MiSafes is transmitting session ID in the clear, or (2) MiSafes is failing to validate the session ID, and merely requires the predictable user ID for pairing?
Lisa Vaas
It’s an open vulnerability, they haven’t been able to get through to the manufacturer, and SEC Consult wants to disclose it responsibly, so it didn’t give out a lot of detail.
The vulnerability shown in the video, which is of a hacker exploiting the Mi-Cam Android application, bypasses the need for a password. All the attacker has to do is set up a proxy server that can intercept and modify the HTTP request between the phone and the device.
Jeffrey
The picture in your article is of a Motorola camera setup of which I own 3. While hardly “secure” mine were NOT IP enabled cameras, they used their own spread spectrum network that never touched my 802.x wireless network. That’s the reason I bought them – no IoT.
Paul Ducklin
I switched the pic for a supergeneric “camera” sort of thing, just to avoid any confusion.
Jez
I’ve enjoyed reading Naked Security for years now and generally can’t fault the articles. A great mix of informative, serious and fun.
However, the baby monitor pictured in the thumbnail for this article (not the one shown above) isn’t an Internet enabled monitor; I know, I’ve got one! Perhaps it’s only minor, but if you are alerting people about security flaws in a product, probably best to use an accurate picture. Please read this as a helpful comment, rather than pedantic criticism!