A few weeks ago, a headline popped up on the BBC that caught the eye of security researchers: “Swann home security camera sends video to wrong user”.
It was clear what happened: the camera uploaded a bunch of data on purpose, and then it sent it to the entirely wrong person. As in, Louisa Lewis started to get “motion detected” alerts on her phone that showed somebody else’s kitchen, in somebody else’s house, with somebody she didn’t know, washing their dishes.
But it wasn’t clear why it happened, beyond the camera manufacturer’s explanation that it was human error, caused by two cameras being manufactured with the same cryptographic key to secure communications with their owners, and the duplicate camera owner having ignored the warning prompt that the “Camera is already paired to an account.”
…Nor was it clear that it wouldn’t happen again. Which it did. Nor was any evidence given to support Swann’s promise that “this was a one-off incident.” Which, it’s now clear, it was not.
We know this because a team of Europe-based security researchers came together to pick apart the security on these internet-connected cameras, to get a better sense of the “why”: Ken Munro, Andrew Tierney, Vangelis Stykas, Alan Woodward and Scott Helme.
They published their findings on Thursday. Munro’s TL;DR version of what they found:
“We successfully switched video feeds from one camera to another through the cloud service, proving arbitrary access to anyone’s camera.”
“Anyone’s” camera? So much for Swann’s “one-off” claim. As Helme describes in his writeup, there’s no way that Swann could have known, as the company claimed, that “no further data was breached or accessed.”
“How could they? If this was human error on the production line (which I think is nonsense) and they didn’t detect this one until someone told them, how do they know it hasn’t happened again?”
Tierney said in his write-up that it was a “simple trick” to convince the Swann app that it was talking to some other camera and to begin streaming from another user’s device.
As first reported by the BBC, the new vulnerability has to do with the messages sent from the server – that would be OzVision servers – to the Safe by Swann app, which is the smartphone app used to view cameras’ motion-triggered recordings.
Those messages included a reference to a unique serial number given to each camera in the factory. Using commonly used, free security tools – they used Charles, Tierney said, though Burp or MITMproxy will do the trick – the researchers easily intercepted the messages. Then, they tweaked the serial numbers. In order to stay on the right side of privacy and avoid unethically/illegally turning into snoopers, the researchers only spied on webcams that they’d bought themselves.
But Vangelis checked the API and found that the serial number could be enumerated. The researchers didn’t have to guess at whether any given enumerated number would get them to a valid Swann camera: when they tried to add an existing serial number, the “device already paired” error popped up, signifying that they’d hit on an existing serial number.
Once they switched to another camera, they found that they could view its stream, with no username/password authentication needed, given that the cameras failed to check whether the person viewing the stream was an authorized user.
Tierney said that the researchers found it would be possible to enumerate every Swann camera serial number in three days.
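An added example, not code from Swann, OzVision or the researchers: a minimal Python model of the server-side checks the passage above says were missing, with the flawed stream lookup beside a hardened one. The serial format, account names, per-device pairing secret and failure limit are assumptions made for illustration.

```python
import hmac

# Constructed sample data: serial -> owning account and per-device pairing secret.
DEVICES = {
    "SN000101": {"owner": "alice", "secret": "k3-constructed-a"},
    "SN000102": {"owner": None, "secret": "k3-constructed-b"},
}
MAX_FAILED_PAIRINGS = 5  # assumed limit per account
failed_pairings = {}     # account -> count of failed pairing attempts


class Denied(Exception):
    """Single generic failure: callers cannot tell 'unknown' from 'not yours'."""


def stream_vulnerable(account, serial):
    # Flaw described in the article: the serial alone selects the stream,
    # and the caller's identity is never compared with the camera's owner.
    if serial in DEVICES:
        return f"stream:{serial}"
    raise KeyError(serial)


def stream_hardened(account, serial):
    # Authorize on the server for every request: the authenticated account
    # must be the owner bound to this serial.
    device = DEVICES.get(serial)
    if device is None or device["owner"] != account:
        raise Denied("not available")
    return f"stream:{serial}"


def pair_hardened(account, serial, secret):
    # Assumed design: pairing needs a secret shipped with the device, not
    # just the serial, and every failure looks the same, so responses do not
    # confirm which serial numbers exist or are already paired.
    if failed_pairings.get(account, 0) >= MAX_FAILED_PAIRINGS:
        raise Denied("not available")
    device = DEVICES.get(serial)
    expected = device["secret"] if device else "no-such-device"
    ok = hmac.compare_digest(secret.encode(), expected.encode())
    if not (ok and device and device["owner"] is None):
        failed_pairings[account] = failed_pairings.get(account, 0) + 1
        raise Denied("not available")
    device["owner"] = account
    return True
```

The failure counter is what turns a three-day sweep of the serial space into a lockout after a handful of wrong guesses; in a real service it would also need to be tracked per source address and to expire over time.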
Swann and OzVision – the provider of Swann’s cloud technology – said the issue is now fixed. According to the BBC, Swann said that the vulnerability only occurred in one model: the SWWHD-Intcam, also known as the Swann Smart Security Camera. You can pick one of them up for about USD $100 on Amazon, though the BBC says they’ve also been sold by Maplin, Currys, Debenhams, and Walmart.
So that’s the situation with camera maker Swann. OzVision, however, is another matter. Tierney says the researchers believe that the cloud service maker has known about the issue for some nine months: they came across a report about it from Depth Security back in October. When the issue was brought to its attention, OzVision deflected questions back to Swann. OzVision only fixed the vulnerability when Swann pressured it to, Tierney said.
The concern now is that OzVision provides cloud service to at least one other major camera brand; in fact, it claims to provide cloud service to 3 million smart cameras.
OzVision told the BBC that the vulnerability was fixed when the stream-swapping problem first came to light in June. Now, it’s working on making sure the problem has truly been fixed. The BBC quoted OzVision sales executive Uri Kerstein:
“A security concern which was raised a few weeks ago was immediately addressed and resolved by the company and its partners. OzVision is conducting a thorough examination of the system to ensure that any remaining or potential security concerns are resolved within days.”
That doesn’t particularly assure Munro, who noted that there’s always risk when you’re talking about an Internet of Things (IoT) security camera:
“I’d make sure you don’t put them in very personal places like your bedroom. Just bear in mind someone might be looking in.”
Tell us about it! Looking in is just the start of it. From there, you get to hackers blackmailing women into stripping in front of their webcams, CCTV feeds of kids at school being streamed live online, and oh, so many baby monitors being used to spy on kids (or to broadcast obscenities at babies, as the case may be).
Unfortunately, the Swann/OzVision situation is just one more case of the IoT chickens come home to roost. Put a “security” camera into the cloud, and you run the risk that you’ll be overrun by chickens.
Hector
I think these manufacturers should also have a training plan for their customers. Many consumers get themselves in trouble simply because they do not understand the technology.
Bryan
Hector, that’s a good idea. Unfortunately, it’s far too common that people just want stuff to work quickly without spending any time to learn about it.
A manufacturer advising users through security will likely be disregarded–while forcing them through secure setup will lead to “didn’t work out of the box” reviews.
One alternative is default secure configuration, which is complex to implement on a large scale and raises cost.
Laurence Marks
I don’t get it. You need a unique identifier for a camera? Why not use a hash of the Ethernet MAC address which is guaranteed to be globally unique?
Paul Ducklin
Why not use the MAC address as the source of a non-public identifier?
Here’s one jolly good reason not to:
https://nakedsecurity.sophos.com/2018/06/14/the-99-digital-padlock-that-kept-crooks-out-for-2-whole-seconds/
stoatwblr
An ethernet address is only 48 bits (IP addresses are 32 bits). What makes you think they’re anywhere near globally unique? The best you can hope for (and actually need) is unique in your LAN and I’ve run into a number of cases with cheap devices where the makers hadn’t bothered getting licenses where even that wasn’t true.
Fred
Lisa, in your article you wrote “OzVision provides cloud service to at least one other major camera brand”. Do you know who the other major brand is? Any chance it is Arlo (Netgear)? Not getting much coverage in the news is that many Arlo cameras haven’t been working for at least the past month!