There are several baby monitors that have come on the market recently with remote viewing capabilities, motion detection, and temperature sensors. These are great tools that give parents peace of mind, but with the proliferation of the Internet of Things and manufactures designing products for function and ease of use rather than security, one has to wonder just how secure these devices are.
The following example showcases manufactures that get it when it comes to device security, have issued warnings, and have fixed their devices. I want to point out these devices, because they have gone above and beyond, ensuring that their upgrade process is very simple and fixes the known disclosed vulnerabilities.
Many baby monitors work by downloading a companion app on your iPhone or Android device. You will then create a username and password for on the application and service.
After an easy setup, you typically plug in your baby monitor. It is designed to be extremely simple to setup and use. Your phone will display a QR code with instructions to hold it near the camera to complete the setup.
At that point you are typically complete. Open up the App and you are ready to go. However if you want to do a little digging you can go to your router and look at the ARP table to discover the IP address of your baby monitor.
You can see in our case, the baby monitor has an IP address of 192.168.1.100Let’s plug that into a web browser and see if anything happens.
As you can see, I got a web page (my IP address changed to 192.168.1.104 because I ended up replacing my router – don’t worry it will change again by the end of the article).I used nmap to scan the device
sudo nmap -v -O -sV -A -T4 192.168.1.100
A few minutes later we get a list of open ports.I see http is open, so I just put that into the web browser and it worked. However, I was not able to do much more than this at this point.
Next, we will use the tool APK Studio to examine the Android application. You will need to install Java JRE 1.7(http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html) and Android Developer Studio first (https://developer.android.com/sdk/index.html).
When you have completed the install, go to http://github.vaibhavpandey.com/apkstudio/ to download the APK Studio. The APK studio will let you examine an Android application. Getting the Android application, however, can be a little tricky.First I did a web search on the Android Play store for the Application.
I then launched Raccoon APK downloader (http://www.onyxbits.de/raccoon) and searched for the same App.
The Raccoon software allowed me to download a local copy of the APK to my PC
I found the following strings in the Android App:
public static final String CAMERA_USERNAME = "user"; public static final String CAM_DEFAULT_PASSWD = "M100-4674448";
Some devices did not have the default password, but they had functions that let you calculate the password.
For example, one device had an admin password that was the md5 checksum of the first ten characters of its own MAC address with the letter ”i” as a prefixOk….Further examination found more strings:
public static final String HTTP_RES_ROOT_PATH = "/cgi-bin/v1"; public static final String HTTP_RES_CAMERA = "/camera"; public static final String HTTP_RES_FW_AUTOUPGRADE = "/firmware/autoupgrade"; public static final String HTTP_RES_FW_VERSION = "/firmware/version"; public static final String HTTP_RES_JPEG_BIG = "/cgi-bin/img-0.cgi"; public static final String HTTP_RES_RTSP_SES_BIG = "/stream0"; public static final String HTTP_RES_SET_CAM_PASSWD = "/users/admin";
So, let’s try the first one:
Now let’s try our password that we uncovered in the first search. Bingo! Some of the URLs from the second search work. For example, the URL: http://192.168.1.100/cgi-bin/img-0.cgi captures an image from the baby monitor.
This and other vulnerabilities were described in detail in a report released by Rapid7 that can be found here:https://www.rapid7.com/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-Exposures-and-Vulnerabilities.pdfI applaud and commend the vendors here for addressing the problems and making upgrades available that address these problems.
Baby monitors, though, are just one example of how Internet of Things devices can open up unexpected cybersecurity vulnerabilities in our homes and workplaces.
Shodan is often referred to as the search engine for The Internet of Things, Found at https://www.shodan.io/, Shodan helps users search for specific types of computers, devices, and connected systems. It looks for systems that have specific ports open such as FTP servers, web servers, video cameras, and other things. It also indexes systems with default passwords on many devices, including home routers.
You can see from the screen shot below we were able to find FTP servers, Cisco routers, and other devices with basic passwords.
We were able to locate a number of webcams (over 20,000) with a simple search of “linux upnp avtech country:MX”
Almost all these devices had a username and password “admin” and “admin”. While we have yet to see an explosion of IoT-related hacks, unless vendors start taking a more proactive approach to security (like the baby monitor vendor featured at the beginning of this story), the growing number of IoT devices will make both consumers and businesses increasingly vulnerable. Whether that means viewing a feed from a random webcam in Mexico or executing a more serious attack using a vulnerable, connected device as a beachhead, IoT adopters and vendors alike need to be aware of the security issues surrounding this rapidly expanding market.
