HACKING IoT: A Case Study on Baby Monitor Exposures and Vulnerabilities

Written by Mark Stanislav and Tod Beardsley | September 2015*   #IoTsec
© Rapid7 2015
*Last updated September 29, 2015

Contents
01  The Internet of Things                                  2
02  No Easy Fixes                                           3
03  Why Baby Monitors?                                      4
04  What is the Business Impact?                            5
05  Common Vulnerabilities and Exposures for IoT Devices    6
06  Vulnerability Reporting and Handling                    8
07  Disclosures                                             9
08  Working to Improve IoT Security                        14
09  About Rapid7                                           15
Executive Summary

The term “Internet of Things” (IoT) is used to describe a galaxy of wildly different devices, from twenty dollar children’s toys to airliners that cost hundreds of millions of dollars. While this paper focuses on the consumer end of the IoT spectrum, we believe that the findings can inform how security researchers look at undiscovered vulnerabilities affecting expensive, industrial devices as well.

While Rapid7 is not aware of specific campaigns of mass exploitation of consumer-grade IoT devices, this paper should serve as an advisory on the growing risk that businesses face as their employees accumulate more of these interconnected devices on their home networks. This is especially relevant today, as employees increasingly blur the lines between home networks and business networks through routine telecommuting and data storage on cloud resources shared between both contexts.

Several video baby monitors from a cross-section of manufacturers were subjected to in-depth security testing, and all of the devices under test exhibited several of these common security issues.

This paper focuses specifically on ten new vulnerabilities which were disclosed to the individual vendors, to CERT, and to the public, in accordance with Rapid7’s Disclosure Policy[1]. CVE-2015-2880 through CVE-2015-2889 (inclusive) were assigned by CERT. Typically, these newly disclosed vulnerabilities are only effectively mitigated by disabling the device and applying a firmware update when one becomes available, or with updates to centralized vendor cloud services.

The vulnerabilities explored and disclosed in this paper are broken down according to the “reach” of the attack, that is, if the issues are exploitable only with physical access to the device; if they are exploitable via the local network; or if they are exploitable from the Internet.

It is important to stress that most of the vulnerabilities and exposures discussed in this paper are trivial to exploit by a reasonably competent attacker, especially in the context of a focused campaign against company officers or other key business personnel. If those key personnel are operating IoT devices on networks that are routinely exposed to business assets, a compromise on an otherwise relatively low-value target – like the video baby monitors covered in this paper – can quickly provide a path to compromise of the larger, nominally external, organizational network.

Finally, this paper also discusses the insecure-by-default problems inherent in the design of IoT devices, the difficulty for vendors to develop and deliver patches, the difficulties end-users face in learning about, acquiring, and applying patches once developed, and the friction involved in reporting issues to vendors in a way that is beneficial to end-users. Only one vendor cited in this report, Philips N.V., responded with an expected timeline for producing fixes for the issues described.

[1] https://www.rapid7.com/disclosure.jsp
01 THE INTERNET OF THINGS

For our purposes, we can think of a “Thing” with “Internet” as simply any device, regardless of size, use, or form factor, that contains a CPU and memory, runs software, and has a network interface which allows it to communicate to other devices, usually as a client, sometimes as a server. In addition, these Things tend not to resemble traditional computers. They lack a typical keyboard and mouse interface, and they often have a user interface not centered around a monitor or other text-filled screen. Finally, these devices are marketed and treated as if they are single purpose devices, rather than the general purpose computers they actually are.

This last distinction is often the most dangerous one to make when it comes to deploying IoT devices. In his keynote address to the Chaos Computer Club, Lockdown: the coming war on general-purpose computing[2], Cory Doctorow makes the case that with today’s technology and current computer science thinking, we cannot yet create a computer that is anything other than a general purpose computer. End users may have devices that are nominally prohibited from performing certain actions according to the manufacturer, and those manufacturers sometimes go to great lengths to foil modification efforts. In the end, though, it is not possible to build and sell a computing device that cannot be coerced into rebelling against a manufacturer’s intentions.

The classic example of a manufacturer-imposed prohibited action is media playback restrictions based on a digital rights management (DRM) system. The strategies employed for blocking some kinds of media, while allowing others, are proven to be fundamentally flawed, time and time again.

Self-identified hackers and tinkerers have been compromising DRM systems for decades, coercing media data files and media playback devices into a form more useful for the end-user. Such efforts merely require time, materials, and ingenuity, and are based on a foundational realization that there is truly no such thing as a single-purpose computer. Efforts to evade DRM may ultimately be too costly in terms of time and materials, and may require expertise beyond that of the end-user. While such DRM-evading efforts tend to violate local intellectual property laws, they do not violate the principles of computer science or engineering.

Security systems, like DRM, are for controlling access. Users rely on these systems to prevent unauthorized adversaries from viewing, altering, or destroying data on the secured system. Also like DRM, such systems are not foolproof, since again, the barriers to defeating security systems are time, materials, and expertise, and not the fundamental design of the computing platform. Because IoT devices do not normally appear to be, or behave like, the traditional computers we are familiar with, it is easy for the designers and vendors of these systems to forget this general-purpose property. As a result of this oversight, basic precautions to thwart even casual attackers can fail to make it into production.

IoT devices are actually general purpose, networked computers in disguise, running reasonably complex network-capable software. In the field of software engineering, it is generally believed that such complex software is going to ship with exploitable bugs and implementation-based exposures. Add in external components and dependencies, such as cloud-based controllers and programming interfaces, the surrounding network, and other externalities, and it is clear that vulnerabilities and exposures are all but guaranteed.

[2] https://boingboing.net/2012/01/10/lockdown.html
                | Rapid7.com                 Hacking IoT: A Case Study on Baby Monitor Exposures and Vulnerabilities               2
02 NO EASY FIXES

With traditional computers, we understand that access controls are required in order to satisfy basic security requirements. We also know that these controls will contain bugs, or may simply be rendered obsolete in the face of a novel new attack. Such circumstances are inevitable, and require a configuration change, a patch, or an entirely new design.

IoT devices, unlike traditional computers, often lack a reasonable update and upgrade path once the devices leave the manufacturer’s warehouse.

Despite the fact that the network is what makes the Internet of Things so interesting and useful, that network is rarely, if ever, used to deliver patches in a safe and reasonably secure way.

The absence of a fast, reliable, and safe patch pipeline is a serious and ongoing deployment failure for the IoT. A sub-one hundred dollar video baby monitor, a five hundred dollar smart phone, a thirty-five thousand dollar connected car, and a four hundred million dollar jet airliner are all difficult to patch, even when vulnerabilities are identified, known, and a fix is in hand. This situation is due to a confluence of factors, ranging from the design of these devices, through the regulatory environment (or lack thereof) in which these components and devices exist. Today, a commonly accepted (or truly acceptable) way to effect a rapid rollout of patches simply does not exist.

Unpatchable devices are coming online at an unprecedented rate, and represent a tsunami of unsecurable-after-the-fact devices. According to a 2014 Gartner report[3], the IoT space will be crowded with over 25 billion devices in five years, by 2020. The devices being built and shipped today are establishing the status quo of how these Things will be designed, assembled, commoditized, and supported, so we must take the opportunity, now, to both learn the details of the supply chain that goes into producing and shipping IoT devices, the vulnerabilities and exposures most common to these computers in disguise, and how we can work across the entire manufacturing space to avoid an Internet-wide disaster caused by the presence of these devices on the nervous system of Planet Earth.

Compounding these patching problems is the fact that the use of commodity, third-party hardware, software, and cloud-based resources is prevalent in the IoT industry. While reusing off-the-shelf technologies is critical in keeping costs of production low, it introduces an ambiguity of ownership for developing and deploying patches and other upgrades.

If a vulnerability’s root cause is traced to a third-party software library, for example, the more correct fix would be to patch that library. However, this decision can lead to a “pass the buck” mentality for the vendors involved in the supply chain, ultimately delaying effective patching for the particular device in which the vulnerability was first discovered.

This patchwork of common components leads to confusing amalgamations of interdependencies, and can leave end-users exposed while the details of remediating vulnerabilities are worked out between vendors.

[3] https://www.gartner.com/newsroom/id/2905717
03 WHY BABY MONITORS?

The research presented focuses on the security of retail video baby monitors for a number of reasons. Baby monitors fulfill an intensely personal use case for IoT. They are usually placed near infants and toddlers, are intended to bring peace of mind to new parents, and are marketed as safety devices. By being Internet accessible, they also help connect distant family members with their newest nieces, nephews, and grandchildren, as well as allow parents to check in on their kids when away from home. They are also largely commodity devices, built from general purpose components, using chipsets, firmware, and software found in many other IoT devices.

Video baby monitors make ideal candidates for security exploration; not only are they positioned as safety and security devices (and therefore, should be held to a reasonably high standard for security), but the techniques used in discovering these findings are easily transferable to plenty of other areas of interest. Other products of direct interest to commercial and industrial consumers and security researchers (commercial security systems, home automation systems, on-premise climate control systems) share many of the insecure design and deployment issues found in video baby monitors.
04 WHAT IS THE BUSINESS IMPACT?

While video baby monitors are vastly more commonplace in a home environment and uncommon in an office environment, office environments and home environments are, increasingly, literally the same environment.

The percentage of employees and contractors who are working from home on at least a part time basis continues to rise across every modern economy. New parents are traditionally at the core of this trend, though it is increasingly common across all genders, ages, and family statuses[4]. These employees are, as a matter of necessity, connecting to their workplace virtually, either through VPN connections or through the use of cloud services shared by colleagues.

The presence of devices that are insecure by default, difficult to patch, and impossible to directly monitor by today’s standard corporate IT security practices constitutes not only a threat to the IoT device and its data, but also to the network to which it’s connected. As the IoT is made up of general purpose computers, attackers may be able to leverage an exposure or vulnerability to gain and maintain persistent access to an IoT device. That device can then be used to pivot to other devices and traditional computers by taking advantage of the unsegmented, fully trusted nature of a typical home network.

Today, employees’ home networks are rarely, if ever, “in scope” for organizational penetration testing exercises, nor are they subject to centralized vulnerability scanners.

Another concern is the raw computing power available to attackers in the form of millions to billions of IoT devices. In total, the teraflops of processing power may be effectively harnessed by malicious actors to launch powerful distributed denial of service (DDoS) attacks against arbitrary Internet targets.

Given the lack of home network and on-board monitoring, remediating such attacks may prove extremely difficult once underway, and short-term solutions will tend to deny service to large chunks of residential network space. This, in turn, can knock sizable percentages of the aforementioned stay-at-home workforce offline, with little recourse for employers not prepared to offer alternative workplace accommodations.

[4] http://www.nytimes.com/2014/03/08/your-money/when-working-in-your-pajamas-is-more-productive.html
05 COMMON VULNERABILITIES AND EXPOSURES FOR IoT DEVICES

The items below describe the common vulnerabilities and exposures for IoT devices. Not all IoT devices suffer from all of these software, firmware, and hardware issues, but it is rare to find an IoT device that doesn’t exhibit at least one critical failing. Of the devices under test, all exhibited several common vulnerabilities and exposures.

  KNOWN VULNERABILITIES    OLD VULNERABILITIES THAT SHIP WITH NEW DEVICES
  Cleartext Local API      Local communications are not encrypted
  Cleartext Cloud API      Remote communications are not encrypted
  Unencrypted Storage      Data collected is stored on disk in the clear
  Remote Shell Access      A command-line interface is available on a network port
  Backdoor Accounts        Local accounts have easily guessed passwords
  UART Access              Physically local attackers can alter the device

  Table 1, Common Vulnerabilities and Exposures

Known Vulnerabilities

Brand-name manufacturers of IoT devices tend to implement much of the technology used by their products as embedded systems subcomponents, sourced from third party suppliers. The upstream vendors of these subcomponents tend to run extremely large operations, producing millions of units in a given year, and any change in this supply chain is both time consuming and expensive. Due to the nature of this time-lagged supply chain, individual software components may be months to years old before being assembled into the final product, bringing old and commonly known software vulnerabilities along with them.
Cleartext Local API

Devices built with commodity components and software often fail to use modern cryptographic standards for LAN-local communications. While it is “only the LAN,” there are many passive and active network attacks which can be defeated simply by using common encrypted protocols, such as HTTPS and SSH.

Cleartext Cloud API

Major Internet brands, such as Facebook, Google, Twitter, and other household names are adopting encryption across the board in order to ensure the privacy and authenticity of communications routed over the public (and eavesdroppable) Internet. However, services connected with IoT devices often fail to adhere to this increasingly common standard.

Unencrypted Storage

In addition to the cleartext implementations described above, an ideal IoT recording device such as a video baby monitor should store all recordings in industry standard, encrypted formats, where only authorized users have access to the recorded data.

Remote Shell Access

IoT devices often ship with default or otherwise unconfigured portable operating systems, and are often host to a Linux or other POSIX kernel with a set of stock utilities, such as BusyBox. While these are quite useful for developing and tinkering with hardware, they should not be made available on production systems where shell access is never desired or required.

Backdoor Accounts

As these devices are developed, manufacturers occasionally include either default accounts or service accounts, which are either difficult or impossible to disable under normal usage. Furthermore, these accounts often use default or easily guessable passwords, and tend to share the same unchangeable password, SSH key, or other secret-but-universally-shared token. Finally, these accounts may be protected by a password unique to the device, but the password generating algorithm is easily deduced and the passwords for all devices can be guessed with low attacker effort.

UART Access

Universal Asynchronous Receiver/Transmitter (UART) interfaces often enable a physically close attacker to access and alter IoT devices in ways that bypass the normal authentication mechanisms via a serial cable connection. In addition, UART interfaces tend to grant root access, far exceeding the permissions of regular users. UART access is both a useful diagnostic tool and an excellent means of “rooting” or “jailbreaking” consumer devices. Such activities on a device specifically made for safety and security can lead to some very sneaky persistent attacks. IoT devices such as these should at least be tamper-evident, and give the owner or investigator some obvious indication that it has been altered, if UART access is intended at all.

Newly Discovered Vulnerabilities and Exposure Summary

This report is primarily focused on newly discovered vulnerabilities, rather than exhaustively detailing the expected and typical vulnerabilities found across the IoT space. Table 2 summarizes the new vulnerabilities discovered and disclosed to the vendors and CERT.

  CVE             Reach              Rapid7 ID      Vulnerability                 Device
  CVE-2015-2886   Remote             R7-2015-11.1   Predictable Information Leak  iBaby M6
  CVE-2015-2887   Local Net, Device  R7-2015-11.2   Backdoor Credentials          iBaby M3S
  CVE-2015-2882   Local Net, Device  R7-2015-12.1   Backdoor Credentials          Philips In.Sight B120/37
  CVE-2015-2883   Remote             R7-2015-12.2   Reflective, Stored XSS        Philips In.Sight B120/37
  CVE-2015-2884   Remote             R7-2015-12.3   Direct Browsing               Philips In.Sight B120/37
  CVE-2015-2888   Remote             R7-2015-13.1   Authentication Bypass         Summer Baby Zoom Wifi Monitor & Internet Viewing System
  CVE-2015-2889   Remote             R7-2015-13.2   Privilege Escalation          Summer Baby Zoom Wifi Monitor & Internet Viewing System
  CVE-2015-2885   Local Net, Device  R7-2015-14     Backdoor Credentials          Lens Peek-a-View
  CVE-2015-2881   Local Net          R7-2015-15     Backdoor Credentials          Gynoii
  CVE-2015-2880   Device             R7-2015-16     Backdoor Credentials          TRENDnet WiFi Baby Cam TV-IP743SIC

  Table 2, Newly Identified Vulnerabilities
06 VULNERABILITY REPORTING AND HANDLING

One of the goals of this research is to practice reasonable, coordinated disclosures with vendors of IoT equipment. So, as a matter of course, the vulnerabilities discovered as part of this research were reported in accordance with Rapid7’s Vulnerability Disclosure Policy. According to this policy, vendors are contacted once the findings are verified, then after 15 days, CERT is contacted. 45 days after that (60 days after the initial disclosure attempt), the findings are published.

During the course of the vulnerability disclosure process, we saw vendors exhibit the entire range of possible responses. One vendor was impossible to contact, having no domain or any other obvious Internet presence beyond an Amazon store listing. Some vendors did not respond to the reported findings at all. Others responded with concerns about the motives behind the research, and were wondering why they should be alerted or why they should respond at all.

On the exemplary side, one vendor, Philips N.V., had an established protocol for handling incoming product vulnerabilities, which included using a documented PGP key to encrypt communications around this sensitive material. Philips was also able to involve upstream vendors in pursuing solutions to those technologies provided by others. Weaved, a provider of an IoT-in-the-cloud framework for Philips, was especially open with and responsive to the authors of this paper.

The range of responses itself is worrying, and representative of the IoT industry as a whole. While it is possible for an organization to maintain a flexible, mature process for handling unsolicited vulnerability reports, it is far from the norm. It is hoped that the publication of these findings will help IoT vendors establish reasonable, effective vulnerability handling practices.
07
DISCLOSURES
What follows are the ten vulnerabilities reported to the vendors (when the vendor could be
reached), to CERT, and ultimately, disclosed at the High Technology Crime Investigation
Association (HTCIA) conference on September 2, 2015. Each vendor was provided with an
opportunity to address their product vulnerabilities in advance of this public disclosure, in
accordance with Rapid7’s Disclosure Policy.

Vendor: iBaby Labs, Inc.

The issues for the iBaby devices were disclosed to CERT under vulnerability note VU#745448.

Device: iBaby M6

The vendor’s product site for the device assessed is https://ibabylabs.com/ibaby-monitor-m6

Vulnerability R7-2015-11.1: Predictable public information leak (CVE-2015-2886)

The web site ibabycloud.com has a vulnerability by which any authenticated user of the ibabycloud.com service is able to view camera details for any other user, including video recording details, due to a direct object reference vulnerability.

The object ID parameter is eight hexadecimal characters, corresponding with the serial number for the device. This small object ID space enables a trivial enumeration attack, where attackers can quickly brute force the object IDs of all cameras.

Once an attacker is able to view an account’s details, broken links provide a filename that is intended to show available “alert” videos that the camera recorded. Using a generic AWS CloudFront endpoint found via sniffing iOS app functionality, this URL can have the harvested filename appended and data accessed from the account. This effectively allows anyone to view videos that were created from that camera and stored on the ibabycloud.com service, until those videos are deleted, without any further authentication.

Relevant URLs

Access a camera’s details, including video-recording filenames: http://www.ibabycloud.com/cam/index/camid/{serial_number}/camtype/{cam_type} [any authenticated user]

Access a camera’s video recording: http://d3a9yv3r4ycsw2.cloudfront.net/monitor/alert/{serial_number}/(unknown) [no authentication required]

Additional Details

The ibabycloud.com authentication procedure has been non-functional as of at least June 2015, continuing through the publication of this paper in September 2015. These errors started after testing was conducted for this research, and today do not allow for logins to the cloud service. That noted, it may still be possible to get a valid session via the API and subsequently leverage the site and API to gain these details.

Mitigations

Today, this attack is more difficult without prior knowledge of the camera’s serial number, as all logins are disabled on the ibabycloud.com website. Attackers must, therefore, acquire specific object IDs by other means, such as sniffing local network traffic.

In order to avoid cleartext exposure of local network traffic, customers should inquire with the vendor about a firmware update, or cease using the device.

Device: iBaby M3S

The vendor’s product site for the device assessed is https://ibabylabs.com/ibaby-monitor-m3s
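The direct object reference and the unauthenticated recording link described for the iBaby M6 above, reduced to a small server-side model. This is an added example written for this page, not iBaby’s or Rapid7’s code: the serials, account names, CDN host and signing key are constructed placeholders, and the signed, expiring URL is one common way to stop a harvested filename from being enough on its own, not what the vendor later shipped.

```python
import hmac
import hashlib

# Constructed sample data (not real serials or accounts): two customers, each
# owning one camera, keyed by the eight-hex-character serial the paper says the
# cloud site uses as its object ID.
CAMERAS = {
    "0a1b2c3d": {"owner": "alice", "alerts": ["alert_0001.mp4"]},
    "ffee0011": {"owner": "bob", "alerts": ["alert_0042.mp4"]},
}


def object_id_space(hex_chars: int = 8) -> int:
    """How many IDs an enumeration has to cover: 16**8 for an 8-hex serial."""
    return 16 ** hex_chars


def camera_details_vulnerable(session_user, camid: str) -> dict:
    """Mirrors the reported behaviour (direct object reference): the only check
    is that *some* user is logged in; ownership of the serial is never tested."""
    if session_user is None:
        raise PermissionError("login required")
    return CAMERAS[camid]


def camera_details_fixed(session_user, camid: str) -> dict:
    """Authorisation fix: the serial must belong to the logged-in user. Unknown
    and foreign serials get the same error, so a probe cannot distinguish
    'exists but not yours' from 'does not exist'."""
    if session_user is None:
        raise PermissionError("login required")
    cam = CAMERAS.get(camid)
    if cam is None or cam["owner"] != session_user:
        raise PermissionError("no such camera")
    return cam


def access_allowed(handler, session_user, camid: str) -> bool:
    """Helper: True if the handler serves the request, False if it refuses."""
    try:
        handler(session_user, camid)
        return True
    except (PermissionError, KeyError):
        return False


# Recording links: the paper describes a CDN path that serves a video to anyone
# who knows serial + filename. A signed, expiring URL means a harvested filename
# is useless on its own. Key and host are placeholders for this example.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
CDN = "https://cdn.example.invalid"
ALERT_PREFIX = "/monitor/alert/"


def _signature(camid: str, filename: str, expires_at: int) -> str:
    msg = f"{camid}/{filename}/{expires_at}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def signed_alert_url(camid: str, filename: str, expires_at: int) -> str:
    """Issued by the cloud service only after camera_details_fixed succeeded."""
    sig = _signature(camid, filename, expires_at)
    return f"{CDN}{ALERT_PREFIX}{camid}/{filename}?exp={expires_at}&sig={sig}"


def cdn_authorize(url: str, now: int) -> bool:
    """What the CDN edge checks before serving: intact signature, not expired."""
    path, _, query = url.partition("?")
    params = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    if not path.startswith(CDN + ALERT_PREFIX) or "exp" not in params or "sig" not in params:
        return False
    parts = path[len(CDN) + len(ALERT_PREFIX):].split("/", 1)
    if len(parts) != 2:
        return False
    try:
        expires_at = int(params["exp"])
    except ValueError:
        return False
    expected = _signature(parts[0], parts[1], expires_at)
    return hmac.compare_digest(expected, params["sig"]) and now < expires_at
```

The ownership check is the real fix; the signed URL only closes the second half of the chain (video retrieval without any authentication). Note that `camera_details_fixed` deliberately answers an unknown serial and someone else’s serial identically, since a distinguishable response would still let an enumeration map the serial space.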
Vulnerability R7-2015-11.2, Backdoor Credentials (CVE-2015-2887)

The device ships with hardcoded credentials, accessible from a telnet login prompt and a UART interface, which grant access to the underlying operating system. Those credentials are detailed below.

  Operating System (via Telnet or UART)
  Username: admin
  Password: admin

Mitigations

In order to disable these credentials, customers should inquire with the vendor about a firmware update. UART access can be limited by not allowing untrusted parties physical access to the device. A vendor-provided patch should disable local administrative logins, and in the meantime, end-users should secure the device’s housing with tamper-evident labels.

Disclosure Timeline

Sat, Jul 04, 2015: Initial contact to vendor
Mon, Jul 06, 2015: Vendor reply, requesting details for ticket #4085
Tue, Jul 07, 2015: Disclosure to vendor
Tue, Jul 21, 2015: Disclosure to CERT
Fri, Jul 24, 2015: Confirmed receipt by CERT
Wed, Sep 02, 2015: Public disclosure
Wed, Sep 02, 2015: iBaby Labs communicated that access token expiration and secure communication channels have been implemented.

Note: According to iBaby Labs, it contacted Rapid7 by email on August 8 to let us know that access token expiration and secure communication channels had been implemented. We did not receive the message, and therefore did not learn about the changes until we received a communication on September 2, after this report was first published.

Vendor: Philips Electronics N.V.

The issue for the Philips device was disclosed to CERT under vulnerability note VU#569536.

Device: Philips In.Sight B120/37

The vendor’s product site for the device assessed is http://www.usa.philips.com/c-p/B120_37/in.sight-wireless-hd-baby-monitor

Vulnerability R7-2015-12.1, Backdoor Credentials (CVE-2015-2882)

The device ships with hardcoded and statically generated credentials which can grant access to both the local web server and operating system.

The operating system “admin” and “mg3500” account passwords are present due to the stock firmware used by this camera, which is also used by other cameras on the market today.

The web service “admin” statically generated password was first documented by Paul Price at his blog [5].

In addition, while the telnet service may be disabled by default on the most recent firmware, it can be re-enabled via an issue detailed below.

  Operating System (via Telnet or UART)
  Username: root
  Password: b120root

  Operating System (via Telnet or UART)
  Username: admin
  Password: /ADMIN/

  Operating System (via Telnet or UART)
  Username: mg3500
  Password: merlin

  Local Web Server
  Reachable via http://{device_ip}/cgi-bin/{script_path}
  Username: user
  Password: M100-4674448

  Local Web Server
  Reachable via http://{device_ip}/cgi-bin/{script_path}
  Username: admin
  Password: M100-4674448
    • A recent update changes this password, but the new password is simply the letter ‘i’ prefixing the first ten characters of the MD5 hash of the device’s MAC address.

Vulnerability R7-2015-12.2, Reflective and Stored XSS (CVE-2015-2883)

A web service used on the backend of Philips’ cloud service to create remote streaming sessions is vulnerable to reflective and stored XSS. Subsequently, session hijacking is possible due to the lack of an HttpOnly flag.

When accessing the Weaved cloud web service [6] as an authenticated user, multiple pages have a mixture of reflective and stored XSS in them, allowing for potential session hijacking. With this access, a valid streaming session could be generated and eavesdropped upon by an attacker.

Two such examples are:

1. https://developer.weaved.com/portal/members/deviceSettings.php?id={mac_address}&name={base64_encoded_xss_string}
2. https://developer.weaved.com/portal/members/shareDevice.php?id={mac_address}&name={base64_encoded_xss_string}

Vulnerability R7-2015-12.3, Direct Browsing via Insecure Streaming (CVE-2015-2884)

The method for allowing remote viewing uses an insecure transport, does not offer secure streams protected from attackers, and does not offer sufficient protection for the camera’s internal web applications.

Once a remote viewing stream has been requested, a proxy connection to the camera’s internal web service via the cloud provider Yoics [7] is bound to a public hostname and port number. These port numbers appear to range from port 32,000 to 39,000, as determined from testing. This bound port is tied to a hostname with the pattern proxy[1,3-14].yoics.net, limiting the potential number of port and host combinations to an enumerable level. Given this manageable attack space, attackers can test for an HTTP 200 response in a reasonably short amount of time.

Once found, administrative privilege is available without authentication of any kind to the web scripts available on the device. Further, by accessing a Unicode-enabled streaming URL (known as an “m3u8” URL), a live video/audio stream from the camera will be accessible and appears to stay open for up to one hour on that host/port combination. There is no blacklist or whitelist restriction on which IP addresses can access these URLs, as revealed in testing.

Relevant URLs

Open audio/video stream of a camera: http://proxy{1,3-14}.yoics.net:{32000-39000}/tmp/stream2/stream.m3u8 [no authentication required]

Enable Telnet service on camera remotely: http://proxy{1,3-14}.yoics.net:{32000-39000}/cgi-bin/cam_service_enable.cgi [no authentication required]

Mitigations

In order to disable the hard-coded credentials, customers should inquire with the vendor about a firmware update. UART access can be limited by not allowing untrusted parties physical access to the device. A vendor-provided patch should disable local administrative logins, and in the meantime, end-users should secure the device’s housing with tamper-evident labels.

In order to avoid the XSS and cleartext streaming issues with Philips’ cloud service, customers should avoid using the remote streaming functionality of the device and inquire with the vendor about the status of a cloud service update.

Additional Information

Prior to publication of this report, Philips confirmed with Rapid7 that the tested device was discontinued by Philips in 2013, and that the current manufacturer and distributor is Gibson Innovations. Gibson has developed a solution for the identified vulnerabilities, and expects to make updates available by September 4, 2015.

Disclosure Timeline

Sat, Jul 04, 2015: Initial contact to vendor
Mon, Jul 06, 2015: Vendor reply, requesting details
Tue, Jul 07, 2015: Philips Responsible Disclosure ticket number 15191319 assigned
Tue, Jul 17, 2015: Phone conference with vendor to discuss issues
Tue, Jul 21, 2015: Disclosure to CERT
Fri, Jul 24, 2015: Confirmed receipt by CERT
Thu, Aug 27, 2015: Contacted by Weaved to validate R7-2015-12.2
Tue, Sep 01, 2015: Contacted by Philips regarding the role of Gibson Innovations
Wed, Sep 02, 2015: Public disclosure
Sat, Sep 05, 2015: Affected cloud services updated
Fri, Sep 11, 2015: Insight firmware updated to version 7.4
Sat, Sep 12, 2015: Insight Android app updated
Thu, Sep 17, 2015: Insight iOS app updated

Vendor: Summer Infant

The issues for the Summer Infant device were disclosed to CERT under vulnerability note VU#837936.

Device: Summer Baby Zoom WiFi Monitor & Internet Viewing System

The vendor’s product site for the device assessed is http://www.summerinfant.com/monitoring/internet/babyzoomwifi.

Vulnerability R7-2015-13.1, Authentication Bypass (CVE-2015-2888)

An authentication bypass allows for the addition of an arbitrary account to any camera, without authentication.

The web service MySnapCam [8] is used to support the camera’s functionality, including account management for access. A URL retrievable via an HTTP GET request can be used to add a new user to the camera. This URL does not require any of the camera’s administrators to have a valid session to execute this request, allowing anyone requesting the URL with their details against any camera ID to have access added to that device.

After a new user is successfully added, an e-mail will then be sent to an e-mail address provided by the attacker with authentication details for the MySnapCam website and mobile application. Camera administrators are not notified of the new account.

Relevant URL

Add an arbitrary user to any camera: https://swifiserv.mysnapcam.com/register/?fn={first_name}&ln={last_name}&email={email}&userType=3&userGroup={id} [no authentication required]

Vulnerability R7-2015-13.2, Privilege Escalation (CVE-2015-2889)

An authenticated, regular user can access an administrative interface that fails to check for privileges, leading to privilege escalation.

A “Settings” interface exists for the camera’s cloud service administrative user and appears as a link in their interface when they log in. If a non-administrative user is logged in to that camera and manually enters that URL, they are able to see the same administrative actions and carry them out as if they had administrative privilege. This allows an unprivileged user to elevate account privileges arbitrarily.

Relevant URL

Access administrative actions as an unprivileged, but valid, user: https://www.summerlinkwifi.com/settings_users.php [a user account for the camera is required]

Mitigations

In order to avoid exposure to the authentication bypass and privilege escalation, customers should use the
device in a local network only mode, and use egress firewall rules to block the camera from the Internet. If Internet access is desired, customers should inquire about an update to Summer Infant’s cloud services.

Disclosure Timeline

Sat, Jul 04, 2015: Initial contact to vendor
Tue, Jul 21, 2015: Disclosure to CERT
Fri, Jul 24, 2015: Confirmed receipt by CERT
Tue, Sep 01, 2015: Confirmed receipt by the vendor
Wed, Sep 02, 2015: Public disclosure
Wed, Sep 02, 2015: Summer Infant tweeted that all reported issues have been resolved

Vendor: Lens Laboratories(f)

The issues for the Lens Laboratories(f) device were disclosed to CERT under vulnerability note VU#931216.

Device: Lens Peek-a-View

The vendor’s product site for the device assessed is http://www.amazon.com/Peek---view-Resolution-Wireless-Monitor/dp/B00N5AVMQI/

Of special note, it has proven difficult to find a registered domain for this vendor. All references to the vendor point at Amazon directly, but Amazon does not appear to be the manufacturer or vendor.

Vulnerability R7-2015-14, Backdoor Credentials (CVE-2015-2885)

The device ships with hardcoded credentials, accessible from a UART interface, which grant access to the underlying operating system, and via the local web service, giving local application access via the web UI. Due to weak filesystem permissions, the local OS ‘admin’ account has effective ‘root’ privileges.

  Operating System (via UART)
  Username: admin
  Password: 2601hx

  Local Web Server
  Site: http://{device_ip}/web/
  Username: user
  Password: user

  Local Web Server
  Site: http://{device_ip}/web/
  Username: guest
  Password: guest

Mitigations

In order to disable these credentials, customers should inquire with the vendor about a firmware update. UART access can be limited by not allowing untrusted parties physical access to the device. A vendor-provided patch should disable local administrative logins, and in the meantime, end-users should secure the device’s housing with tamper-evident labels.

Disclosure Timeline

Sat, Jul 04, 2015: Attempted to find vendor contact
Tue, Jul 21, 2015: Disclosure to CERT
Fri, Jul 24, 2015: Confirmed receipt by CERT
Wed, Sep 02, 2015: Public disclosure

Vendor: Gynoii, Inc.

The issues for the Gynoii devices were disclosed to CERT under vulnerability note VU#738848.

Device: Gynoii

The vendor’s product site for the device assessed is http://www.gynoii.com/product.html

Vulnerability R7-2015-15, Backdoor Credentials (CVE-2015-2881)

The device ships with hardcoded credentials, accessible via the local web service, giving local application access via the web UI.

  Local Web Server
  Site: http://{device_ip}/admin/
  Username: guest
  Password: guest

  Local Web Server
  Site: http://{device_ip}/admin/
  Username: admin
  Password: 12345

Mitigations

In order to disable these credentials, customers should inquire with the vendor about a firmware update.

Disclosure Timeline

Sat, Jul 04, 2015: Initial contact to vendor
Tue, Jul 21, 2015: Disclosure to CERT
Fri, Jul 24, 2015: Confirmed receipt by CERT
Wed, Sep 02, 2015: Public disclosure
Wed, Sep 02, 2015: Gynoii acknowledged the above research shortly after publication and is assessing appropriate patch strategies.

Vendor: TRENDnet

The issue for the TRENDnet device was disclosed to CERT under vulnerability note VU#136207.

Device: TRENDnet WiFi Baby Cam TV-IP743SIC

The vendor’s product site for the device under test is http://www.trendnet.com/products/proddetail.asp?prod=235_TV-IP743SIC

Vulnerability R7-2015-16: Backdoor Credentials (CVE-2015-2880)

The device ships with hardcoded credentials, accessible via a UART interface, giving local, root-level operating system access.

  Operating System (via UART)
  Username: root
  Password: admin

Mitigations

In order to disable these credentials, customers should inquire with the vendor about a firmware update. UART access can be limited by not allowing untrusted parties physical access to the device. A vendor-provided patch should disable local administrative logins, and in the meantime, end-users should secure the device’s housing with tamper-evident labels.

Disclosure Timeline

Sat, Jul 04, 2015: Initial contact to vendor
Mon, Jul 06, 2015: Vendor reply, details disclosed to vendor
Sun, Jul 16, 2015: Clarification sought by vendor
Mon, Jul 20, 2015: Clarification provided to vendor
Tue, Jul 21, 2015: Disclosure to CERT
Wed, Sep 02, 2015: Public disclosure
Thu, Sep 03, 2015: TRENDnet reports updated firmware available (version 1.0.3), released on Sep 02, 2015.
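The three cloud-service defects reported above, the Weaved XSS with a session cookie lacking HttpOnly (R7-2015-12.2), the MySnapCam registration URL that needs no session (R7-2015-13.1) and the Settings page that checks for a login but not for a role (R7-2015-13.2), share one root cause: a handler that trusts its input or its caller without checking. The model below is an added example, not code from Philips, Weaved, Summer Infant or MySnapCam; the handler names echo the paper’s endpoints, and the sessions, camera groups, e-mail addresses and probe string are constructed sample data. Each vulnerable handler sits beside its fixed form.

```python
import base64
import html
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    user: Optional[str]      # None means an anonymous request
    role: str = "user"       # "user" or "admin"
    group: int = 0           # the camera (userGroup) this account belongs to


@dataclass
class Response:
    status: int
    body: str = ""


# --- R7-2015-12.2: session cookie without HttpOnly, plus reflected input -----

def session_cookie_weak(token: str) -> str:
    """No HttpOnly: script injected via the XSS below can read document.cookie."""
    return f"session={token}; Path=/"


def session_cookie_hardened(token: str) -> str:
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def missing_cookie_flags(set_cookie: str) -> List[str]:
    """Audit helper: which protective attributes a Set-Cookie header lacks."""
    present = {a.strip().split("=")[0].lower() for a in set_cookie.split(";")[1:]}
    return [f for f in ("HttpOnly", "Secure", "SameSite") if f.lower() not in present]


# Constructed probe string, base64-encoded the way the reported `name`
# parameter is; it only serves to show the difference between the handlers.
XSS_PROBE = "<script>alert(1)</script>"
XSS_PROBE_B64 = base64.b64encode(XSS_PROBE.encode()).decode()


def device_settings_vulnerable(sess: Session, name_b64: str) -> Response:
    """Decodes the base64 `name` and writes it into the page unescaped."""
    name = base64.b64decode(name_b64).decode("utf-8", "replace")
    return Response(200, f"<h1>Device: {name}</h1>")


def device_settings_fixed(sess: Session, name_b64: str) -> Response:
    """Same decode, but output-encoded for the HTML context it lands in."""
    name = base64.b64decode(name_b64).decode("utf-8", "replace")
    return Response(200, f"<h1>Device: {html.escape(name)}</h1>")


# --- R7-2015-13.1: user registration that never asks who is calling --------

def register_vulnerable(sess: Session, email: str, group: int,
                        users: Dict[int, List[str]], notices: List[str]) -> Response:
    """Anyone, logged in or not, can add an address to any camera group."""
    users.setdefault(group, []).append(email)
    return Response(200, "user added")


def register_fixed(sess: Session, email: str, group: int,
                   users: Dict[int, List[str]], notices: List[str]) -> Response:
    """Only an administrator of that same group may add members, and existing
    members are notified, so an account can no longer be added silently."""
    if sess.user is None:
        return Response(401, "login required")
    if sess.role != "admin" or sess.group != group:
        return Response(403, "not an administrator of this camera")
    members = users.setdefault(group, [])
    notices.extend(f"to {m}: {email} was added to camera {group}" for m in members)
    members.append(email)
    return Response(200, "user added")


# --- R7-2015-13.2: admin page that checks for a session, not for a role ----

def settings_users_vulnerable(sess: Session) -> Response:
    if sess.user is None:
        return Response(401, "login required")
    return Response(200, "administrative actions")


def settings_users_fixed(sess: Session) -> Response:
    if sess.user is None:
        return Response(401, "login required")
    if sess.role != "admin":
        return Response(403, "forbidden")
    return Response(200, "administrative actions")
```

Two points carry over to any such service: authorisation is a property of the handler, not of the menu that links to it (hiding the Settings link did nothing once the URL was typed in), and a cookie without HttpOnly turns every XSS into a session theft, so the cookie attributes and the output encoding are both needed.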
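Five of the ten findings are hardcoded credentials reachable over UART, telnet or the local web server (R7-2015-11.2, 12.1, 14, 15 and 16), and the repeated mitigation is a patch that disables local administrative logins. The check below is an added example of the audit a vendor could run over an extracted firmware root filesystem before release, or that a reviewer could run over an image; it is not Rapid7’s tooling or any vendor’s code, and the passwd, shadow and inittab contents are constructed sample files, not material from any device tested here. It flags accounts that ship with a password hash and a login shell (a hash baked into the image is identical on every unit, so it is a shared password by construction), extra UID 0 accounts, and telnet or serial-console logins started at boot.

```python
import re
from typing import Dict, List

# Constructed sample files, laid out like a small BusyBox-based image.
SAMPLE_PASSWD = """\
root:x:0:0:root:/:/bin/sh
admin:x:0:0:admin:/:/bin/sh
mg3500:x:1000:1000::/home/mg3500:/bin/sh
daemon:x:2:2:daemon:/sbin:/sbin/nologin
www:x:33:33:www:/var/www:/sbin/nologin
"""

SAMPLE_SHADOW = """\
root:$1$abcdefgh$ConstructedHashValue000000000:16600:0:99999:7:::
admin:$1$abcdefgh$ConstructedHashValue111111111:16600:0:99999:7:::
mg3500:$1$abcdefgh$ConstructedHashValue222222222:16600:0:99999:7:::
daemon:*:16600:0:99999:7:::
www:!:16600:0:99999:7:::
"""

SAMPLE_INITTAB = """\
::sysinit:/etc/init.d/rcS
::respawn:/sbin/getty -L ttyS0 115200 vt100
::respawn:/usr/sbin/telnetd -l /bin/login
"""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_colon_file(text: str) -> Dict[str, List[str]]:
    """passwd/shadow style: first field is the key, the rest are kept in order."""
    rows: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        rows[fields[0]] = fields[1:]
    return rows


def audit_accounts(passwd_text: str, shadow_text: str) -> List[str]:
    findings: List[str] = []
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    for user, fields in passwd.items():
        uid, shell = fields[1], fields[-1]
        interactive = shell not in NOLOGIN_SHELLS
        if user in shadow:
            hash_ = shadow[user][0]
            locked = hash_ in ("*", "!", "!!") or hash_.startswith("!")
            if interactive and hash_ == "":
                findings.append(f"{user}: empty password with login shell {shell}")
            elif interactive and not locked:
                # Same hash on every unit built from this image: a shared password.
                findings.append(f"{user}: fixed password hash with login shell {shell}")
        if uid == "0" and user != "root":
            findings.append(f"{user}: extra UID 0 account (effective root)")
    return findings


def audit_boot_services(inittab_text: str) -> List[str]:
    findings: List[str] = []
    for line in inittab_text.splitlines():
        if re.search(r"\btelnetd\b", line):
            findings.append("telnetd started from inittab: " + line.strip())
        if re.search(r"\bgetty\b.*ttyS", line):
            findings.append("serial console login on UART: " + line.strip())
    return findings


def audit_firmware(passwd_text: str = SAMPLE_PASSWD,
                   shadow_text: str = SAMPLE_SHADOW,
                   inittab_text: str = SAMPLE_INITTAB) -> List[str]:
    return audit_accounts(passwd_text, shadow_text) + audit_boot_services(inittab_text)


if __name__ == "__main__":
    for finding in audit_firmware():
        print("FINDING:", finding)
```

On a real image the three inputs come from the extracted root filesystem (`etc/passwd`, `etc/shadow`, `etc/inittab`, plus any `rcS`-style scripts that spawn services); the rule set is deliberately small so that a release pipeline can fail the build on any finding rather than on a score.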

[5] http://www.ifc0nfig.com/a-close-look-at-the-philips-in-sight-ip-camera-range/
[6] http://www.weaved.com/
[7] https://www.yoics.net
[8] http://www.mysnapcam.com/
08
WORKING TO IMPROVE IoT SECURITY

It is the authors’ hope that everyone who reads this paper has a better sense of the security issues facing the current generation of the Internet of Things. While we take great pride in performing research on individual IoT devices that have real-world benefits to consumers and businesses, we also realize that those efforts alone don’t scale to the massive size and growth of IoT.

In February 2014, Mark Stanislav co-founded the IoT security initiative BuildItSecure.ly [9]. Through vendor outreach efforts, BuildItSecure.ly not only provides curated information security guidance to IoT vendors of all sizes, but also pairs those vendors with highly regarded information security researchers. Through this pro bono, coupled approach, BuildItSecure.ly is able to translate research and knowledge transfer into real security improvements that will impact the entire product line of participating vendors.

Mark also participates in the Online Trust Alliance’s IoT Working Group [10], which is developing the “IoT Trust Framework” to provide clear guidance to vendors on expectations of both privacy and information security features for their products. Vendors that utilize this framework will have a set of minimum boundaries for how their products and related services should handle the data and trust being provided to them by their customers. By establishing this framework, vendors can be confident in how to approach tough design and implementation choices that produce high quality, secure, and affordable products.

[9] http://builditsecure.ly/
[10] https://otalliance.org/initiatives/internet-things
09
ABOUT RAPID7
Rapid7 is a leading provider of security data and analytics solutions that
enable organizations to implement an active, analytics-driven approach to
cyber security. We combine our extensive experience in security data and
analytics and deep insight into attacker behaviors and techniques to make
sense of the wealth of data available to organizations about their IT
environments and users. Our solutions empower organizations to prevent
attacks by providing visibility into vulnerabilities and to rapidly detect
compromises, respond to breaches, and correct the underlying causes of
attacks. Rapid7 is trusted by more than 4,150 organizations across 90
countries, including 34% of the Fortune 1000. To learn more about Rapid7
or get involved in our threat research, visit www.rapid7.com.
