Hackers manage to break into the gadget and manipulate video

Jul 15, 2014 07:29 GMT

The home monitoring cameras from Dropcam have been found to be vulnerable to a set of attacks that would permit injecting video frames, watching the captured video, and accessing the sound recording capabilities of the device.

Dropcam prides itself on the security of the recorded content, which is encrypted on the camera and can be sent securely even over an insecure network.

The camera is designed to cover home monitoring needs by providing a simple way to check what is going on inside a room. This is achieved by sending the recorded video to a Dropcam server, which can stream it to a user’s device.

For security reasons, both the camera and the server have been designed to accept requests only from each other, based on authentication keys and certificates. The developers implemented perfect forward secrecy to secure each session.

“Each camera has its own private key and certificate used to authenticate with the server and derive per-session encryption keys. This means that to compromise a camera the intruder would need that specific camera’s key, which is only stored on the camera itself. Similarly, no matter which Dropcam client (iOS, Android, and Web) you use, your video stream is encrypted. Dropcam employs perfect forward secrecy to make each session secure.”

However, two researchers, Patrick Wardle and Colby Moore of security firm Synack, have discovered that Dropcam equipment runs an old version of OpenSSL, which is vulnerable to the Heartbleed attack and to other software flaws that would help an attacker gain access to the content.

“The camera is vulnerable to client-side Heartbleed attacks. You could spoof the DropCam DNS server, and the camera would beacon out,” Wardle told DarkReading.

The duo managed to fully compromise the Dropcam device and leverage the Heartbleed flaw to intercept the video footage transmitted securely to online servers. They did it by reverse-engineering the camera device in order to extract the encryption key.

Basically, physical access to the equipment is all a hacker needs to have complete access to the video footage and manipulate it to hide malicious activity in the monitored room.

The two researchers also found an old version of the open-source BusyBox, laden with exploitable bugs. “A lot of the software is really old, and there's a lot of potential for vulnerabilities to go unnoticed and unpatched,” DarkReading writes, quoting Moore.

Wardle and Moore managed to break into the Dropcam and upload malicious firmware through a USB connection, thus rooting the device.

From a computer running OS X that is connected to the Dropcam, an attacker would be able to access the device's configuration file with write permission.

Next month, at the Defcon hacker conference in Las Vegas, the researchers will make a full presentation of the methods that can be used to hack the Dropcam in order to steal and manipulate the recorded information.