UPDATE
Researchers have publicly disclosed security flaws found in ADT-owned LifeShield security cameras, which, if exploited, could have allowed a local attacker to eavesdrop on victims’ conversations or tap into a live video feed.
The LifeShield brand is owned by security giant ADT. Specifically affected is the LifeShield DIY HD Video Doorbell, which connects to users’ Wi-Fi networks and lets them answer the door remotely using the LifeShield mobile app.
Researchers contacted ADT before publicly disclosing the flaw, and ADT has deployed patches to all impacted devices. However, security experts warn that ADT’s glitches serve as warning and are just the latest camera maker to patch similar security issues tied to connected cameras.
“Gaps in this fragile ecosystem can have unforeseen consequences and might even turn devices that protect our privacy into tools that violate it,” said researchers with Bitdefender on Wednesday.
According to ADT, 1,500 devices were affected by the flaw. These devices were part of a single model of LifeShield doorbell camera, which was marketed and sold as a residential device, and is no longer currently sold. According to ADT, its current line of DIY hardware, under the “Blue by ADT” brand, is completely new hardware and is not affected by the flaw.
What Are the Flaws
Researchers outlined several issues in the security cameras. Firstly, local attackers (i.e., connected to the same Wi-Fi network) could view credentials from the cloud for each device. The camera is identified by the cloud via its MAC address, and is then authenticated. However, after the device is set up and a password is created, the server would respond to requests that contained the wrong credentials, said researchers. Moreover, it actually responded with the last-known credentials – which could have allowed an attacker to obtain the administrator password of the camera by simply knowing its MAC address.
Finding a device’s MAC address is “not difficult at all,” Bogdan Botezatu, director of threat research and reporting for Bitdefender, told Threatpost. “Networked devices broadcast their MAC Address freely on the same LAN,” he said.
In order to exploit the flaw, “an attacker would only need to be connected to the same network as the wireless camera,” Botezatu told Threatpost. Attackers could then use a packet sniffer to scope out the requests between the camera and the server, Botezatu said: “Any packet sniffer would work. Wireshark and TCPdump would be the go-to tools in any hacker’s arsenal,” he said.
“This way, they would be able to intercept the camera communication that also contains the administrator password encoded in base64,” said Botezatu. “Once these credentials are obtained, the attacker can control the camera for as long as they share the same network (the camera’s web interface is only available on the same network).”
Secondly, local attackers were able to gain unrestricted real-time streaming protocol (RTSP) access to the video feed. RTSP is a network control protocol utilized by communication systems to control streaming media servers.
After gaining credentials via the device MAC address, attackers could have easily accessed the interface. This would have given them unauthenticated access to the RTSP server – allowing them to access both video and audio of the camera’s streaming live feed.
Finally, after gaining administrative credentials and accessing the interface, there was an endpoint vulnerable to command injection which can be exploited to gain root access, said researchers. Stemming from unsanitized input, this flaw (CVE-2020-8101) allows local attackers to inject authenticated commands.
“The attacker gains control to the audio and video feed even in the absence of credentials, as vulnerable versions of firmware used to expose RSTP feeds on the network at rtsp://[ip-address]:554/img/media.sav,” Botezatu told Threatpost.
Disclosure to ADT
Researchers first contacted the vendor on Feb. 6 last year, and did not hear back until Aug. 3. On Aug. 17, an automatic update was released to fix the issue. Fast forward to this Wednesday, researchers finally publicly disclosed the vulnerability.
“We worked with Bitdefender to identify and quickly patch the vulnerabilities its researchers privately brought to our attention,” an ADT spokesperson told Threatpost. “All the affected doorbell cameras have been patched.”
Researcher meanwhile said that ADT “was quick to address the issues once contact was established.”
“Patches were applied to the production servers and all 1,500 affected devices within 2 weeks of being notified of the vulnerabilities,” they said.
In-Security Cameras
Various vulnerabilities continue to plague security cameras. In March 2020, Taiwan-based LILIN warned that attackers were exploiting multiple zero-day flaws in its CCTV security cameras in order to add them to various botnets. And in October 2020, Cisco issued patches for high-severity vulnerabilities plaguing its popular video surveillance IP cameras, which could allow an unauthenticated, adjacent attacker to execute arbitrary code.
However, the level of sensitive footage and audio that these devices collect also make them prime targets for disturbing attacks that impede on customers’ privacy.
Last week, former ADT employee Telesforo Aviles pleaded guilty to accessing customers’ security camera footage in order to spy on their most private moments, according to the U.S. Attorneys’ Office.
Threatpost has reached out to ADT for further comment on this latest flaw.
Updated on Jan. 27 at 3pm ET: A previous version of this article quoted a market share percentage for ADT; this percentage does not encompass for ADT’s DIY security products and DIY internet-connected security cameras.
Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World , sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!