Another day, another internet of things (IoT) issue: A design flaw in the Guardzilla home video surveillance system has been discovered that allows users to watch other homeowners’ Guardzilla videos.
The Guardzilla All-In-One Video Security System is a home security platform that provides indoor video surveillance. The GZ501W model camera contains a shared, hard-coded Amazon S3 credential used for storing saved video data in the Amazon cloud – so all users of the Guardzilla All-In-One Video Security System have the same password, and thus can access each other’s saved home video. And, any unauthenticated user can collect the data from any of the systems over the internet as long as they know the storage details.
“Embedded S3 credentials have unlimited access to all S3 buckets provisioned for that account,” Rapid7 researchers explained in a Thursday post. “This was determined through static analysis of the firmware shipping with the device. Once the firmware was extracted and the root password ‘GMANCIPC’ was cracked, the Amazon S3 access key was recovered.”
Using the access keys, an attacker can connect to the provisioned Amazon S3 account and access the various storage buckets associated with the service. These include the provocatively named “free-video-storage,” “free-video-storage-persist,” “premium-video-storage” and “premium-video-storage-persist.”
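The root cause above is a long-lived AWS credential baked into the firmware image. The check a vendor or auditor would want before shipping is a secret scan of the extracted root filesystem. The following is an added example, not Rapid7's tooling or anything from the Guardzilla firmware: it walks a directory tree, flags strings shaped like AWS access key IDs (the AKIA/ASIA prefix plus 16 upper-case alphanumerics) and notes whether a 40-character secret-key candidate follows nearby. The sample file contents are constructed, and the key pair used in them is the one AWS publishes in its own documentation as a non-functional example.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# AWS access key IDs are 20 chars: a 4-char prefix (AKIA long-term, ASIA temporary)
# followed by 16 upper-case alphanumerics. The lookarounds stop us matching a
# substring of a longer token.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys are 40 chars drawn from [A-Za-z0-9/+]. On their own they are
# too generic to flag, so we only look for one in a window after an access key ID.
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
SECRET_WINDOW = 256  # bytes searched after the key ID for a companion secret

# Constructed sample data. The key pair is AWS's documented example pair and
# does not open any real bucket.
SAMPLE_CONFIG = (
    b"aws_access_key_id=AKIAIOSFODNN7EXAMPLE\n"
    b"aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
)
SAMPLE_CLEAN = b"version=1.2.3\nhost=example.invalid\n"


def scan_bytes(data: bytes) -> List[Tuple[int, str, bool]]:
    """Return (offset, access_key_id, secret_nearby) for every key ID in data."""
    hits = []
    for m in ACCESS_KEY_RE.finditer(data):
        window = data[m.end(): m.end() + SECRET_WINDOW]
        hits.append((m.start(), m.group().decode(), SECRET_RE.search(window) is not None))
    return hits


def scan_tree(root: str) -> Dict[str, List[Tuple[int, str, bool]]]:
    """Scan every regular file under root (an unpacked firmware rootfs)."""
    findings: Dict[str, List[Tuple[int, str, bool]]] = {}
    root_path = Path(root)
    for path in root_path.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable device nodes etc. in a rootfs image
        hits = scan_bytes(data)
        if hits:
            findings[path.relative_to(root_path).as_posix()] = hits
    return findings


def build_demo_tree() -> str:
    """Write a tiny fake rootfs to a temp dir so the scanner can be run offline."""
    root = Path(tempfile.mkdtemp(prefix="rootfs-demo-"))
    (root / "etc").mkdir()
    (root / "etc" / "app.conf").write_bytes(SAMPLE_CONFIG)
    (root / "etc" / "version").write_bytes(SAMPLE_CLEAN)
    return str(root)


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel_path, hits in scan_tree(demo_root).items():
        for offset, key_id, has_secret in hits:
            status = "secret candidate nearby" if has_secret else "key ID only"
            print(f"{rel_path} @ {offset}: {key_id} ({status})")
```

Run it against the directory produced by unpacking a firmware image (for example the output of a squashfs extraction) and treat any hit as a release blocker. The pattern is deliberately narrow, so it will miss credentials that are obfuscated or compressed, which is why the remediation is architectural rather than cosmetic: each device should obtain short-lived, per-device credentials scoped to its own prefix, not a shared long-term key with account-wide S3 access.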
This issue, discovered by Nick McClendon, Andrew Mirghassemi, Charles Dardaman, INIT_6 and Chris, all of 0DayAllDay, was disclosed to the vendor by Rapid7 – but the vendor hasn’t yet remediated the problem, according to the firm.
Since there is no patch, users should ensure that the cloud-based data storage functions of the device are not enabled.
Guardzilla did not immediately respond to a request for comment on this story.