SAN FRANCISCO – Researchers have discovered a slew of security vulnerabilities in a popular baby monitor, which if exploited allows attackers to remotely access the camera’s video footage.
The vulnerabilities were discovered in the iBaby Monitor M6S connected baby camera by researchers with Bitdefender. On Wednesday, here at the RSA Conference, some technical details of the discovery were disclosed. Researchers said the initial discovery was on May 20 (PDF) and that despite privately disclosing the bugs to the camera’s manufacture, iBaby Labs, it still has not heard from the company.
“We’ve tried to reach out to iBaby since May 2019 about three major vulnerabilities in their baby monitor but haven’t heard back,” Alex Jay Balan, chief security researcher at Bitdefender, said during an RSA session. “If someone registers a [baby monitor], it’s possible to get full access.”
Threatpost has also reached out to iBaby Labs for comment.
The most severe flaw stems from an issue with the baby monitor’s implementation of the MQTT communication protocol, which is often used by IoT and machine-to-machine applications. Configuration issues with MQTT protocols have also plagued other IoT device makers. Over the past year, improper configuration of MQTT has opened the doors to various vulnerabilities including bugs in smart deadbolts and just this week researchers at RSAC shared details of a vulnerability in a connected vacuum cleaner.
In the context of the vulnerable iBaby Monitor, the MQTT protocol used between the baby monitor and the corresponding mobile app was leaking camera ID numbers, user ID numbers, camera status (online or offline) data and in some cases user credentials. While the data is encrypted using AES256, the key and initialization vector (a fixed-size input for payload encryption) are easily predictable and are all hardcoded for all messages, Balan said.
An attacker would be able to monitor this data remotely when a user configures a camera, ultimately giving them the ability to stream video, take screenshots, record video and play music using obtained credentials.
“They used MQTT in the wrong way, so if you subscribe to iBaby, you will get spammed with notifications of the devices registered – including the device ID of each device,” said Balan. “In some cases, the user device password is also broadcast.”
Researchers also found a misconfigured AWS bucket, which is used to store videos, pictures and sound collected from the baby monitor. Because the S3 bucket is improperly set up, an attacker would be easily able to access files stored in it – including private video recordings of babies and their parents.
Finally, an Indirect Object Reference (IDOR) vulnerability in the iBaby Monitor M6S was broadcasting personal data of device owners insecurely. IDOR vulnerabilities occur when an application provides direct access to objects based on user-supplied input. This reveals potentially sensitive data about the user. If an attacker knows the device ID of one device (which they can easily obtain through either data exposed by the MQTT protocol or the S3 bucket), they can use it to exploit the IDOR vulnerability to access all of the device’s information. That includes the names and profile pictures of the devices’ owners, as well as their email addresses and location and timestamps showing when they accessed their camera.
Over the past years, vulnerabilities in an array of connected consumer devices have compromised children’s privacy. For example, the popular smartwatch TicTocTrack was plagued by security issues that could allow hackers to track and call children. Flaws in a component used by an IP security camera makers exposed more than 2 million devices to attackers who could hijack the company’s security cameras, baby monitors and smart doorbells. Researchers warn enterprises in particular to be wary of connected device security issues.
“These [flaws] may be present in the devices that you own… Be mindful of that,” said Balan. “They’re extremely difficult to catch and prevent. You won’t know about exposed recordings or other data without a thorough audit, so I strongly advise if you have any device without a graphic interface, to hire pentesters to look at it.”
For all Threatpost’s RSA Conference 2020 coverage, please visit our special coverage section, available here.