Security researchers have successfully hacked the Motorola Focus 73 outdoor security camera, using exploits that allowed them to gain access to the associated home network’s Wi-Fi password as a result.
White hats at Context Information Security were able to obtain full control of the camera’s pan-tilt-zoom controls as well as redirecting the video feed and movement alerts after hacking the IoT-enable camera.
The research provides evidence that even IoT products from some of the biggest tech companies have security issues.
The Motorola IP camera, manufactured by Binatone, offers cloud connectivity via the Hubble service, hosted by Amazon Elastic Compute Cloud. The facility allows customers to watch and control their cameras remotely as well as receive movement alerts through a free mobile app.
Context researchers found that during set up, the private Wi-Fi security key is transmitted unencrypted over an open network, using only basic HTTP Authentication with the username "camera" and password "000000". A number of legacy webpages on the camera revealed that the device is based on the same hardware as a legacy baby monitor product.
As part of a deeper dive, the researchers obtained root access to the camera after discovering its password was a lamentable "123456". Further digging provided access to the home network Wi-Fi password in plaintext as well as factory wireless credentials for secure test networks and even more surprisingly, credentials for the developers’ Gmail, Dropbox and FTP accounts.
The device's logs, accessible via the open web interface, also contained the AES encryption key for the remote control messages and FTP credentials for video clip storage. The wholly insecure setup allowed Context’s white hats to install their own malicious firmware because of the absence of security checks that would have questioned the validity of downloaded software.
The camera uses the STUN (Session Traversal Utilities for NAT) protocol to run communications with the Hubble server and control the camera. Armed with the AES key, Context’s boffins were able to access encrypted commands sent from the cloud to the camera and re-create them to initiate instructions such as start recording, change video server, move left and reboot.
Once they’d comprehensively pwned the camera, the researchers were able to subvert and redirect the Hubble DNS configuration to receive a feed of movement alert JPEG images and video clips, normally only available to Hubble paying customers.
Context researchers contacted Motorola Monitors in early October 2015 to pass on their findings. These queries were referred to Hubble, which has since taken steps to tighten up its security, after working with its partners Motorola, Binatone, Nuvoton and software developer CVision. New firmware updates have been released to camera users by Hubble.
The update process has reportedly been automated, so that the critical vulnerabilities in both outdoor and indoor Focus models have been mitigated without end users having to search for and apply downloads themselves.
“Hubble Connected has fully patched the vulnerability to ensure that the reported bug is addressed,” said Brendan Gibb, CISO at Hubble. “This firmware will be released on 2 February 2016 to all affected cameras.”
El Reg contacted Motorola’s PR reps and Hubble Connected (the latter via its Twitter feed) to seek comment. We’ll update this story as and when we hear more.
A blog post by Context providing a detailed description of the exploits it developed and its investigation into the (in)insecurity of Motorola Focus 73 outdoor security camera and linked technology can be found here.
Binatone makes web-connected cameras under the "Motorola" brand, a representative of Motorola Mobility explained. In a statement, Binatone confirmed it had issued a firmware patch.
“As a Hubble partner and the official licensee of Motorola home products, Binatone takes security matters extremely seriously and have worked diligently with Hubble to execute a prompt firmware solution before any customers were affected," it said. "As a result of extensive testing, including by researchers at Context Information Security who first brought this matter to our attention, we are confident in the security of our products and have concluded that this patch will effectively protect our customers’ privacy.” ®