More than 52,000 internet-connected Mi-Cam baby monitors are broadcasting sound and video to whoever comes looking, researchers have claimed.
These Wi-Fi gizmos, built by Chinese biz MiSafes, stream 720p video and two-way audio in real time to apps running on parents' smartphones, via Amazon cloud servers. The app connects to an AWS-hosted backend, logs into the user's Mi-Cam account, and pulls video and audio from the linked baby monitor, which is itself talking to the same cloud backend.
Grownups open their app, log into their account, and keep an eye on their tykes from their Mi-Cam, essentially.
Infosec bods at SEC Consult, working with master's student Mathias Frank at the University of Applied Sciences Technikum Wien in Austria, told The Register on Tuesday they have found six security flaws in the product. The worst of the flaws allows miscreants to spy on video streams of kids without any kind of permission check.
The main problems, we're told, are:
- Broken session management and insecure direct object references: MiSafes' backend code does not check whether the person requesting a user's profile, and access to that user's connected cameras, is actually that user. Just send off a request naming a user account ID number, and bingo – you're in as that person, with no authentication of your own needed. Because the IDs are plain numbers, an attacker can simply enumerate the whole ID space to blanket-surveil every online Mi-Cam.
- Missing password-change verification code invalidation: If the above seems like too much effort, request a password reset for a given Mi-Cam account instead. The email address on the profile is sent a six-digit code, valid for the next 30 minutes, to enter in order to set a new passphrase. The backend does not invalidate that code after wrong guesses, so once an attacker has triggered the reset they have half an hour to hammer through all 1,000,000 possible codes (a little over 550 guesses a second) until one is accepted, at which point they can change the victim's Mi-Cam account password.
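As an added example (not code from SEC Consult, MiSafes, or the Mi-Cam app), the toy backend below models both list items in Python: a camera-lookup handler that trusts a client-supplied account ID beside one that binds authorization to the session, and a six-digit reset-code store that survives failed guesses beside one that is single-use and invalidates after a handful of misses. The user IDs, session token, e-mail addresses and the five-attempt limit are constructed for illustration; only the six-digit code length and 30-minute validity come from the article.

```python
"""Toy model of the two Mi-Cam backend flaws and their fixes.

Added example, not code from SEC Consult or MiSafes. All identifiers,
endpoints and data below are constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample data: two accounts, each with one linked camera.
USERS = {
    1001: {"email": "alice@example.invalid", "cameras": ["cam-A1"]},
    1002: {"email": "bob@example.invalid", "cameras": ["cam-B7"]},
}

# Session token -> account ID, issued at login. Only Alice is logged in.
SESSIONS = {"tok-alice": 1001}


# --- Flaw 1: insecure direct object reference ---------------------------------

def get_cameras_vulnerable(session_token, requested_user_id):
    """Returns any account's cameras by ID; the session is never consulted."""
    return USERS[requested_user_id]["cameras"]


def get_cameras_fixed(session_token, requested_user_id):
    """Identity comes from the session; the client-supplied ID must match it."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise PermissionError("not authenticated")
    if owner != requested_user_id:
        raise PermissionError("not authorized for this account")
    return USERS[owner]["cameras"]


def enumerate_cameras(handler, id_range, session_token=None):
    """Attacker loop: walk the numeric ID space, keep whatever the handler hands back."""
    found = {}
    for uid in id_range:
        try:
            found[uid] = handler(session_token, uid)
        except (PermissionError, KeyError):
            continue
    return found


# --- Flaw 2: six-digit reset code that survives wrong guesses -----------------

CODE_TTL = 30 * 60     # 30-minute validity, as reported
CODE_SPACE = 10 ** 6   # 000000 .. 999999


def guesses_per_second_needed(ttl=CODE_TTL, space=CODE_SPACE):
    """Request rate needed to exhaust the whole code space inside the TTL."""
    return space / ttl


@dataclass
class ResetCode:
    code: str
    expires_at: float
    attempts: int = 0


class ResetStoreVulnerable:
    """The code stays valid for the full TTL no matter how many guesses miss."""

    def __init__(self):
        self.pending = {}

    def request(self, user_id, now):
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self.pending[user_id] = ResetCode(code, now + CODE_TTL)
        return code  # the real system e-mails this; returned here for the demo

    def verify(self, user_id, guess, now):
        rc = self.pending.get(user_id)
        if rc is None or now > rc.expires_at:
            return False
        return guess == rc.code


class ResetStoreFixed(ResetStoreVulnerable):
    """Single-use code, constant-time compare, dropped after MAX_ATTEMPTS misses."""

    MAX_ATTEMPTS = 5  # constructed limit; any small number defeats the sweep

    def verify(self, user_id, guess, now):
        rc = self.pending.get(user_id)
        if rc is None or now > rc.expires_at:
            return False
        rc.attempts += 1
        ok = hmac.compare_digest(guess, rc.code)
        if ok or rc.attempts >= self.MAX_ATTEMPTS:
            del self.pending[user_id]  # invalidate on success or too many misses
        return ok


def brute_force_reset(store, user_id, now):
    """Attacker loop: submit every six-digit code; return the accepted one or None."""
    for n in range(CODE_SPACE):
        guess = f"{n:06d}"
        if store.verify(user_id, guess, now):
            return guess
    return None
```

Against the vulnerable store the sweep always lands on the code; against the fixed one the code is gone after five misses, so the remaining 999,995 requests hit nothing. The rate-limit figure from `guesses_per_second_needed()` (about 556 requests a second) is the load a backend with no invalidation has to absorb without noticing.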
The hardware also exposes an internal UART serial port on its motherboard, allowing anyone with physical access to the gadget to talk to the bootloader and extract the firmware. That firmware contains a hardcoded four-digit root password, plus outdated, unpatched software that can be exploited further. The backend servers will also happily enumerate details of registered user accounts for anyone who phrases the request correctly, no special permissions required.
Communications between the app, the Linux-powered baby monitor, and the backend software are encrypted and protected using HTTPS. However, the system relies on a client TLS certificate hardcoded into the app, which anyone can extract from the app package and use to talk to the backend servers as if their requests came from a legit copy of the application. A certificate shared by every install is a secret in name only: it keeps out casual traffic, not a determined attacker, and it says nothing about which user is behind a request.
So what, you may think? Yet another Internet of Shit device turns out to have flaws that need to be patched. But the SEC team found getting this hardware fixed was much harder than it should have been.
For the past three months, the researchers have tried to inform the manufacturer about the issues, it is claimed, and received no response. More worryingly, China's National Computer Network Emergency Response Team was also contacted, looked at the problems, and decided not to publish an advisory of its own.
While the team – along with El Reg – is still waiting on a response from the gizmo maker, SEC is urging concerned parents to shut down or junk the Mi-Cam hardware. After all, you don't want just anyone watching your little version 1.1 do you? ®