An internet-connected camera managed via the LookCam or other apps of the same developer is riddled with multiple security flaws, warns Wladimir Palant, a security researcher and maker of the AdBlock Plus content filtering and ad blocking extension. The camera is used by millions, and the flaws grant complete access to outsiders.

Have you ever bought a “spy cam,” “nanny cam,” or similar internet-connected camera disguised as a radio clock, USB charger, bulb socket, smoke detector, or wall outlet?

These devices can be found for as little as $40, and their supposed functionality may work very well. However, what also works is unrestricted access for strangers.

Fake access controls, pseudo encryption, completely unprotected cloud uploads, firmware riddled with security flaws – the list goes on. The security researcher was alarmed after conducting hands-on testing with the internet-connected camera.

“What I found far exceeded my expectations,” Palant writes in his blog.


“These cameras are Murphy’s Law turned solid: everything that could be done wrong has been done wrong here.”

The LookCam app has over a million downloads and over 5,000 reviews on the Google Play store, but is also available for iPhone and Windows. Moreover, the researcher argues that the findings apply to many other less popular apps by the same developer, including tcam, CloudWayCam, VDP, AIBoxcam, and IP System.

The vendors and developers of the cheap Chinese devices mask their identities. But even if they wanted to, they couldn’t secure them – the cameras have no mechanism to update their firmware.

And there are no security mitigations that would allow users to use them safely.

Multiple flaws in a single device

The researcher found that users cannot isolate these cams from unauthorized access. They either function as a WiFi access point without a password or require constant internet access. Without internet access, they enter a reboot loop.

Communication is largely unencrypted: it’s optional, and even when used, it is compromised by weak proprietary encryption algorithms, which are also poorly implemented.

“The encryption key is part of the ‘init string,’ which is hardcoded in the app,” Palant noted.

“Even if the encryption key weren’t easily extracted, it is mashed into four bytes, which become the effective key. So there are merely four billion possible keys.”

Buffer overflow issues in the firmware enable arbitrary code execution, and the protection mechanisms are disabled. The firmware doesn’t enforce password checks – these can be skipped. There’s no TLS to encrypt cloud uploads, so data transfers use regular HTTP.

“If you happen to use their cloud functionality, your ISP better be very trustworthy because it can see all the data your camera sends to the LookCam cloud. In fact, your ISP could even run its own ‘cloud server’ and the camera will happily send your recorded videos to it,” the researcher warns.

And it gets worse – the cloud server has no authentication whatsoever.

The “secret” device ID used to establish a connection is susceptible to enumeration, brute force attacks, or reverse engineering of the generation algorithm. Attackers can sniff the device’s ID just by examining unencrypted network packets.

Anyone with the device’s ID can access it from the internet or access the cloud server with the recordings.

“You might think that you can simply skip paying for the cloud service, which, depending on the package you book, can cost as much as $40 per month. But this doesn’t mean that you are on the safe side because you aren’t the one controlling the cloud functionality on your device – the cloud server is,” the researcher said.

Each time the internet camera boots up, it calls back home for commands – if the app developers decide they want to peek through your camera, they can just adjust the server response.

“Anybody who happens to know your device ID can buy a cloud package for it. This way, they can get access to your video recordings without ever accessing your device directly,” the researcher warns.

Attackers can compromise the camera in order to hack other devices on the user’s network or simply to add it to a botnet.

Due to the severe security issues, Palant urges owners to dispose of these devices.

“Don’t sell it please, because this only moves the problem to the next person.”