Part 1: A complex problem with a simple explanation
Remotely connected security cameras have become commonplace in our everyday lives. They help organizations secure a facility, manage authorized areas, prevent theft, and more.
Yet these IoT devices, which blend quietly into the landscape, may not be as secure as the other connected products we rely on daily, such as our phone, PC, or Wi-Fi router. And because they are trusted on our private networks, a security flaw in an IoT device can be synonymous with a network breach, as in the case below.
In part 2, we dive into the technical ‘how’.
—–
While researching Xiaomi's C20 internet camera, Cybellum's security team discovered a flaw in the binding process between the camera and the network. The flaw allows anyone within Wi-Fi range to capture the credentials of the private Wi-Fi network the camera is being joined to.
Vulnerable By Design – The Binding Process
Binding a new device to a local network using a personal smartphone is often the first step taken to set up an IoT device. During this process, the owner will receive a notification from the phone application, instructing them on how to connect their new device to the local network, also known as ‘binding’.
Xiaomi has simplified this experience for connecting its capable C20 camera to the local network. Instead of the usual flow of joining the device's temporary Wi-Fi network, the app instructs us to scan the QR code on the bottom of the device in order to bind it. This all happens while the phone stays connected to the home Wi-Fi network, so the entire process is quick and seamless.
This unusually easy process aroused our team's suspicion, so we started by examining the QR code itself. It decodes to nothing more than:
https://web.app.imilab.com/download/imi_app.html?locale=en-US&pk=a1znn6t1et8
Upon comparing this URL with those printed on other C20 internet cameras, it became evident that all devices of this model carry the same QR code, including the value of the "pk" parameter in the query string.
This means the value the app reads to identify the specific camera being bound is not unique to that camera. Without analyzing the device binaries at all, a researcher's intuition is enough to know that the likelihood of a vulnerability is high.
By deduction: the phone app never receives a unique identifier for the specific camera it is binding to, yet the binding succeeds. That leaves only two possibilities. Either the communication between the phone and the camera is not encrypted, or it is encrypted with a hardcoded value (more on that in part 2) that is pre-provisioned in the camera and common to every other camera of the same model. Since this communication carries our network's Wi-Fi credentials, either case constitutes a security vulnerability.
It's clear by now that the biggest danger here has little to do with the camera itself. While the camera discovers and binds to the network, a bad actor within Wi-Fi range can capture the credentials, quietly join your home or office network, and pivot from there to other devices. The same actor can instead tamper with the exchange and bind the camera to a network they control. If they then relay full camera functionality back to the owner, the owner may never realize the camera has not joined their own network, while the attacker records or cuts the captured video at will.
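To make the deduction above concrete, here is an added toy model of a binding flow whose credential-wrapping key is derived only from the model-wide `pk` value in the QR code. This is illustrative code written for this article, not Xiaomi or IMILAB code: the camera's real message format, key derivation and cipher are not known from this post (part 2 covers that), and the QR payloads, serial numbers, `binding_key`, `wrap_credentials` and `unwrap_credentials` names are all assumptions. It shows the two consequences described above: a second unit of the same model can decrypt the victim's Wi-Fi credentials, and can forge a binding message the camera accepts for a network the attacker controls. A per-unit secret folded into the key, the hardened variant at the end, defeats both.

```python
"""Toy model of QR-based binding with a model-wide key (constructed example)."""
import hashlib
import hmac
import json
import os
from urllib.parse import parse_qs, urlparse


def pk_from_qr(qr_payload: str) -> str:
    """Extract the `pk` query parameter the phone app reads from the QR code."""
    return parse_qs(urlparse(qr_payload).query)["pk"][0]


def binding_key(*identifiers: str) -> bytes:
    """Derive the 32-byte key both ends use to wrap the credentials.

    Hypothetical derivation: SHA-256 over the joined inputs is enough to show
    whether two units end up with the same key. A real product would use a KDF.
    """
    return hashlib.sha256("|".join(identifiers).encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Illustration only; use AES-GCM in real code."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def wrap_credentials(key: bytes, ssid: str, password: str) -> dict:
    """Phone -> camera binding message: encrypt-then-MAC the Wi-Fi credentials."""
    nonce = os.urandom(12)
    plaintext = json.dumps({"ssid": ssid, "password": password}).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unwrap_credentials(key: bytes, message: dict):
    """Camera (or eavesdropper) side: verify the MAC, then decrypt.

    Returns the credentials dict, or None when the key does not match.
    """
    nonce, ct, tag = (bytes.fromhex(message[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


# Constructed QR payloads: both "units" carry the same pk, as observed in the post.
VICTIM_QR = "https://web.app.imilab.com/download/imi_app.html?locale=en-US&pk=a1znn6t1et8"
ATTACKER_QR = "https://web.app.imilab.com/download/imi_app.html?locale=en-US&pk=a1znn6t1et8"


def eavesdrop_with_shared_key(message: dict):
    """Attacker derives the key from their own unit's QR and reads the victim's message."""
    return unwrap_credentials(binding_key(pk_from_qr(ATTACKER_QR)), message)


def forge_rogue_binding(rogue_ssid: str, rogue_password: str) -> dict:
    """Attacker crafts a message that binds the victim's camera to the attacker's network."""
    return wrap_credentials(binding_key(pk_from_qr(ATTACKER_QR)), rogue_ssid, rogue_password)


def eavesdrop_with_per_unit_key(message: dict, attacker_serial: str):
    """Hardened variant: the key also binds a per-unit secret the attacker cannot read."""
    return unwrap_credentials(binding_key(pk_from_qr(ATTACKER_QR), attacker_serial), message)


if __name__ == "__main__":
    victim_key = binding_key(pk_from_qr(VICTIM_QR))
    msg = wrap_credentials(victim_key, "office-wifi", "hunter2")
    print("shared key, eavesdropped  ->", eavesdrop_with_shared_key(msg))
    print("shared key, camera accepts->", unwrap_credentials(victim_key, forge_rogue_binding("evil-ap", "pwned")))
    hardened = wrap_credentials(binding_key(pk_from_qr(VICTIM_QR), "SN-VICTIM-0001"), "office-wifi", "hunter2")
    print("per-unit key, eavesdropped->", eavesdrop_with_per_unit_key(hardened, "SN-ATTACKER-0002"))
```

The point is not the cipher (swap in AES-GCM for anything real) but the key: whatever wraps the credentials is only as secret as its least secret input, and a value printed identically on every unit of a model is not a secret at all. The hardened variant works only if the per-unit secret is something the attacker in Wi-Fi range cannot observe, which is exactly what a unique QR code per device would provide.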
The dangers lurking in poor product security
The rise of smart home devices and the Internet of Things (IoT) has made it easier to automate and control various aspects within a facility. However, this convenience also comes with significant cybersecurity risks.
One of the biggest risks of unsecured Wi-Fi connected devices, as opposed to a PC or phone, is that they tend to be easier to attack: somewhat older hardware, simpler software stacks, and permissive or invisible software update mechanisms. A personal phone usually runs a system on a chip (SoC) introduced to the market within the past two or three years, whereas a security camera can make do with an older SoC. Instead of a battle-hardened OS such as iOS or Android, an IoT device may run a simpler real-time OS or an older Linux version. On our phones, the operating system pesters the user until they install an update; our interaction with IoT devices is far subtler, and we may be completely unaware of their software update status.
A device running outdated software on a local network can be breached and forced to participate in distributed denial of service (DDoS) attacks. A DDoS attack overwhelms a website or online service with traffic from many sources, making it unavailable to legitimate users. Cybercriminals routinely conscript unsecured connected devices into botnets to launch DDoS attacks against their targets.
The industry has seen many instances where a poorly secured WiFi connected device posed a significant threat to privacy, security, and network performance. To reduce these risks, make sure to change default login credentials, use encryption, keep devices up to date, disable remote management, and use a VPN. By following these steps, users can help protect their assets from the dangers of unsecured home WiFi connected devices.
Cleaning product security environments
This camera is one example of an IoT device that can unwittingly act as a bridge for threat actors looking for the right opportunity to penetrate a private network. As with supply chain attacks, such compromises are near-impossible to detect without looking into the network infrastructure itself and spotting suspicious activity.
To keep products secure, the environments these products bind to, which the device treats as a fully trusted authority, must be held to the highest cybersecurity standards, with documentation to ensure proper network hygiene. Companies must ensure that all processes, protocols, and ultimately devices are in line with their cybersecurity standards, so that no unauthorized access is granted through human error or otherwise.