We have published an accompanying blog post to this technical advisory with further information: https://www.sec-consult.com/en/blog/2018/02/internet-of-babies-when-baby-monitors-fail-to-be-smart/index.html

SEC Consult Vulnerability Lab Security Advisory < 20180221-0 >
=======================================================================
              title: Hijacking of arbitrary video baby monitors
            product: miSafes Mi-Cam remote video monitor
 vulnerable version: Android application v1.2.0, iOS v1.0.5
                     Firmware v1.0.38
      fixed version: -
         CVE number: -
             impact: critical
           homepage: http://www.misafes.com/mi-cam
              found: 2017-11-30
                 by: Mathias Frank (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal
                     Moscow - Munich - Kuala Lumpur - Singapore
                     Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Mi-CamHD, Wi-Fi remote video monitor for everyone; 720P HD quality video,
easy set up & use, two-way talk and supports free local video recording,
all can be used by our user friendly Mi-Cam app."

Source: http://www.misafes.com/mi-cam

Business recommendation:
------------------------
SEC Consult recommends not to use this device until a thorough security
review has been performed by security professionals and all identified
issues have been resolved!

Although cloud-connected hardware may have an advantage regarding usability
and convenience for users, if security is lacking those products pose a
great risk for all customers.

Furthermore, it seems there exist similar products from other vendors, e.g.
"Qihoo 360 Smart Home Camera", that look exactly the same and may also be
affected, but SEC Consult could not verify this. The cloud component hosted
by "qiwocloud2.com" may be used by other products as well.
Additional information regarding other vendors is described in our blog
post linked at the top of this advisory.

Vulnerability overview/description:
-----------------------------------
Using the Mi-Cam video baby monitor and its Android (or iOS) application
involves numerous requests to a cloud infrastructure available at
ipcam.qiwocloud2.com, through which the application and the video baby
monitor communicate with each other. The Android application has at least
50,000-100,000 installations according to the Google Play Store, with
potentially as many iOS users as well.

SEC Consult has identified multiple critical security issues within this
product.

1) Broken Session Management & Insecure Direct Object References
The usage of the Android application "Mi-Cam" and the interaction with the
video baby monitor involve several different API calls. A number of critical
API calls can be accessed by an attacker with arbitrary session tokens
because of broken session management. This allows an attacker to retrieve
information about the supplied account and its connected video baby
monitors. The information retrieved this way is sufficient to view and
interact with all video baby monitors connected to the supplied UID.

2) Missing Password Change Verification Code Invalidation
The password reset functionality sends a 6-digit validation key, valid for
30 minutes, to the supplied email address in order to set a new password.
Multiple codes can be requested, however, and previously delivered codes
are not invalidated: any one of them is accepted as a valid key. Since every
outstanding code is a valid target, the key can easily be brute-forced to
take over other accounts.

3) Available Serial Interface
The PCB of the video baby monitor holds an unlabeled UART interface through
which an attacker can gain hardware-level access to the device and, for
instance, extract the firmware for further analysis.
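Issue 1 above (arbitrary session tokens accepted, consecutively numbered UIDs), as an added example that is not SEC Consult's or the vendor's code: a vulnerable `get_list`-style handler beside a hardened one that binds the token to a live session and checks that the requested UID belongs to that session, plus a small detector that flags consecutive-UID sweeps in access logs. The endpoint name mirrors the advisory; the request shape, the session store, the log format and all sample data are assumptions constructed for this example.

```python
import secrets
import time

# Constructed sample data: two accounts with consecutively numbered UIDs and
# the cameras bound to each (the advisory states that UIDs are consecutive).
DEVICES = {
    100001: ["cam-A"],
    100002: ["cam-B", "cam-C"],
}

# Assumed server-side session store: token -> (uid, expiry timestamp).
SESSIONS = {}


def login(uid, ttl=3600):
    """Issue a random, unguessable session token bound to exactly one UID."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (uid, time.time() + ttl)
    return token


def vulnerable_get_list(token, uid):
    """Behaviour described under issue 1: the token is only checked for
    presence, never looked up, and the caller-supplied uid is trusted
    (insecure direct object reference)."""
    if not token:
        return {"status": "error"}
    return {"status": "ok", "devices": DEVICES.get(uid, [])}


def hardened_get_list(token, uid):
    """The token must map to a live session, and the requested object (uid)
    must belong to that session. A mismatch gets the same answer as a
    missing account, so the response cannot confirm that other UIDs exist."""
    session = SESSIONS.get(token)
    if session is None or session[1] < time.time():
        return {"status": "unauthorized"}
    owner_uid, _expiry = session
    if owner_uid != uid:
        return {"status": "not_found"}
    return {"status": "ok", "devices": DEVICES.get(uid, [])}


def detect_uid_sweeps(log_lines, min_run=3):
    """Detection side: flag clients whose successive requests walk through
    consecutive UIDs, the footprint of enumerating a consecutive ID space.
    Assumed log format: '<client_ip> <endpoint> uid=<n>' per line.
    Returns {client_ip: longest_consecutive_run} for flagged clients."""
    per_client = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("uid="):
            continue
        per_client.setdefault(parts[0], []).append(int(parts[2][4:]))
    flagged = {}
    for ip, uids in per_client.items():
        run = best = 1
        for prev, cur in zip(uids, uids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged


# Constructed access-log sample: one client sweeps four consecutive UIDs,
# another makes a single legitimate request.
SAMPLE_LOG = [
    "203.0.113.7 /family/get_list uid=100001",
    "203.0.113.7 /family/get_list uid=100002",
    "203.0.113.7 /family/get_list uid=100003",
    "203.0.113.7 /family/get_list uid=100004",
    "198.51.100.9 /family/get_list uid=100002",
]

if __name__ == "__main__":
    print("vulnerable, bogus token:", vulnerable_get_list("bogus", 100002))
    print("hardened, bogus token:  ", hardened_get_list("bogus", 100002))
    tok = login(100001)
    print("hardened, other uid:    ", hardened_get_list(tok, 100002))
    print("hardened, own uid:      ", hardened_get_list(tok, 100001))
    print("sweeps:", detect_uid_sweeps(SAMPLE_LOG))
```

The hardened handler deliberately keeps the uid parameter rather than silently deriving it from the session, so that a client asking for someone else's UID is rejected with an indistinguishable "not_found" instead of being quietly redirected; either design is acceptable, but the token lookup and ownership check are the two pieces the advisory reports as missing.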
SEC Consult identified further security issues such as outdated software
(issue 6) or weak passwords (issue 4) by analyzing the firmware using
IoT Inspector (https://www.iot-inspector.com).

4) Weak Default Credentials
The "root" user available on the video baby monitor uses very weak default
credentials consisting of only 4 digits.

5) Enumeration of user accounts
The password reset functionality leaks information about the existence of
supplied user accounts, which can aid in further (brute-force) attacks.

6) Outdated and Vulnerable Software
Several software components which are affected by publicly known
vulnerabilities were identified in the firmware of the video baby monitor.

Proof of concept:
-----------------
As the vendor could not be reached in order to get the issues fixed, we
omit detailed proof of concept information in this advisory.

1) Broken Session Management & Insecure Direct Object References
Several functionalities are vulnerable because session tokens are not
checked properly and can be used without any valid user account.

Excerpt of API calls:
- /family/get_list
- /family/get_group_list
- /family/invite_join
- /family/change_name
- /family/unbind

Sending (or intercepting and replaying) the following request with an
arbitrary UID allows an attacker to retrieve information about the
supplied account and its connected video baby monitors. UIDs are numbered
consecutively, so accounts can simply be enumerated. The information
retrieved this way is sufficient to view and interact with all video baby
monitors connected to the supplied UID.

<HTTP POST request PoC removed>

2) Missing Password Change Verification Code Invalidation
By sending the following request to "/user/request_email_code", a
validation key can be requested:

<HTTP POST request PoC removed>

This request can be sent multiple times in order to increase the
probability of a successful brute-force attack on the validation key. Each
requested validation key is valid for 30 minutes and can be used to reset
the password.
During the period of the assessment, the following two sender addresses
could be observed:
- passwords@xxxxxxxxxxx
- misafes@xxxxxxxxxxxx

3) Available Serial Interface
Unlabeled and grouped through-hole pins located on the PCB of the video
baby monitor can be used to connect to a UART interface. This gives access
to the boot loader and allows extraction of the firmware for further
analysis. Further information regarding the hardware, including
screenshots, can be found in our blog post:
https://www.sec-consult.com/en/blog/2018/02/internet-of-babies-when-baby-monitors-fail-to-be-smart/index.html

4) Weak Default Credentials
By analysing the extracted firmware, or by simply performing a brute-force
attack, it is possible to identify the following very weak 4-digit default
credentials used by the video baby monitor:

root:<redacted>

5) Enumeration of user accounts
By sending the following request to "/user/request_email_code", it is
possible to gain information about the existence of registered user
accounts by observing the response:

<HTTP POST request PoC removed>

The HTTP response reveals whether the supplied email address is registered
or not.

<HTTP server response removed>

This behavior can also be observed using the "/user/check_username"
request.

6) Outdated and Vulnerable Software
The following publicly known vulnerable software components were
identified in the firmware of the video baby monitor by using IoT
Inspector:
- BusyBox 1.22.1 - multiple CVE
- hostapd 0.8.x - CVE-2015-8041
- OpenSSL 1.0.1j - multiple CVE
- Linux Kernel 2.6.35 - multiple CVE

Vulnerable / tested versions:
-----------------------------
During our investigation the main focus was to analyse the communication
between the app, the video baby monitor and the cloud infrastructure, but
not the applications (Android, iOS) themselves.
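The "/user/request_email_code" behaviour from proof-of-concept items 2 and 5 above, side by side with a hardened design, as an added example that is not SEC Consult's or the vendor's code. The endpoint, the 6-digit code and the 30-minute validity come from the advisory; the store layout, the attempt limit, the response texts and the sample account are assumptions. The `hit_probability` helper quantifies why leaving earlier codes valid matters: with one outstanding code 1000 guesses succeed 0.1% of the time, with 1000 outstanding codes the same 1000 guesses succeed about 63% of the time.

```python
import hmac
import secrets
import time

CODE_SPACE = 10 ** 6   # 6-digit numeric code, as in the advisory
CODE_TTL = 30 * 60     # 30 minutes, as in the advisory


def hit_probability(outstanding_codes, guesses, space=CODE_SPACE):
    """Probability that `guesses` distinct guesses hit at least one of
    `outstanding_codes` simultaneously valid (assumed distinct) codes drawn
    from `space`. Computed as 1 - P(every guess misses)."""
    k = min(outstanding_codes, space)
    g = min(guesses, space)
    miss = 1.0
    for i in range(g):
        remaining_wrong = space - k - i
        if remaining_wrong <= 0:
            return 1.0
        miss *= remaining_wrong / (space - i)
    return 1.0 - miss


class VulnerableResetCodes:
    """Issues 2 and 5 as described: every requested code stays valid for its
    full TTL (earlier codes are not invalidated) and the response states
    whether the address is registered. `outbox` stands in for email delivery."""

    def __init__(self, registered_emails):
        self.users = set(registered_emails)
        self.codes = {}      # email -> [(code, expiry), ...]
        self.outbox = []     # (email, code) pairs "sent"

    def request_code(self, email):
        if email not in self.users:
            return {"status": "error", "msg": "user does not exist"}
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self.codes.setdefault(email, []).append((code, time.time() + CODE_TTL))
        self.outbox.append((email, code))
        return {"status": "ok", "msg": "code sent"}

    def verify(self, email, code):
        now = time.time()
        return any(c == code and exp > now for c, exp in self.codes.get(email, []))


class HardenedResetCodes:
    """One outstanding code per account (a new request replaces the old one),
    single use, a small failed-attempt budget, constant-time comparison, and
    an identical response whether or not the address is registered."""

    MAX_ATTEMPTS = 5
    NEUTRAL = {"status": "ok", "msg": "If the address is registered, a code has been sent."}

    def __init__(self, registered_emails):
        self.users = set(registered_emails)
        self.pending = {}    # email -> (code, expiry, failed_attempts)
        self.outbox = []

    def request_code(self, email):
        if email in self.users:
            code = f"{secrets.randbelow(CODE_SPACE):06d}"
            self.pending[email] = (code, time.time() + CODE_TTL, 0)
            self.outbox.append((email, code))
        return dict(self.NEUTRAL)

    def verify(self, email, code):
        entry = self.pending.get(email)
        if entry is None:
            return False
        stored, expiry, failed = entry
        if time.time() > expiry or failed >= self.MAX_ATTEMPTS:
            self.pending.pop(email, None)   # expired or burned: require a fresh code
            return False
        if hmac.compare_digest(stored, code):
            self.pending.pop(email, None)   # single use
            return True
        self.pending[email] = (stored, expiry, failed + 1)
        return False


if __name__ == "__main__":
    print("1 code, 1000 guesses:   ", hit_probability(1, 1000))
    print("1000 codes, 1000 guesses:", hit_probability(1000, 1000))
    v = VulnerableResetCodes({"parent@example.com"})
    print("vulnerable, unknown user:", v.request_code("nobody@example.com"))
    h = HardenedResetCodes({"parent@example.com"})
    print("hardened, unknown user:  ", h.request_code("nobody@example.com"))
    print("hardened, known user:    ", h.request_code("parent@example.com"))
```

The neutral response alone does not remove the enumeration channel completely: the registered branch does extra work (code generation, mail submission), so response timing should also be equalised, for instance by queuing the mail asynchronously. Per-account request throttling belongs alongside the attempt budget, since the advisory's attack starts with many code requests rather than many guesses.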
Android Application:
- Mi-Cam v1.2.0 (most up to date version in November 2017)

Video baby monitor:
- Firmware 1.0.38 (most up to date version in November 2017)

It is assumed that the iOS app v1.0.5 is affected as well, as the
vulnerabilities are within the server-side API.

Vendor contact timeline:
------------------------
2017-12-06: Contacting vendor through contact@xxxxxxxxxxx
2018-01-03: Resending initial contact approach
2018-01-29: Resending initial contact approach
2018-02-07: Attempting to contact China CNCERT/CC (PGP encrypted), received
            "550 Mail content denied" from their mailserver, resending
            unencrypted without attachments, same error message
2018-02-07: Contacting CERT/CC, asking for coordination support
2018-02-12: Asking CERT/CC again
2018-02-12: CERT/CC has decided not to coordinate or publish this
            vulnerability
2018-02-21: Public release of security advisory

Solution:
---------
The vendor could not be reached and there is no update available.

Workaround:
-----------
It is highly recommended not to use this product as there is no
workaround available.

Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the
evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about
vulnerabilities and valid recommendations about the risk profile of new
technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Mathias Frank / @2018