The IZON surveillance camera sold in Apple Stores and Best Buy outlets is filled with security holes that enable a hacker to easily commandeer the device, a security researcher said.
Mark Stanislav, security evangelist for two-factor authentication platform vendor Duo Security, started investigating the camera after buying the Wi-Fi device for his home and discovering it was configured so that anyone could access the device if it was on the Internet.
Stanislav's findings, presented this week at the Rochester Security Summit in Rochester, N.Y., were startling.
With only an IP address for the device, a person could log into the Web interface of any IZON camera, using the default user name and password, which was "user" for both, Stanislav said. Once logged in, a person could view everything the camera sees within the home.
Stanislav found the credentials hardcoded in the camera manufactured by Stem Innovation. The IZON is managed through an iPhone or iPad mobile app available for free on Apple's App Store.
Stem Innovation did not respond to requests for comment.
Within the mobile app, Stanislav found the hardcoded credentials for administration privileges, which means a person could set alerts and make other configuration changes. The camera has a motion and an audio sensor that can be turned on when people are away from their homes.
The purpose of the credentials stored in the app is to perform firmware updates. However, there are certainly tradeoffs in security.
"This camera was (according to Stem Innovation) the first IP camera like this that had no need for a computer. It was meant to be used entirely from your iOS device," Stanislav told CSOonline Friday. "The everyday end user would never know the Web interface was there."
IP addresses for IZON devices on the Internet can be found using the Shodan search engine (http://www.shodanhq.com/). Once a criminal logged into a camera, he could attempt to find its location by using the device's internal scanner to see the names of nearby Wi-Fi networks.
This is useful for finding locations because people often name their networks using their street name or the name of their neighborhood, Stanislav said. "I've seen all kinds of crazy things (like that) over the years."
The IZON security weaknesses went beyond just the camera. When an alert is triggered, the camera automatically records a short video and sends it to IntelliVision, a video analytics firm that stores the media on the Amazon Simple Storage Service (S3).
Stanislav found that the data sent to IntelliVision was not encrypted. In addition, when he deleted the video on his smartphone, it was still available two months later on the S3 server.
Stanislav did his research by accessing his and his brother's IZON devices through the camera's Telnet port. Telnet is a 40-year-old network protocol used on the Internet and local area networks for bidirectional text communications. Stanislav said the security holes he found would be the same if someone accessed the device over the Internet through a browser.
Stanislav said he contacted Stem Innovation Sept. 6, which started weeks of back-and-forth communications. As of mid-October, he had received no commitment from the vendor that the holes would be fixed.
"I haven't had confirmation that they're fixing or have fixed any of these (problems)," Stanislav said.
Stem Innovation told The Security Ledger that Stanislav's research contained "inaccuracies and misleading information," but declined to elaborate.
Stem Innovation is not the first surveillance camera vendor to be called out for security lapses. The Federal Trade Commission accused TRENDnet of having such poor security in its SecurView cameras that a hacker could post links on the Web to live camera feeds, exposing the private lives of customers.
TRENDnet settled the charges by agreeing not to misrepresent the security, privacy, confidentiality or integrity of the information that its cameras or other devices transmit.