Researcher finds major security holes in IZON surveillance camera

The IZON surveillance camera sold in Apple Stores and Best Buy outlets is filled with security holes that enable a hacker to easily commandeer the device, a security researcher said.

[Your (not-so) smart home]

Mark Stanislav, security evangelist for two-factor authentication platform vendor Duo Security, started investigating the camera after buying the Wi-Fi device for his home and discovering it was configured, so anyone could access the device if it's on the Internet.

Stanislav's findings, presented this week at the Rochester Security Summit in Rochester, N.Y., were startling.

With only an IP address for the device, a person could log into the Web interface of any IZON camera, using the default user name and password, which was "user" for both, Stanislav said. Once logged in, a person could view everything the camera sees within the home.

Stanislav found the credentials hardcoded in the camera manufactured by Stem Innovation. The IZON is managed through an iPhone or iPad mobile app available for free on Apple's App Store.

Stem Innovation did not respond to requests for comment.

Within the mobile app, Stanislav found the hardcoded credentials for administration privileges, which means a person could set alerts and make other configuration changes. The camera has a motion and an audio sensor that can be turned on when people are away from their homes.

The purpose of the credentials stored in the app is to perform firmware updates. However, there are certainly tradeoffs in security.

"This camera was (according to Stem Innovation) the first IP camera like this that had no need for a computer. It was meant to be used entirely from your iOS device," Stanislav told CSOonline Friday. "The everyday end user would never know the Web interface was there."

Finding IP addresses for IZON devices on the Internet can be found using the Shodan search engine. ( Once a criminal logged into a camera, he could attempt to find its location by using the device's internal scanner to see the names of nearby Wi-Fi networks.

This is useful for finding locations because people often name their networks using their street name or the name of their neighborhood, Stanislav said. "I've seen all kinds of crazy things (like that) over the years."

[Researchers show ways to bypass home and office security systems]

The IZON security weaknesses went beyond just the camera. When an alert is triggered, the camera automatically records a short video and sends it to IntelliVision, a video analytics firm that stores the media on the Amazon Simple Storage Service (S3).

Stanislav found that the data sent to IntelliVision was not encrypted. In addition, when he deleted the video on his smartphone, it was still available two months later on the S3 server.

Stanislav did his research by accessing his and his brother's IZON devices through the camera's Telnet port. Telnet is a 40-year-old network protocol used on the Internet and local area networks for bidirectional text communications. Stanislav said the security holes he found would be the same if someone accessed the device over over the Internet through a browser.

Stanislav said he contacted Stem Innovation Sept. 6, which started weeks of back-and-forth communications. As of mid-October, he had received no commitment from the vendor that the holes would be fixed.

"I haven't had confirmation that they're fixing or have fixed any of these (problems)," Stanislav said.

Stem Innovation told The Security Ledger that Stanislav's research contained "inaccuracies and misleading information," but declined to elaborate.

Stem Innovation is not the first surveillance camera vendor to be called out for security lapses. The Federal Trade Commission accused TRENDnet of having so poor security in its SecurView cameras that a hacker could post links on the Web to live camera fees, exposing the private lives of customers.

TRENDnet settled the charges by agreeing not to misrepresent the security, privacy, confidentiality or integrity of the information that its cameras or other devices transmit.

Join the CSO newsletter!

Error: Please check your email address.

Tags security

More about Amazon Web ServicesAppleFederal Trade CommissionTelnetTRENDnet

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts