Is your Dropcam live feed being watched by someone else?

Two researchers will show at Defcon how a Dropcam could turn into a Trojan horse

Patrick Wardle of Synack

Dropcam, the popular video monitoring camera, bills itself as "super simple security." But a pair of researchers plan to show at the Defcon hacking conference later this week how a Dropcam could be a weak point.

Patrick Wardle and Colby Moore, both of whom work for security firm Synack, tore apart a US$200 Dropcam and figured out how its software works.

They found several vulnerabilities, none of which granted the holy grail of remote online access, but say their examination portends security problems because of the increasing pervasiveness of Internet-connected embedded devices, often referred to as the "Internet of things."

Google already has a strong stake in the Internet of things and devices for home automation. It owns Nest Communications, which makes Internet-connected thermostats and smoke detectors. Nest acquired Dropcam in June.

Embedded devices usually don't run security software, and it's very difficult "for consumers to vet the integrity of the devices," said Moore, a security research engineer, in a phone interview.

"People don't realize they are basically mini-computers," he said.

Dropcam sells subscription plans for online video storage. When someone wants to view the video, the service verifies a digital certificate shipped on a Dropcam in order to grant access.

Moore and Wardle plucked the private and public SSL (Secure Sockets Layer) certificates from the Dropcam they analyzed. With those in hand, it would be possible for them to view videos a person has stored or upload their own videos that would appear to have come from a specific Dropcam.

"It would allow an attacker to basically hijack or take over the video stream," Wardle said.

In an email statement, a Nest spokeswoman said such an attack would require physical access to a Dropcam.

"The Synack folks were not able to remotely compromise any of our cameras -- only ones they had physical access to," wrote spokeswoman Kate Brinks. "This is not a unique problem."

But it's not far-fetched that an attacker could buy a Dropcam and give it as a gift to someone, essentially a Trojan horse attack that opens up their video to monitoring.

"This isn't too far out of the realm of the possible," Wardle said.

The German publication Der Spiegel reported late last year that the U.S. National Security Agency's Office of Tailored Access Operations ran an "interdiction" program that intercepted deliveries of new computer equipment and planted spyware. The publication said it was one of the most successful programs the agency ran.

Wardle said they stopped short of looking too deeply into Dropcam's storage service, which is on Amazon Web Services. But they were able to upload video using the device's SSL certificate.

"We were able to broadcast a stream to the cloud masquerading as the camera," said Wardle, who is Synack's director of research.

They also created malicious software for Apple's OS X that could be delivered by a new Dropcam to a person's computer, similar to an NSA-style interdiction attack.

Wardle and Moore referred to the code as an "implant." It defeated Apple's XProtect, which is a basic antimalware program; Gatekeeper, which blocks applications that haven't come from the Mac App Store or a known developer; and a defense in OS X Mavericks that requires properly signed kernel drivers, Wardle said.

The implant allows a hacker to remotely view a Dropcam's live video feed and turn on its powerful microphone, a so-called "hot miking" attack. Attackers can also use the implant code to run a scan on the network it is connected to, potentially uncovering other weak points for attack, Moore said. The code also transmits geolocation information so the cameras can be plotted on a map.

Such tampering with a Dropcam would be unknown to a consumer or a company, Moore said. Embedded devices -- at least now -- don't run security software, and what goes on inside of them is often opaque.

"I'm not sure there's a good solution, but it's something the security industry needs to think about," Moore said.

One solution to tampering may be to require that new code uploaded to a Dropcam have an approved digital signature, known as code signing, Wardle said. Apple uses this model with its iPhone, which prevents devices from running applications not approved by the company. Then, it would at least require hackers to perform a "jailbreak" attack to break that restriction before putting malware on a Dropcam.

The Dropcam has a button on the device that, if pushed, allows unsigned firmware to be uploaded if the right protocol is used, Wardle said. The button is probably there for convenience for provisioning software after the hardware comes from the factory, Wardle said.
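An added example, not code from the article or from Dropcam's firmware, of the code-signing check Wardle describes: the device accepts an update only if the image carries a signature that verifies under a vendor public key stored on the device, so an unsigned or altered image is refused rather than installed. The image layout, the "DCFW" magic and the Ed25519 key pair are constructed here for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var magic = []byte("DCFW") // constructed layout: magic | 64-byte Ed25519 signature | payload

// NewVendorKey stands in for the vendor's signing key pair: only the public half is
// burned into the device; the private half never leaves the vendor's build system.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// SignFirmware is the vendor-side build step that wraps a payload in a signed image.
func SignFirmware(vendorPriv ed25519.PrivateKey, payload []byte) []byte {
	image := append([]byte{}, magic...)
	image = append(image, ed25519.Sign(vendorPriv, payload)...)
	return append(image, payload...)
}

// VerifyFirmware is the device-side gate: the payload is returned only when its signature
// verifies under the vendor public key, so unsigned or altered images are refused.
func VerifyFirmware(vendorPub ed25519.PublicKey, image []byte) ([]byte, error) {
	hdr := len(magic) + ed25519.SignatureSize
	if len(image) < hdr || !bytes.HasPrefix(image, magic) {
		return nil, errors.New("malformed image")
	}
	sig, payload := image[len(magic):hdr], image[hdr:]
	if !ed25519.Verify(vendorPub, payload, sig) {
		return nil, errors.New("signature does not verify: image not approved by vendor")
	}
	return payload, nil
}

func main() {
	pub, priv := NewVendorKey()
	good := SignFirmware(priv, []byte("firmware v1.0 (constructed payload)"))
	tampered := append([]byte{}, good...)
	tampered[len(tampered)-1] ^= 0x01 // flip one payload bit after signing
	_, errGood := VerifyFirmware(pub, good)
	_, errBad := VerifyFirmware(pub, tampered)
	fmt.Println("genuine accepted:", errGood == nil, "tampered accepted:", errBad == nil)
}
```

A provisioning mode that skips VerifyFirmware, as the button described above does, bypasses this gate entirely, which is why such a mode should not be reachable once the device is in a customer's hands.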

The researchers are waiting for Dropcam to fix the other vulnerabilities they found, which concern other applications on the device and configuration issues when a Dropcam is plugged into a computer.

Still, even with the vulnerabilities, Moore said, "I think Dropcam has done a lot of things right."

For example, it encrypts connections with its home servers over SSL. Dropcam also completely reimages its devices when it sends out updates, Moore said.

Moore and Wardle did catch Dropcam out on SSL -- Dropcam hadn't applied the patch for OpenSSL that fixes the Heartbleed vulnerability, but after it was notified by Synack, the company did it "very quickly," Wardle said.

Moore and Wardle's presentation is scheduled for 11 AM Sunday at Defcon in Las Vegas.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk
