Slashdot Mirror
IZON IP Cameras Riddled With Security Flaws
An anonymous reader writes "With recent action by the FTC against TRENDnet, the 'Internet of Things' has taken a sharp turn in the eyes of the public and government with regard to security. This week, Duo Security employee Mark Stanislav presented security research he did on the IZON IP camera from Stem Innovation. Through his testing, Mark found hardcoded credentials for Linux accounts (accessible by Telnet; Yes, — really), an undocumented web interface allowing for viewing a camera's stream (also with hardcoded credentials, user/user), and a variety of other failings including a lack of cryptography in most of the camera's functionality, including when uploading videos to Amazon Web Services's S3 storage." According to the above-linked article, "Contacted by The Security Ledger, Stem Innovation CTO Matt McBeth said that the IZON firmware, server system and iOS applications tested by Stanislav have since been updated, and that the research contains “inaccurate and misleading information.” Stem did not provide specific information about any inaccuracies."
Who cares about izon?
You really need to worry more about dogs named Skippy.
I'll be generous and guess that IZON farmed out too much of their software development to ... wherever. Perhaps the company's principals are more hardware oriented, but it's interesting that they're now advertising for an iOS team lead.
Luke, help me take this mask off
...so do a lot of things - who gives a shit!
People that like to be able to watch what goes on inside their homes when they're gone, but don't want every spook and perv on the planet to be able to as well?
Do we really need a new story for each one of these?
How else would you know about it?
Man, it seems the trolls are running out of material these days.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Here's what happens... The company gets a Linux SDK from some chip vendor which works on some reference platform. This is intended for development and evaluation purposes and has many interfaces exposed, which is generally what you want for development. The producer then hires some cheap amateurish programmers to write some application code on top of the SDK to make the product do stuff. The stock kernel and filesystem is deployed as-is. No security audit is done, no unnecessary services are closed, and few things are removed from the stock SDK filesystem. It will never get fixed for any or all of the following reasons: 1) No one at the company has enough experience to lock down/strip down Linux - they just know how to write applications on-top. 2) There are deadlines and the management has a "it works, ship it!" mentality. 3) Some developer/engineer might know how to do things properly, but is so swamped with deadlines and babysitting all the juniors that it can't happen.
Oh, how many of this story fills out spots on the Public Relations Security Bingo game? I counted four. You have to refresh to get all of the possible options; there are more than fit on any one card :)
For your security, this post has been encrypted with ROT-13, twice.
Anybody that would think these systems offer any level of security is only kidding themselves. They are a simple convenience to avoid needing to set up a VPN for trivial data. I wish I could find a better solution, but for a camera that sits in the window looking at the street not especially worried.
This is just a consumer-grade device, I'm more worried about actual supposedly "professional grade" security cameras. For example the IQInvison cameras all have the hard-coded username/password of root/system and YOU CAN'T CHANGE IT. Several cameras can only take 6-8 character lower case alpha-numeric passwords. Many of them have root or system as their only user. Only Axis and Pelco seem to have a clue that a security device should actually be secure.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
A back door is not a security flaw. It's there by design not by accident.
Seven puppies were harmed during the making of this post.
What if you accidentally forget to disable it before the device you were developing for ends up on sale?
systemd is Roko's Basilisk.
Because people routinely do dumb things.
People should know about these backdoors, no question.
On the other hand, the first linked story about the FTC crackdown on TrendNet makes no sense what so ever, when another branch of the government makes it their business to crack every possible privacy protection of anyone in the world.
Sig Battery depleted. Reverting to safe mode.
A back door is not a security flaw. It's there by design not by accident.
A backdoor is a security flaw if
a) the owners are not told that it is there (or)
b) the owners can not turn it off (or)
c) if the FTC says it is.
There are (deliberately vague) promises about security made on the IZON site.
IZON lets you watch & listen from anywhere, with secure access to the IZON video stream.
To not reveal a backdoor account has already been found by the FTC (see first link) as a violation which
gets you 20 years worth of monitoring: Per the FTC in the TrendNet case:
The company also is required to obtain third-party assessments of its security programs every two years for the next 20 years.
Sig Battery depleted. Reverting to safe mode.
Until the really awfully managed company decided to outsource all of the software development to contractors. This was after wiping out the team in place before I joined. They are a very unstable company, which really favors knee-jerk decision making. I'm not surprised by any of this, the company is run by the idiot kid of a rich guy who doesn't know the first thing about tech. The hardware was well designed by the CTO, who apparently isn't able to steer the technology decisions of the company. Unfortunate. He's a good guy. But the company is ultimately helmed by the CEO, and he's a fat fucking moron.
"I would argue that this is an especially egregious flaw in something likely to be used in a security context, and perhaps by people unaware of these backdoors. So, in this instance, yes, I think it's a public service."
In TV shows and movies the local 'hacker' can get to these cameras in about 3.2 seconds and now we know why.
Well if they actually did have security then you couldn't troll google looking for active webcams like this one http://susandennis.axiscam.net/view/viewer_index.shtml?id=1304
That's an Axis camera, they could have required a login to view the image, it's just a check box. At least the Setup password appears to be something not-default, which is not surprising because Axis cameras require the user to create a password on first login (unlike a **LOT** of other cameras.) Considering the domain listed it's likely that it's actually intended to be viewable by anyone.
Damn that's ugly furniture.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
To boot, it isn't hard to make decent security. I was using NetBotz over ten years ago and never have heard of any security problems with their design.
Why would you have a back door in development? All you have to do is have the "front door" unlocked...and you lock it down before shipping.
Seven puppies were harmed during the making of this post.
People that like to be able to watch what goes on inside their homes when they're gone
Hard to believe that for thousands of years people went out without having the ability to watch what was going on inside their homes when they were gone. How ever did they manage?
So you can make sure the front door locks work, for one thing.
systemd is Roko's Basilisk.
Really? We didn't have x a millennia ago but we do now and we should avoid it because reasons?
I won't bother pointing out loads of nice things we didn't have before that, having now, has made us a lot happier,safer, more productive or just plain given us new experiences. Even so, I wouldn't mind having something like this so that when the motion alert popped on my phone I could eyeball the screen to see if it was the cat, the kids coming home or that spree burglar who's been making short work of the neighborhood near us.
Oh, and that guy was partially caught on one homeowner's outdoor cams so cops have a good description of his truck (assuming it's not a one-off hotwire) and I think a profile of him too.
Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
I lost interest when I saw it requires an iPod, iPhone, or iPad.
People that like to be able to watch what goes on inside their homes when they're gone
Hard to believe that for thousands of years people went out without having the ability to watch what was going on inside their homes when they were gone. How ever did they manage?
Dogs.
An enigma, wrapped in a riddle, shrouded in bacon and cheese