Home Security Camera Sends Video To Wrong User (bbc.com)
An anonymous reader quotes a report from the BBC: A leading security camera-maker has sent footage from inside a family's home to the wrong person's app. Swann Security has blamed a factory error for the data breach -- which was brought to its attention by the BBC -- and said it was a "one-off" incident. The BBC first learned of the problem on Saturday, when a member of its staff began receiving motion-triggered video clips from an unknown family's kitchen. Until that point, Louisa Lewis had only received footage from her own Swann security camera, which she had been using since December. The development coincided with Ms Lewis's camera running out of battery power and requiring a recharge. A Swann spokeswoman said that "human error" had caused two cameras to be manufactured that shared the same "bank-grade security key -- which secures all communications with its owner." "This occurred after the [family] connected the duplicate camera to their network and ignored the warning prompt that notified: 'Camera is already paired to an account' and left the camera running," she added.
How is an ordinary user supposed to know the meaning or significance of that geekish warning message?
Yeah, right.
'Camera is already paired to an account' as a warning when you've already paired it to your account? That's not human error, that's a design flaw.
A subtle attempt to shift blame to the people that bought this piece of (apparent) junk, ""This occurred after the [family] connected the duplicate camera to their network and ignored the warning prompt that notified: 'Camera is already paired to an account' and left the camera running," she added."
'Camera is already paired to an account'? Could mean it's already been paired to my account and I'm trying to re-pair it. Could be a message indicating success – that you've paired it to the intended account. I'm sure the company will claim this message's meaning is crystal clear and that the people who bought it are partially to blame. I'm not buying that (the dodge or the webcam).
Your gun is currently aimed at your own foot. Are you sure you wish to continue pulling the trigger?
Given that the system identified the multiple account issue, and I assume they didn't have a common system in place to allow multiple accounts to work with one camera why was:
a) the camera not depaired from the old account?
b) the camera allowed to be paired to a new account?
bonus question:
c) if this was by design to allow multiple accounts to access a camera, why is the system setup in such a poor way?
>A Swann spokeswoman said that "human error" had caused two cameras to be manufactured that shared the same "bank-grade security key"
If I fucked up that hard, I would not try to sneak marketing-speak into an apology...
Also, what does "bank-grade security key" actually mean, "it's one of those fancy keys made with bits"?
It's not 'bank-grade' if you re-use the damned key.
They can say this is a one-off all they want, but I suspect this is yet another company with shit products and terrible security.
"We are regretful that this was not addressed immediately and adequately by our support team, when discovered. We have addressed this and made some internal changes."
They do however have a previous incident where the exact same thing happened, and in that case they apparently suggested it was because two completely unrelated users used the same user and password (which wasn't true).
Warning messages like this are entirely useless. If someone gets a message 'Camera is already paired to an account', they'll get annoyed and click through it. It doesn't tell them what the problem really is, it doesn't warn them of the consequences, and it's just plain in the way of them finishing the onerous task of registering their devices to get basic functionality.
A better message might have warned them, 'this camera appears to be already registered to another account, possibly because it was resold. If you continue, the camera's previous owner will be able to view this camera in your home'. Even better, it could instruct them to contact tech support to switch ownership of this camera. Better yet, do away with the annoying useless popup message and just deregister the old account's ownership.
They say it's a one-off factory error, but they still should have been able to foresee a camera being bought by one user and later sold to another user. Dealing with that problem would have made the one-off factory error a nonissue. Yes it would have deregistered the old camera, but at least that's something that can be handled through support rather than by sending video to the wrong account.
Trust the cloud. Believe the cloud!
Another good cloud implementation. The video leaves the local network, goes to some server somewhere where anyone can access it, and then the server sends it to someone else. Of course, you COULD just store the video on the local SD card in the camera, but then it wouldn't be cloud enabled.
And there's a big part of the problem: the phrase 'Camera is already paired to an account' is just so much word salad to the average user. They will look at it for a moment, briefly wonder what those words might mean, then click through and forget about them.
If you want people to take such warnings seriously, you need to make it much more explicit, as in: "WARNING: The camera is already paired to another user's account. If you continue to use this camera, that user will be able to view the images from it without your knowledge. Please contact Swann technical support at xxx-xxx-xxxx immediately."
The way it should work is for a device to check if it has a key, and if it doesn't, generate it internally. It should *not* be the case that a device has the private key injected by something externally generating the key. Moving private keys around is bad practice, and everything that purports to be secure needs to generate the key on-device rather than accept an external key.
XML is like violence. If it doesn't solve the problem, use more.
Is that like the "military-grade aluminum" Ford has been advertising as making their trucks out of now?
In that context it probably means material that is mil-spec. Just means it has certain characteristics specified by and conforming to a standard set by the military. Doesn't mean it's necessarily anything special. Milspec parts often meet other standards too though milspec parts are typically more rigorous than many other standards available.
Companies like to use this to do some promotional puffery that makes their product sound more impressive than it might otherwise but what they are saying isn't a lie and it does have some meaning.
If I'd received the "already paired" text alert on my (sounds like) 2nd boot of the device, I'd think it was telling me it was paired to my account. Now if it said "already paired to SOMEONE ELSE'S account", that'd be a bit different.
Poor Programming and "DevOps" done by the team.
-Poor manufacturing quality control [ duplicate key ]
-Poor programming - duplicate key not detected
-Poor testing - duplicate keys should be rejected
-Poor security - duplicate keys should be revoked
-Poor quality App Testing
-Poor quality hardware/software integration - duplicate keys should be rejected by server, and a new key generated
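A server-side pairing registry along the lines of the two posts above (deregister the previous owner on an explicit transfer instead of leaving one key live on two accounts, and have the server reject a duplicate key before it ever ships). This is an added example, not Swann's code or anyone's in this thread; the class, method names and status strings are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class PairingRegistry:
    """Server-side record of which account each camera key is bound to.

    Hypothetical design for the thread's point: a key is issued once,
    belongs to exactly one account, and changes hands only by an explicit
    transfer that revokes the previous owner first.
    """
    issued: set = field(default_factory=set)       # keys the factory has shipped
    bindings: dict = field(default_factory=dict)   # device_key -> account_id
    audit: list = field(default_factory=list)      # ownership changes, for support

    def provision(self, device_key: str) -> bool:
        """Factory step: refuse to ship a second unit carrying an issued key."""
        if device_key in self.issued:
            return False
        self.issued.add(device_key)
        return True

    def pair(self, device_key: str, account_id: str,
             confirm_transfer: bool = False) -> str:
        """Bind a camera to an account; the return value drives the app's message."""
        if device_key not in self.issued:
            return "not-provisioned"
        owner = self.bindings.get(device_key)
        if owner is None:
            self.bindings[device_key] = account_id
            return "paired"
        if owner == account_id:
            # Same camera reconnecting after a recharge: nothing changes.
            return "already-yours"
        if not confirm_transfer:
            # Never let one key stay live on two accounts: stop here until the
            # new user explicitly takes ownership.
            return "owned-by-other-account"
        # Explicit transfer: the old owner loses access before the new bind,
        # so no clip is ever routed to both.
        self.audit.append(("transfer", device_key, owner, account_id))
        self.bindings[device_key] = account_id
        return "transferred"


# Plain-language messages for the statuses the app has to show (constructed).
MESSAGES = {
    "already-yours": "This camera is already set up on your account.",
    "owned-by-other-account": ("This camera is registered to ANOTHER account. "
                               "If you continue, that account will keep seeing "
                               "video from your home. Contact support to "
                               "transfer ownership."),
}
```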
I build my own security cam with a Raspberry Pi, a CSI camera, and an infrared detector; it cost less than $100. It mails me snaps of motion, and doesn't need "cloud" access. It also avoids all these problems above.
Bank grade would be a four digit PIN.
Mail gets delivered to wrong person: no biggie.
Data mistakenly gets sent to wrong account: OMG THIS IS SO TERRIBLE. MAH PRIVACY. GAWDDDDD COMPANIES. OH DAMN YOU CRUEL WORLD.
There's really no difference in the systems underlying both in terms of routing and handling information - so why is everyone surprised that they're equally error prone?
I'd just like to know... thanks... what makes a security key "bank grade?" What is so special about the security keys used by banks?
WHY do cameras 'have' to be connected to 'the cloud'? Every camera on the market apparently NEEDS to be internet-connected.
Why can't they offer the ability - if the customer wants it - to simply stream to a router and then from the router to a device IN the house? As an example: I (wheelchair-bound, two floors, stairlift, wheelchair on each floor, slow but sufficient-for-me cheap internet) would LOVE to have a secure system to let me see all my cameras on a wifi/smartphone off a separate non-internetted router rather than have it streamed somewhere (needing a faster, pricey connection) to be bounced back to me.
It's what they want you to think, but nope. If it was actually mil-spec, they'd have said so.
Mil-spec doesn't mean anything to most general consumers. Saying "military grade" is the marketing BS for the same thing and it provides some legal cover in case some lawyer gets a burr in their saddle about it.
Ford can't say "mil-spec" unless there is actually a military spec that addresses the material in question, and the material actually meets that specification.
And as it happens there ARE military specifications for most materials including aluminum. I deal with them daily. Most metals have mil-spec options if you want them. In many cases they don't even cost extra. I deal in wire (copper mostly) that routinely has UL, mil-spec, and several other specifications attached to it. I sell products daily that I could say have "military grade copper" in them if I wanted to. Wouldn't mean much but it wouldn't be a lie either. Without looking I can almost guarantee you some amount of the aluminum that Ford uses happens to have a mil-spec on it.
It sounds like this is an identifier rather than an encryption key, but let's suppose we're talking about keys, and specifically private keys.
Yes, it's more secure to generate a private key on the device, so insider threats don't know the key. However, that makes it MORE likely to have duplicates, not less likely. Generating them externally, you can easily ensure you don't get repeats, or more easily, control the likelihood of repeats with a good random source.
If the device generates its own key, the default is that two cameras with the same electronics will generate the same key. You have to put in significant work to come up with a pseudo-random number from deterministic electronics. Unless the device publishes something about the key, you can't be sure there are no duplicates.
Does anyone have a suggestion for a good wifi camera for someone that already has FreeNAS?
I'm a good cook. I'm a fantastic eater. - Steven Brust
The message "Camera is already paired to an account" to me means that after I replaced the battery I don't need to set up my account again, because it still paired to my account.
Everybody else sells Military Grade!
Today's lazy dev mentality. Every fiscal quarter a certain dev or other will delegate a dangerous bug into the realm of "one-off". I am tired of this mentality of waving bug tracker reports away and closing them. We know they never get to the bug if it's delayed as a "corner case", improbable, right off the bat. They often close 'em when long enough has passed that we've stopped posting new leads, reports and requests for updates. Worse, many bug reports remain as "NEW" for years even after several different weeks of our trying to escalate them. It's intentional cruft.
Devs are saving face when they mess up. "One-off" is PR made to allude to some lottery-winning odds... a quantum soup with flukes so infinitely improbable that "NEVER GONNA HAPPEN AGAIN because the user will go away if we hide and we can pretend it never happened in the first place!" is the lie we're expected to live with and to spread to the users.
Helpdesk staff and programmers are supposed to follow logical thinking, fully aware that computers are powered by deterministic processes. A certain set of conditions will ALWAYS railroad an input from every single user who mounted the minecart right into a hard brick wall. It's just a matter of having the cart placed visibly enough for the conditions to be met over and over. Yet the people with the power to fix it deem the report as worthless due to negligence and shiny-chasing desires. The tech industry's drive is painfully shifting to a realm of stupid^W willfully hostile decisions the likes of Firefox, KDE4, Gnome3, Windows Metro and 10, SystemD proliferation and the Tracking + Analytics + Ad wars.
I've seen cases of severe bugs waved away by either hiding the feature that led to the bug or just giving an inaccurate warning that eventually comes back when some other related component is inadvertently not obfuscated with the same malice. Today's companies only "change" when something horribly high-profile happens and the reputation lands an egg on its face. The low-wage guys at the bottom were unable to change things when there was time and ample focus on the problem and reasons to fix it. Until tech makers --not tech *users* become the focus of today's court retribution worldwide (ie: being arrested for stupid stuff like breaking in when you're reporting an authentication / login breach as a user, but never seeing arrests of developers who create the breach to abuse the back door, let alone policy-makers... closed-door conspirators and knowing CEOs --think internet of things and remote power plant insecurity, while you're at it), things will continue this way.
I can't wait until my bank issues me with a "Bank Grade" key so at least that way I will have access to an account with money in it.
a "one-off" incident
I was really imagining this was weasel-speak for an "off-by-one" error, and everyone was getting the feed from the customer's account with the ID one lower than theirs.
My guess would be that 1 of the devices was the last of a production run, and the other was the first of the next run.
Your theory is way more likely... and less interesting. =)
This is why my cameras are on a separate VLAN that does not route to internet and are only controlled and viewed internally or over VPN.