"The device follows the standard setup routine, creating a hotspot during configuration via a wireless network. Once installed, the corresponding mobile application tries to establish a connection with the device’s hotspot and after it detects it, the app connects to it automatically. Next, the app asks the user to introduce the credentials of his home network, which it transmits to the device. The smart plug connects to the local network and the setup process is complete."
- The hotspot isn't password-protected, meaning anyone can connect to it.
- The device's infrastructure doesn't use robust security or authentication measures. For example, the app remotely connects to the device via a generally insecure authentication method known as Basic Access Authentication. Additionally, the device's username and password are not encrypted but encoded using a Base64 scheme when sent over the wire. That means an attacker could reverse the process to access the camera, change the login settings, and shut out the user.
- The mobile app sends the local network credentials over to the device in plaintext, meaning an actor could eavesdrop on that communication and gain unauthorized access to the user's Wi-Fi network.
- The webcam authenticates with its cloud server using its MAC address only. An attacker could therefore use another device with the same MAC address to impersonate the genuine product, intercept login information, and gain access to the device through the mobile app.
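
The Basic Access Authentication weakness in the list above can be checked for in captured traffic. The following audit sketch is an added example, not code from the researchers or the vendor: it flags requests whose `Authorization: Basic` header can be decoded without any key and marks them as exposed when the transport is plain HTTP. The sample requests, the 192.0.2.10 address, the credentials, and the function names are all constructed for illustration.

```python
import base64
import binascii

BASIC_REQ = ("GET /status HTTP/1.1\r\nHost: 192.0.2.10\r\n"
             "Authorization: Basic YWRtaW46Y2FtZXJhMTIz\r\n\r\n")
# Constructed sample traffic (not from the research): (transport, raw request).
SAMPLE = [
    ("http", BASIC_REQ),
    ("https", BASIC_REQ),
    ("http", "GET /snap HTTP/1.1\r\nHost: 192.0.2.10\r\nAuthorization: Bearer abc\r\n\r\n"),
    ("http", "GET /info HTTP/1.1\r\nHost: 192.0.2.10\r\nAuthorization: Basic !!bad!!\r\n\r\n"),
]

def parse_headers(raw):
    """Map lower-cased header names to values, skipping the request line."""
    headers = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_basic_auth(transport, raw):
    """Return a finding for a request using HTTP Basic auth, else None."""
    scheme, _, token = parse_headers(raw).get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    exposed = transport == "http"  # without TLS, anyone on the path can read the header
    try:
        # Base64 is an encoding, not encryption: no key is needed to reverse it.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return {"status": "malformed", "user": None, "exposed": exposed}
    user, sep, password = decoded.partition(":")
    if not sep:
        return {"status": "malformed", "user": None, "exposed": exposed}
    # Report the password length only; the audit output must not store the secret.
    return {"status": "decoded", "user": user,
            "password_len": len(password), "exposed": exposed}

def audit_all(sample):
    """Run the audit over every captured request and keep only the findings."""
    return [f for f in (audit_basic_auth(t, r) for t, r in sample) if f]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE):
        print(finding)
```

The same header sent over HTTPS is reported with `exposed` set to false, because only TLS keeps the reversible encoding off the wire.
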
"Anyone can use the app, just as the user would. This means turning on audio, mic and speakers to communicate with children while parents aren’t around or having undisturbed access to real-time footage from your kids’ bedroom. Clearly, this is an extremely invasive device, and its compromise leads to scary consequences."

Nowhere in the blog post do the researchers name the product or the vendor. They do say, however, that they practiced responsible disclosure and that the vendor is currently working to fix the camera's security flaws.

In the meantime, both users and manufacturers should do more to emphasize the importance of IoT security. Users should ask themselves questions about the devices they own and want to buy in order to select the most secure products out there, while manufacturers should implement better update mechanisms in their products. For additional perspective on the security challenges of the Internet of Things, please read this conversation.