Flaws Found in Geeni Smart Doorbells, Security CamerasRemote Attackers Could Spy on Audio, Video
A security audit of a batch of consumer IoT devices sold by Walmart, Amazon and Home Depot has turned up serious vulnerabilities, underscoring the security minefield consumers face as the smart home market expands.
See Also: Hybrid IT-OT Security Management
The research focused on devices made by Merkury Innovations, which has a line of smart home products including doorbells and security cameras sold under the Geeni name.
The vulnerabilities were found by TJ O'Connor, an assistant professor and director of the IoT Security and Privacy Lab at the Florida Institute of Technology in Melbourne, Florida, and Daniel Campos, a graduate student there.
"The vulnerabilities could enable a remote attacker to gain privileges access to the devices, listen to all audio and video recorded on the devices, and ultimately use the devices to covertly spy on their users," O'Connor writes in a guest blog post for ReFirm Labs.
Merkury Innovations spokesman Sol Hedaya says: "We’ve encountered no exploits of these vulnerabilities. We regularly update our app and devices for security and performance updates. We appreciate and often work with security researchers such as the disclosure that was recently released."
Some models will get updated firmware later this month, Hedaya says. He didn’t specify the models that will get patches.
"Most of the vulnerabilities noted were based on a single old model that has been discontinued for some time and represents less than 0.1% of our active devices," Hedaya says.
O'Connor's team reported the issues to Merkury in November and published the notice shared with Merkury on Thursday. Security researchers often wait 90 days for a vendor to fix a product and, if there's no action, they release the details.
Telnet On, Hard-Coded Credentials
The Florida Tech team analyzed four security cameras and three doorbells. One doorbell and two cameras had hard-coded Telnet credentials. Telnet was enabled as well, which means such devices could be easily accessible for hackers.
"This exists because the following administrator password hashes are statically built into the firmware," according to Florida Tech's advisory. "These hashes exist on the SPI flash of the device or can be retrieved through the RESTful interface as described in the following section."
Three cameras and two doorbells contain a vulnerability in their RESTful Services API, which could allow an attacker to gain full control of the camera via a high-privileged account, the advisory says.
"The vulnerability exists because a static username and password are compiled into the ppsapp RESTful application," it says. "An attacker could exploit this vulnerability by using this default account to connect to the affected system."
Other issues included a backdoor account with hard-coded credentials that is part of a streaming video service, a RSTP daemon denial-of-service issue and a RSTP daemon remote code execution flaw.
Addressing IoT Issues
To address IoT device security issues, the Atlantic Council, a think tank, has pushed for what's termed a reverse cascade. Under this model, retailers would demand that manufacturers produce devices and components that are secure or otherwise not carry the products (see: How Amazon and Walmart Could Fix IoT Security).
Although the U.S. now has a federal law requiring that IoT devices procured by government agencies meet minimum security standards, it doesn’t apply to consumer devices (see: First Federal IoT Security Legislation Becomes Law). At the state level, however, California and Oregon mandate that manufacturers meet basic security requirements.
In the European Union, the European Standards Organization has released a globally applicable standard for consumer IoT devices. Also, the U.K. launched a Code of Practice for Consumer IoT Security in 2018.
Retailers have caught on to the concerns. In its FY2019 corporate responsibility report, Best Buy Co. noted it was already “working to establish a customer baseline of expectations in the area of security and privacy with respect to IoT devices.”
And in response to the issue with the Geeni devices, a Home Depot spokeswoman tells The Washington Post: "We require all vendors to follow applicable laws, regulations and industry standards and will work directly with the vendor to look into these concerns."