Hijacking of arbitrary miSafes Mi-Cam video baby monitors

Project Description

The miSafes Mi-Cam device is vulnerable against multiple critical vulnerabilities which includes unauthenticated access and hijacking of arbitrary video baby monitors.


We have published an accompanying blog post to this technical advisory with
further information:

https://www.sec-consult.com/en/blog/2018/02/internet-of-babies-when-baby-monitors-fail-to-be-smart/index.html

Vendor description

“Mi-CamHD, Wi-Fi remote video monitor for everyone; 720P HD quality video, easy set up & use, two-way talk and supports free local video recording, all can be use by our user friendly Mi-Cam app.”

Source: http://www.misafes.com/mi-cam

Business recommendation

SEC Consult recommends not to use this device until a thorough security review has been performed by security professionals and all identified issues have been resolved! Although cloud-connected hardware may have an advantage regarding usability and convenience for users, if security is lacking those products pose a great risk for all customers.

Furthermore, it seems there exist similar products from other vendors, e.g. “Qihoo 360 Smart Home Camera”, that look exactly the same and may also be affected but SEC Consult could not verify this. The cloud component hosted by “qiwocloud2.com” may be used by other products as well. Additional information regarding other vendors are described in our blog post linked at the top of this advisory.

Vulnerability overview/description

The usage of the Mi-Cam video baby monitor and its Android (or iOS) application, involves numerous requests to a cloud infrastructure available at ipcam.qiwocloud2.com with the aim of communicating with the video baby monitor or respective Android application. The Android application has at least 50000-100000 installations according to Google Play Store with potentially as many iOS users as well.

SEC Consult has identified multiple critical security issues within this product.

1) Broken Session Management & Insecure Direct Object References

The usage of the Android application “Mi-Cam” and the interaction with the video baby monitor involves several different API calls. A number of critical API calls can be accessed by an attacker with arbitrary session tokens because of broken session management.

This allows an attacker to retrieve information about the supplied account and its connected video baby monitors. Information retrieved by this feature is sufficient to view and interact with all connected video baby monitors for the supplied UID.

2) Missing Password Change Verification Code Invalidation

The password forget functionality sends a 6-digit validation key which is valid for 30 minutes to the supplied email address in order to set a new password. Multiple codes can be requested though while previously delivered codes do not get invalidated and anyone of them can be used as a valid key. This can easily be brute-forced to take over other accounts.

3) Available Serial Interface

The PCB of the video baby monitor holds an unlabeled UART interface where an attacker is able to get hardware level access to the device and for instance extract the firmware for further analysis. SEC Consult identified further security issues such as outdated software (issue 6) or weak passwords (issue 4) by analyzing the firmware using IoT Inspector.

4) Weak Default Credentials

The “root” user available on the video baby monitor uses very weak default credentials with only 4 digits.

5) Enumeration of user accounts

The password reset functionality leaks information about the existence of supplied user accounts which can aid in further (brute-force) attacks.

6) Outdated and Vulnerable Software

Several software components which are affected by publicly known vulnerabilities were identified in the firmware of the video baby monitor.

Proof of concept

As the vendor could not be reached in order to get the issues fixed we will omit detailed proof of concept information in this advisory.

1) Broken Session Management & Insecure Direct Object References

Several functionalities are vulnerable because session tokens are not checked properly and can be used without any valid user account.

Excerpt of API calls:

  • /family/get_list
  • /family/get_group_list
  • /family/invite_join
  • /family/change_name
  • /family/unbind

Sending or respectively intercepting the following request and supplying an arbitrary consecutively numbered UID, allows an attacker to retrieve information about the supplied account and its connected video baby monitors. Information retrieved by this feature is sufficient to view and interact with all connected video baby monitors for the supplied UID.

<HTTP POST request PoC removed>

2) Missing Password Change Verification Code Invalidation

By sending the following request to “/user/request_email_code“, a validation key can be requested:

<HTTP POST request PoC removed>

This request can be sent multiple times in order to increase the possibility for a successful brute-force attack on the validation key. Each requested validation key is valid for 30 minutes and can be used to reset the password. During the period of the assessment, the following two sender addresses could be observed:

  • passwords@misafes.com
  • misafes@ug-smart.com

3) Available Serial Interface

Unlabeled and grouped through-hole pins located on the PCB of the video baby monitor can be used to connect to a UART interface. This leads to access to the boot loader and extraction of the firmware for further analysis.

Further information regarding the hardware including screenshots can be found within our blog post.

4) Weak Default Credentials

By analysing the extracted firmware or by simply perfoming a brute force attack, it is possible to identify the following very weak 4-digit default credentials used by the video baby monitor:

root:<redacted>

5) Enumeration of user accounts

By sending the following request to “/user/request_email_code“, it is possible to gain information about the existence of registered user accounts by observing the response:

<HTTP POST request PoC removed>

The HTTP response contains information of either the existence or non-existence of the supplied email address.

<HTTP server response removed>

This behavior can also be observed using the “/user/check_username” request.

6) Outdated and Vulnerable Software

The following publicly known vulnerable software componenents were identified in the firmware of the video baby monitor by using IoT Inspector:

  • BusyBox 1.22.1 – multiple CVE
  • hostapd 0.8.x – CVE-2015-8041
  • OpenSSL 1.0.1j – multiple CVE
  • Linux Kernel 2.6.35 – multiple CVE

Vulnerable / tested versions

During our investigation the main focus was to analyse the communication between the app, the video baby monitor and the cloud infrastructures but not the applications (Android, iOS) themselves.

Android Application:

  • Mi-Cam v1.2.0 (most up to date version in November 2017)

Video baby monitor:

  • Firmware 1.0.38 (most up to date version in November 2017)

It is assumed that the iOS app v1.0.5 is affected as well, as the vulnerabilities are within the server-side API.

Vendor contact timeline

2017-12-06:Contacting vendor through contact@misafes.com
2018-01-03:Resending initial contact approach
2018-01-29:Resending initial contact approach
2018-02-07:Attempting to contact China CNCERT/CC (PGP encrypted), received “550 Mail content denied” from their mailserver, resending unencrypted without attachments, same error message
2018-02-07:Contacting CERT/CC, asking for coordination support
2018-02-12:Asking CERT/CC again
2018-02-12:CERT/CC has decided not to coordinate or publish this vulnerability
2018-02-21:Public release of security advisory

Solution

The vendor could not be reached and there is no update available.

Workaround

It is highly recommended not to use this product as there is no workaround available.

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

 

EOF Mathias Frank / @2018

Project Details

  • TitleHijacking of arbitrary miSafes Mi-Cam video baby monitors
  • ProductmiSafes Mi-Cam
  • Vulnerable versionAndroid application v1.2.0, iOS v1.0.5, Firmware v1.0.38
  • Fixed version-
  • CVE number-
  • Impactcritical
  • Homepagehttp://www.misafes.com/mi-cam
  • Found2017-11-30
  • ByMathias Frank (Office Vienna) | SEC Consult Vulnerability Lab

Cookie Preference

Please select an option. You can find more information about the consequences of your choice at Help.

Select an option to continue

Your selection was saved!

Help

Help

To continue, you must make a cookie selection. Below is an explanation of the different options and their meaning.

  • Accept all cookies:
    All cookies such as tracking and analytics cookies.
  • Accept first-party cookies only:
    Only cookies from this website.
  • Reject all tracking cookies:
    No cookies except for those necessary for technical reasons are set.

You can change your cookie setting here anytime: Blog. Blog

Back