We have published an accompanying blog post to this technical advisory with
further information:
www.sec-consult.com/blog/detail/internet-of-babies-when-baby-monitors-fail-to-be-smart/
Vendor Description
“Mi-CamHD, Wi-Fi remote video monitor for everyone; 720P HD quality video, easy set up & use, two-way talk and supports free local video recording, all can be used by our user friendly Mi-Cam app.”
Source: http://www.misafes.com/
Business Recommendation
SEC Consult recommends not using this device until a thorough security review has been performed by security professionals and all identified issues have been resolved! Although cloud-connected hardware may offer advantages in usability and convenience for users, such products pose a great risk to all customers if security is lacking.
Furthermore, similar products from other vendors appear to exist, e.g. the “Qihoo 360 Smart Home Camera”, that look exactly the same and may also be affected, but SEC Consult could not verify this. The cloud component hosted at “qiwocloud2.com” may be used by other products as well. Additional information regarding other vendors is provided in our blog post linked at the top of this advisory.
Vulnerability Overview / Description
Using the Mi-Cam video baby monitor with its Android (or iOS) application involves numerous requests to a cloud infrastructure available at ipcam.qiwocloud2.com, through which the application and the video baby monitor communicate with each other. The Android application has at least 50000-100000 installations according to the Google Play Store, with potentially as many iOS users as well.
SEC Consult has identified multiple critical security issues within this product.
1) Broken Session Management & Insecure Direct Object References
The usage of the Android application “Mi-Cam” and the interaction with the video baby monitor involves several different API calls. A number of critical API calls can be accessed by an attacker with arbitrary session tokens because of broken session management.
This allows an attacker to retrieve information about the supplied account and its connected video baby monitors. Information retrieved by this feature is sufficient to view and interact with all connected video baby monitors for the supplied UID.
2) Missing Password Change Verification Code Invalidation
The forgotten-password functionality sends a 6-digit validation key, valid for 30 minutes, to the supplied email address in order to set a new password. Multiple codes can be requested, however, and previously delivered codes are not invalidated, so any one of them is accepted as a valid key. This can easily be brute-forced to take over other accounts.
3) Available Serial Interface
The PCB of the video baby monitor holds an unlabeled UART interface through which an attacker can gain hardware-level access to the device and, for instance, extract the firmware for further analysis. SEC Consult identified further security issues such as outdated software (issue 6) and weak passwords (issue 4) by analyzing the firmware using IoT Inspector.
4) Weak Default Credentials
The “root” user available on the video baby monitor uses very weak default credentials with only 4 digits.
5) Enumeration of user accounts
The password reset functionality leaks information about the existence of supplied user accounts which can aid in further (brute-force) attacks.
6) Outdated and Vulnerable Software
Several software components which are affected by publicly known vulnerabilities were identified in the firmware of the video baby monitor.
Proof Of Concept
As the vendor could not be reached in order to get the issues fixed, we omit detailed proof of concept information in this advisory.
1) Broken Session Management & Insecure Direct Object References
Several functionalities are vulnerable because session tokens are not checked properly and can be used without any valid user account.
Excerpt of API calls:
- /family/get_list
- /family/get_group_list
- /family/invite_join
- /family/change_name
- /family/unbind
Sending (or intercepting and modifying) the following request with an arbitrary UID, which are numbered consecutively, allows an attacker to retrieve information about the supplied account and its connected video baby monitors. Information retrieved by this feature is sufficient to view and interact with all connected video baby monitors for the supplied UID.
<HTTP POST request PoC removed>
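The authorisation failure behind issue 1, modelled as an added example that is not the vendor's or the app's code: a handler that trusts a caller-supplied UID beside one that binds the UID to the authenticated session, plus a check over access-log events that flags UID sweeps. The session store, handler names, event shape and threshold are assumptions.

```python
# Added example, not the vendor's code: the authorisation pattern behind
# issue 1, a hardened counterpart, and a log check for UID sweeps.
# Session store, handler names and threshold are assumptions.

# Constructed session store: token -> uid of the user who logged in.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}
# Constructed account data: uid -> monitors bound to that account.
FAMILY = {1001: ["cam-A1"], 1002: ["cam-B7"]}


def get_list_vulnerable(token, uid):
    """Never validates the token and trusts the caller-supplied uid, so a
    made-up token plus a consecutive uid exposes any account's monitors."""
    return {"status": "ok", "devices": FAMILY.get(uid, [])}


def get_list_hardened(token, uid):
    """Derives the identity from the session only and refuses a uid
    parameter that does not belong to that session."""
    owner = SESSIONS.get(token)
    if owner is None:
        return {"status": "error", "code": 401}   # unknown or expired token
    if owner != uid:
        return {"status": "error", "code": 403}   # foreign uid: worth logging
    return {"status": "ok", "devices": FAMILY[uid]}


def flag_uid_sweeps(events, threshold=3):
    """Detection over constructed access-log events (token, requested uid):
    flag tokens that asked for several uids other than the session's own,
    the typical footprint of a sweep over consecutive UIDs."""
    foreign = {}
    for token, uid in events:
        if uid != SESSIONS.get(token):
            foreign.setdefault(token, set()).add(uid)
    return sorted(t for t, uids in foreign.items() if len(uids) >= threshold)
```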
2) Missing Password Change Verification Code Invalidation
By sending the following request to “/user/request_email_code”, a validation key can be requested:
<HTTP POST request PoC removed>
This request can be sent multiple times in order to increase the likelihood of a successful brute-force attack on the validation key. Each requested validation key is valid for 30 minutes and can be used to reset the password. During the assessment, the following two sender addresses were observed:
- passwords@misafes.com
- misafes@ug-smart.com
3) Available Serial Interface
Unlabeled, grouped through-hole pins located on the PCB of the video baby monitor can be used to connect to a UART interface. This provides access to the boot loader and allows extraction of the firmware for further analysis.
Further information regarding the hardware including screenshots can be found within our blog post.
4) Weak Default Credentials
By analysing the extracted firmware or by simply performing a brute-force attack, it is possible to identify the following very weak 4-digit default credentials used by the video baby monitor:
root:<redacted>
5) Enumeration of user accounts
By sending the following request to “/user/request_email_code”, it is possible to gain information about the existence of registered user accounts by observing the response:
<HTTP POST request PoC removed>
The HTTP response reveals whether or not the supplied email address is registered.
<HTTP server response removed>
This behavior can also be observed using the “/user/check_username” request.
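Issues 2 and 5 share the same endpoint, so one added example (not the vendor's code) models both: a reset-code handler that answers differently for unknown addresses and keeps every issued code live, beside a hardened version that returns a uniform response, invalidates the previous code on each new request, enforces the 30-minute lifetime and burns the code after a few wrong guesses. The store layout, the attempt cap and the time handling are assumptions.

```python
# Added example, not the vendor's code: the reset-code handling behind
# issues 2 and 5, beside a hardened version. Limits are assumptions.
import hmac
import secrets

VALID_SECONDS = 30 * 60   # the 30-minute code lifetime the advisory describes
MAX_ATTEMPTS = 5          # assumed cap on wrong guesses before a code is burned
USERS = {"alice@example.invalid"}   # constructed set of registered accounts
codes_vuln = {}   # email -> [(code, expiry), ...]: every issued code stays live
codes_hard = {}   # email -> {"code", "expiry", "attempts"}: one live code only

def new_code():
    return f"{secrets.randbelow(10**6):06d}"

def request_code_vulnerable(email, now):
    """Response differs for unknown addresses (enumeration oracle) and each
    request adds another code that stays valid for the full 30 minutes."""
    if email not in USERS:
        return {"status": "error", "msg": "user not found"}
    codes_vuln.setdefault(email, []).append((new_code(), now + VALID_SECONDS))
    return {"status": "ok", "msg": "code sent"}

def verify_vulnerable(email, guess, now):
    """Accepts any unexpired code ever issued, with no attempt limit, so
    each extra request widens the target for a guess of the 6-digit key."""
    return any(hmac.compare_digest(c, guess) and now <= exp
               for c, exp in codes_vuln.get(email, []))

def request_code_hardened(email, now):
    """Identical response whether or not the address is registered; a new
    request replaces the previous code instead of adding to it."""
    if email in USERS:
        codes_hard[email] = {"code": new_code(), "expiry": now + VALID_SECONDS,
                             "attempts": 0}
        # send_mail(email, codes_hard[email]["code"]) would go here
    return {"status": "ok", "msg": "if the address is registered, a code was sent"}

def verify_hardened(email, guess, now):
    """Single live code, expiry enforced, consumed on success and burned after
    MAX_ATTEMPTS wrong guesses so the key cannot be guessed in place."""
    rec = codes_hard.get(email)
    if rec is None or now > rec["expiry"]:
        codes_hard.pop(email, None)
        return False
    rec["attempts"] += 1
    ok = hmac.compare_digest(rec["code"], guess)
    if ok or rec["attempts"] >= MAX_ATTEMPTS:
        del codes_hard[email]
    return ok
```

The same uniform-response rule applies to “/user/check_username”, which should not distinguish registered from unregistered names either.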
6) Outdated and Vulnerable Software
The following publicly known vulnerable software components were identified in the firmware of the video baby monitor by using IoT Inspector:
- BusyBox 1.22.1 – multiple CVEs
- hostapd 0.8.x – CVE-2015-8041
- OpenSSL 1.0.1j – multiple CVEs
- Linux Kernel 2.6.35 – multiple CVEs
Vulnerable / Tested Versions
During our investigation, the main focus was to analyse the communication between the app, the video baby monitor and the cloud infrastructure, not the applications (Android, iOS) themselves.
Android Application:
- Mi-Cam v1.2.0 (most up to date version in November 2017)
Video baby monitor:
- Firmware 1.0.38 (most up to date version in November 2017)
It is assumed that the iOS app v1.0.5 is affected as well, as the vulnerabilities are within the server-side API.