The popular home surveillance webcam service DropCam that keep an eye on your house when you aren’t there, can be used as a weapon against you by the cybercriminals, claimed a pair of researchers.
San Francisco-based DropCam, last month announced it would be acquired by Google’s Nest for $555 million in cash, makes home-monitoring cameras for the past five years, which allow users to keep track of what's going on inside their homes using a small surveillance camera.
Two researchers named Patrick Wardle and Colby Moore of Synack who discovered the weakness in the Wi-Fi enabled video monitoring system, which they will demonstrate at the DEFCON 22 Hacker Conference in Las Vegas next month.
This WiFi-enabled security camera, that comes for $149 or $199, depending on video quality, requires little-to-no-effort to maintain. You plug it in, get it up on your WiFi, and all is set. If you want to check in on your cameras remotely, it cost you nothing, and if you want DropCam to keep an archive of the recorded footage on their servers, it will cost you from $10 to $30 a month.
The discovered weakness could allow hackers to spy on the targets by watching video and "hot-mike" audio on the cameras, inject fake videos into the surveillance startup in an effort to hide their malicious activities and use the compromised system to attack network.
The hardware of DropCam was reverse engineered by the researchers that allow them to insert a malware "implant" on the device and make them exploit the software vulnerabilities they found in the device's internal software.
"If someone has physical access [to a DropCam device], it's pretty much game over," the director of research at Synack, Wardle told DarkReading. "People need to be aware that these devices can be accessed by hackers or adversaries, and they should be scrutinized in the way people protect their laptops for instance.”
Apart from other hardware and software weaknesses in the DropCam equipment, researchers discovered a Heartbleed vulnerability used in the cloud-based WiFi video monitoring service.
The device runs an outdated and unpatched version of an open source Unix toolkit BusyBox, that may not even receive updates, and the older as well as vulnerable version of OpenSSL that made it vulnerable to the critical Heartbleed bug.
Heartbleed, the biggest internet threat, is a critical vulnerability in the OpenSSL's implementation of the TLS/DTLS heartbeat extension that allows attackers to read portions of the affected server’s memory, potentially revealing users data in the plaintext, that the server did not intend to reveal.
An attacker could exploit the Heartbleed vulnerability in the OpenSSL in order to fetch passwords and SSL server's private key.
"The camera is vulnerable to client-side Heartbleed attacks. You could spoof the DropCam DNS server, and the camera would beacon out," Wardle says. "You could throw a Heartbleed exploit and start dumping memory and get [digital] certs."
Moreover, researchers would also reveal how to infect Windows or Mac OS X boxes that were used to configure the vulnerable DropCam systems. The duo will provide a detailed demonstration on their findings in their presentation titled, "Optical Surgery: Implanting a DropCam,” at DEF CON hacking Conference, which will be held on August 10.
Like we are so much proactive towards security vulnerabilities of our computers and networks, in the same way their is an important need to actively tackle the security issues with the Internet of Things (IoTs) devices such as this DropCam cameras.