back to article Leaks password, check. Leaks Wi-Fi password, check. Can be spoofed, check. Ding! We have an Internet of S**t winner

Here we have yet another example of an internet-facing home security camera with chocolate-padlock-grade security. The surveillance cam, examined by security firm Bitdefender, comes with motion and sound detectors, two-way audio, built-in lullabies to send children to sleep, temperature and humidity sensors and a microSD/SDHC …

  1. Voland's right hand Silver badge

    Which is exactly why I build mine out of Raspberries and Bananas

    This is exactly why for the time being I build my CCTV out of Raspberries or Bananas using dummy CCTV enclosures off Amazon. If you add one of the ELP camera modules the result is image quality on par or better than most sub-80£ internet of S**t.

    Once "live" the enclosures stop being dummy. The bill of materials is about the same.

    The other alternative is to keep the Internet of s**t on its own network and put a firewall in front of it. Less fun though.

    1. Anonymous Coward
      Anonymous Coward

      Re: Which is exactly why I build mine out of Raspberries and Bananas

      I don't know. Do you really need an Internet enabled fruit bowl?

      :)

      1. IanRS

        Re: Which is exactly why I build mine out of Raspberries and Bananas

        How else can you view it from your Apple?

        1. Allan George Dyer
          Coat

          Re: Which is exactly why I build mine out of Raspberries and Bananas

          AC, IanRS - you two are a right pear.

      2. Doctor_Wibble

        Re: Which is exactly why I build mine out of Raspberries and Bananas

        It goes with the web-enabled cheese, which has been around for decades!

    2. Anonymous Coward
      Anonymous Coward

      Re: Which is exactly why I build mine out of Raspberries and Bananas

      Runs some flavour of Linux, check.

      1. HieronymusBloggs

        Re: Which is exactly why I build mine out of Raspberries and Bananas

        "Runs some flavour of Linux, check."

        So plain text passwords coming from other operating systems can't be snooped? Valuable security tip, thanks.

    3. Anonymous Coward
      Anonymous Coward

      Re: Which is exactly why I build mine out of Raspberries and Bananas

      You should publish your parts list and build instructions

      1. Anonymous Coward
        Anonymous Coward

        Re: Which is exactly why I build mine out of Raspberries and Bananas

        You should publish your parts list and build instructions

        Bones, a lot of water, minerals, a shocking amount of bacteria, braaainz - it's a long list. Or were you referring to the technology?

        :)

        1. Ken Hagan Gold badge
          Coat

          Re: Which is exactly why I build mine out of Raspberries and Bananas

          What about the build instructions?

          1. Anonymous Coward
            Anonymous Coward

            Re: Which is exactly why I build mine out of Raspberries and Bananas

            What about the build instructions?

            1 - become God. root won't do.

  2. William 3 Bronze badge

    Internet Enabled Mop

    With Bluetooth.

    1. BillG
      WTF?

      Bitdefender

      Bitdefender is keeping quiet on the manufacturer's name until the issue is patched

      I'm very familiar with Bitdefender and this is very unlike them. Probably there is some sort of quid-pro-quo here.

      We all deserve to know who this sloppy manufacturer is.

  3. Pascal Monett Silver badge
    WTF?

    Let me get this straight

    "Every time it starts and at regular intervals, the device sends an UDP message to the authentication server, containing device data, an ID number represented by the MAC address and a 36-character code. However, the cloud server does not verify the code, it trusts the device’s MAC address to perform the authentication."

    They went through all that trouble to include a 36-character code generation program in the camera software, program the server app to recognize and accept it, then they decided not to use it ?

    Could someone please explain the rationale behind that decision ?

    "Here, we spent this much money on creating a somewhat secure dialogue between our server and our products, but nah, let's just accept the MAC address that can be spoofed and consider everything okay."

    "Brilliant ! We can call it a day."

    This is why IoT security is hopeless. Even when they make a half-hearted attempt at it, they just bungle it royally.

    1. Anonymous Coward
      Anonymous Coward

      Re: Let me get this straight

      Could someone please explain the rationale behind that decision ?

      Most likely is that someone specified it as a part of protocol and it was implemented on the camera's firmware correctly, however they were running short of money and/or time when developing the server software and some PHB decide that they should drop the authentication algorithms - too expensive to develop and "they do anything useful anyway".

      Seen it before. Sadly.

      1. Anonymous Coward
        Anonymous Coward

        Re: Let me get this straight

        I hope the upcoming fix includes firing the PHB and some developers... it looks many there lack basic skills to develop and deliver proper software. But that's something I have to fight every day, some developers always looks for shortcuts, unable to look beyond their nose and look at the big picture.

    2. Stuart 22

      Re: Let me get this straight

      This also means that the device becomes slightly useless when the manufacturer decides to turn the server off. When? 10 years or 10 months?

      Is it written into the guarantee? I mean people like Google would never pull a trick like that with a home device ...

    3. Mark 85
      Devil

      Re: Let me get this straight

      Bandwidth costs money. Those extra characters times all the many zillions of these want to sell would impact the bottom line and bonuses. Or... someone cut the development/implementation budget.

    4. Anonymous Coward
      FAIL

      Re: Let me get this straight

      Seems like they thought they'd try and wing it … the "fake it until you make it" and unfortunately, they didn't "make it" before being found out.

      They've gone to the trouble of implementing a TLS client in the device, surely it's not hard for them to have the device generate a PEM private key in the factory, sign a CSR with it, submit that to a protected system on the same in-factory private network which signs it and hands back a PEM certificate for the device to store.

      Upshot: private key never leaves the device and is not stored anywhere else.

      Then it can either use dTLS to encrypt the UDP traffic, or it uses regular TLS to negotiate a temporary shared key that it'll use for the next few hours' UDP traffic.

      It isn't rocket science. It's taken me about 3 days to prototype a system that pretty much does the above (minus the dTLS/UDP stuff) using free software tools.

      1. You aint sin me, roit

        "It isn't rocket science. "

        No, it isn't rocket science.

        However it does cost money, it does take time, and it is something that early IoT developers conveniently forgot to implement.

        What's more, if you want to do it properly (like Visa and Mastercard insist smartcard manufacturers do) then you need an HSM housed in a secured manufacturing environment. Employees would need to be vetted, and maybe even searched ("airlock" type doors incorporate weighing sensors to tell if you go out heavier than you went in...). There are physical and logical security measures that need to be implemented...

        This all costs a lot of money, involves a lot of attention to detail, and isn't quick to set up (let alone retro-fit). It also necessitates an independent certification authority who will come in and assess your security measures.

        You might even want to insist on Common Criteria type certification!

        The costs spiral upwards... out of proportion for most IoT objects.

        And that is why we can't have security - not because it's difficult but because it's expensive.

        1. Anonymous Coward
          Anonymous Coward

          Re: "It isn't rocket science. "

          However it does cost money, it does take time, and it is something that early IoT developers conveniently forgot to implement.

          What's more, if you want to do it properly (like Visa and Mastercard insist smartcard manufacturers do) then you need an HSM housed in a secured manufacturing environment.

          Indeed, if you want to do it "properly", to financial investment standards, then yes, things are more expensive. If they did decide to do it that thoroughly, I'd be impressed.

          It needs to be "good enough". Securely generated asymmetric keys would be "good enough". Algorithms like Diffie Hellman provide ways to make something that is "good enough".

          What they did is not "good enough". It wasn't even trying.

          1. You aint sin me, roit

            Re: "It isn't rocket science. "

            I'm not expecting financial standards, but the idea of generating keys on a device takes time and affects the production line (you might not think it's significant, but if you are mass-producing widgets then it is).

            Then you have to generate a certificate - this will be worse than useless unless it is done securely, with an adequate certification key. Again that costs money.

            In order to safeguard the keys then you might have to consider incorporating a secure element. The costs start to mount...

            The whole idea of "Oh, I can lash this up in minutes" is why we are in this mess to start with! The whole system is no more secure than its weakest link.

    5. Hero Protagonist

      Re: Let me get this straight

      Agile methodology, and verification of the 36-character code was slated for the next sprint. But since every sprint output is shippable (supposedly) and they were behind schedule, some PHB decided to go with what they had

  4. imanidiot Silver badge

    Why do you need a camera in your kids bedroom?

    What is wrong with the good old radio based, audio only, baby monitor and using your eyeballs every now and then? Do you really NEED to be able to spy on your own kids from across the world? A trustworthy babysitter might be a better investment...

    1. Warm Braw

      Re: Why do you need a camera in your kids bedroom?

      A trustworthy babysitter might be a better investment.

      Sadly, people are increasingly suspicious of other people (who, on the whole, are no less reliable than they have ever been) and increasingly trusting of technology (which, on the whole, becomes more dangerous every year). Great for the CCTV industry, but toxic to society.

      1. sisk

        Re: Why do you need a camera in your kids bedroom?

        I strongly suspect anyone using a CCTV in place of a babysitter for any kid young enough to warrant a babysitter, at least 'round these parts, would find themselves on the wrong end of a DCF investigation. They don't take kindly to parents who do things like leave young kids alone all day.

    2. Anonymous Coward
      Anonymous Coward

      Re: Why do you need a camera in your kids bedroom?

      "What is wrong with the good old radio based, audio only, baby monitor"

      ... where's the security there? We used these when our kids were babies and remember once when one of them seemed to be crying a lotn onthe monitor but everytime we went into his room he seemed ok. It was only when listening to the monitor when we heard someone else going to comfort the cryting baby that we realized that someone else nearby must have been usign ther same radio channel for their baby monitor!

      1. Anonymous Coward
        Anonymous Coward

        Re: Why do you need a camera in your kids bedroom?

        @AC: We got a nice Philips set from my parents for the first baby. The set only has two units -- one base which typically acts as a sender and one smaller receiver. They use DECT communication and were paired in factory. For home use, at that price level, I don't think it gets better than that.

    3. Velv

      Re: Why do you need a camera in your kids bedroom?

      So that Moms can still go down the pub/club with their mates without the need of granny or babysitter.

      (I was going to put the joke icon, but sadly this occurs more often than it should)

  5. Anonymous Coward
    Anonymous Coward

    Another one with an external account: no thanks

    Let's start with the basics: anything that requires an account on a 3rd party facility for control is handing that control to the company running the facility. I understand the need to bypass NAT, but it's the precise reason why I would not use that service/device/tool/toaster - no way.

    Unfortunately, the average home user does not get that. Actually, most companies don't see the problem with that approach either. Heck, even the Rimova electronic tag suitcases seem to need an external account, and I don't like being tracked.

    1. Adam 52 Silver badge

      Re: Another one with an external account: no thanks

      Unfortunately unless some form of open IoT server becomes defacto standard, and there's no sign of that happening, we're stuck with this.

      Eventually we'll all have to give in, there will be a must-have device that needs a central server, just like we have with Google Play Services, Windows Update and whatever the Apple equivalent is.

  6. Scroticus Canis
    Gimp

    Internet of S**t needs a copyright/trademark - IoS

    Think El reg should copyright the phrase and its acronym 'IoS' to distinguish it from the similar trademarked iOS.

    Oh wait ....

  7. TheProf
    Joke

    Weird people

    I saw the bedroom of my friend's children recently and I wonder what kind of weirdo likes looking at toy strewn floors and beds that look like a smashed meringue.

    1. tiggity Silver badge

      Re: Weird people

      Beds that look crap manage to win the Turner Prize so someone obviously likes them

      1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      "beds that look like a smashed meringue"

      Makes a change from breakfast that looks like a smashed avocado I guess…

      1. pɹɐʍoɔ snoɯʎuouɐ

        Re: "beds that look like a smashed meringue"

        or a punched lasagne .....

  8. Bob Grahame

    Hmm, should I be worried...?

    I think I can guess the device and manufacturer from the feature and behaviour descriptions. They make another Io[T|S] gadget that isn't anything like as easy to DIY with a Raspberry and a few cheap components, which I own. What is the chances the same core "authentication" code is in there? It, like this, phones home to their servers for management, and set up by an App in a very similar way.

  9. Anonymous South African Coward Bronze badge

    How long before this get pwned and used in another DDoS against Krebs?

  10. Tim Jenkins

    Just a thought...

    If you don't want to identify the make and model of a flawed IoT device, best not copy and paste the feature list from the manufacturers website. Or was that not an accident?

    1. Velv

      Re: Just a thought...

      The BitDefender article linked also has the screenshot straight off iTunes in case you had trouble verifying.

  11. mrslappy

    Excellent Case Study

    This implementation would form an excellent case study for the Security module of a Computer Science course. Challenge the students to explain how they would have fixed it (or built it properly in the first place)

  12. paulmedynski

    Full Disclosure

    "Bitdefender is keeping quiet on the manufacturer's name until the issue is patched."

    WTF? We the people _need_ folks like Bitdefender to disclose this nonsense immediately. I want to know which manufacturers to avoid - this one clearly deserves to be shamed into receivership.

    IoS, indeed!

    1. Anonymous Coward
      Anonymous Coward

      Re: Full Disclosure

      It looks like it's the EDIMAX IC-7113W

      1. Anonymous Coward
        Anonymous Coward

        Re: Full Disclosure

        Or one of the D-Link EyeOn range

  13. EveryTime

    I've went to two IoT-related conferences over the past three weeks. Security was the primary topic. Not just a topic, it's front and center.

    But the people rushing stuff to market aren't the ones attending. They are rushing to market, not carefully designing systems. Perhaps they are planning to fix thing later, although "how does that help sales?"

    My guess is that these devices do have the code to do reasonable security. The development base they started from probably includes it. They just didn't bother to enable it, or even to use the security features that were enabled by default.

  14. Herby

    All the cameras want to be proprietary to make $$$

    I've got a nice internet camera that works quite well, but only when you go through THEIR SERVER. Someone didn't tell the vendor what business they were in (selling cameras) not in setting up servers. Sure I can get nice few frames/sec video, and some low grade audio, but why can't I get it directly and control whole thing myself.

    No, I need a silly proprietary plugin that isn't available for Firefox (I use Linux at home) and even though I tried couldn't get to work. You would think that they would want to save customer support calls by making it work on a garden variety browser out of the box without any add-ons. Nope you need specialized stuff that isn't available for all platforms.

    Who knows, I may have the camera in question. It does have some weird setup stuff.

  15. Anonymous Coward
    Facepalm

    Surveillance cam and Wi-Fi network

    "surveillance cam .. creates its own unsecured Wi-Fi network so a management app running on a nearby smartphone can connect to it. Then the app tells the camera how to connect to the home's wireless network so it can reach the internet"

    Are the people who designed this total retards, sorry, for any precious snowflakes that should be 'special needs'.

    1. pɹɐʍoɔ snoɯʎuouɐ

      Re: Surveillance cam and Wi-Fi network

      sorry, for any precious snowflakes that should be 'special needs'.

      I would not give those Social justice TERRORISTS th satisfaction of an apology....

      Thats what they want, for you to apologise for everything.... those snowflakes are not worth the steam off your piss

  16. Anonymous Coward
    Anonymous Coward

    Did anyone record the blond getting banged?

    Why hack into IoT home Cctv if you can't watch a MILF spinner getting banged?

    FORGET THE KIDS ROOMS

  17. Anonymous Coward
    Anonymous Coward

    Did anyone record the blond getting banged?

    Why hack into IoT home Cctv if you can't watch a MILF spinner!

  18. Anonymous Coward
    Anonymous Coward

    Download the app

    https://play.google.com/store/apps/details?id=com.edimax.Viewer&hl=en

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like