Abode IoT Security Camera Vulnerabilities Would Let Attackers Insert Images, Bitdefender Finds

Silviu STAHIE

December 21, 2021


Bitdefender's security researchers have identified several vulnerabilities in the Abode IOTA Smart Camera that would permit attackers to inject their own media into the timeline, obtain the devices' geographical location, and more.

It's difficult to argue against the usefulness of security cameras, but customers have to be aware they also introduce a bullseye into their smart home. The IoT ecosystem is chock full of vulnerable devices, and criminals have slowly shifted their interests towards this ever-growing industry. More and more people buy IoT devices but don't always protect them, keep them up to date or even bother to check if the manufacturer still provides support.

Smart security cameras are all the more dangerous because they offer unique insight into people's lives when compromised. They're also prime targets for attackers looking for vulnerable IoT devices.

Hardcoding credentials is a no-no

The Abode IOTA Smart Camera uses the XMPP protocol with authentication to communicate with the cloud, which in itself is unusual. XMPP is rarely used for this, and the reason the manufacturer chose this protocol is unclear.

"To configure them from a blank state, the devices connect to the setup.goabode.com XMPP service to receive the configuration parameters," say the Bitdefender researchers. "Those parameters include the XMPP credentials to use after configuration."

"The XMPP credentials are the MAC address of the device (that forms the username) and a random password. However, because the device does not know this password before it's configured, to connect to the setup server it uses a hardcoded one."

Furthermore, while the XMPP connection uses TLS (encryption), the device doesn't check the validity of the certificates. That makes man-in-the-middle attacks possible, allowing attackers to inject arbitrary commands and take control of the device. The firmware upgrades share the same vulnerability.

Making matters worse, while the image upload process uses HTTPS, the file is uploaded without authentication.

"The reporting ID is then used by the API to identify the account the media belongs to. If an attacker knows the reporting ID, together with the MAC address associated with it, they can upload any media to this API, and it will appear in the timeline of the device," the researchers add. Obtaining the ID is also a trivial matter.
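One way a server could refuse uploads that carry only a reporting ID and MAC address, shown as an added example that is not taken from the whitepaper or from the vendor's code. It assumes a per-device secret issued during setup; the function names, registry and sample values are hypothetical.

```python
import hashlib
import hmac
import time

# Constructed registry: (reporting_id, mac) -> per-device secret issued at setup.
# Every identifier and key here is made up for this example.
DEVICE_KEYS = {
    ("RID-0001", "aa:bb:cc:00:11:22"): b"per-device-secret-issued-at-setup",
}
MAX_SKEW_SECONDS = 300  # requests older or newer than this are rejected


def sign_upload(key, reporting_id, mac, media, timestamp):
    """Device side: HMAC over the identifiers, the timestamp and the media digest."""
    digest = hashlib.sha256(media).hexdigest()
    msg = "\n".join([reporting_id, mac.lower(), str(timestamp), digest]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_upload(reporting_id, mac, media, timestamp, signature, now=None):
    """Server side: accept media only when the signature proves key possession."""
    now = time.time() if now is None else now
    key = DEVICE_KEYS.get((reporting_id, mac.lower()))
    if key is None:
        return False, "unknown device"
    if not signature:
        # Reporting ID and MAC are identifiers, not credentials.
        return False, "missing signature"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = sign_upload(key, reporting_id, mac, media, timestamp)
    # Constant-time comparison; the digest binds the signature to this exact file.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"
    return True, "accepted"
```

The timestamp window only narrows replay of a captured request; a server that must rule it out entirely would also track a per-request nonce.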

Finally, it turns out that the device sends other information besides the ID, including the device's geographical coordinates.

Bitdefender first contacted the vendor on May 19, 2020; the manufacturer pushed the update for the affected devices to customers on Dec. 7, 2021.

You can check out the "Vulnerabilities Identified in the Abode IOTA Smart Camera: Fake Image Injection into Timeline" whitepaper for a full breakdown of the device and its security issues:

Download the research whitepaper
