Barracuda Networks calls for internet of things devices to be subject to regular security review after researchers detail the application vulnerabilities of an internet-connected security camera

Businesses and consumers have a right to know the security posture of devices connected to the internet making up the internet of things (IoT) – and manufacturers should be held accountable.

That is the view of security researchers at Barracuda Networks who examined an internet-connected security camera to illustrate the growing security threat of IoT credential compromise.

The study shows that vulnerabilities in the web and mobile applications of IoT devices can be exploited to steal credentials and compromise the associated devices.

Without any direct connection to the device itself, the team was able to identify multiple vulnerabilities in the camera’s web app and mobile app ecosystem.

This threat could affect other types of IoT devices, the researchers said, because it takes advantage of the way the device communicates with the cloud.

For this reason, Barracuda believes IoT products should be scored continually and their security posture published in the same way as motor vehicle safety ratings are, to enable businesses and consumers to make informed decisions when choosing products.

The researchers note that although improvements have been made in response to concerns about the security risks of IoT devices, vulnerabilities remain.

In particular, the Barracuda Labs team highlighted the threat of IoT credential compromise by showing that attackers could use vulnerabilities in the web applications and mobile applications used by certain IoT devices to acquire credentials, which can then be used to view the video feed, set/receive/delete alarms, remove saved video clips from cloud storage, and read account information.

Attackers can also use the credentials to push their own firmware update to the device, changing its functionality and using the compromised device to attack other devices on the same network.

The main vulnerabilities identified by the researchers included:

  • Mobile app ignored server certificate validity.
  • Cross-site scripting (XSS) attacks were possible in the web app.
  • File directory traversal was possible in a cloud server.
  • User controls device update link.
  • Device updates are not signed.
  • Device ignores server certificate validity.

If an attacker can intercept traffic to the mobile app by using a compromised or hostile network, they can easily acquire the user password, the researchers warned.

When a victim connects to a compromised/hostile network with a mobile phone, the connected camera app will try to connect to the supplier’s servers over https. The hostile/compromised network will route the connection to the attacker’s server, which will use its own SSL certificate to proxy the communication to the supplier’s server. The attacker’s server now holds an unsalted MD5 hash of the user password. The attacker can also tamper with the communication between the supplier’s server and the app.

Acquiring credentials from the web app relies on functionality that allows users to share device access to the connected camera with other users. To share a device, the receiver needs to have a valid account with the IoT supplier, and the sender needs to know the receiver’s username, which happens to be an email address. The attacker will then embed an XSS exploit in a device name and then share that device with the victim.

Once the victim logs into his account using the web app, the XSS exploit will execute and share the access token (which is stored as a variable on the web app) with the attacker. With that access token, the attacker can access the victim’s account and all its registered devices.
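The stored-XSS path described above, as an added illustration that is not Barracuda's code or the camera vendor's: the receiver's "shared with me" list rendered with the device name interpolated raw, beside the same list with every attacker-influenced value HTML-escaped, plus a share-time name check as defence in depth. The device records, field names and the harmless alert(1) marker are all constructed for this example.

```python
import html
import re

# Constructed sample of the device records a cloud back end might return to
# the web app for the "shared with me" view. The second name carries a
# stored-XSS probe of the kind the article describes; alert(1) is a harmless marker.
SHARED_DEVICES = [
    {"id": "cam-001", "name": "Front door", "owner": "alice@example.com"},
    {"id": "cam-002", "name": "Garage <script>alert(1)</script>", "owner": "mallory@example.com"},
]

# Device names are free text chosen by the sender, so restrict them at
# share/rename time with an allow-list (hypothetical policy for this example).
NAME_RE = re.compile(r"^[\w .'-]{1,64}$")


def is_acceptable_device_name(name: str) -> bool:
    """Server-side check to run whenever a device is renamed or shared."""
    return bool(NAME_RE.fullmatch(name))


def render_shared_list_vulnerable(devices) -> str:
    """Before: the name is dropped into the HTML verbatim, so any markup in it becomes part of the page."""
    items = "".join(
        f"<li data-id='{d['id']}'>{d['name']} (from {d['owner']})</li>" for d in devices
    )
    return f"<ul id='shared'>{items}</ul>"


def render_shared_list_hardened(devices) -> str:
    """After: every value that another user can influence is escaped at the point of output."""
    def e(s: str) -> str:
        return html.escape(s, quote=True)  # quote=True also neutralises ' and " inside attributes

    items = "".join(
        f"<li data-id='{e(d['id'])}'>{e(d['name'])} (from {e(d['owner'])})</li>" for d in devices
    )
    return f"<ul id='shared'>{items}</ul>"


if __name__ == "__main__":
    for d in SHARED_DEVICES:
        verdict = "ok" if is_acceptable_device_name(d["name"]) else "rejected"
        print(f"{d['name']!r}: {verdict}")
    print(render_shared_list_hardened(SHARED_DEVICES))
```

Output escaping is the fix that closes the hole; the name allow-list only narrows what reaches storage and must not be relied on alone, since the token would still be exposed anywhere the name is rendered unescaped.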