Twenty Year Anniversary

miSafes Mi-Cam Device Hijacking

miSafes Mi-Cam Device Hijacking
Posted Feb 21, 2018
Authored by Mathias Frank | Site sec-consult.com

miSafes Mi-Cam remote video monitors suffer from broken session management, insecure direct object reference, password handling issues, and various other vulnerabilities.

tags | advisory, remote, vulnerability
MD5 | f0202ce5d47ca2fd6e32d3c4ab466eec

miSafes Mi-Cam Device Hijacking

Change Mirror Download
We have published an accompanying blog post to this technical advisory with
further information:

https://www.sec-consult.com/en/blog/2018/02/internet-of-babies-when-baby-monitors-fail-to-be-smart/index.html


SEC Consult Vulnerability Lab Security Advisory < 20180221-0 >
=======================================================================
title: Hijacking of arbitrary video baby monitors
product: miSafes Mi-Cam remote video monitor
vulnerable version: Android application v1.2.0, iOS v1.0.5
Firmware v1.0.38
fixed version: -
CVE number: -
impact: critical
homepage: http://www.misafes.com/mi-cam
found: 2017-11-30
by: Mathias Frank (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal
Moscow - Munich - Kuala Lumpur - Singapore
Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Mi-CamHD, Wi-Fi remote video monitor for everyone; 720P HD quality video, easy
set up & use, two-way talk and supports free local video recording, all can be
use by our user friendly Mi-Cam app."

Source: http://www.misafes.com/mi-cam


Business recommendation:
------------------------
SEC Consult recommends not to use this device until a thorough security review
has been performed by security professionals and all identified issues have
been resolved! Although cloud-connected hardware may have an advantage regarding
usability and convenience for users, if security is lacking those products pose
a great risk for all customers.

Furthermore, it seems there exist similar products from other vendors, e.g.
"Qihoo 360 Smart Home Camera", that look exactly the same and may also be
affected but SEC Consult could not verify this. The cloud component hosted by
"qiwocloud2.com" may be used by other products as well. Additional information
regarding other vendors are described in our blog post linked at the top of this
advisory.


Vulnerability overview/description:
-----------------------------------
The usage of the Mi-Cam video baby monitor and its Android (or iOS) application,
involves numerous requests to a cloud infrastructure available at
ipcam.qiwocloud2.com with the aim of communicating with the video baby monitor or
respective Android application.

The Android application has at least 50000-100000 installations according to
Google Play Store with potentially as many iOS users as well.

SEC Consult has identified multiple critical security issues within this product.


1) Broken Session Management & Insecure Direct Object References
The usage of the Android application "Mi-Cam" and the interaction with the
video baby monitor involves several different API calls. A number of critical API
calls can be accessed by an attacker with arbitrary session tokens because of
broken session management.

This allows an attacker to retrieve information about the supplied account
and its connected video baby monitors. Information retrieved by this feature
is sufficient to view and interact with all connected video baby monitors for
the supplied UID.


2) Missing Password Change Verification Code Invalidation
The password forget functionality sends a 6-digit validation key which is valid
for 30 minutes to the supplied email address in order to set a new password.
Multiple codes can be requested though while previously delivered codes do not get
invalidated and anyone of them can be used as a valid key. This can easily
be brute-forced to take over other accounts.


3) Available Serial Interface
The PCB of the video baby monitor holds an unlabeled UART interface where an
attacker is able to get hardware level access to the device and for instance
extract the firmware for further analysis. SEC Consult identified further security
issues such as outdated software (issue 6) or weak passwords (issue 4) by
analyzing the firmware using IoT Inspector (https://www.iot-inspector.com).


4) Weak Default Credentials
The "root" user available on the video baby monitor uses very weak default
credentials with only 4 digits.


5) Enumeration of user accounts
The password reset functionality leaks information about the existence of
supplied user accounts which can aid in further (brute-force) attacks.


6) Outdated and Vulnerable Software
Several software components which are affected by publicly known
vulnerabilities were identified in the firmware of the video baby monitor.


Proof of concept:
-----------------
As the vendor could not be reached in order to get the issues fixed we will omit
detailed proof of concept information in this advisory.


1) Broken Session Management & Insecure Direct Object References
Several functionalities are vulnerable because session tokens are not checked
properly and can be used without any valid user account.

Excerpt of API calls:
- /family/get_list
- /family/get_group_list
- /family/invite_join
- /family/change_name
- /family/unbind

Sending or respectively intercepting the following request and supplying an
arbitrary consecutively numbered UID, allows an attacker to retrieve information
about the supplied account and its connected video baby monitors. Information
retrieved by this feature is sufficient to view and interact with all connected
video baby monitors for the supplied UID.

<HTTP POST request PoC removed>


2) Missing Password Change Verification Code Invalidation
By sending the following request to "/user/request_email_code", a validation key
can be requested:

<HTTP POST request PoC removed>

This request can be sent multiple times in order to increase the possibility
for a successful brute-force attack on the validation key. Each requested
validation key is valid for 30 minutes and can be used to reset the password.
During the period of the assessment, the following two sender addresses could
be observed:

- passwords@misafes.com
- misafes@ug-smart.com


3) Available Serial Interface
Unlabeled and grouped through-hole pins located on the PCB of the video baby
monitor can be used to connect to a UART interface. This leads to access to
the boot loader and extraction of the firmware for further analysis.

Further information regarding the hardware including screenshots can be found
at our blog post:
https://www.sec-consult.com/en/blog/2018/02/internet-of-babies-when-baby-monitors-fail-to-be-smart/index.html


4) Weak Default Credentials
By analysing the extracted firmware or by simply perfoming a brute force attack,
it is possible to identify the following very weak 4-digit default credentials
used by the video baby monitor:

root:<redacted>


5) Enumeration of user accounts
By sending the following request to "/user/request_email_code", it is possible
to gain information about the existence of registered user accounts by observing
the response:

<HTTP POST request PoC removed>

The HTTP response contains information of either the existence or non-existence
of the supplied email address.

<HTTP server response removed>

This behavior can also be observed using the "/user/check_username" request.


6) Outdated and Vulnerable Software
The following publicly known vulnerable software componenents were identified
in the firmware of the video baby monitor by using IoT Inspector:

- BusyBox 1.22.1 - multiple CVE
- hostapd 0.8.x - CVE-2015-8041
- OpenSSL 1.0.1j - multiple CVE
- Linux Kernel 2.6.35 - multiple CVE


Vulnerable / tested versions:
-----------------------------
During our investigation the main focus was to analyse the communication between
the app, the video baby monitor and the cloud infrastructures but not the
applications (Android, iOS) themselves.

Android Application:
- Mi-Cam v1.2.0 (most up to date version in November 2017)

Video baby monitor:
- Firmware 1.0.38 (most up to date version in November 2017)

It is assumed that the iOS app v1.0.5 is affected as well, as the vulnerabilities
are within the server-side API.


Vendor contact timeline:
------------------------
2017-12-06: Contacting vendor through contact@misafes.com
2018-01-03: Resending initial contact approach
2018-01-29: Resending initial contact approach
2018-02-07: Attempting to contact China CNCERT/CC (PGP encrypted), received
"550 Mail content denied" from their mailserver,
resending unencrypted without attachments, same error message
2018-02-07: Contacting CERT/CC, asking for coordination support
2018-02-12: Asking CERT/CC again
2018-02-12: CERT/CC has decided not to coordinate or publish this vulnerability
2018-02-21: Public release of security advisory


Solution:
---------
The vendor could not be reached and there is no update available.


Workaround:
-----------
It is highly recommended not to use this product as there is no workaround
available.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal
Moscow - Munich - Kuala Lumpur - Singapore
Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Mathias Frank / @2018

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

May 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    17 Files
  • 3
    May 3rd
    30 Files
  • 4
    May 4th
    29 Files
  • 5
    May 5th
    2 Files
  • 6
    May 6th
    3 Files
  • 7
    May 7th
    13 Files
  • 8
    May 8th
    27 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    15 Files
  • 11
    May 11th
    8 Files
  • 12
    May 12th
    2 Files
  • 13
    May 13th
    8 Files
  • 14
    May 14th
    7 Files
  • 15
    May 15th
    43 Files
  • 16
    May 16th
    19 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    3 Files
  • 20
    May 20th
    7 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    40 Files
  • 23
    May 23rd
    64 Files
  • 24
    May 24th
    55 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close