RSAC 2020: Smart Baby Monitor Vulnerable to Remote Hackers

Don’t buy this, or anything that can’t satisfy the most basic of security requirements…:

[…] The most severe flaw stems from an issue with the baby monitor’s implementation of the MQTT communication protocol, which is often used by IoT and machine-to-machine applications. Configuration issues with MQTT protocols have also plagued other IoT device makers. Over the past year, improper configuration of MQTT has opened the doors to various vulnerabilities, including bugs in smart deadbolts, and just this week researchers at RSAC shared details of a vulnerability in a connected vacuum cleaner.

In the context of the vulnerable iBaby Monitor, the MQTT protocol used between the baby monitor and the corresponding mobile app was leaking camera ID numbers, user ID numbers, camera status (online or offline) data and in some cases user credentials. While the data is encrypted using AES256, the key and initialization vector (a fixed-size input for payload encryption) are easily predictable and are all hardcoded for all messages, Balan said.


An attacker would be able to monitor this data remotely when a user configures a camera, ultimately giving them the ability to stream video, take screenshots, record video and play music using obtained credentials.

“They used MQTT in the wrong way, so if you subscribe to iBaby, you will get spammed with notifications of the devices registered – including the device ID of each device,” said Balan. “In some cases, the user device password is also broadcast.”

 

[…]

Original article here
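The kind of broker-side check that keeps one subscriber from receiving other users' device notifications, as an added example that is not from the article or from iBaby's code: each authenticated client may only subscribe inside its own topic subtree, and wildcard filters are compared against that subtree before the subscription is accepted. The topic layout `cameras/<user>/<camera>/status`, the user names and the policy format are assumptions made for illustration.

```python
# Added example: broker-side authorization of MQTT SUBSCRIBE requests.
# Topic layout, user names and policy format are constructed for illustration.

def filter_within(requested: str, allowed: str) -> bool:
    """True if every topic matched by `requested` is also matched by `allowed`.
    MQTT wildcards: '+' is exactly one level, '#' is the parent plus everything below."""
    req, alw = requested.split("/"), allowed.split("/")
    for i, a in enumerate(alw):
        if a == "#":
            return True               # allowed covers the whole remaining subtree
        if i >= len(req):
            return False              # requested stops above the allowed depth
        r = req[i]
        if r == "#":
            return False              # requested is broader than allowed here
        if a != "+" and r != a:
            return False              # literal mismatch, or '+' where a literal is required
    return len(req) == len(alw)

WEAK_POLICY = ["cameras/#"]           # any client can read every camera's topics
SCOPED_POLICY = ["cameras/{user}/#"]  # each client is confined to its own subtree

def may_subscribe(user: str, requested: str, policy: list) -> bool:
    # A user name containing topic metacharacters would widen its own scope.
    if not user or any(c in user for c in "+#/"):
        return False
    return any(filter_within(requested, p.replace("{user}", user)) for p in policy)

def audit(policy: list, requests: list) -> list:
    """Return the allow/deny decision for each (user, topic filter) request."""
    return [may_subscribe(u, f, policy) for u, f in requests]

REQUESTS = [  # constructed subscription requests
    ("alice", "cameras/alice/cam-01/status"),
    ("alice", "cameras/alice/+/status"),
    ("mallory", "cameras/#"),
    ("mallory", "cameras/+/+/status"),
    ("mallory", "cameras/alice/cam-01/status"),
    ("+", "cameras/alice/cam-01/status"),
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        for (user, flt), ok in zip(REQUESTS, audit(policy, REQUESTS)):
            print(f"{name:6} {user:8} {flt:30} {'ALLOW' if ok else 'DENY'}")
```

Topic scoping limits who receives a message; it does not replace per-device keys and a fresh IV for each message, which the quoted findings identify as a separate weakness.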