Privacy flaws in security and doorbell cameras discovered by Florida Tech Student

May 26, 2020

Ring, Nest, SimpliSafe and eight other manufacturers of internet-connected doorbell and security cameras have been alerted to "systemic design flaws" discovered by Florida Tech computer science student Blake Janes that allow a shared account that appears to have been removed to actually remain in place, with continued access to the video feed.

Janes discovered the mechanism for removing user accounts does not work as intended on many camera systems because it does not remove active user accounts. This could allow potential "malicious actors" to exploit the flaw to retain access to the camera system indefinitely, covertly recording audio and video in a substantial invasion of privacy or instances of electronic stalking.

The findings were presented in the paper "Never Ending Story: Authentication and Access Control Design Flaws in Shared IoT Devices," by Janes and two Florida Tech faculty members from the university's top institute for cybersecurity research, the L3Harris Institute for Assured Information: Terrence O'Connor, program chair of cybersecurity, and Heather Crawford, assistant professor in computer engineering and sciences.

Janes' work informed vendors about the vulnerabilities and offered several strategies to remediate the underlying problem. In recognizing the importance of the work, Google awarded him a $3,133 "bug bounty" for identifying a flaw in the Nest series of devices. Other vendors, including Samsung, have been communicating with Janes about recommended solutions to fix the vulnerability.

The flaw is concerning in cases where, for example, two partners are sharing a residence and then divorce. Each has smartphone apps that access the same camera. Person A removes Person B's access to the camera, but that is never relayed to Person B's device. So Person B still has access even though it has been revoked on the camera and Person A's smartphone and the account password has been changed.

The Florida Tech team found that this happens largely because the decisions about whether to grant access are made in the cloud and not locally on either the camera or the smartphones involved. Manufacturers prefer this approach because it lets cameras transmit data without every camera having to connect directly to every smartphone.
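As an added illustration of the design flaw described above (a constructed toy model, not any vendor's code), the flawed cloud service below decides access once at login and never revisits it, so a session issued before a user is removed keeps working; the corrected version drops the removed user's sessions and re-checks the share list on every feed request. Class names and account names are made up.

```python
"""Toy model of the shared-camera access-revocation flaw (constructed example).

A cloud service hands session tokens to companion apps. The flawed service
only edits its share list when a user is removed, so a token minted before
the revocation is still honoured. The fixed service invalidates the removed
user's sessions and re-checks the share list on every request.
"""
import secrets


class FlawedCameraCloud:
    def __init__(self, owner):
        self.shared = {owner}   # accounts currently allowed to view the feed
        self.sessions = {}      # session token -> account that holds it

    def login(self, account):
        if account not in self.shared:
            raise PermissionError(account)
        token = secrets.token_hex(16)
        self.sessions[token] = account
        return token

    def remove_user(self, account):
        # Bug: only the share list changes; live sessions are untouched.
        self.shared.discard(account)

    def fetch_feed(self, token):
        # Bug: authorisation was decided at login and is never re-checked.
        return token in self.sessions


class FixedCameraCloud(FlawedCameraCloud):
    def remove_user(self, account):
        self.shared.discard(account)
        # Invalidate every session the removed account holds.
        self.sessions = {t: a for t, a in self.sessions.items() if a != account}

    def fetch_feed(self, token):
        account = self.sessions.get(token)
        # Defence in depth: re-check the current share list on every request.
        return account is not None and account in self.shared


def revocation_scenario(cloud_cls):
    """Person A shares the camera with B, then removes B.
    Returns True if B's pre-existing session can still fetch the feed."""
    cloud = cloud_cls(owner="person_a")
    cloud.shared.add("person_b")          # owner shares the camera
    b_token = cloud.login("person_b")     # B's app is already logged in
    cloud.remove_user("person_b")         # owner revokes B's access
    return cloud.fetch_feed(b_token)      # does B's old token still work?
```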

Additionally, manufacturers designed their systems so users would not have to repeatedly respond to access requests, which could become annoying and lead them to turn off that security check, were it in place, or abandon the camera altogether.

The problem is compounded by the fact that a malicious actor does not need advanced hacking tools to achieve this invasion: the attack is achievable from the devices' existing companion applications.

"Our analysis identified a systemic failure in device authentication and access control schemes for shared Internet of Things ecosystems," the paper concluded. "Our study suggests there is a long road ahead for vendors to implement the security and privacy of IoT produced content."

The devices where flaws were found are: Blink Camera, Canary Camera, D-Link Camera, Geeni Mini Camera, Doorbell and Pan/Tilt Camera, Merkury Camera, Momentum Axel Camera, Nest Camera Current and Doorbell Current, NightOwl Doorbell, Ring Pro Doorbell Current and Standard Doorbell Current, SimpliSafe Camera and Doorbell, and TP-Link Kasa Camera.

Though fixes will originate with the manufacturers, if you have one of the aforementioned cameras, it is important to update to the current firmware. Additionally, customers concerned about their privacy after removing additional users should always change their passwords and power cycle their cameras.

The paper is available under the Publications section at https://research.fit.edu/iot/.


Florida Institute of Technology
