Baby monitors serve an important purpose in securing and monitoring our loved ones. An estimated 52k user accounts and video baby monitors are affected by a number of critical security vulnerabilities in “miSafes” video monitor products.

Earlier this month we published the first article of our Internet of Things series, “IoD – Internet of Dildos”. As promised, we have expanded our research and now present the first results of our “IoB – Internet of Babies” research.

Baby monitors serve an important purpose in securing and monitoring our loved ones. Unfortunately, the investigated device, the “Mi-Cam” from miSafes (and potentially further devices), is affected by a number of critical security vulnerabilities which raise serious security and privacy concerns. An attacker is able to access and interact with arbitrary video baby monitors and to hijack other user accounts. Based on user identifier values observed in the cloud API and on Google Play store data, we estimate that over 52,000 user accounts and video baby monitors are affected (assuming a 1:1 ratio of user accounts to video baby monitors). Even worse, neither the vendor nor CNCERT/CC could be reached to coordinate our responsible disclosure process. The issues are therefore (as of the publication of this article) not patched, and our recommendation is to keep the video baby monitors offline until further notice.

Interested in the topic “Internet of Things” and the current challenges of IT security, privacy and cybercrime in this area? Visit us at the „Global Cybercrime Trends and Countermeasures” conference on 22nd February 2018 in Vienna, Austria.

Baby monitors – trading privacy for convenience?

Video baby monitors are meant to protect and monitor our children and serve a justified and important purpose in a significant number of households. The trend towards internet-connected devices has also extended the feature set of traditional baby monitors from established manufacturers, and the IoT wave has brought a number of new manufacturers and their baby monitor products to the global market. The result is a wide spectrum of candidates in every price segment. The rise of new competitors in this product group brought a few (at first sight) positive effects for customers: price dumping, special offers and feature upgrades.

The introduction of new features such as internet connectivity naturally gives rise to new security concerns and potential security problems originating from those features. These issues affect both new-to-market and long-established manufacturers and should be a major concern for consumers, i.e. parents and families.

The results of the analysis of such products can be found in the following chapters of this blog post and form the foundation of a master's thesis written by Mathias Frank in cooperation with SEC Consult Vulnerability Lab and the University of Applied Sciences Technikum Wien.

“Mi-Cam” by miSafes

Mi-Cam is a remote video monitor sold by the Hong Kong-based company miSafes, which sells multiple internet-connected devices for monitoring children, environments (such as homes, shops or offices) and pets. The variety of products in its portfolio suggests that miSafes has established experience in distributing internet-connected monitoring devices.

The video baby monitor and the use of the mobile application offer the following features to the consumers:

HD (720p) video and audio monitoring

Two-way audio transmission

SD Card recording on the baby monitor

Sound and motion alerts which trigger notifications in the mobile application

One-Click setup of the baby monitor using a sound sequence

Managing of multiple baby monitors

Invite multiple users in a “family” in order to access one or multiple baby monitors

Access via mobile app on Apple iOS and Google Android phones

Network communication

Using the Android application and the baby monitor results in numerous HTTPS requests to and responses from a cloud service. All requests are sent to hosts under the domain ipcam.qiwocloud2.com, which are hosted on Amazon AWS. The communication is a RESTful API using HTTPS POST requests with JSON objects as data format, and it serves a wide variety of support functions, such as authenticating the user and getting or setting the configuration of either device.

The analysis of the observed HTTPS traffic between the baby monitor and the cloud service indicates that the baby monitor authenticates itself with a client SSL certificate.

Without a valid client certificate, the HTTPS communication of the baby monitor cannot be observed or intercepted. However, the client certificate (which is identical on every baby monitor worldwide!) and its static private key can be extracted by means of one of the vulnerabilities described below, after which HTTPS traffic originating from the baby monitor can be observed and intercepted. Since the same key pair ships on every unit, extracting it once leaves the cloud service no way to distinguish a genuine Mi-Cam from anyone else presenting the same certificate. SEC Consult has found similar problems with static keys and certificates shared across many devices in the past, in the House of Keys research and in the follow-up review nine months later.



-----BEGIN CERTIFICATE-----
MIIDAzCCAmygAwIBAgIBDzANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJjbjES
MBAGA1UECAwJZ3Vhbmdkb25nMREwDwYDVQQHDAhzaGVuemhlbjENMAsGA1UECgwE
cWl3bzENMAsGA1UECwwEc2RjcDEXMBUGA1UEAwwOcWl3b2Nsb3VkMS5jb20wHhcN
MTUwNTI1MDkzMzU4WhcNMzgwMTIwMDkzMzU4WjCB0TELMAkGA1UEBhMCQ04xEzAR
BgNVBAgMCkd1YW5nIERvbmcxEjAQBgNVBAcMCVNoZW4gWmhlbjETMBEGA1UECgwK
UUlXTyBHcm91cDENMAsGA1UECwwEUWl3bzERMA8GA1UEAwwIcWl3by5jb20xHDAa
BgkqhkiG9w0BCQEWDWNlcnRAcWl3by5jb20xRDBCBgkqhkiG9w0BCQIMNXsicHJv
ZHVjdFR5cGUiOiJxaXdvX2lwY2FtIiwiYmF0Y2hOdW1iZXIiOiIyMDE1MDUyNSJ9
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDW8KwHzU5aNgDQwXEmKBrXrEY/
TKbwK3r4XKUlH2eUM0UmVBpnHzz9JQy0WSNs28CSpQlqwOTrODw4QS7PJcXrpqgA
V2E85DSx4RG/NAwD0bZdBIUEUHJfuTmSQ+Hwn8gXivjPBXjQb1oJ9BNu+SGLx8p+
MQTbj6/YIkjKV1qcKQIDAQABo1AwTjAdBgNVHQ4EFgQUHaGks8jt/3onjRiasDwP
MJxzOTQwHwYDVR0jBBgwFoAUpnSBwb/95nsc7+xVvn76i82QYMMwDAYDVR0TBAUw
AwEB/zANBgkqhkiG9w0BAQUFAAOBgQBB8fPH2WoIVr75Ik4QWwK37ANClpapfKUe
oTjvWOehYjBB+AndkVi6yFPwUj54vwdO3XBxYaxsGwuK4UsF8XwYWCA5aprmQqka
LjJvJAeCdvEWRA0WNTg8yGD4l2i+OsUgmK4kxS5BWuPje18y3Cbq/DHqeQiwoKFj
1zGuTI6+Kg==
-----END CERTIFICATE-----



As one can see, the client certificate used for all Mi-Cam devices was issued by Qiwo's own CA (qiwocloud1.com), is valid until January 2038, is signed with SHA-1 and embeds the product type and production batch in its subject rather than any per-device identifier.



Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cn, ST=guangdong, L=shenzhen, O=qiwo, OU=sdcp, CN=qiwocloud1.com
Validity
    Not Before: May 25 09:33:58 2015 GMT
    Not After : Jan 20 09:33:58 2038 GMT
Subject: C=CN, ST=Guang Dong, L=Shen Zhen, O=QIWO Group, OU=Qiwo, CN=qiwo.com/emailAddress=cert@qiwo.com/unstructuredName={"productType":"qiwo_ipcam","batchNumber":"20150525"}
SHA1 Fingerprint= DF:E0:C0:30:B9:0D:7D:F1:43:F8:FB:EE:19:8A:08:3A:3E:11:41:25
SHA256 Fingerprint= 79:9F:92:BD:D2:DD:06:3F:B9:93:55:F5:ED:EA:DC:D4:E8:7D:70:AF:D0:A9:92:48:A5:D7:E4:98:F6:F6:F1:E1
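The following script is an added example and not part of the original post or of any vendor tooling. It embeds the client certificate printed above together with the published SHA-1 fingerprint, and walks the DER structure with a minimal tag-length-value reader (standard library only, no third-party X.509 library) to pull out the fields a practitioner cares about here: issuer and subject CN, validity window, RSA key size, whether the signature uses SHA-1, whether the basicConstraints extension marks the certificate as a CA, and both fingerprints. `is_shared_micam_cert()` compares a certificate you pull from your own unit against the published fingerprint; all function names and the OID constants are my own.

```python
import base64
import hashlib
from datetime import datetime

# The Mi-Cam client certificate exactly as printed in this post (shared by every device).
MI_CAM_CLIENT_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDAzCCAmygAwIBAgIBDzANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJjbjES
MBAGA1UECAwJZ3Vhbmdkb25nMREwDwYDVQQHDAhzaGVuemhlbjENMAsGA1UECgwE
cWl3bzENMAsGA1UECwwEc2RjcDEXMBUGA1UEAwwOcWl3b2Nsb3VkMS5jb20wHhcN
MTUwNTI1MDkzMzU4WhcNMzgwMTIwMDkzMzU4WjCB0TELMAkGA1UEBhMCQ04xEzAR
BgNVBAgMCkd1YW5nIERvbmcxEjAQBgNVBAcMCVNoZW4gWmhlbjETMBEGA1UECgwK
UUlXTyBHcm91cDENMAsGA1UECwwEUWl3bzERMA8GA1UEAwwIcWl3by5jb20xHDAa
BgkqhkiG9w0BCQEWDWNlcnRAcWl3by5jb20xRDBCBgkqhkiG9w0BCQIMNXsicHJv
ZHVjdFR5cGUiOiJxaXdvX2lwY2FtIiwiYmF0Y2hOdW1iZXIiOiIyMDE1MDUyNSJ9
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDW8KwHzU5aNgDQwXEmKBrXrEY/
TKbwK3r4XKUlH2eUM0UmVBpnHzz9JQy0WSNs28CSpQlqwOTrODw4QS7PJcXrpqgA
V2E85DSx4RG/NAwD0bZdBIUEUHJfuTmSQ+Hwn8gXivjPBXjQb1oJ9BNu+SGLx8p+
MQTbj6/YIkjKV1qcKQIDAQABo1AwTjAdBgNVHQ4EFgQUHaGks8jt/3onjRiasDwP
MJxzOTQwHwYDVR0jBBgwFoAUpnSBwb/95nsc7+xVvn76i82QYMMwDAYDVR0TBAUw
AwEB/zANBgkqhkiG9w0BAQUFAAOBgQBB8fPH2WoIVr75Ik4QWwK37ANClpapfKUe
oTjvWOehYjBB+AndkVi6yFPwUj54vwdO3XBxYaxsGwuK4UsF8XwYWCA5aprmQqka
LjJvJAeCdvEWRA0WNTg8yGD4l2i+OsUgmK4kxS5BWuPje18y3Cbq/DHqeQiwoKFj
1zGuTI6+Kg==
-----END CERTIFICATE-----"""

# SHA-1 fingerprint of that certificate as published in this post.
PUBLISHED_SHA1 = "DF:E0:C0:30:B9:0D:7D:F1:43:F8:FB:EE:19:8A:08:3A:3E:11:41:25"

OID_COMMON_NAME = b"\x55\x04\x03"                            # 2.5.4.3
OID_BASIC_CONSTRAINTS = b"\x55\x1d\x13"                      # 2.5.29.19
OID_SHA1_WITH_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"  # 1.2.840.113549.1.1.5

def read_tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def common_name(name):
    """commonName of an X.501 Name: SEQUENCE OF SET OF SEQUENCE {OID, value}."""
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            if oid == OID_COMMON_NAME:
                return val.decode()
    return None

def pem_to_der(pem):
    body = "".join(ln.strip() for ln in pem.splitlines() if not ln.startswith("-----"))
    return base64.b64decode(body)

def parse_cert(pem):
    """Extract the security-relevant fields of an X.509 certificate, stdlib only."""
    der = pem_to_der(pem)
    fields = children(children(read_tlv(der)[1])[0][1])     # tbsCertificate
    if fields[0][0] == 0xA0:                                # optional [0] EXPLICIT version
        fields = fields[1:]
    serial, sigalg, issuer, validity, subject, spki = [v for _, v in fields[:6]]
    not_before, not_after = [datetime.strptime(v.decode(), "%y%m%d%H%M%SZ")
                             for _, v in children(validity)]
    # SubjectPublicKeyInfo -> BIT STRING (drop unused-bits byte) -> RSAPublicKey {n, e}
    modulus = children(read_tlv(children(spki)[1][1][1:])[1])[0][1].lstrip(b"\x00")
    ca = False
    for tag, wrapper in fields[6:]:
        if tag != 0xA3:                                     # [3] EXPLICIT extensions
            continue
        for _, ext in children(children(wrapper)[0][1]):
            parts = children(ext)                           # OID, [critical], OCTET STRING
            if parts[0][1] == OID_BASIC_CONSTRAINTS:
                bc = children(read_tlv(parts[-1][1])[1])    # BasicConstraints SEQUENCE
                ca = bool(bc) and bc[0][0] == 0x01 and bc[0][1] == b"\xff"
    return {
        "serial": int.from_bytes(serial, "big"),
        "issuer_cn": common_name(issuer),
        "subject_cn": common_name(subject),
        "not_before": not_before,
        "not_after": not_after,
        "rsa_bits": len(modulus) * 8,
        "sha1_signed": children(sigalg)[0][1] == OID_SHA1_WITH_RSA,
        "ca": ca,
        "sha1": ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest()),
        "sha256": ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest()),
    }

def is_shared_micam_cert(pem):
    """True if a certificate pulled from your own unit is the world-wide shared one."""
    return parse_cert(pem)["sha1"] == PUBLISHED_SHA1
```

Run `parse_cert(MI_CAM_CLIENT_CERT_PEM)` to see the decoded fields; for a certificate extracted from another unit, `is_shared_micam_cert(extracted_pem)` tells you whether that unit ships the same key pair as every other Mi-Cam. The parser is deliberately minimal (it assumes an RSA key and UTCTime validity, which is what this certificate uses) and is meant for inspection, not for validation.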



Kalay Platform

The observed network traffic did not show any common audio and video transmission protocol. Instead, a proprietary protocol with obfuscated stream characteristics is used for transmitting the audio and video stream. We were able to deobfuscate the network traffic between the Mi-Cam and the cloud and to automate decoding and extracting video feeds from captured traffic (pcap). We will publish further details in a separate blog post once this part of the research is completed.

Further analysis of the firmware and network traffic of the video baby monitor pointed to an IoT ecosystem called “Kalay Platform”. The Kalay Platform is an IoT cloud connection platform operated as a product of the Taiwan-based company ThroughTek Co., Ltd and was already mentioned by Brian Krebs in 2016 in connection with other security vulnerabilities (Foscam). At the time of writing, ThroughTek states on its website that it handles over 300 million monthly connections. It is also interesting to note that ThroughTek received ISO 27001 certification in October 2017, which covers the Kalay platform.

Affiliation to QiWo and Qihoo 360

The analysis of the network communication and numerous additional pieces of information, such as domain registrants, indicated the involvement of a third party which is not publicly described or advertised: the Shenzhen-based company Shenzhen QiWo Smartlink Technology Co., Ltd., which advertises a range of internet-connected devices on its website qiwo.mobi, including a camera designed for monitoring children. Various leads discovered during the analysis of the Mi-Cam, and the fact that qiwo.mobi and misafes.com differ only in domain name and language but feature almost identical products, indicate a connection between the two vendors. Further research showed that the word mark MISAFES is a registered trademark (serial number: 86621737) in several categories and is currently owned by the entity SHENZHEN QIWO SMARTLINK TECHNOLOGY COMPANY LIMITED. This leads to the assumption that miSafes is a subsidiary of Shenzhen QiWo Smartlink Technology Co., Ltd. for the sale and distribution of its products in the western market.

According to its CEO Fengko Gao, Shenzhen QiWo Smartlink Technology Co., Ltd. is a joint venture with the large Shenzhen-based internet security company Qihoo 360 Technology Co. Ltd., which is well known for its antivirus and browser products.

Besides miSafes, several other vendors (such as Qihoo 360) sell the same or a very similar-looking version of the video baby monitor on amazon.com. The following images display this variety of products. They have not been reviewed (yet), but given the affiliation it stands to reason that the identified security issues also affect those other vendors. Image sources: amazon.com

Vulnerabilities

The following vulnerabilities affect the Android application and cloud service as well as the video baby monitor and its hardware. During our investigation the main focus was on analysing the communication between the app, the video baby monitor and the cloud infrastructure, not on the applications (Android, iOS) themselves.

Broken Session Management & Insecure Direct Object References

Missing Password Change Verification Code Invalidation

Available Serial Interface

Weak Default Credentials

Enumeration of user accounts

Outdated and Vulnerable Software

SEC Consult follows a responsible disclosure approach; since no fix for the discovered vulnerabilities is available, no material containing detailed information about the vulnerabilities will be released to the public.

Further information on the issues can also be found in our technical advisory.

1) Broken Session Management & Insecure Direct Object References

Using the Android application and interacting with the video baby monitor involves several API calls to a central cloud service. Because of broken session management, a number of critical API calls accept arbitrary session tokens. The video embedded in this post demonstrates how an attacker can access and interact with arbitrary video baby monitors (e.g. use the two-way audio function) by modifying a single HTTP request: the call returns information about the account whose user identifier (UID) is supplied and about its connected video baby monitors, and that information is sufficient to view and interact with every baby monitor linked to the supplied UID.

The client SSL certificate is not needed to perform this attack; the app and an intercepting proxy server are sufficient.

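To make the two defects behind this finding concrete, here is an added illustration (my own code, not the miSafes API and not code from the post) of a device-list handler written the broken way and the hardened way. The request field names `token`, `uid`, `device_id` and `stream_key`, the account data and the status codes are all constructed for the example. The vulnerable handler accepts any non-empty token and trusts the client-supplied UID; the fixed handler resolves the UID from a server-side session and refuses a mismatching one.

```python
import secrets

# Constructed sample data: two accounts, each with one paired baby monitor.
# Field names (uid, token, device_id, stream_key) are illustrative, not the real API's.
DEVICES = {
    "1001": [{"device_id": "CAM-A", "stream_key": "key-for-cam-a"}],
    "1002": [{"device_id": "CAM-B", "stream_key": "key-for-cam-b"}],
}
SESSIONS = {}   # token -> uid, filled by login()


def login(uid):
    """Issue a random session token bound to uid."""
    token = secrets.token_hex(16)
    SESSIONS[token] = uid
    return token


def get_devices_vulnerable(request):
    """Broken session management: any non-empty token passes, and the uid that
    selects the account comes straight from the client (an insecure direct
    object reference), so one edited request returns another user's devices."""
    if not request.get("token"):
        return 401, {"error": "missing token"}
    uid = request.get("uid")
    return 200, {"uid": uid, "devices": DEVICES.get(uid, [])}


def get_devices_fixed(request):
    """Hardened: the uid is derived from a server-side session lookup; a
    client-supplied uid that disagrees is rejected instead of trusted."""
    uid = SESSIONS.get(request.get("token"))
    if uid is None:
        return 401, {"error": "invalid session"}
    if request.get("uid", uid) != uid:
        return 403, {"error": "uid does not belong to this session"}
    return 200, {"uid": uid, "devices": DEVICES.get(uid, [])}


def fetch_devices(handler, token, uid):
    """Replay the device-list request with an attacker-chosen token and uid."""
    return handler({"token": token, "uid": uid})


if __name__ == "__main__":
    # An attacker with a made-up token asks for account 1002.
    print(fetch_devices(get_devices_vulnerable, "anything", "1002"))
    print(fetch_devices(get_devices_fixed, "anything", "1002"))
    # Even a legitimately logged-in attacker cannot switch accounts on the fixed API.
    print(fetch_devices(get_devices_fixed, login("1001"), "1002"))
```

The second check in `get_devices_fixed` is the one that matters: once the UID is bound to the session, a client-supplied UID is redundant and any disagreement is evidence of tampering, so it is logged-worthy and rejected rather than silently overridden.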

2) Missing Password Change Verification Code Invalidation

The forgotten-password function sends a 6-digit verification code (valid for 30 minutes) to the supplied email address in order to set a new password. The code is not invalidated after failed attempts, so an attacker can brute-force all 1,000,000 possible values within the validity window and take over any existing account.

3) Available Serial Interface

The printed circuit board (PCB) of the video baby monitor holds an unlabelled universal asynchronous receiver-transmitter (UART) interface, which gives an attacker hardware-level access to the device, for instance to extract the firmware for further analysis. By analysing the firmware with IoT Inspector, SEC Consult identified further security issues such as outdated software and weak passwords.

The following images display the inside of the video baby monitor, its PCB and the UART interface:

Front Side

UART – An unlabelled UART header whose pin assignment was identified by measuring with a digital multimeter:

– GND – Ground pin

– RX – Receive pin

– TX – Transmit pin

– VCC – 3.3 V supply pin (only GND, RX and TX need to be wired to a serial adapter)

SPI FLASH – Serial Peripheral Interface (SPI) NOR flash memory, Macronix MX25L12835F (128 Mbit).

SD-Card Slot – micro SD card slot

Microphone Connector – 2 pin audio connector for the microphone placed in the front side case.

Speaker Connector – 2 pin audio connector for the speaker placed in the back side case.

Power IC – Power management integrated circuits (Power IC or PMIC). Model Sonix SNAP01A

Camera – OmniVision OV9715 720p

LED Indicator – LED Indicator module

Back side

RF Antenna – Radio Frequency (RF) antenna connector

RF – Realtek RTL8188EUS wireless chip

SOC – Sonix SN9836AFG SoC according to the label, with an ARM926EJ-S (rev 5) core and 37 megabytes of memory

Micro USB – Micro USB female connector

Pairing Button – Physical button for starting the pairing process.

UART Interface

In order to access the interface, pin breakouts were soldered onto the PCB as seen in the image below, and a serial to USB converter was used to connect to the interface.

4) Weak Default Credentials

By analysing the extracted firmware, or simply by performing a brute-force attack against the live system, the following very weak 4-digit default credentials of the root user account of the video baby monitor can be identified (a 4-digit password offers only 10,000 candidates):

root:<redacted>

5) Enumeration of user accounts

An API call leaks whether a supplied email address belongs to an existing user account. An attacker can enumerate valid email addresses and then take over the identified accounts as described above under “Missing Password Change Verification Code Invalidation”.
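The two account-takeover building blocks above (vulnerability 2, the brute-forceable 6-digit reset code, and vulnerability 5, the response that reveals whether an address is registered) are illustrated in the following added example. This is my own simulation of a password-reset flow, not the vendor's code: the 6-digit code and the 30-minute window are taken from the post, while `MAX_ATTEMPTS`, the sample account and all function names are assumptions. The vulnerable variant answers differently for unknown addresses and never invalidates a code on a wrong guess; the hardened variant gives the same answer either way, compares in constant time, burns the code after a few failures and makes it single-use. `brute_force()` plays the attacker against both.

```python
import hmac
import secrets

CODE_TTL = 30 * 60      # the 30-minute validity window stated in the post
MAX_ATTEMPTS = 5        # assumed limit for the hardened variant (not from the post)

ACCOUNTS = {"parent@example.com"}   # constructed: one registered account
RESET_CODES = {}                    # email -> {"code", "expires", "attempts"}


def _issue_code(email, now):
    RESET_CODES[email] = {"code": f"{secrets.randbelow(10**6):06d}",
                          "expires": now + CODE_TTL, "attempts": 0}


def request_reset_vulnerable(email, now):
    """Leaks whether an address is registered: the two answers differ."""
    if email not in ACCOUNTS:
        return {"status": "error", "message": "account does not exist"}
    _issue_code(email, now)
    return {"status": "ok", "message": "verification code sent"}


def verify_vulnerable(email, code, now):
    """The code is never invalidated on a wrong guess, so all 10^6 values
    can be tried within the 30-minute window."""
    entry = RESET_CODES.get(email)
    if entry is None or now > entry["expires"]:
        return False
    return entry["code"] == code


def request_reset_fixed(email, now):
    """Same response for registered and unknown addresses."""
    if email in ACCOUNTS:
        _issue_code(email, now)
    return {"status": "ok", "message": "if the address is registered, a code has been sent"}


def verify_fixed(email, code, now):
    """Constant-time comparison; the code is single-use and is invalidated
    after MAX_ATTEMPTS failed guesses."""
    entry = RESET_CODES.get(email)
    if entry is None or now > entry["expires"]:
        return False
    entry["attempts"] += 1
    ok = hmac.compare_digest(entry["code"], code)
    if ok or entry["attempts"] >= MAX_ATTEMPTS:
        del RESET_CODES[email]
    return ok


def brute_force(verify, email, now):
    """Try every 6-digit code in order; return (code, guesses) or (None, guesses)."""
    for guess in range(10**6):
        code = f"{guess:06d}"
        if verify(email, code, now):
            return code, guess + 1
    return None, 10**6
```

Against `verify_vulnerable` the loop always recovers the code, needing on average half a million requests, which a proxy-driven script completes well inside 30 minutes; against `verify_fixed` the code is gone after five wrong guesses, and the enumeration step that would have told the attacker which addresses are worth attacking no longer yields anything.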

6) Outdated and Vulnerable Software

By performing automated firmware analysis with IoT Inspector on the extracted firmware of the video baby monitor, several software components affected by publicly known vulnerabilities were identified. The specific outdated software versions can be found in our security advisory.

Vendor Communication & Final words

A glimpse into the future

This research was done as part of a master's thesis with the goal of reviewing the security of internet-connected baby monitor devices. A future blog post is going to cover further vulnerabilities identified in the Kalay Platform which potentially affect millions of devices. In addition, we expect to publish further blog posts on security issues in various other baby monitors and similar devices intended for monitoring children. Stay tuned!

This research was done by Mathias Frank on behalf of SEC Consult Vulnerability Lab and University of Applied Sciences Technikum Wien.


