Eleven manufacturers have been flagged for having a privacy flaw in their security and doorbell cameras. What’s most interesting is who found these flaws. It wasn’t a high-priced expert. The “systemic design flaws” were discovered by Blake Janes, a Florida Tech computer science student. You may think you’re removing a shared account, but this flaw allows the account and video feed access to remain.
Janes and two of the top faculty members of the university’s institute for cybersecurity research, Terrence O’Connor and Heather Crawford, shared the discovery in the paper “Never Ending Story: Authentication and Access Control Design Flaws in Shared IoT Devices.”
After his discovery, Janes informed Ring, Nest, SimpliSafe and other manufacturers of the vulnerability. He didn’t just deliver the bad news: he also proposed fixes for the issue he had discovered.
He was awarded $3,133 in a “bug bounty” from Google for finding the flaw in the company’s Nest devices. Samsung has been communicating with him about his solutions to the problem.
There are situations in which two people share access to an IoT security camera and then decide to stop sharing it. This could occur if someone moves out or had only been visiting. The person who keeps the camera removes the other person’s access. But that removal is never relayed to the device the other person uses to view the video feed, such as their smartphone. This leaves that person with continued access to the camera (and to the owner’s device), even if the password has been changed.
That’s particularly frightening, isn’t it? Janes and the rest of the team found that this privacy flaw occurs because decisions about who has access to security and doorbell cameras are made in the cloud rather than locally on the cameras or the users’ devices. Manufacturers use this approach because it lets a camera transmit data without having to connect directly with both smartphones. Additionally, it removes the need to repeatedly request access.
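To make the failure mode concrete, here is an added example (not code from the paper or from any of the vendors named) that models a cloud-side sharing service in miniature. The vulnerable class edits the share list when an owner revokes a guest but never touches the guest’s already-issued token, so the feed endpoint keeps serving frames; the hardened class re-checks the current share list on every request, invalidates tokens on unshare and password change, and expires tokens after a TTL. All class names, the camera and user identifiers, and the token format are hypothetical and constructed for the example.

```python
"""Constructed model of cloud-side IoT camera sharing (hypothetical, not a vendor API)."""
import secrets
import time

# Constructed sample data: one camera, its owner, and a guest the owner invites.
CAMERA = "front-door-cam"
OWNER = "alice"
GUEST = "bob"


class CloudBase:
    """Shared scaffolding: who may view which camera, and which bearer tokens exist."""

    def __init__(self):
        self.owners = {CAMERA: OWNER}          # camera -> owning account
        self.shares = {CAMERA: {OWNER}}        # camera -> set of authorized users
        self.tokens = {}                       # token -> (user, camera, issued_at)
        self.passwords = {OWNER: "owner-pw", GUEST: "guest-pw"}  # constructed values

    def share(self, owner, camera, user):
        if self.owners[camera] != owner:
            raise PermissionError("only the owner can share a camera")
        self.shares[camera].add(user)

    def login(self, user, camera):
        """Authorization is checked once, at login, and a bearer token is issued."""
        if user not in self.shares[camera]:
            raise PermissionError("camera is not shared with this user")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (user, camera, time.time())
        return token


class VulnerableCloud(CloudBase):
    """Models the flaw: revocation edits the share list, but the guest's device
    keeps its token and the feed endpoint trusts the token alone."""

    def unshare(self, owner, camera, user):
        self.shares[camera].discard(user)      # existing tokens left untouched

    def change_password(self, owner, new_password):
        self.passwords[owner] = new_password   # existing sessions left untouched

    def fetch_feed(self, token, now=None):
        entry = self.tokens.get(token)
        if entry is None:
            return None
        _, camera, _ = entry
        return f"frame from {camera}"          # no re-check against current shares


class HardenedCloud(CloudBase):
    """Enforces revocation at the point of access: every request re-checks the
    current share list, unshare and password change drop affected tokens, and
    tokens expire so that even a missed revoke lapses on its own."""

    TOKEN_TTL = 3600  # seconds

    def _revoke_where(self, predicate):
        for tok in [t for t, v in self.tokens.items() if predicate(v)]:
            del self.tokens[tok]

    def unshare(self, owner, camera, user):
        self.shares[camera].discard(user)
        self._revoke_where(lambda v: v[0] == user and v[1] == camera)

    def change_password(self, owner, new_password):
        self.passwords[owner] = new_password
        # A credential change should force everyone viewing the owner's cameras
        # to re-authenticate, so drop every session on cameras this owner owns.
        owned = {c for c, o in self.owners.items() if o == owner}
        self._revoke_where(lambda v: v[1] in owned)

    def fetch_feed(self, token, now=None):
        entry = self.tokens.get(token)
        if entry is None:
            return None
        user, camera, issued = entry
        now = time.time() if now is None else now
        if now - issued > self.TOKEN_TTL or user not in self.shares[camera]:
            del self.tokens[token]             # stale or revoked: discard it
            return None
        return f"frame from {camera}"


def guest_still_sees_feed(cloud):
    """Owner shares, guest logs in, owner unshares and changes password.
    Returns True if the guest's old token still yields a frame afterwards."""
    cloud.share(OWNER, CAMERA, GUEST)
    guest_token = cloud.login(GUEST, CAMERA)
    assert cloud.fetch_feed(guest_token) is not None   # legitimately shared
    cloud.unshare(OWNER, CAMERA, GUEST)
    cloud.change_password(OWNER, "new-owner-pw")
    return cloud.fetch_feed(guest_token) is not None


if __name__ == "__main__":
    print("vulnerable design, guest still sees feed:", guest_still_sees_feed(VulnerableCloud()))
    print("hardened design, guest still sees feed:  ", guest_still_sees_feed(HardenedCloud()))
```

The design point is that a share list is only a record of intent; the decision that matters is the one made when a frame is actually served. Checking current authorization per request (or keeping tokens short-lived and re-issuing them) is what turns "removed from the list" into "can no longer watch".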
“Our analysis identified a systemic feature in device authentication and access control schemes for shared Internet of things ecosystems,” detailed the paper. “Our study suggests there is a long road ahead for vendors to implement the security and privacy of IoT-produced content.”
Are You One of the Victims?
You may be subject to this privacy flaw found on security and doorbell cameras if you’ve ever had a shared account on one of the following cameras: Blink Camera, Canary Camera, D-Link Camera, Geeni Mini Camera, Doorbell and Pan/Tilt Camera, Merkury Camera, Momentum Axel Camera, Nest Camera Current and Doorbell Current, NightOwl Doorbell, Ring Pro Doorbell Current and Standard Doorbell Current, SimpliSafe Camera and Doorbell, and TP-Link Kasa Camera.
Most importantly, if you have ever had a shared account for any camera, especially one of those listed above, keep the firmware updated. Even though the flaw persists after a password change, change your password anyway and power-cycle the camera. Hopefully, the manufacturers will fix this issue as soon as they can.
Learn about another vulnerability in Ring Doorbell cameras that allowed hackers to supply fake images.