Newly discovered security vulnerabilities in ADT's Blue (formerly LifeShield) home security cameras could have been exploited to hijack both the audio and video streams.
The vulnerabilities (tracked as CVE-2020-8101) were identified in the video doorbell camera by Bitdefender researchers in February 2020 and were eventually addressed on August 17, 2020.
LifeShield was acquired by Florida-based ADT Inc. in 2019, and LifeShield's DIY home security products were rebranded as Blue in January 2020. The company's products had a 33.6% market share in the U.S. last year.
The security issues in the doorbell camera allow an attacker to:
- Obtain the administrator password of the camera simply by knowing its MAC address, the hardware identifier the backend uses to tell devices apart
- Inject commands locally to gain root access, and
- Access the audio and video feeds through an unprotected RTSP (Real-Time Streaming Protocol) server
The doorbell is designed to periodically send heartbeat messages to "cms.lifeshield.com" containing information such as its MAC address, SSID, local IP address, and wireless signal strength. The server, in return, responds with an authentication message. That authentication can be trivially bypassed by crafting a fake heartbeat that carries the target device's MAC address, because the MAC is the only value the server actually verifies.
"The server seems to ignore the token and checks only the MAC address when sending a response," the researchers noted, adding that "the password for the administrator can be obtained by decoding the base64 authorization header received in this request."
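To make that weakness concrete, here is an added Python model of the heartbeat exchange. It is not Bitdefender's code or the vendor's, and the heartbeat field names, the per-device token construction and the device record are assumptions; the advisory lists what the heartbeat contains but not its wire format. The model contrasts a server check that looks only at the MAC address with one that also verifies a per-device token, and shows how the Basic Authorization header in the weak reply gives up the admin password.

```python
import base64
import hashlib
import hmac

# Constructed device record and heartbeat fields (assumed names; the advisory
# lists the heartbeat contents but not the exact wire format).
DEVICE_RECORD = {
    "mac": "AA:BB:CC:DD:EE:01",
    "admin_password": "s3cret-admin-pw",
    "token_key": b"per-device-secret-provisioned-at-enrolment",
}
DEVICES = {DEVICE_RECORD["mac"]: DEVICE_RECORD}


def make_heartbeat(mac, ssid, local_ip, rssi, token):
    """Build a heartbeat like the doorbell's: MAC, SSID, local IP, signal strength, token."""
    return {"mac": mac, "ssid": ssid, "ip": local_ip, "rssi": rssi, "token": token}


def device_token(record):
    """Token the legitimate device would present: an HMAC over its MAC under a per-device key."""
    return hmac.new(record["token_key"], record["mac"].encode(), hashlib.sha256).hexdigest()


def vulnerable_respond(heartbeat, devices):
    """Models the reported flaw: the token is never checked, only the MAC is looked up,
    and the reply carries the admin credential in a base64 Basic Authorization header."""
    record = devices.get(heartbeat["mac"])
    if record is None:
        return None
    creds = f"admin:{record['admin_password']}".encode()
    return {"Authorization": "Basic " + base64.b64encode(creds).decode()}


def fixed_respond(heartbeat, devices):
    """Hardened variant: the MAC alone proves nothing, so require the per-device token,
    compare it in constant time, and never echo the credential back to the client."""
    record = devices.get(heartbeat["mac"])
    if record is None:
        return None
    if not hmac.compare_digest(device_token(record), heartbeat.get("token", "")):
        return None
    return {"status": "ok"}


def recover_password(response):
    """The attacker's step from the advisory: decode the base64 Basic header into user and password."""
    if not response or "Authorization" not in response:
        return None
    scheme, _, blob = response["Authorization"].partition(" ")
    if scheme != "Basic":
        return None
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


if __name__ == "__main__":
    # The attacker knows only the MAC and sends junk for the token.
    forged = make_heartbeat(DEVICE_RECORD["mac"], "lab-wifi", "10.0.0.200", -50, "not-a-real-token")
    print("vulnerable server ->", recover_password(vulnerable_respond(forged, DEVICES)))
    print("fixed server      ->", fixed_respond(forged, DEVICES))
    genuine = make_heartbeat(DEVICE_RECORD["mac"], "home-wifi", "10.0.0.108", -42, device_token(DEVICE_RECORD))
    print("fixed, real token ->", fixed_respond(genuine, DEVICES))
```

The point of the hardened variant is that a MAC address is not a secret: it is broadcast on the local network and often printed on the device, so any server-side decision keyed on it alone is keyed on public data. Whatever the real token format is, it has to be something only the enrolled device can produce, and the credential should never travel back in the reply at all.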
Armed with this admin access to the camera's web interface, the attacker can then leverage an HTTP endpoint that is vulnerable to command injection to gain root access on the device.
Lastly, the researchers also found that an unsecured RTSP server with no credentials at all could be used to access the video stream at "rtsp://10.0.0.108:554/img/media.sav" with any media player, such as VLC. The address is a private LAN address, so anyone on the same network as the camera can open the stream.
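A practitioner who wants to check a camera for this class of problem does not need VLC: a single RTSP DESCRIBE request tells you whether the server hands over the stream description unauthenticated. The following is an added Python example, not code from Bitdefender or the vendor. The stream path defaults to the one quoted above, the two sample replies are constructed for illustration rather than captured from the device, and the classifier's labels are this example's own.

```python
import socket


def build_describe(url, cseq=1):
    """RTSP/1.0 DESCRIBE request (RFC 2326): CRLF line endings, blank line ends the headers."""
    return (
        f"DESCRIBE {url} RTSP/1.0\r\n"
        f"CSeq: {cseq}\r\n"
        "Accept: application/sdp\r\n"
        "User-Agent: rtsp-auth-check\r\n"
        "\r\n"
    )


def classify_rtsp_response(raw):
    """Map a raw RTSP reply to 'open', 'auth-required', 'not-found' or 'other'."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line = lines[0].split(" ", 2)
    if len(status_line) < 2 or not status_line[0].startswith("RTSP/"):
        return "other"
    status = status_line[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if status == "200" and headers.get("content-type", "").startswith("application/sdp"):
        return "open"  # SDP returned without any credentials: unauthenticated stream
    if status == "401" and "www-authenticate" in headers:
        return "auth-required"
    if status == "404":
        return "not-found"
    return "other"


def probe(host, port=554, path="/img/media.sav", timeout=5.0):
    """Send one DESCRIBE to a live camera and classify the reply (needs network access)."""
    url = f"rtsp://{host}:{port}{path}"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        sock.sendall(build_describe(url).encode("ascii"))
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return classify_rtsp_response(data.decode("ascii", errors="replace"))


# Constructed replies (not captures from the device) covering the two outcomes that matter.
SAMPLE_OPEN = (
    "RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\nContent-Length: 32\r\n\r\n"
    "v=0\r\no=- 1 1 IN IP4 10.0.0.108\r\n"
)
SAMPLE_AUTH = (
    "RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
    'WWW-Authenticate: Digest realm="camera", nonce="0123456789abcdef"\r\n\r\n'
)

if __name__ == "__main__":
    print("sample open stream   ->", classify_rtsp_response(SAMPLE_OPEN))
    print("sample locked stream ->", classify_rtsp_response(SAMPLE_AUTH))
    # Live check against a camera on the LAN, for example: print(probe("10.0.0.108"))
```

An "open" result means the server described the stream to an anonymous client, which is exactly the condition the researchers reported; a correctly configured camera answers DESCRIBE with 401 and a WWW-Authenticate challenge before revealing anything about the media.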
Patches were applied to the production servers and to all 1,500 affected devices, but since there was no easy way to confirm that camera owners had actually installed the firmware update, Bitdefender chose to delay public disclosure by more than five months.
"Customers have security choices when it comes to securing their smart homes or small businesses," the researchers said.
"Carefully researching IoT vendors for security update policies to their products, changing default passwords, separating IoTs into different subnetworks, and even regularly checking for firmware updates are only a handful of practical and hands-on security tips that anyone can adhere to."