DropBox, Gmail Logins Acquired in Security Camera Hack

DropBox, Gmail Logins Acquired in Security Camera Hack

There is always going to be something. The world of IoT is so new that developers can’t possibly have a safe guard in place for every vulnerability that might come along on every product they make, but leaving email and cloud storage account credentials in code is certainly avoidable. It is wholly inadvisable, especially when the login details are going to be shipped inside some seriously unsecure home CCTV devices from one of the best-known names in tech.

That’s exactly what happened with the Motorola Focus 73 security camera. Researchers from Context Information Security said they’d uncovered DropBox, Google Gmail and FTP credentials when probing the device for vulnerabilities. This could have left their employers open to compromise, as well as causing quite a bit of embarrassment for the developers.

“The accounts left in the firmware appeared to be shared developer accounts used to receive motion alerts and video clips for testing. We didn’t access the accounts due to legalities but we had everything we needed to do so. These would be on every camera,” said Neil Briggs, head of research at Context. “You would not expect a development company to use this type of account for this kind of activity and they certainly should not have been left in the final firmware. The most you could do with these accounts would be to cause issues for the developers who are using these accounts for testing.”

He confirmed that the accounts had now been removed from the camera’s firmware, as have a number of other glaring vulnerabilities that allowed them to access DropBox and Gmail accounts in the first place.

As explained in a blog post on Context’s site, the team took advantage of poor encryption or absence of it entirely, on the camera. They discovered it was transmitting a private Wi-Fi security key unencrypted over an open network, using a username of “camera” and password “000000.” The root password for the device was also trivial to crack, at “123456.”

Investigating further, the hackers found the device holding the home network Wi-Fi password in plaintext alongside those account logins. The device’s logs were accessible via an open web interface and held within an encryption key for the remote control messages determining the direction of the camera and FTP credentials for video clip storage. The researchers were able to install their own malicious firmware as uploads weren’t checked for validity. The hackers were able to take almost total control over the camera and were even able to direct its movement.

Context has since contacted Motorola Monitors about the issues.

About the Author

Sydny Shepard is the Executive Editor of Campus Security & Life Safety.

Featured

  • Survey: 54% of Organizations Cite Technical Debt as Top Hurdle to Identity System Modernization

    Modernizing identity systems is proving difficult for organizations due to two key challenges: decades of accumulated Identity and Access Management (IAM) technical debt and the complexity of managing access across multiple identity providers (IDPs). These findings come from the new Strata Identity-commissioned report, State of Multi-Cloud Identity: Insights and Trends for 2025. The report, based on survey data from the Cloud Security Alliance (CSA), highlights trends and challenges in securing cloud environments. The CSA is the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment. Read Now

  • Study: Only 35 Percent of Companies Include Cybersecurity Teams When Implementing AI

    Only 35 percent of cybersecurity professionals or teams are involved in the development of policy governing the use of AI technology in their enterprise, and nearly half (45 percent) report no involvement in the development, onboarding, or implementation of AI solutions, according to the recently released 2024 State of Cybersecurity survey report from ISACA, a global professional association advancing trust in technology. Read Now

  • New Report Series Highlights E-Commerce Threats, Fraud Against Retailers

    Trustwave, a cybersecurity and managed security services provider, recently released a series of reports detailing the threats facing the retail sector, marking the second year of its ongoing research into these critical security issues. Read Now

  • Stay Secure in 2024: Updated Cybersecurity Tips for the Office and at Home

    Cyber criminals get more inventive every year. Cybersecurity threats continue to evolve and are a moving target for business owners in 2024. Companies large and small need to employ cybersecurity best practices throughout their organization. That includes security integrators, manufacturers, and end users. Read Now

Featured Cybersecurity

Webinars

New Products

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises. 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3