DropBox, Gmail Logins Acquired in Security Camera Hack

DropBox, Gmail Logins Acquired in Security Camera Hack

  • By Sydny Shepard
  • Feb 03, 2016

There is always going to be something. The world of IoT is so new that developers can’t possibly have a safe guard in place for every vulnerability that might come along on every product they make, but leaving email and cloud storage account credentials in code is certainly avoidable. It is wholly inadvisable, especially when the login details are going to be shipped inside some seriously unsecure home CCTV devices from one of the best-known names in tech.

That’s exactly what happened with the Motorola Focus 73 security camera. Researchers from Context Information Security said they’d uncovered DropBox, Google Gmail and FTP credentials when probing the device for vulnerabilities. This could have left their employers open to compromise, as well as causing quite a bit of embarrassment for the developers.

“The accounts left in the firmware appeared to be shared developer accounts used to receive motion alerts and video clips for testing. We didn’t access the accounts due to legalities but we had everything we needed to do so. These would be on every camera,” said Neil Briggs, head of research at Context. “You would not expect a development company to use this type of account for this kind of activity and they certainly should not have been left in the final firmware. The most you could do with these accounts would be to cause issues for the developers who are using these accounts for testing.”

He confirmed that the accounts had now been removed from the camera’s firmware, as have a number of other glaring vulnerabilities that allowed them to access DropBox and Gmail accounts in the first place.

As explained in a blog post on Context’s site, the team took advantage of poor encryption or absence of it entirely, on the camera. They discovered it was transmitting a private Wi-Fi security key unencrypted over an open network, using a username of “camera” and password “000000.” The root password for the device was also trivial to crack, at “123456.”

Investigating further, the hackers found the device holding the home network Wi-Fi password in plaintext alongside those account logins. The device’s logs were accessible via an open web interface and held within an encryption key for the remote control messages determining the direction of the camera and FTP credentials for video clip storage. The researchers were able to install their own malicious firmware as uploads weren’t checked for validity. The hackers were able to take almost total control over the camera and were even able to direct its movement.

Context has since contacted Motorola Monitors about the issues.

About the Author

Sydny Shepard is the Executive Editor of Campus Security & Life Safety.

Featured

  • 66 Percent of Cybersecurity Pros Say Job Stress is Growing

    Sixty-six percent of cybersecurity professionals say their role is more stressful now than it was five years ago, according to the newly released 2024 State of Cybersecurity survey report from ISACA, a global professional association advancing trust in technology. Read Now

  • Live from GSX 2024: Post-Show Recap

    Another great edition of GSX is in the books! We’d like to thank our great partners for this years event, NAPCO, LVT, Eagle Eye Networks and Hirsch, for working with us and allowing us to highlight some of the great solutions the companies were showcasing during the crowded show. Read Now

    • Industry Events
    • GSX

  • Research: Cybersecurity Success Hinges on Full Organizational Support

    Cybersecurity is the top technology priority for the vast majority of organizations, but moving from aspiration to reality requires a top-to-bottom commitment that many companies have yet to make, according to new research released today by CompTIA, the nonprofit association for the technology industry and workforce. Read Now

  • Live from GSX 2024: Day 3 Recap

    And GSX 2024 in Orlando, is officially in the books! I’d like to extend a hearty congratulations and a sincere thank-you to our partners in this year’s Live From program—NAPCO, Eagle Eye Networks, Hirsch, and LVT. Even though the show’s over, keep an eye on our GSX 2024 Live landing page for continued news and developments related to this year’s vast array of exhibitors and products. And if you’d like to learn more about our Live From program, please drop us a line—we’d love to work with you in Las Vegas at ISC West 2025. Read Now

    • Industry Events
    • GSX
Most   Popular

Featured Cybersecurity

Webinars

New Products

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises. 3

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation. 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3