Dropcam, the popular video monitoring camera, bills itself as “super simple security.” But a pair of researchers plan to show at the Defcon hacking conference later this week how a Dropcam could be a weak point.
Patrick Wardle and Colby Moore, both of whom work for security firm Synack, tore apart a $200 Dropcam and figured out how its software works.
They found several vulnerabilities, none of which granted the holy grail of remote online access, but say their examination portends security problems because of the increasing pervasiveness of Internet-connected embedded devices, often referred to as the “Internet of things.”
Google already has a strong stake in the Internet of things and devices for home automation. It owns Nest Communications, which makes Internet-connected thermostats and smoke detectors. Nest acquired Dropcam in June.
Embedded devices usually don’t run security software, and it’s very difficult “for consumers to vet the integrity of the devices,” said Moore, a security research engineer, in a phone interview.
“People don’t realize they are basically mini-computers,” he said.
Dropcam sells subscription plans for online video storage. When someone wants to view the video, the service verifies a digital certificate shipped on a Dropcam in order to grant access.
Moore and Wardle extracted the SSL (Secure Sockets Layer) certificate and its corresponding private key from the Dropcam they analyzed. With those in hand, it would be possible for them to view videos a person has stored or to upload their own videos that would appear to have come from that specific Dropcam.
“It would allow an attacker to basically hijack or take over the video stream,” Wardle said.
In an email statement, a Nest spokeswoman said such an attack would require physical access to a Dropcam.
“The Synack folks were not able to remotely compromise any of our cameras—only ones they had physical access to,” wrote spokeswoman Kate Brinks. “This is not a unique problem.”
But it’s not far-fetched that an attacker could buy a Dropcam and give it as a gift to someone, essentially a Trojan horse attack that opens up the recipient’s video to monitoring.