Dropcam Vulnerability Leaves Attached Networks at Risk

Last month, Google made a big huff about its acquisition of the home surveillance company Dropcam, who make the process of setting up 24-hour webcams around one’s home as simple as gluing down a magnet, sticking a device to it, and following a tutorial in an easy-to-use app.


Photo: Dropcam

This is a far cry from the complexity that many other products in the same category require, which can often take hours to set up, and often don’t come equipped with mobile solutions that allow users to view their cameras from anywhere in the world, Wi-Fi connection permitting.

Now according to two security researchers Colby Moore and Patrick Wardle from Synack Labs in Menlo Park, California, the Dropcam architecture is vulnerable to a Heartbleed-based bug that could allow unauthorized accounts to use an SSL injection to gain control of devices attached to the same network.

“If someone has physical access, it’s pretty much game over,” Wardle told DarkReading. “The camera is vulnerable to client-side Heartbleed attacks. You could spoof the Dropcam DNS server, and the camera would beacon out.”

Another interesting part of their presentation claims that hackers could even go as far as injecting fake or replicated video into the Dropcam feed, allowing burglars to trick homeowners into thinking that all’s quiet on the western front, when in fact their couch, TV, and fridge are already halfway loaded out the back door.

The severity of the attack is tempered slightly by the fact that a user must be within Wi-Fi range to actually implement the attack, however if the Internet of Things market takes off the way Google seems to expect it will in the next several years, it may not be more than a few months before these types of networks are available five times or more on every block in the neighborhood.

The duo claims they’ll delve into the specifics of how the attack takes place and what users can do to prevent it at this year’s DEFCON 22 conference, taking place in Las Vegas next month.

The talk, titled Optical surgery; Implanting a Dropcam, should bring ample attention to the issue, which has already been pored over by engineers at the company and should be patched by the time the team has a chance to reveal the nuts and bolts of their operation on stage.

For now, they’ve revealed that the exploit can affect any version of Windows XP or Mac OSX running the Dropcam software, and that as long as the attacker is within range of a compromised camera, any number of malware programs can be easily distributed across an unlimited number of devices while the hole remains open.

Dropcam, now a subsidiary of Google by association when it was snapped up by Nest Labs for a cool $555 million, hopes to get their foot in the door for the upcoming frenzy that should descend on the tech world once the consumer market starts to turn their attention away from old hat like the cloud and tablets, and focus their energy and spending cash on the Internet of Things in the next five years or less.