Swann security cameras vulnerable to spying hack

HITBSecConf2019 - The 10the annual HITB Security Conference in The Netherlands - Trainings, Conference track and Haxpo exhibition. Register now.

Researchers have unearthed a security flaw in a Swann security camera that allows attackers to spy on the video and audio feed of anyone’s camera.

Swann security cameras spying

Swann SWWHD-Intcam is battery-powered, connected to and configured from a dedicated app, and it can stream video either directly over the local network or via a cloud service, which is provided by Israeli company OzVision.

The research

Swann security cameras are often used in business offices and homes, so the idea that someone can easily spy on random people’s private moments is unsettling.

Researchers Andrew Tierney, Chris Wade and Ken Munro from Pen Test Partners, University of Surrey professor Alan Woodward, BBC hacker in residence Scott Helme, and independent researcher Vangelis Stykas were all intrigued by a recent BBC report that showed how a Swann home security camera sent footage from inside a family’s home to the wrong person’s app.

But they weren’t convinced by the company’s explanation on how this was possible and decided to see for themselves where the problem lies – and whether they can uncover others. So, they banded together to do some testing.

They discovered that they can easily switch video feeds from one camera to another through the cloud service, because the web based API uses the camera’s serial number as the identifier to connect to it.

“The API would check that you were authenticated to make the request but [it would] not [check whether you were] authorised to view that particular camera,” Helme explained.

The attacker needs to know the serial number of a camera whose feed he wants to access, but that’s also not a problem.

“The serial is of the form swn then 9 hex chars [swnxxxxxxxxx]. That’s a big keyspace, but not THAT big. Vangelis took a look at the API and realised that it allowed enumeration. We believe the keyspace could be fully enumerated in as little as 3 days, given a distributed set of concurrent requests to the API,” Tierney noted.

So, a targeted attack might not be possible (immediately or quickly), but accessing arbitrary cameras is.

Other discoveries

The researchers also found that, contrary to what is stated in the camera’s manual, factory resetting the camera will not remove the SSID and PSK (pre-shared key) of the wireless network it was connected to. If you were to sell the camera to someone at a later date, the person would be able to extract that piece of info and use it to access your Wi-Fi.

Another discovery was a root FTP shell on the device that can be accessed via a preset root password. “From here, one could probably push rogue firmware and create a persistent shell,” Tierney noted.

What now?

The researchers praised Swann’s reaction to the findings and their willingness to cooperate to push out fixes as soon as possible.

“The serial switching issue has been fixed. More recent firmware will resolve the factory reset/PSK persisting issue. Coming firmware will resolve the root password issue,” Tierney shared, and advised users to update their mobile app and firmware in their Swann cameras to the latest version.

They were less pleased with OzVision’s response. “We suspect they knew about this issue for about 9 months, only fixed it when pressured by Swann and we are confident the vulnerability was present in at least one other major camera brand to which they provide a cloud service,” he added.