Another cloud config slip-up

Vulnerabilities in IoT-enabled home video surveillance systems from Guardzilla meant that users were able to spy on each other.

Security researchers discovered that all models of the same device share the same Amazon S3 credential to store saved video data. Because of this design, all users of the Guardzilla All-In-One Video Security System – which is designed for indoor video surveillance – can access each other’s saved home video data.

Not good.

The flaw was apparent after researchers examined the firmware for the GZ501W model of Guardzilla’s technology. Exploitation would be simple, as an advisory by the researchers explains.

Embedded S3 credentials have unlimited access to all S3 buckets provisioned for that account. This was determined through static analysis of the firmware shipping with the device. Once the firmware was extracted and the root password “GMANCIPC” was cracked, the Amazon S3 access key was recovered.

The security snafu was uncovered by researchers at 0DayAllDay, who went public with a co-ordinated disclosure of their findings through Rapid7 on Thursday (27 December). Only the GZ501W model was tested. It is not known if other models are also affected.

In addition to the shared credential slip up, researchers discovered that the device shipped with an outdated version of OpenSSL (version 1.0.1g). Lastly network and binary analysis revealed “several unusual connections and mentions of foreign IP addresses, and an open port TCP/23 was found which was not documented”. This odd behaviour may point to a backdoor on the device, but this has remains unconfirmed.

The main shared credential on all devices problem is an example of CWE-798: use of hard-coded credentials – a well-understood security risk.

The Daily Swig has approached Guardzilla for comment.