Expectant parent finds severe security problems in his new baby monitor

An expectant parent and security researcher found severe security problems in a baby monitor

UPDATED Remote code execution (RCE) and comms protocol vulnerabilities that would have allowed baby monitors to be hijacked have been discovered and resolved.

On Tuesday, cybersecurity researcher Randy Westergren published his findings on the security posture of the Motorola Halo+, a popular baby monitor.

Westergren, whose day job is as the engineering director of US financial services company Marlette Funding, and his wife were expecting their first child and so went hunting for a suitable monitor, selecting the Motorola Halo+ as their preferred option.

The Motorola Halo+ features an over-the-crib monitor, a handheld unit for parents, and a Wi-Fi-connected mobile application to monitor children, and their environment, in Full HD. The researcher decided the set-up “deserved a closer look”.


It was a matter of hours before Westergren discovered a pre-authentication RCE security flaw and the means to obtain a full root shell.

Westergren began by examining the device’s listening services and reverse-engineering the monitor’s Android app, Hubble Connected for Motorola Monitors.

Hubble Connected pulls information beyond simply the monitor’s camera feed and presents it in the user’s display. This data includes room temperature, night lights, and the status of the monitor’s light show projector.

By examining system logs alone, it was possible to find the app’s API requests to gather this information, many of which involved services that interacted with Hubble’s cloud platform.

The researcher also examined HTTP-based communication and how the app’s local API operated. Westergren was able to use local API commands to find GET and SET lists, as well as “value” parameters that would accept user input, “potentially leading to RCE if not properly sanitized,” he explained.

Timezone hack

Westergren then created a reboot shell injection payload and performed the ‘set_city_timezone’ action in the device, forcing an immediate restart and obtaining shell access in the process.
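As an added defensive illustration (not code from the article, the device firmware or Westergren's write-up), this shows how a local-API handler can accept a timezone `value` parameter without letting it reach a shell: strict allowlist validation plus an argv-based invocation. The helper path `/usr/bin/set-tz` and its `--zone` flag are hypothetical assumptions.

```python
"""Hardened handling of a local-API 'value' parameter (e.g. set_city_timezone).

Added example, not code from the Motorola Halo+ firmware or Westergren's
write-up. It assumes the firmware applies a timezone by running a helper
binary (hypothetical path /usr/bin/set-tz) and shows the two controls that
close the shell-injection class the article describes: allowlist validation
of the value, and invoking the helper with an argv list rather than a
shell string.
"""
import re
import subprocess
from typing import List

# IANA zone names look like "UTC", "Europe/London", "America/Argentina/Ushuaia".
# Only letters, digits, '_', '-', '+' and up to two '/' separators are allowed;
# shell metacharacters (; | & $ ` ( ) space, newline ...) never match.
_TZ_RE = re.compile(r"^[A-Za-z0-9_+\-]{1,32}(?:/[A-Za-z0-9_+\-]{1,32}){0,2}$")

# Hypothetical helper the device would call to apply the zone.
SET_TZ_HELPER = "/usr/bin/set-tz"


def is_valid_timezone(value: str) -> bool:
    """Return True only if value is a syntactically safe IANA-style zone name."""
    return bool(_TZ_RE.fullmatch(value))


def build_set_timezone_argv(value: str) -> List[str]:
    """Validate the API 'value' and build the argv for the helper.

    Raises ValueError for anything outside the allowlist, so a value carrying
    command separators is rejected before it reaches any process.
    """
    if not is_valid_timezone(value):
        raise ValueError("rejected timezone value")
    return [SET_TZ_HELPER, "--zone", value]


def set_city_timezone(value: str) -> int:
    """Apply the zone without a shell: no word splitting, no metacharacters."""
    argv = build_set_timezone_argv(value)
    # shell=False (the default) hands argv straight to execve(); the value is a
    # single argument and cannot terminate the command or start another one.
    return subprocess.run(argv, shell=False, check=False).returncode
```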

In addition, the researcher came across a bug in the implementation of the IoT messaging standard MQTT. Westergren found that the client was configured to subscribe to the wildcard topics `#` and `$SYS/#` by default, which undermined access control between Hubble devices.

“A number of command[s] result from various devices,” the researcher noted. “Though I did not attempt this, I think it was very likely that a client could easily control the entire device fleet by publishing arbitrary commands.”

While the product appears under the Motorola Mobility brand, its manufacturing unit was acquired in 2014 by Lenovo.

Westergren said that once the initial report was made to Lenovo’s security team on April 9, they were quick to respond. By April 16, Lenovo had confirmed the issues and work on security fixes was underway.

Lenovo told The Daily Swig that Binatone is the official Motorola licensee for the Motorola Halo+ and was therefore responsible for creating and rolling out patches.

Halo slips

The first set of patches was incomplete, said Westergren. He added that Lenovo warned of further delays, as “we have opened additional requirements to our licensee [Binatone] for this product to resolve this issue, which has added some complexity”.

Both the RCE and MQTT problems have now been patched, in firmware versions 03.50.06 and 03.50.14, respectively.

The baby monitor’s RCE vulnerability has been assigned CVE-2021-3577, whereas the MQTT credentials issue is now tracked as CVE-2021-3787.

This article was updated on September 16 to clarify that Binatone, not Lenovo, was responsible for creating and rolling out security patches for the Motorola Halo+.
