This post is also available in: עברית (Hebrew)
A smart security system was found vulnerable for access to uploaded video recordings.
Researchers found that Guardzilla’s top-selling indoor wireless security system contains a set of hardcoded keys that can be easily extracted, because it uses an old algorithm which is today easily cracked.
Guardzilla doesn’t say how many devices it’s sold or how many customers it has, but these involve several major U.S. retailers, including Amazon, Best Buy, Target, Walmart and Staples.
Each device uses the same set of keys to upload video recordings to the company’s Amazon Web Services’ storage servers. Anyone can use these keys to log in and gain full access to the company’s cloud storage — and customer data uploaded from the device, according to techcrunch.com.
“We’ve tried several avenues to get in touch with Guardzilla, but they have not acknowledged the report,” said Tod Beardsley, Rapid7’s research director, who helped coordinate the release of the researchers’ findings.
The team of five researchers said in their report that it took two off-the-shelf consumer graphics cards just three hours to decrypt the eight-letter password protecting the affected Guardzilla device’s firmware that ships with each device. Because the keys were buried in the code, anyone with a Guardzilla device could obtain the keys and gain unfettered access to the company’s 13 storage buckets hosted on Amazon’s servers. The researchers tested the keys but did not use them to access the buckets, they said, to prevent unintentional access to Guardzilla customer data.
Fixing the vulnerability not only requires the keys to be changed on the server, but also a software patch to be rolled out on each affected device.
“They could update the keys and update the firmware, but that just means they’ll be rediscovered again by the same techniques,” said Beardsley. “The only way I can think of to fix this completely is to change the keys, stand up a proxying service and update the firmware to use this proxying service with unique-per-device accounts.”
Guardzilla were given three months to fix the security lapse and roll out new firmware to affected devices after the researchers privately reached out, but the company neither acknowledged nor patched the issue, prompting the researchers to go public with their findings.
The security researchers found two more vulnerabilities — including several known bugs affecting the device’s continued use of a since-deprecated Open SSL encryption library from more than two years ago. The researchers also discovered “large amounts” of traffic sent from an open port on the device to Guardzilla’s Amazon server, but could not explain why.