
IZON IP Cameras Riddled With Security Flaws

timothy posted about 6 months ago | from the whose-izon-you? dept.

Security 55

An anonymous reader writes "With recent action by the FTC against TRENDnet, the 'Internet of Things' has taken a sharp turn in the eyes of the public and government with regard to security. This week, Duo Security employee Mark Stanislav presented security research he did on the IZON IP camera from Stem Innovation. Through his testing, Mark found hardcoded credentials for Linux accounts (accessible by Telnet; Yes, — really), an undocumented web interface allowing for viewing a camera's stream (also with hardcoded credentials, user/user), and a variety of other failings including a lack of cryptography in most of the camera's functionality, including when uploading videos to Amazon Web Services's S3 storage." According to the above-linked article, "Contacted by The Security Ledger, Stem Innovation CTO Matt McBeth said that the IZON firmware, server system and iOS applications tested by Stanislav have since been updated, and that the research contains “inaccurate and misleading information.” Stem did not provide specific information about any inaccuracies."
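The hardcoded Telnet login described above is the kind of thing a practitioner wants to test for on their own network before trusting a camera. The following Python is an added example, not code from Duo's research or from Stem: it runs a constructed stand-in for an embedded telnetd on localhost (so it works offline), handles the option negotiation a BusyBox-style telnetd sends before its prompt, and tries a short constructed list of candidate logins. The account names, passwords, host and port are placeholders, not the values reported for the IZON; point try_login at a real host only with the owner's permission.

```python
import socket
import threading

# Telnet option negotiation bytes (RFC 854).
IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251


def strip_negotiation(data):
    """Split raw telnet bytes into (text, replies).

    Each DO/WILL from the peer is answered WONT/DONT so a small embedded telnetd
    stops negotiating and prints its login prompt.  Subnegotiation (SB) is not
    handled; a BusyBox login banner does not need it.
    """
    text, replies, i = bytearray(), bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            text.append(data[i])
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:      # escaped 0xff
            text.append(IAC)
            i += 2
        elif i + 2 < len(data) and data[i + 1] in (DO, DONT, WILL, WONT):
            cmd, opt = data[i + 1], data[i + 2]
            if cmd == DO:
                replies += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                replies += bytes([IAC, DONT, opt])
            i += 3
        else:                                                # two-byte command
            i += 2
    return bytes(text), bytes(replies)


def try_login(host, port, user, password, timeout=3.0):
    """Return True if user/password lands on a shell prompt ('#' or '$')."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        buf, stage = b"", "user"                 # user -> password -> shell
        while True:
            try:
                chunk = s.recv(1024)
            except socket.timeout:
                return False
            if not chunk:
                return False
            text, replies = strip_negotiation(chunk)
            if replies:
                s.sendall(replies)
            buf += text
            low = buf.lower()
            if stage == "user" and b"login:" in low:
                s.sendall(user.encode() + b"\r\n")
                buf, stage = b"", "password"
            elif stage == "password" and b"password:" in low:
                s.sendall(password.encode() + b"\r\n")
                buf, stage = b"", "shell"
            elif stage == "shell":
                if b"incorrect" in low or b"login:" in low:
                    return False
                if buf.rstrip().endswith((b"#", b"$")):
                    return True


def read_line(conn):
    buf = b""
    while b"\n" not in buf:
        chunk = conn.recv(256)
        if not chunk:
            break
        buf += chunk
    text, _ = strip_negotiation(buf)
    return text.split(b"\n", 1)[0].strip().decode(errors="replace")


def simulated_camera(listener, valid=("user", "user")):
    """Constructed stand-in for an embedded telnetd: one session, one login.
    The accepted credentials are a placeholder, not the real camera's."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(3)
        conn.sendall(bytes([IAC, DO, 1]) + b"\r\nizon login: ")   # DO ECHO, then prompt
        user = read_line(conn)
        conn.sendall(b"Password: ")
        password = read_line(conn)
        if (user, password) == valid:
            conn.sendall(b"\r\n# ")
        else:
            conn.sendall(b"\r\nLogin incorrect\r\nizon login: ")


def run_demo(candidates=(("admin", "admin"), ("user", "user"))):
    """Probe the simulated camera with each candidate; return the ones that work."""
    hits = []
    for user, password in candidates:
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        server = threading.Thread(target=simulated_camera, args=(listener,), daemon=True)
        server.start()
        try:
            if try_login("127.0.0.1", port, user, password):
                hits.append((user, password))
        finally:
            server.join(5)
            listener.close()
    return hits


if __name__ == "__main__":
    print("working logins:", run_demo())
```

The negotiation step matters in practice: a naive client that just waits for the string "login:" often hangs because telnetd sends DO/WILL options first and some builds wait for an answer. Against a real device, replace the simulator with the camera's address and a candidate list from its firmware strings.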

55 comments


Izon (1)

shentino (1139071) | about 6 months ago | (#45228613)

Who cares about izon?

You really need to worry more about dogs named Skippy.

Re:Izon (0)

mspohr (589790) | about 6 months ago | (#45229915)

This camera is also only for Apple pad/pod/phone users and these people don't really worry about security. They are happy with security by obscurity.

Re:Izon (1)

shentino (1139071) | about 6 months ago | (#45229999)

No cookie for you.

You completely missed my reference to Cube 2.

Re:Izon (1)

mspohr (589790) | about 6 months ago | (#45230271)

I am sorry. I don't play games so I'm not familiar with Cube 2 (I assume now that Skippy is a character in that game).
So yes, I completely missed it... no cookies.

Product X has security flaw... (-1, Troll)

Anonymous Coward | about 6 months ago | (#45228643)

...so do a lot of things - who gives a shit!

Do we really need a new story for each one of these?

Re:Product X has security flaw... (2)

CanHasDIY (1672858) | about 6 months ago | (#45228681)

...so do a lot of things - who gives a shit!

People that like to be able to watch what goes on inside their homes when they're gone, but don't want every spook and perv on the planet to be able to as well?

Do we really need a new story for each one of these?

How else would you know about it?

Man, it seems the trolls are running out of material these days.

Re:Product X has security flaw... (2)

cusco (717999) | about 6 months ago | (#45228971)

This is just a consumer-grade device, I'm more worried about actual supposedly "professional grade" security cameras. For example the IQInvison cameras all have the hard-coded username/password of root/system and YOU CAN'T CHANGE IT. Several cameras can only take 6-8 character lower case alpha-numeric passwords. Many of them have root or system as their only user. Only Axis and Pelco seem to have a clue that a security device should actually be secure.

Re:Product X has security flaw... (1)

thunderclap (972782) | about 6 months ago | (#45229701)

Well if they actually did have security then you couldn't troll google looking for active webcams like this one http://susandennis.axiscam.net/view/viewer_index.shtml?id=1304 [axiscam.net]

Re:Product X has security flaw... (1)

cusco (717999) | about 6 months ago | (#45229763)

That's an Axis camera, they could have required a login to view the image, it's just a check box. At least the Setup password appears to be something not-default, which is not surprising because Axis cameras require the user to create a password on first login (unlike a **LOT** of other cameras.) Considering the domain listed it's likely that it's actually intended to be viewable by anyone.

Damn that's ugly furniture.

Re:Product X has security flaw... (1)

mlts (1038732) | about 6 months ago | (#45229897)

To boot, it isn't hard to make decent security. I was using NetBotz over ten years ago and never have heard of any security problems with their design.

Re:Product X has security flaw... (1)

CohibaVancouver (864662) | about 6 months ago | (#45230891)

People that like to be able to watch what goes on inside their homes when they're gone

Hard to believe that for thousands of years people went out without having the ability to watch what was going on inside their homes when they were gone. How ever did they manage?

Re:Product X has security flaw... (1)

GTRacer (234395) | about 6 months ago | (#45233405)

Really? We didn't have x a millennium ago but we do now and we should avoid it because reasons?

I won't bother pointing out loads of nice things we didn't have before that, having now, has made us a lot happier, safer, more productive or just plain given us new experiences. Even so, I wouldn't mind having something like this so that when the motion alert popped on my phone I could eyeball the screen to see if it was the cat, the kids coming home or that spree burglar who's been making short work of the neighborhood near us.

Oh, and that guy was partially caught on one homeowner's outdoor cams so cops have a good description of his truck (assuming it's not a one-off hotwire) and I think a profile of him too.

Re:Product X has security flaw... (1)

CanHasDIY (1672858) | about 6 months ago | (#45233717)

People that like to be able to watch what goes on inside their homes when they're gone

Hard to believe that for thousands of years people went out without having the ability to watch what was going on inside their homes when they were gone. How ever did they manage?

Dogs.

Re:Product X has security flaw... (0)

Anonymous Coward | about 6 months ago | (#45228691)

I would argue that this is an especially egregious flaw in something likely to be used in a security context, and perhaps by people unaware of these backdoors. So, in this instance, yes, I think it's a public service. How many people make their purchases based on their local geek's recommendations?

Re:Product X has security flaw... (1)

icebike (68054) | about 6 months ago | (#45229285)

People should know about these backdoors, no question.

On the other hand, the first linked story about the FTC crackdown on TrendNet makes no sense whatsoever, when another branch of the government makes it their business to crack every possible privacy protection of anyone in the world.

Re:Product X has security flaw... (1)

nospam007 (722110) | about 6 months ago | (#45229501)

"I would argue that this is an especially egregious flaw in something likely to be used in a security context, and perhaps by people unaware of these backdoors. So, in this instance, yes, I think it's a public service."

In TV shows and movies the local 'hacker' can get to these cameras in about 3.2 seconds and now we know why.

Re:Product X has security flaw... (1)

Dunbal (464142) | about 6 months ago | (#45229003)

A back door is not a security flaw. It's there by design not by accident.

Re:Product X has security flaw... (1)

wonkey_monkey (2592601) | about 6 months ago | (#45229045)

What if you accidentally forget to disable it before the device you were developing for ends up on sale?

Re:Product X has security flaw... (0)

Anonymous Coward | about 6 months ago | (#45229183)

IANAL, but doesn't that usually fall under negligence?

Re:Product X has security flaw... (1)

Dunbal (464142) | about 6 months ago | (#45230523)

Why would you have a back door in development? All you have to do is have the "front door" unlocked...and you lock it down before shipping.

Re:Product X has security flaw... (3, Interesting)

icebike (68054) | about 6 months ago | (#45229345)

A back door is not a security flaw. It's there by design not by accident.

A backdoor is a security flaw if
a) the owners are not told that it is there (or)
b) the owners can not turn it off (or)
c) if the FTC says it is.

There are (deliberately vague) promises about security made on the IZON site.

IZON lets you watch & listen from anywhere, with secure access to the IZON video stream.

To not reveal a backdoor account has already been found by the FTC (see first link) as a violation which
gets you 20 years worth of monitoring: Per the FTC in the TrendNet case:

The company also is required to obtain third-party assessments of its security programs every two years for the next 20 years.

Farmed Out Too Much Code? (4, Interesting)

cmholm (69081) | about 6 months ago | (#45228679)

I'll be generous and guess that IZON farmed out too much of their software development to ... wherever. Perhaps the company's principals are more hardware oriented, but it's interesting that they're now advertising for an iOS team lead.

Re:Farmed Out Too Much Code? (-1, Troll)

Anonymous Coward | about 6 months ago | (#45228867)

Bingo! Some curry nigger in Mumbai named Raj Patel is probably responsible.

Re:Farmed Out Too Much Code? (2)

fuzzyfuzzyfungus (1223518) | about 6 months ago | (#45229009)

To assume that they had any more involvement with the hardware than they did with the software is fairly charitable... At least random Chinese OEMs know how to build webcams and cheap 'n cheerful ARM SoCs, so that aspect of the plan probably went OK.

Re:Farmed Out Too Much Code? (-1)

Anonymous Coward | about 6 months ago | (#45229145)

The cameras use Linux. Of course it's insecure. Only heavily-audited, closed-source systems should be trusted for running security systems. Not these spy cams using Linux.

Obvious, and products are always like this. (4, Interesting)

LikwidCirkel (1542097) | about 6 months ago | (#45228763)

Here's what happens... The company gets a Linux SDK from some chip vendor which works on some reference platform. This is intended for development and evaluation purposes and has many interfaces exposed, which is generally what you want for development. The producer then hires some cheap amateurish programmers to write some application code on top of the SDK to make the product do stuff. The stock kernel and filesystem is deployed as-is. No security audit is done, no unnecessary services are closed, and few things are removed from the stock SDK filesystem.

It will never get fixed for any or all of the following reasons:

1) No one at the company has enough experience to lock down/strip down Linux - they just know how to write applications on-top.

2) There are deadlines and the management has a "it works, ship it!" mentality.

3) Some developer/engineer might know how to do things properly, but is so swamped with deadlines and babysitting all the juniors that it can't happen.
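The stock-SDK-filesystem-shipped-as-is failure described in that comment can be checked mechanically once a firmware image is unpacked (for instance with binwalk). The script below is an added example, not part of the comment or of any vendor's tooling: it walks an extracted root filesystem for accounts that can log in (empty password or a shipped hash), extra UID-0 accounts, and telnetd/ftpd lines in the boot files. The sample rootfs it builds in a temp directory is constructed for illustration and the hashes in it are dummies.

```python
import os
import re
import tempfile

BOOT_FILES = ("etc/inittab", "etc/init.d/rcS", "etc/rc.local")
RISKY_DAEMONS = ("telnetd", "utelnetd", "ftpd", "tftpd")


def read_if_exists(root, rel):
    path = os.path.join(root, rel)
    if not os.path.isfile(path):
        return ""
    with open(path, errors="replace") as f:
        return f.read()


def audit_accounts(root):
    """List (account, finding) pairs from /etc/passwd and /etc/shadow.

    A password field of 'x' in passwd defers to shadow; '' means no password
    is needed; '*' or a leading '!' means locked; anything else is a hash that
    ships with the firmware and lets anyone who knows that password in.
    """
    findings = []
    for rel in ("etc/passwd", "etc/shadow"):
        for line in read_if_exists(root, rel).splitlines():
            if not line or line.startswith("#"):
                continue
            parts = line.split(":")
            name = parts[0]
            field = parts[1] if len(parts) > 1 else ""
            if rel == "etc/passwd" and len(parts) > 2 and parts[2] == "0" and name != "root":
                findings.append((name, "extra uid-0 account"))
            if rel == "etc/passwd" and field == "x":
                continue                      # judged from the shadow entry
            if field == "":
                findings.append((name, "empty password"))
            elif field[0] in "*!":
                continue                      # locked account
            else:
                findings.append((name, "password hash shipped: " + field[:12] + "..."))
    return findings


def audit_boot_services(root):
    """Return (file, line_no, daemon, text) for risky daemons started at boot."""
    hits = []
    for rel in BOOT_FILES:
        for n, line in enumerate(read_if_exists(root, rel).splitlines(), 1):
            if line.lstrip().startswith("#"):
                continue
            for daemon in RISKY_DAEMONS:
                if re.search(r"\b%s\b" % daemon, line):
                    hits.append((rel, n, daemon, line.strip()))
    return hits


def build_sample_rootfs():
    """Constructed rootfs showing the mistakes in the comment (not real firmware)."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    files = {
        "etc/passwd": (
            "root:x:0:0:root:/:/bin/sh\n"
            "user:x:1000:1000::/home/user:/bin/sh\n"
            "support::0:0::/:/bin/sh\n"            # uid 0 and no password at all
        ),
        "etc/shadow": (
            "root:$1$abcdefgh$DUMMYDUMMYDUMMYDUMMYD/:15000:0:99999:7:::\n"   # dummy hash
            "user:$1$ABCDEFGH$DUMMYDUMMYDUMMYDUMMYD/:15000:0:99999:7:::\n"   # dummy hash
            "nobody:*:15000:0:99999:7:::\n"
        ),
        "etc/inittab": (
            "::sysinit:/etc/init.d/rcS\n"
            "::respawn:/usr/sbin/telnetd -l /bin/login\n"
            "# ::respawn:/usr/sbin/ftpd\n"
        ),
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    sample = build_sample_rootfs()
    for item in audit_accounts(sample) + audit_boot_services(sample):
        print(item)
```

Any "password hash shipped" line is worth feeding to a cracker, because a hash that is the same on every unit is effectively a shared password; the inittab respawn line is the Telnet backdoor in a single line of config.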

Re:Obvious, and products are always like this. (1)

LikwidCirkel (1542097) | about 6 months ago | (#45228783)

damn... forgot the explicit line breaks.

Re:Obvious, and products are always like this. (5, Funny)

Anonymous Coward | about 6 months ago | (#45228897)

It's readable. Post it!

Re:Obvious, and products are always like this. (0)

Anonymous Coward | about 6 months ago | (#45228947)

The company gets a Linux SDK from some chip vendor which works on some reference platform.

Yup. This is just the usual "Cheap clueless company with a cheap Chinese reference platform".

Re:Obvious, and products are always like this. (2)

fuzzyfuzzyfungus (1223518) | about 6 months ago | (#45229033)

How can you call them 'clueless', you monster? The CAD monkey who designed the not-a-plastic-rectangle case to enclose the cheap Chinese reference platform, as well as the photoshop kid and the copywriter who put together the box, which appears to be in largely-not-misspelled English, clearly know something!

Re:Obvious, and products are always like this. (0)

Anonymous Coward | about 6 months ago | (#45229095)

1) No one at the company has enough experience to lock down/strip down Linux - they just know how to write applications on-top.

Being unable to lock down a firmware and being stupid enough to HARDCODE user/user as credentials are two very different things. At least two people at that company should be fired, the lead "developer" (for the lack of a better word), and his boss who signed that crap off.

Re:Obvious, and products are always like this. (-1)

Anonymous Coward | about 6 months ago | (#45229187)

The "lead developer" was a contracted curry nigger from Mumbai named Raj.

Re:Obvious, and products are always like this. (0)

Anonymous Coward | about 6 months ago | (#45229193)

There is no reason that the user/user credentials could not have come from the stock SDK. They also might have been added for internal developers to "make things easier". There's nothing really wrong with this, as long as you maintain development versus deployment builds.

Re:Obvious, and products are always like this. (0)

Anonymous Coward | about 6 months ago | (#45229237)

What's a deployment build?

- IZON developer

Re:Obvious, and products are always like this. (2)

icebike (68054) | about 6 months ago | (#45229421)

To this, you have to add the distinct possibility that the intent was to leave a back door on purpose so that the tech support staff did not have to issue an RMA for users that simply forgot their password.

(Yes, a simple hardware reset switch would do, but that can actually be harder to do as you have to support a wipe-able storage for that).

Re:Obvious, and products are always like this. (1)

adolf (21054) | about 6 months ago | (#45229833)

(Yes, a simple hardware reset switch would do, but that can actually be harder to do as you have to support a wipe-able storage for that).

You're overthinking this. The reset switch in any bit of modern consumer goods just signals the software (usually with a GPIO pin or similar) that it has been pushed. The software then behaves however it is programmed to behave based on this condition.

Simple hardware reset switches went away when battery-backed CMOS RAM got replaced with flash EEPROM for storage of configuration details.

Re:Obvious, and products are always like this. (1)

bill_mcgonigle (4333) | about 6 months ago | (#45230091)

They are always like this - especially if the vendors can keep the source secret. I've taken to running VLANs at home - mostly WNDR3800 refurbs ($50 w/ Prime) [amazon.com] running OpenWRT and GS-108T switches [amazon.com] (poor GUI, but Linux inside), feeding to a pfSense instance. Anything that's not all open source goes on an isolated VLAN that can't get traffic to or from anywhere without an explicit rule. pfSense makes it pretty easy to set up a VPN to get to data on the inside, so outside ports don't need to be open.

I set it up as best-practices, but with Bull Run, D-Link, this, and other similar stories, it seems like an even better idea in retrospect. If I were the NSA, I'd want a backdoor in Roku.

Got one... (1)

aaarrrgggh (9205) | about 6 months ago | (#45228807)

Anybody that would think these systems offer any level of security is only kidding themselves. They are a simple convenience to avoid needing to set up a VPN for trivial data. I wish I could find a better solution, but for a camera that sits in the window looking at the street I'm not especially worried.

Many IP cams do this sort of thing, RTSP ONVIF (0)

Anonymous Coward | about 6 months ago | (#45228845)

RTSP is an access method that several cameras either leave open (no user/password, LevelOne PT 1060) or make optional. Check yours. Then there are Dahuas, which have similar telnet flaws to this IZON, and Dahua's ONVIF is wide open after a reset (admin/admin is the default user/password after a reset, and users don't even know there is an ONVIF access method to these Dahuas). Since ONVIF is over port 9988 the router needs to have that open, so at least that's one mitigation, but RTSP at port 554 is often opened.
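For the "check yours" above, the quickest test is an RTSP DESCRIBE request: a camera that answers 200 with an SDP body hands its stream to anyone who can reach port 554, while a 401 tells you which authentication scheme it uses (Basic sends the password base64-encoded in the clear on every request). The code below is an added example, not from the comment author or any vendor; the request format is plain RTSP/1.0 (RFC 2326), the three sample responses are constructed, and the stream path /stream1 is a placeholder since vendor paths vary.

```python
import socket


def build_describe(url, cseq=1):
    """RTSP/1.0 DESCRIBE request for `url` (RFC 2326 section 10.2)."""
    return (f"DESCRIBE {url} RTSP/1.0\r\nCSeq: {cseq}\r\n"
            "Accept: application/sdp\r\nUser-Agent: rtsp-check\r\n\r\n").encode()


def parse_response(raw):
    """Return (status_code, headers) from raw RTSP bytes; header names lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode(errors="replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/"):
        raise ValueError("not an RTSP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return int(parts[1]), headers


def classify(status, headers):
    """Turn the DESCRIBE result into a one-line verdict."""
    if status == 200:
        return "OPEN: SDP returned without authentication"
    if status == 401:
        scheme = headers.get("www-authenticate", "").split(" ", 1)[0].lower()
        if scheme == "basic":
            return "auth required (Basic: credentials travel base64-encoded in the clear)"
        return "auth required (%s)" % (scheme or "unknown scheme")
    if status == 404:
        return "path not found (try the vendor's stream path)"
    return "unexpected status %d" % status


def probe(host, port=554, path="/stream1", timeout=3.0):
    """Send one DESCRIBE to a live camera and classify the answer."""
    url = f"rtsp://{host}:{port}{path}"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_describe(url))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    return classify(*parse_response(raw))


# Constructed responses, one per outcome a scan typically sees.
SAMPLES = {
    "open": (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
             b"Content-Length: 0\r\n\r\n"),
    "basic": (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
              b"WWW-Authenticate: Basic realm=\"camera\"\r\n\r\n"),
    "digest": (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
               b"WWW-Authenticate: Digest realm=\"camera\", nonce=\"abc\"\r\n\r\n"),
}


def demo():
    """Classify the constructed samples offline."""
    return {name: classify(*parse_response(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:7s} -> {verdict}")
```

DESCRIBE is a read-only request, so it is safe to run against your own devices; a 200 without a prior login is the finding. ONVIF on port 9988 (or 80/8080 on other brands) needs a SOAP request and is not covered here.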

And so what? (0)

buttfuckinpimpnugget (662332) | about 6 months ago | (#45229023)

Yeah, it's sloppy and these guys suck, but who would ever know? Why would anyone put a device like this on a network that anybody but them could access? All my shitty linux devices are protected by OpenBSD firewalls.

I worked at Stem Innovation on IZON (5, Insightful)

Anonymous Coward | about 6 months ago | (#45229401)

Until the really awfully managed company decided to outsource all of the software development to contractors. This was after wiping out the team in place before I joined. They are a very unstable company, which really favors knee-jerk decision making. I'm not surprised by any of this, the company is run by the idiot kid of a rich guy who doesn't know the first thing about tech. The hardware was well designed by the CTO, who apparently isn't able to steer the technology decisions of the company. Unfortunate. He's a good guy. But the company is ultimately helmed by the CEO, and he's a fat fucking moron.

If he lost weight (0)

Anonymous Coward | about 6 months ago | (#45230343)

would he be a skinny fucking moron?

Re:If he lost weight (0)

Anonymous Coward | about 6 months ago | (#45230367)

He'd have to lose a LOT of weight

What Web Interface? (0)

Anonymous Coward | about 6 months ago | (#45231043)

I'm logged in via Telnet. root@izon #
But, when I go to port 80 or port 8080 I am not prompted for anything. Port 80 is just a base page referencing the iOS app. Port 8080 does not respond.
Any ideas on the URL for web access?

Google keywords? (0)

Anonymous Coward | about 6 months ago | (#45231563)

So... who's going to post a google search that will find these compromised cameras?

On the one hand, NSA said do this.......... (1)

trevc (1471197) | about 6 months ago | (#45237929)

So the NSA forces them to put in a back door then the FTC fines them for putting in a back door. No wonder nobody wants to do business in this country anymore.

So many things wrong with article (0)

Anonymous Coward | about 6 months ago | (#45239871)

So many things wrong with article...

I've looked at the security of many IoT devices and this is what I have to say about the Izon.

1st) the only thing that is right on the money in the article is that they are idiots for putting the Root password for telnet in the app where anyone can strings | grep for it, just dumb.

But besides that idiotic move is the Izon really as bad as the article says, comparing it to a trend-net camera?

The main difference is that the Izon does not live on the internet like most other embedded devices, there is no port forwarding, so the security risk is much different. And while there are security issues with the camera they are no different than your router or any other device on your network, if an attacker gains access to your network you have other problems.

Comparing the security of an izon to a trendnet, Foscam, tp-link, sony, sparkland is unfair, since they need to live on the internet via port forwarding making them targets to search engines like shodan and default passwords.

I do however think they should fix the default password issues, but really it's not any more dangerous than admin admin on your router or other internal device on your network.
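The strings | grep step that comment describes can be done with a little more context than grep gives, which is usually what separates a hardcoded credential from a stray keyword. The script below is an added example, not from the comment or from the app: it reimplements strings(1) for printable ASCII, keeps the neighbouring strings of every keyword hit, and triages hits into user:pass pairs, telnet references and AWS-style access key IDs. The sample binary is constructed and its contents are placeholders (the AKIA... value is Amazon's own documented example key ID), not strings from the real iOS app.

```python
import re

KEYWORDS = ("passw", "pwd", "secret", "telnet", "login", "root", "admin",
            "user:", "AKIA")
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")          # documented key ID shape
CRED_PAIR = re.compile(r"^[A-Za-z0-9_.-]{1,32}:[^\s:/][^\s:]{0,63}$")  # user:pass, not a URL


def extract_strings(blob, min_len=4):
    """strings(1) for printable ASCII: (offset, text) pairs in file order."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, blob)]


def find_credential_candidates(blob, window=2):
    """Keyword hits with their neighbouring strings.

    A keyword alone is noise; a keyword next to a short token, a host or a URL
    is what usually turns out to be a hard-coded credential, so keep `window`
    strings on either side for triage.
    """
    strs = extract_strings(blob)
    hits = []
    for i, (offset, s) in enumerate(strs):
        if any(k.lower() in s.lower() for k in KEYWORDS):
            context = [t for _, t in strs[max(0, i - window): i + window + 1]]
            hits.append({"offset": offset, "string": s, "context": context})
    return hits


def classify_hit(hit):
    """Rough triage of one hit; order matters (a key ID is never a user:pass)."""
    s = hit["string"]
    if AWS_KEY_ID.search(s):
        return "aws access key id"
    if "telnet" in s.lower():
        return "telnet reference"
    if CRED_PAIR.match(s):
        return "credential pair"
    return "keyword (inspect context)"


# Constructed stand-in for an app binary; every value is a placeholder.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"CFBundleVersion\x00\x00\x00"
    + b"telnet://%s:23\x00\x00"
    + b"root:\x00" + b"HypotheticalPassw0rd\x00"
    + b"https://s3.amazonaws.com/example-bucket\x00"
    + b"AKIAIOSFODNN7EXAMPLE\x00"          # Amazon's documented example key ID
    + b"user:user\x00\x00" + b"done"
)


def report(blob=SAMPLE_BINARY):
    """(offset, verdict, string, context) for every candidate in `blob`."""
    return [(h["offset"], classify_hit(h), h["string"], h["context"])
            for h in find_credential_candidates(blob)]


if __name__ == "__main__":
    for offset, verdict, s, context in report():
        print(f"0x{offset:06x} {verdict:26s} {s!r}  near {context}")
```

The "root:" hit on its own classifies as noise, but its context window shows the password-looking token stored right after it, which is exactly the pattern a plain grep for "root" would make you scroll past. Run report() on the real file with open(path, "rb").read().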
