3 min read

Device in New IoT Partnership Passes Cybersecurity Stress Test with Flying Colors

Silviu STAHIE

October 07, 2021

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Device in New IoT Partnership Passes Cybersecurity Stress Test with Flying Colors

For more than a decade, Bitdefender has extensively researched vulnerabilities that affect intelligent devices and released reports to help customers understand risks in the connected home and drive security awareness in the vendor space.

This article, part of a series developed in partnership with Tom's Guide, aims to shed light on the security of the world's best-sellers in IoT. Tom's Guide contacted the research team at Bitdefender and asked us to look at several popular devices, including the Maximus Answer DualCam Video Doorbell. More information is available in this article published on our partner's website.

Bitdefender's researchers scrutinized the Maximus Answer DualCam Video Doorbell and found that it's actually pretty secure. And that's something that we can rarely say about the devices we investigate.

Video doorbells capture a lot of valuable and sometimes private data, so it's easy to see why it would be a prime target for attackers. Bitdefender looked at other similar devices, including a version of Amazon's Ring doorbell, and the picture wasn't pretty.

One of the problems with modern IoT devices is that companies rush them out the factory door, security be damned. Manufacturers flood the market with poor-security IoT devices, and people are all too happy to buy them with little to no regard for their privacy.

Everything but the kitchen sink

The Maximus Answer DualCam Video Doorbell is a two-camera IoT device with night vision capabilities and a 180-degree view, letting users monitor both the people who come to the door and any packages they leave.

Assume you're a hacker aiming to compromise this camera. You will have a tough time. First of all, most of the communication takes place through OpenVPN, which is secure against tampering and eavesdropping.

But while you're tampering with the device, you notice that the server certificate is not verified. In theory, an attacker could impersonate the server, but that's not possible without the ta.key file (to authenticate TLS connections) and some way to convince the camera to connect to another server.

Since the camera doesn't verify the server certificate, an attacker could, technically, intercept the logs through a man-in-the-middle attack. But since the logs contain no sensitive information, it would be almost pointless.

Fine, you'll force the camera to check for a firmware update and serve a tainted firmware through a man-in-the-middle attack. Unfortunately, the firmware is signed, and the camera would discard the new firmware due to a signature mismatch.

The next move is to check for open ports, but that's also a no-go. The manufacturers took the time to implement iptables rules properly.

Maybe compromising the Bluetooth connection with the Kuna app is the way to go, but the communication is secure. It turns out that the Bluetooth connection can be established at any time to change the Wi-Fi network, but only the camera owner can initiate it.

That leaves direct hardware access as the last point of entry. You quickly notice that UART serial connection is exposed, and you can stop the boot process by shorting the TX and RX pins. The bootloader will ask for a password, which is unknown, putting a stop to your efforts.

Conclusion

This is just a small part of Bitdefender's investigation into this doorbell, in partnership with Tom's Guide, which aims to shed light on the security of the world's best-sellers in the IoT space. You can check out the full investigation to see the entire process.

We don't often encounter devices that can stand up to such scrutiny, but the investigation provides insight into what hackers would have to go through when they try to make our digital world less secure.

tags


Author



Right now

Top posts

The Holiday Guide to Tech Support: Fixing the Family Computer

The Holiday Guide to Tech Support: Fixing the Family Computer

November 24, 2021

2 min read
Bitdefender Celebrates 20 Years of Cybersecurity Leadership

Bitdefender Celebrates 20 Years of Cybersecurity Leadership

November 04, 2021

3 min read
Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

October 26, 2021

3 min read
What are drive-by download attacks and how do you prevent them?

What are drive-by download attacks and how do you prevent them?

October 25, 2021

2 min read
Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

October 22, 2021

2 min read
Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

October 20, 2021

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Iranian Threat Actor Deployed Malicious PowerShell Script through Phishing, Then Stole Files and Credentials Iranian Threat Actor Deployed Malicious PowerShell Script through Phishing, Then Stole Files and Credentials
Silviu STAHIE

November 26, 2021

1 min read
Ukraine Arrests Five iPhone Hackers of the Phoenix International Hacking Group Ukraine Arrests Five iPhone Hackers of the Phoenix International Hacking Group
Filip TRUȚĂ

November 26, 2021

1 min read
Couple arrested for secretly installing cryptomining software on department store PCs Couple arrested for secretly installing cryptomining software on department store PCs
Graham CLULEY

November 26, 2021

1 min read