Security bug in Swann IoT Camera allowed to access video feeds
30.7.2018 securityaffairs IoT

Security experts have discovered a security glitch in Swann IoT camera that could be exploited by attackers to access video feeds.
Security experts from Pen Test Partners (Andrew Tierney, Chris Wade and Ken Munro) along with security researchers Alan Woodward, Scott Helme and Vangelis Stykas have discovered a security glitch in Swann IoT camera that could be exploited to access video feeds.

The experts reported the issue to the vendor that has patched the vulnerability.

The research team developed a proof-of-concept attack exploiting security flaws in the cloud service used by the IoT camera, Safe by Swann, in this way they were able to access the cameras via their mobile devices.

The experts started investigating the issue after reading a BBC article outlining how a BBC employee had accidentally seen someone else’s footage on the mobile app for their home security camera.

The affected camera model it a battery-powered HD camera that implements video streaming feature either directly over the local network or via a cloud service.

Swann IoT camera

Experts noticed that the cloud service is provided by Ozvision, when a user logs into the system through Safe by Swann, a request is made (userListAssets) to the server.

The server, in turn, provides a list containing the devices associated with the account.

The researchers analyzed the requests and attempted to manipulate the serial number parameter.

Swann IoT camera request

The experts explained that it is easy to find a serial number associated with the targeted device via the API endpoint and APK.

“After reviewing the API endpoint and APK, I quickly realised that the serial number (swnxxxxxxxxx) is the primary identifier of the camera on the platform. This is both for the Swann-specific web API and the OzVision peer-to-peer tunnel. The serial is easily found in the mobile app:” states the analysis published by the experts.

“We replace the serial number (deviceid) in the response from the server. At this point the mobile app sees the details of someone else’s camera. We are using Charles here, but Burp or MITMproxy will do it too”

The experts demonstrated that it is possible to access the camera stream for another serial number.

“In the app, one simply presses ‘play’. This made a request to deviceWakeup using the modified serial, then the Ozvision tunnel to the device was established using the modified serial. We could then watch the camera live.” continues the experts.

The experts explained that Swann quickly fixed the issue, but they speculated that the Ozvision was already aware of the issue.

“Ozvision already knew about the vulnerability, as Swann had informed them. The Swann customer camera cloud environment had quickly been fixed. Swann took swift action to fix the flaw and had a constructive dialogue with us.” continues the post.

“We suspect they knew about this issue for about nine months, and only fixed it when pressured by Swann; and we are confident the vulnerability was present in at least one other major camera brand to which they provide a cloud service. Further, they initially deflected direct questions about the issue back to Swann.”

How to discover serial numbers of existing cameras?

The serial number if composed of the string ‘swn’ plus 9 hex chars. The researcher Vangelis (@evstykas of the Tapplock API vulnerability fame) analyzed the API and discovered that it was possible to enumerate them with the following request:

1.1/osn/deviceIsOwned

1.1/osn/AccountAddDevice – this will throw an error if the camera is already paired, this means that using this trick it is possible to enumerate the entire keyspace searching for existing cameras.

“We believe the keyspace could be fully enumerated in as little as 3 days, given a distributed set of concurrent requests to the API.” concluded the researchers.

“So, one could now access arbitrary cameras.”