As part of our IP camera test, we examined a camera that has its approach to security and high level of protection built right into the name: the Myfox Security Camera. In our quick test, we checked this claim and found that the camera is indeed appropriate for its intended area of application and does not reveal any critical vulnerabilities.
In the area of online communication, the camera offers a high level of protection: All connections observed with Wireshark were encrypted, thus safeguarding remote access to the camera. In observing the camera stream, however, we did notice that the transmission of the camera image is only secured with the older TLS 1.0 standard, whereas user authentication and the rest of the communication routines are protected with the newer TLS 1.2. The use of the older protocol does not qualify as a vulnerability at the current point in time, but it does leave an inconsistent impression.
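The version check described above can be repeated on any capture by reading the ServerHello of each connection. The following is an added example, not tooling from the test itself: the function names, the TLS 1.2 floor and the sample records are assumptions made for illustration, and it expects the whole ServerHello to sit in a single TLS record.

```python
import struct

NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
         0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
MINIMUM = 0x0303  # assumed policy floor for this example: TLS 1.2

def negotiated_version(record: bytes) -> int:
    """Return the version the server selected, given one raw ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _legacy, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    # 22 = handshake record, 2 = ServerHello; 42 bytes is the smallest valid hello
    if ctype != 22 or len(body) != rec_len or rec_len < 42 or body[0] != 2:
        raise ValueError("not a complete ServerHello record")
    limit = 4 + int.from_bytes(body[1:4], "big")  # end of the ServerHello message
    version = struct.unpack("!H", body[4:6])[0]
    pos = 4 + 2 + 32                 # handshake header, server_version, random
    pos += 1 + body[pos]             # session_id
    pos += 2 + 1                     # cipher_suite, compression_method
    if not 42 <= limit <= len(body) or pos > limit:
        raise ValueError("ServerHello fields overrun the record")
    if pos + 2 <= limit:             # extensions block present
        end = min(limit, pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0])
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            if etype == 43 and elen == 2 and pos + 6 <= end:
                # supported_versions: TLS 1.3 announces its real version here
                version = struct.unpack("!H", body[pos + 4:pos + 6])[0]
            pos += 4 + elen
    return version

def audit(flows: dict) -> dict:
    """Map each flow label to (protocol name, True if it meets MINIMUM)."""
    result = {}
    for label, record in flows.items():
        v = negotiated_version(record)
        result[label] = (NAMES.get(v, hex(v)), v >= MINIMUM)
    return result

def sample_hello(version: int, extensions: bytes = b"") -> bytes:
    """Build a constructed ServerHello record (sample data, not captured traffic)."""
    legacy = struct.pack("!H", min(version, 0x0303))
    hello = legacy + bytes(32) + b"\x00" + b"\x00\x2f\x00"
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + legacy + struct.pack("!H", len(handshake)) + handshake

# Constructed flows, labelled after the two connection types named in the text.
FLOWS = {"camera stream": sample_hello(0x0301), "authentication": sample_hello(0x0303)}
```

Calling `audit(FLOWS)` marks the constructed stream record as below the floor and the authentication record as meeting it; real records can be exported from a capture and passed in the same way.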
In case of a man-in-the-middle attack, remote access to the camera also appears to be solidly secured. Although we did manage to launch the app on the test smartphone with an installed root certificate and authenticate ourselves as a user, we were not able to monitor the camera image in this manner. The following illustration shows an excerpt from the tool mitmproxy used for analysis: The authentication could be read, but only after installation of our own root certificate on the user's phone. This would not be readily possible for an attacker under actual conditions.
We examined the Android application that comes along with the camera (tested version 1.3.0) and found no critical vulnerabilities. Only the lack of code obfuscation appears to be an unnecessary risk, one that the manufacturer could and should remedy with minor effort. As the app is available for free in the Google Play Store, a potential attacker could easily analyze the non-obfuscated source code of the application and gain access to potentially critical information on existing security mechanisms.
Unnecessary data queries
Another negative feature is the fact that a valid name and address have to be entered to register and use the camera, and the app requests some questionable permissions with regard to location, audio recording and the network status of the user's phone. Both items are unnecessary in our view and in fact not needed for the actual operation of the device. The following illustration shows an excerpt from the Android manifest of the application – the necessity of some of the permissions requested is not readily clear.
In the category of privacy, the camera offers a nice gimmick in the form of a physical cover that moves in front of the lens in case of inactivity and thus clearly indicates that currently no images can be transmitted. This feature does not offer true protection against a real attacker, however, as the camera – once activated – opens the cover automatically, regardless of whether the activation has been initiated by a legitimate user or by a potential attacker who has hijacked the camera. At least in the latter case, users can see at a glance whether they are currently being watched.
All in all, the Myfox Security Camera created a positive impression in our quick test, even if here and there some inconsistencies and minor vulnerabilities were identified. Nonetheless, as an overall assessment, it receives a 3-star rating in our quick test category.