Thanks to the built-in five-megapixel CMOS sensor, this camera, designed for indoor use, provides high-resolution security videos and offers night vision with a mechanical infrared filter. As an additional feature, the manufacturer Withings includes sensors for analyzing indoor air quality, designed to detect concentrations of volatile organic compounds and notify the user via the app.
The camera has several things going for it. Most connections use TLS 1.2 or DTLS 1.0, for example. The local connections were also encrypted with DTLS, but in our test the connection was established via STUN, i.e. over the Internet. It is debatable whether it is a good design decision to allow connections only via the Internet instead of communicating with the product locally within the same network. Even during local access, the camera regularly uploads data to “prod-ireland-30-days.s3.amazonaws.com”. The TLS connections examined with Wireshark and mitmproxy are sufficiently protected against basic man-in-the-middle attacks: whereas the camera terminates the connection on its own in case of an attack, the app simply crashes. That is why the quick test also could not determine what type of information the camera sends to the Amazon cloud roughly every 30 seconds. The following illustration shows an excerpt from Wireshark. We can see the confirmation of protection with TLS 1.2 and a sufficiently secure encryption method, as well as the result of a simple man-in-the-middle attack on the authentication process: The server rejects the unknown certificate.
In addition to the encrypted connections, however, unencrypted connections were also observed. For instance, the camera initially downloads a list of certificates unencrypted. Whether attackers can intercept, manipulate, and subsequently hack encrypted connections was not examined within the scope of the quick test and therefore does not receive a negative rating. Independent of this, the camera transmits its MAC address unencrypted to the Internet and retrieves various files, e.g. several MP3s, via an unencrypted HTTP connection. The app itself also retrieves images and various data in JSON format from the Internet via unencrypted connections. We were unable to deduce any attack vectors from this behavior in the quick test, however. With an installed root certificate, as with virtually all the tested cameras, we were able to intercept the encrypted login procedure. The following illustration shows the result in mitmproxy.
As with the other cameras, we do not view this as a serious weakness, however, as it would be extremely difficult for an attacker to exploit this in practice. Yet it is positive to note here that only the password hash was transmitted and a potential attacker would not gain access to the plaintext password using this method.
Vulnerability in the firmware?
What’s more, the firmware update is downloaded unencrypted. An initial look into the file with the analysis tool binwalk suggests that the file itself is also stored unencrypted. Whether the camera is capable of preventing an attack via a manipulated firmware upload through signatures is not the subject of the quick test performed here and accordingly does not enter into the existing rating.
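The following is an added example, not part of the original test or of any vendor tooling: a small version of the signature and entropy check that tools such as binwalk automate when judging whether a firmware image is stored unencrypted. The signature table, the thresholds and both sample images are constructed for illustration.

```python
import gzip
import math
import random
from collections import Counter

BLOCK = 4096   # bytes per entropy window
HIGH = 7.9     # bits/byte; at or above this a block is compressed or encrypted
MAGICS = {     # well-known 4-byte file signatures
    b"\x27\x05\x19\x56": "uImage header",
    b"hsqs": "SquashFS (little endian)",
    b"\x1f\x8b\x08\x00": "gzip stream",
    b"\x7fELF": "ELF binary",
}

def block_entropies(data, block=BLOCK):
    """Shannon entropy in bits per byte for each full block of the image."""
    out = []
    for off in range(0, len(data) - block + 1, block):
        counts = Counter(data[off:off + block])
        out.append(-sum(c / block * math.log2(c / block) for c in counts.values()))
    return out

def find_signatures(data):
    """First offset of every known signature that occurs in the image."""
    return sorted((data.find(m), name) for m, name in MAGICS.items() if m in data)

def assess(data):
    """'readable' if structure is visible, 'opaque' if everything looks random."""
    ent = block_entropies(data)
    high_fraction = sum(e >= HIGH for e in ent) / len(ent) if ent else 0.0
    sigs = find_signatures(data)
    # High entropy alone cannot separate compression from encryption;
    # a recognisable signature or low-entropy region is what reveals plaintext.
    verdict = "readable" if sigs or high_fraction < 0.95 else "opaque"
    return {"high_fraction": high_fraction, "signatures": sigs, "verdict": verdict}

def constructed_samples():
    """Constructed inputs: a plain image layout, and random bytes standing in for ciphertext."""
    rng = random.Random(1)
    noise = bytes(rng.getrandbits(8) for _ in range(4 * BLOCK))
    header = b"\x27\x05\x19\x56" + b"constructed-kernel".ljust(60, b"\0")
    config = (b"update_host=example.invalid\n" * 400)[:2 * BLOCK - len(header)]
    plain = header + config + gzip.compress(noise[:2 * BLOCK], mtime=0)
    return plain, noise

if __name__ == "__main__":
    for label, image in zip(("plain", "random"), constructed_samples()):
        print(label, assess(image))
```

A "readable" verdict only says the contents can be inspected; it says nothing about whether the device verifies a signature before installing the image.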
Another downside is the behavior of the app concerning private recordings. Images and videos are stored unencrypted on the SD card. If a user is capable of gaining access to this data, other apps – apps manipulated by attackers, for example – can also access these private recordings.
As a side comment: A detail not explicitly relevant to security, but interesting all the same, is a header entry we discovered in the test, which the server sends back for the unencrypted connections. It has the title “X-Recruitment” and the text, “You should work for us! Find jobs at […]”. This type of employee recruitment is actually somewhat rare.
All in all, the camera makes a good impression regarding IT security, but in addition to the unsecured storage of private data on the SD card, it also leaves several points open for improvement in terms of security.
Do you think there is a way to get the stream in VLC?
As the stream is encrypted, there is no easy way to get it working in VLC.