Pearl is a German vendor of electronics and accessories, including many Smart Home products. Many articles are being imported from Asia and sold under other brand names – in our case: 7links. The original camera is built by Tenvis, a Chinese manufacturer of IP Cameras. Pearl provided us with the recently released 720p wireless waterproof IP Camera: 7links IPC-720.HD. In this Quick Check, we will see, whether cheap cameras not only do their job in surveillance, but also in regards to IT security and privacy.

Initial setup

The initial setup requires the user to change the default password (“admin”) to a more secure one (min. 6 characters, two combinations of capital and small letters, numbers or special characters). Afterwards, internet access is automatically activated and can’t be deactivated via App or the camera’s web interface.

Local & Online communication

The authentication process between the iMega Cam App (provided by Tenvis) and the camera is unencrypted, as well as the rest of the communication – locally and online. At the beginning of the authentication process, parts of the camera’s serial number are being exchanged, afterwards, username and password are being transferred Base64-encoded. Some Cloud services like Tencent Bugly were contacted by App and Camera, also unencrypted – but with encrypted payload.

Local authentication
Local authentication
Online authentication
Online authentication

Firmware

The camera checks for new updates via an unencrypted connection (http://update.wificam.org/iMegaCam/goke_update.html), and also the updates themselves are downloaded via HTTP and aren’t encrypted. Because the camera only updates to version V9.1.4.1.25 (before 9.1.4.1.22), we assume that different camera models might differ in their minor firmware version.

List of available updates
List of available updates

Application

We downloaded the corresponding iMega Cam App from the Google Play Store. It is very small (5KB) and partially obfuscated. As mentioned before, App and camera communicate via unencrypted UDP connections, locally and online, including the authentication process. Access data is being saved in plaintext in a SQLite3 database in the private App storage. As mentioned in earlier posts, this storage is secure until the phone gets rooted (on purpose or by malware).

Access data stored in SQLite database
Access data stored in SQLite database

Static analysis recognized several potential security gaps, like the permission “RESTART_PACKAGES” which allows the App to close other Apps including their background services (mainly used by “task manager“ and “cleaning” Apps). This feature has no big impact in current Android versions, where Apps and services are being restarted automatically.

We also found evidence, for some functions having security flaws, using implicit intents where it shouldn’t be necessary. An intent is an abstract description of an operation to be performed. They are sent as requests broadcasted to all installed Apps and the apps able to perform the requested action can then be started, i.e. for taking a picture with the default camera app. Explicit intents have specified a component, which provides the exact class to be run, whereas implicit intents have not specified a component; instead, they must include enough information for the system to determine which of the available components is best to run for that intent. Malware can also listen to and answer or relay implicit intents and thereby may be able to get malicious components started.

Privacy

No registration process is needed to communicate with the camera. Once paired with the App, it can be accessed locally and online. The privacy policy of the App is a completely generic one, in which the company’s name only was replaced by “we”(Likely seen in our Panasonic Smart Home test). Also, some third-party services were addressed (Amazon EC2, Tencent Bugly etc.) by App and camera with unknown content and purpose.

  • Camera (Saving Screenshots)
  • Contacts (Unknown purpose)
  • Microphone (Push2Talk-feature of some cameras)
  • Telephone (Unknown purpose)
  • Storage (Saving screenshots)
  • Many other (Partially unknown purpose)

App permissions
App permissions

 

 

 

 

 

 

 

 

 

 

 

Conclusion

In 2017 and even more after noticing attacks on IoT devices by malware such as Mirai and Brickerbot, we would expect encrypted communication, at least for online, but also local traffic. Also, unencrypted authentication should be a No-Go. Some privacy concerns exist, which is why we recommend using this device only without an Internet connection if any (i.e. deactivating device’s Internet access in your router or remove the default gateway in the camera’s settings), except for manual firmware update checks.

Due to inadequate security, the camera IPC-720.HD from chinese manufacturer Tenvis, marketed by Pearl, reached none of the three possible stars in our Quick Check.