IoT Bug Grants Access to Home Video Surveillance

  /     /     /  
Publicated : 23/11/2024   Category : security

IoT Bug Grants Access to Home Video Surveillance


Due to a shared Amazon S3 credential, all users of a certain model of the Guardzilla All-In-One Video Security System can view each others videos.


A vulnerability in the Guardzilla All-In-One Video Security System, an IoT-enabled home video surveillance system, lets all users view one anothers saved surveillance footage due to the design and implementation of Amazon S3 credentials inside the cameras firmware.
Security researchers found the bug (CVE-2018-5560) during an event held by 0DayAllDay and reported it to Rapid7 for coordinated disclosure. Rapid7 published the flaw today, 60 days after it first attempted to contact the vendor. Multiple coordination efforts received no response.
This vulnerability is an issue of CWE-798: Use of Hard-coded Credentials, 0DayAllDay researchers
report
. Guardzillas system uses a shared Amazon S3 credential for storing users saved videos. When they investigated the access rights given to the embedded S3 credentials, researchers found they provide unlimited access to all S3 buckets provisioned for the account.
As a result, all people who use Guardzillas system for home surveillance can view one anothers video data in the cloud. Once the password is known, any unauthenticated person can access and download stored files and videos in buckets linked to the account.
Researchers only tested Model #GZ521W of the Guardzilla Security Video System and do not know whether other models are affected by the same bug, Rapid7 reports. Without a patch, users should ensure that the devices cloud-based data storage functions are turned off.
Read more details in Rapid7s blog
here
.

Last News

▸ ArcSight prepares for future at user conference post HP acquisition. ◂
Discovered: 07/01/2025
Category: security
▸ Samsung Epic 4G: First To Use Media Hub ◂
Discovered: 07/01/2025
Category: security
▸ Many third-party software fails security tests ◂
Discovered: 07/01/2025
Category: security


Cyber Security Categories
Google Dorks Database
 		Exploits Vulnerability
 		Exploit Shellcodes

CVE List
 		Tools/Apps
 		News/Aarticles

Phishing Database
 		Deepfake Detection
 		Trends/Statistics & Live Infos



Tags:
IoT Bug Grants Access to Home Video Surveillance