IoT Bug Grants Access to Home Video Surveillance

Published: 23/11/2024   Category: security




Due to a shared Amazon S3 credential, all users of a certain model of the Guardzilla All-In-One Video Security System can view each other's videos.



A vulnerability in the Guardzilla All-In-One Video Security System, an IoT-enabled home video surveillance system, lets all users view one another's saved surveillance footage due to the design and implementation of Amazon S3 credentials inside the camera's firmware.
Security researchers found the bug (CVE-2018-5560) during an event held by 0DayAllDay and reported it to Rapid7 for coordinated disclosure. Rapid7 published the flaw today, 60 days after it first attempted to contact the vendor. Multiple coordination efforts received no response.
This vulnerability is an instance of CWE-798: Use of Hard-coded Credentials, 0DayAllDay researchers report. Guardzilla's system uses a shared Amazon S3 credential for storing users' saved videos. When they investigated the access rights given to the embedded S3 credentials, researchers found they provide unlimited access to all S3 buckets provisioned for the account.
As a result, all people who use Guardzilla's system for home surveillance can view one another's video data in the cloud. Once the password is known, any unauthenticated person can access and download stored files and videos in buckets linked to the account.
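The over-broad access rights described above are something a vendor can check for before a credential ships. The following is an added example, not code from Rapid7, 0DayAllDay or the vendor: a small audit of an IAM policy document that flags S3 grants covering every bucket or not scoped per identity. The sample policies, the bucket name and the finding labels are constructed for illustration.

```python
import fnmatch

# Constructed sample policies; the bucket name and key layout are assumptions.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
WHOLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::example-video-bucket/*"}],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::example-video-bucket/devices/${aws:userid}/*"}],
}

# Probes: common S3 data actions, and ARNs of a bucket the policy should never reach.
PROBE_ACTIONS = ("s3:getobject", "s3:putobject", "s3:listbucket", "s3:deleteobject")
PROBE_ARNS = ("arn:aws:s3:::unrelated-probe-bucket",
              "arn:aws:s3:::unrelated-probe-bucket/any/key")

def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return (statement_index, finding) tuples for risky S3 Allow grants."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive and may contain wildcards.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(p, a) for a in actions for p in PROBE_ACTIONS):
            continue  # statement grants no S3 data access
        for res in _as_list(stmt.get("Resource", [])):
            if any(fnmatch.fnmatchcase(arn, res) for arn in PROBE_ARNS):
                findings.append((idx, "ALL_BUCKETS"))        # reaches unrelated buckets
            elif "${" not in res:
                findings.append((idx, "NOT_PER_IDENTITY"))   # every holder sees every key
    return findings

if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("whole-bucket", WHOLE_BUCKET_POLICY),
                      ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(pol))
```

A per-identity resource only helps when each device holds its own credential: with one key shared by every camera, `${aws:userid}` resolves to the same value for all of them.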
Researchers only tested Model #GZ521W of the Guardzilla Security Video System and do not know whether other models are affected by the same bug, Rapid7 reports. Without a patch, users should ensure that the device's cloud-based data storage functions are turned off.
Read more details in Rapid7's blog here.
