The Half-Baked Security Of Our ‘Internet Of Things’
Both families were using an Internet-connected baby monitor made by China-based Foscam. The hacker took advantage of a weakness in the camera’s software design that U.S.-based Armenian computer engineers revealed at a security conference in Amsterdam last April. As tech behemoths Google and Apple announce plans to accelerate the development of the Internet of Things, the tale is worth telling. It reveals much about what we have to fear and what we must improve as more and more of the devices in our lives become connected to the Internet, and to the pranksters, spies, voyeurs and fraudsters who dwell there.
Sergey Shekyan, 36, and Artem Harutyunyan, 29, stand well over six feet tall, though both spend a lot of their time sitting in front of computers. Shekyan wears black glasses, talks earnestly, and strikes The Thinker’s pose when listening to others. Harutyunyan has wide eyes underneath dark, heavy brows and seems older than 29 thanks to a sprinkling of grey in his dark hair. They both have one-year-olds, born three months apart. They have known each other since childhood; they were neighbors in Yerevan, Armenia. After a devastating earthquake in 1988, Harutyunyan’s father, a civil engineer, brought an IBM 286 home to work on new building designs. It was the first computer in the apartment building, they recall.
The young neighbors both went on to study software engineering at Armenia’s technical university. Both moved abroad after graduation, Shekyan to a series of jobs in the San Francisco area where he developed tools to automatically scan websites for vulnerabilities and to simulate Denial of Service attacks, and Harutyunyan to Switzerland to work on cloud computing at particle physics lab CERN. They reunited in the summer of 2011, when Harutyunyan traveled to the Bay Area to teach at Google’s Summer of Code. Shekyan heard his old neighbor was in town through the Armenian expat network and invited him to his Redwood City home for a BBQ. He wound up recruiting Harutyunyan to come work for his then-employer, security firm Qualys. (Shekyan has since moved on to Shape Security.)
The two became neighbors again in 2012, Harutyunyan and his wife moving into the condo next door to the Shekyans. “Every evening, we go to one another’s house for a coffee or a cigarette,” says Shekyan. That December, Shekyan decided to buy a baby monitor for Christmas for his then three-month-old daughter. Many of his friends had raved about their Foscams, showing him how they could bring up the feed from the IP cameras on their iPhones and show him what was happening in their homes. He snapped one up on Amazon — where it was the first hit for “surveillance cam” — when he saw the price drop to $40. As he waited for it to be delivered, he re-read the description on the Amazon page – about the camera’s ability to send emails and text messages – and he started to become skeptical. “A camera cannot do all this for $40 and do it right,” he thought.
When it arrived, his and Harutyunyan’s nightly get-togethers turned into hackfests. Their rule, to keep it challenging, was to only hack the camera through its Web interface. “If someone has physical access to your devices, you’re pwned,” says Harutyunyan. “We wanted to see how easy they were to hack remotely.” They would put the kids to bed and then start playing with the camera’s operating system, seeing how easy it was to knock it offline by making connection requests to it and seeing whether they could force the camera to accept software updates from them.
“Normally when a manufacturer pushes a firmware update, they cryptographically sign the update, and the device checks the signature and will refuse the update if it doesn’t have the signature,” says Shekyan. “You can’t force an update on an iPhone, for example. We figured out the Foscam will accept just about anything. But it’ll brick.”
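To make concrete what Shekyan is describing, here is an added example of the check a device should run before it flashes anything. It is illustrative code written for this page, not Foscam’s firmware or the researchers’ tooling, and it assumes an Ed25519 vendor key, a made-up `Update` structure (a version number, the image bytes and a detached signature) and a simple monotonic version rule; real update formats differ, but the two decisions shown are the ones that matter: refuse an image whose signature does not verify under the key burned in at manufacture, and refuse one that would roll the device back to an older, possibly vulnerable, release.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a hypothetical firmware package: the image, the version it
// claims to be, and the vendor's detached signature over both.
type Update struct {
	Version uint32
	Image   []byte
	Sig     []byte
}

// Device models the verifying side. VendorPub stands in for the public key
// a manufacturer would embed in the bootloader or factory firmware.
type Device struct {
	VendorPub ed25519.PublicKey
	Version   uint32
}

var (
	ErrBadSignature = errors.New("firmware rejected: signature does not verify under vendor key")
	ErrRollback     = errors.New("firmware rejected: version is not newer than the installed one")
)

// signedMessage binds the version number to the image bytes, so a signature
// over an old image cannot be reused with a different version field.
func signedMessage(version uint32, image []byte) []byte {
	msg := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, image...)
}

// GenerateVendorKeys creates the vendor's signing key pair (assumed Ed25519).
func GenerateVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // entropy failure; nothing sensible to do in an example
	}
	return pub, priv
}

// SignUpdate is the vendor-side step: sign version||image with the private key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{
		Version: version,
		Image:   image,
		Sig:     ed25519.Sign(priv, signedMessage(version, image)),
	}
}

// ApplyUpdate is the device-side step. A camera that "accepts just about
// anything" is equivalent to skipping both checks and flashing unconditionally.
func (d *Device) ApplyUpdate(u Update) error {
	// ed25519.Verify returns false for a missing, truncated or forged signature.
	if !ed25519.Verify(d.VendorPub, signedMessage(u.Version, u.Image), u.Sig) {
		return ErrBadSignature
	}
	if u.Version <= d.Version {
		return ErrRollback
	}
	d.Version = u.Version // only now would real firmware write to flash
	return nil
}

func main() {
	pub, priv := GenerateVendorKeys()
	cam := &Device{VendorPub: pub, Version: 1}

	genuine := SignUpdate(priv, 2, []byte("constructed firmware image v2"))
	fmt.Println("genuine v2:  ", cam.ApplyUpdate(genuine)) // <nil>

	tampered := genuine
	tampered.Image = []byte("constructed firmware image v2 + backdoor")
	fmt.Println("tampered v2: ", cam.ApplyUpdate(tampered)) // signature error

	unsigned := Update{Version: 3, Image: []byte("attacker-built image")}
	fmt.Println("unsigned v3: ", cam.ApplyUpdate(unsigned)) // signature error

	replay := SignUpdate(priv, 2, []byte("constructed firmware image v2"))
	fmt.Println("replayed v2: ", cam.ApplyUpdate(replay)) // rollback error
}
```

The tampered case is the one Shekyan and Harutyunyan were probing: a vendor-signed image with even one byte changed fails verification, and an image with no signature at all fails for the same reason. The rollback rule is an extra that most hardened devices also enforce, because an attacker who cannot forge a signature may still be able to replay a genuinely signed but vulnerable older release.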
The two don’t self-describe as security engineers. They did this in their spare time for fun. They were simply two new dads tinkering with a camera. Yet this became a crucial part of Foscam’s security review.
They bricked more than 10 cameras, rendering them useless, and took advantage of Amazon’s generous return policy to get new ones. They also trawled through Foscam forums and security blogs, including a very informative one from “Irish Jesus,” to see who had previously done research on Foscam. They came across a French security researcher who had discovered that anyone could sign into any Foscam with the password “admin.”
They packaged their research into a presentation and submitted it to “Hack In The Box,” a security conference held in Amsterdam each April. They called it, “To Watch Or To Be Watched: Turning Your Surveillance Camera Against You.” Like most hacker conferences, it was a chance to preen and show off one’s skills, and to network with other security researchers. The conference paid for only one presenter’s expenses, but Qualys was happy to pay to have Harutyunyan go as well, as these conferences help build a firm’s reputation. They planned to do a live demo of the hack at the conference, but bricked the camera hours before they were to go on stage, so they wound up playing video of them doing the hack instead. It didn’t make a huge splash. There were a few articles about it on niche security blogs, probably because the researchers were talking about the ease of hacking “IP cams” rather than the more alarming “baby monitors.” Reporters focused instead on a presentation about hacking airplanes with an Android phone.
But a future baby-monitor hacker saw it. The presentation included information about how the problem could be fixed, but it also included the directions needed to exploit the vulnerability.
Harutyunyan found out that the hack had happened in the real world four months later as he prepared to give a talk about the vulnerability in Seattle at an embedded devices security conference. He saw a news report about a baby monitor getting hacked and recognized the distinct R2-D2 shape of a Foscam camera.
Shekyan and Harutyunyan didn’t have direct contact with Foscam, though they had put information about the vulnerability in the company’s user forums. “I’m sure the company doesn’t read those, though,” says Harutyunyan. A French researcher had disclosed the “admin” problem to the company earlier that year, but Foscam didn’t release an update that fixed the problem until June of 2013. And customers that were vulnerable would have needed to be regular readers of the company’s blog posts in order to know about it. There was no “BabyBleed” logo concocted. The Internet did not go crazy about it the way it did over Heartbleed, since it affected far fewer people — just tens of thousands.
Chase Rhymes, the recently-hired, Texas-based COO for Foscam’s U.S. distribution arm, says Foscam didn’t have infrastructure in place to warn customers. Based in China, its cheap IP-cams became popular fast in the U.S., Canada and Europe, used to watch homes, babies, and elderly parents. “The company made a mistake,” he says. “It had grown really fast and didn’t have a marketing arm to come up with a communication plan or talk to the media.”
Even though it was just two hacked cameras out of “over a million out there,” according to Rhymes, the hacks hurt Foscam. The negative publicity around the baby monitor cyberattacks caused a slump in sales last year. And the family of the Texan toddler has plans to sue Foscam for deceptive trade practices.
Rhymes is now doing all the talking for Foscam; there is still no easy way to reach the Chinese manufacturer. Though Rhymes wasn’t with the company when the hacks went down, he’s now responsible for explaining them. “We wanted to give our customers the freedom to keep it easy and not have to make their own password,” he says. “But it wound up being costly to us and our brand. So now we’re going to force them to customize their passwords.”
Another problem for the company in doing damage control when vulnerabilities in its products are exposed is that it doesn’t have a direct relationship with many customers, who buy their cameras from resellers like Amazon or Best Buy. “If customers bought from a third party they’re on an island and we can’t necessarily reach them,” says Rhymes. It couldn’t send customers an email to tell them to update their vulnerable systems. The company eventually did put a warning up on the Foscam Web-interface that customers would visit to set up their cameras, but people using a third-party service to watch their camera feed — there are lots of apps available in the Apple app store — would not necessarily visit that site ever again after linking it to their chosen app. “We’ve reached out to the resellers and the apps but we have no confirmation that they’ll alert users,” says Rhymes. This is why the chief security officer of the CIA’s venture firm In-Q-Tel thinks things connected to the Internet need to be programmed to die or to ask for firmware updates on a regular basis. Google-owned automated thermostat company Nest, for example, does firmware updates automatically. That, of course, comes with its own issues, when a company gets to make changes to a product in your home without your input.
Foscam has since taken steps to fix things, beefing up their marketing and security. “We thought we had a rigorous testing environment for new products, but we’re going to add some new steps. We now have 8 people in China and 2 people in Houston who are running cameras, and trying to breach and hack them,” says Rhymes. “We’ve increased the size of the team and have a game plan going forward to do more investigating and catch problems before they happen.”
Rhymes says Foscam plans to market a new product, specifically for watching kids, called “Fosbaby.” They used to release new products very quickly but now they’re delaying the roll-out, making sure this one is secure before they start selling it to parents.
Rhymes is contrite but he also says that customers need to be aware that technology evolves rapidly and that they need to be doing updates regularly to stay safe. “People need to understand in technology that firmware and software need to be updated periodically. I’m hoping the people who have these products realize that,” says Rhymes.
Rhymes still seems surprised that anyone would want to hack a baby monitor in the first place. I ask if Foscam has any idea who the hacker is; he still hasn’t been caught.
“That isn’t our main concern. We just want to keep it from happening again,” says Rhymes. “It’s still a surprise to us that someone would want to do that. I don’t know what motive they have. It doesn’t compute with me.”
One of the problems in the emerging ‘Internet of Things’ is that companies with no experience in Internet security are diving into the space rapidly by adding connectivity to their devices. “This is not a camera, it’s a computer,” says Harutyunyan. “But they’re not designing it as a computer, they’re designing a camera.”
Harutyunyan and Shekyan have not stopped hacking on Foscam. They found another vulnerability with the camera’s DNS service in February that would allow anyone to control what the camera connects to, meaning the cameras could be enslaved by a botnet and used in DDoS attacks. The two dads didn’t know who to contact at the company, so they sent an email to a generic “support” address. They emailed again after a week and were connected to engineers in China who didn’t think it was a problem because it had been fixed in new devices. After some pushing, the company released a manual update in May that would fix the issue on older devices.
When I ask Rhymes who people should contact when they find a problem, he doesn’t have a good answer, though he does say he’s grateful for their feedback. I tell him about bug bounty programs, which pay rewards to security researchers who find vulnerabilities in products; security journalist Brian Krebs has argued that they should be compulsory. Rhymes has never heard of the concept. I tell him about new start-ups like BugCrowd and Synack that offer this as a service to companies. He says they sound interesting. “That’s a good idea,” he says. “We need a lot of resources to do our own security testing.”
Harutyunyan says software will always have bugs and that perfect security is impossible, but that some vendors are trying harder than others. “It boils down to money,” says Harutyunyan. “The reason why [Internet of Things] vendors are not doing security better is that it’s cheaper not to do it. It’s expensive to build security in. The shopper in Best Buy will buy the camera for $40 not the one that’s $100. She doesn’t know or care about the security. There will be more and more hacks, not just of cameras but of lots of things. Eventually it will make people care, and it will be more expensive to be insecure than secure.”
Shekyan thinks that there should be a rating system for security so an uninformed shopper can make that part of their decision-making process, and that there should be certain security standards so that a site can’t fall to a simple script kiddie. “These are marketed as security devices at Home Depot and Best Buy,” says Harutyunyan. “You don’t expect them to have security problems.”
The government hasn’t issued any solid criteria for what it expects from companies security-wise, though the Federal Trade Commission has gone after the Wyndham hotel chain and IP cam maker Trendnet for making it too easy for hackers to break into their systems. In response, companies have complained that it’s unclear what the FTC’s expectations are for security practices.
“It’s going to be an issue with all of these connected devices,” says Foscam’s Rhymes. “Hackers breaking into them is not any different from a house being broken into even though the door was locked. I can complain to the lock manufacturer, but they’ll say the lock isn’t perfect. It doesn’t mean the company is bad or the product is bad or that people shouldn’t have door locks. People are going to keep getting these home automation products because the benefits outweigh the risks. But when the lock is picked, we need to use that as an opportunity to improve the locks moving forward.”
Harutyunyan agrees with him: “There’s no way to make an unbreakable door. It will always be possible to break software, but it’s a matter of price – is it expensive or cheap to break it?”
There are things consumers can do to make themselves safer, such as putting their connected devices behind Virtual Private Networks, or VPNs. “But that’s not a normal consumer device. You need a custom router with custom firmware and need to be a professional computer person to set it up,” says Harutyunyan. “Even I don’t have a VPN at home.”
Shekyan never did get a baby monitor for his daughter. “She just sleeps with us.”