Security bug in Swann IoT Camera allowed to access video feeds

Security experts have discovered a security glitch in Swann IoT camera that could be exploited by attackers to access video feeds.

Security experts from Pen Test Partners (Andrew Tierney, Chris Wade and Ken Munro) along with security researchers Alan Woodward, Scott Helme and Vangelis Stykas have discovered a security glitch in Swann IoT camera that could be exploited to access video feeds.

The experts reported the issue to the vendor that has patched the vulnerability.

The research team developed a proof-of-concept attack exploiting security flaws in the cloud service used by the IoT camera, Safe by Swann, in this way they were able to access the cameras via their mobile devices.

The experts started investigating the issue after reading a BBC article outlining how a BBC employee had accidentally seen someone else’s footage on the mobile app for their home security camera.

The affected camera model it a battery-powered HD camera that implements video streaming feature either directly over the local network or via a cloud service.

Experts noticed that the cloud service is provided by Ozvision, when a user logs into the system through Safe by Swann, a request is made (userListAssets) to the server.

The server, in turn, provides a list containing the devices associated with the account.

The researchers analyzed the requests and attempted to manipulate the serial number parameter.

The experts explained that it is easy to find a serial number associated with the targeted device via the API endpoint and APK.

“After reviewing the API endpoint and APK, I quickly realised that the serial number (swnxxxxxxxxx) is the primary identifier of the camera on the platform. This is both for the Swann-specific web API and the OzVision peer-to-peer tunnel. The serial is easily found in the mobile app:” states the analysis published by the experts.

“We replace the serial number (deviceid) in the response from the server. At this point the mobile app sees the details of someone else’s camera. We are using Charles here, but Burp or MITMproxy will do it too”

The experts demonstrated that it is possible to access the camera stream for another serial number.

“In the app, one simply presses ‘play’. This made a request to deviceWakeup using the modified serial, then the Ozvision tunnel to the device was established using the modified serial. We could then watch the camera live.” continues the experts.

The experts explained that Swann quickly fixed the issue, but they speculated that the Ozvision was already aware of the issue.

“Ozvision already knew about the vulnerability, as Swann had informed them. The Swann customer camera cloud environment had quickly been fixed. Swann took swift action to fix the flaw and had a constructive dialogue with us.” continues the post.

“We suspect they knew about this issue for about nine months, and only fixed it when pressured by Swann; and we are confident the vulnerability was present in at least one other major camera brand to which they provide a cloud service. Further, they initially deflected direct questions about the issue back to Swann.”

How to discover serial numbers of existing cameras?

The serial number if composed of the string ‘swn’ plus 9 hex chars. The researcher Vangelis (@evstykas of the Tapplock API vulnerability fame) analyzed the API and discovered that it was possible to enumerate them with the following request:

1.1/osn/deviceIsOwned

1.1/osn/AccountAddDevice – this will throw an error if the camera is already paired, this means that using this trick it is possible to enumerate the entire keyspace searching for existing cameras.

“We believe the keyspace could be fully enumerated in as little as 3 days, given a distributed set of concurrent requests to the API.” concluded the researchers.

“So, one could now access arbitrary cameras.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Securi ty Affairs – IoT camera, Swann)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.