Francesco Servida's Blog

During the research for my master's thesis on IoT forensics, “Internet of Things: Traces, Vulnerabilities and Forensic Challenges” (more about it in the future), I found one vulnerability in the QBee Multisensor Camera (https://qbeecam.com/).

The compatible applications, QBee Cam and Swisscom Home App, by default communicate in cleartext with the camera when on the local network (testing was done mainly on Android).
The cleartext requests sent to the camera contain the cookies that authorize requests to the camera.
One of these requests is made periodically in the background to “/verify”, likely in an attempt to establish a heartbeat.

By intercepting and reusing the cookies it is possible to send custom commands to the camera; an attacker with access to the local network would therefore be able to disable the camera without the user noticing.

It is also possible to enable the privacy mode (thus disabling the camera) and disable the functionality of the physical button to toggle the privacy mode.
In this case, if the user uses the Swisscom Home App, the result is a complete DoS of the camera until a factory reset; this is because that application doesn’t have the ability in the settings to reactivate the functionality of the privacy button, and the privacy mode cannot be disabled from the application.
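
The exposure described above can be confirmed on one's own network by checking captured traffic for plaintext HTTP requests to the camera that carry a Cookie header. The following is an added example, not code from this post or its PoC; the addresses, cookie names and the tuple input format are constructed assumptions, and only the `/verify` path comes from the text above.

```python
# Added example: flag plaintext HTTP requests to a camera that carry Cookie headers.
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")

def parse_cleartext_request(payload):
    """Return (method, path, headers) if payload starts a plaintext HTTP request, else None."""
    if not payload.startswith(HTTP_METHODS):
        return None  # TLS records (first byte 0x16) and other protocols end up here
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return parts[0], parts[1], headers

def cookie_names(headers):
    """Cookie names only; values are credentials and are never stored or logged."""
    names = []
    for value in headers.get("cookie", []):
        for pair in value.split(";"):
            name = pair.split("=", 1)[0].strip()
            if name:
                names.append(name)
    return names

def find_cookie_exposures(segments, camera_ips):
    """segments: (src_ip, dst_ip, tcp_payload) tuples already extracted from a capture."""
    findings = []
    for src, dst, payload in segments:
        parsed = parse_cleartext_request(payload) if dst in camera_ips else None
        if parsed is None:
            continue
        method, path, headers = parsed
        names = cookie_names(headers)
        if names:
            findings.append({"src": src, "dst": dst, "method": method,
                             "path": path, "cookie_names": names})
    return findings

# Constructed sample payloads (not from a real device); IPs and cookie names are made up.
SAMPLE = [
    ("192.0.2.10", "192.0.2.50", b"GET /verify HTTP/1.1\r\nHost: 192.0.2.50\r\nCookie: session=AAAA; uid=1\r\n\r\n"),
    ("192.0.2.10", "192.0.2.50", b"\x16\x03\x01\x00\x05hello"),            # TLS record, ignored
    ("192.0.2.10", "192.0.2.50", b"GET / HTTP/1.1\r\nHost: 192.0.2.50\r\n\r\n"),  # no cookie
    ("192.0.2.10", "192.0.2.99", b"GET /verify HTTP/1.1\r\nCookie: session=BBBB\r\n\r\n"),  # other host
]
```

A finding against a patched application version would indicate that the local channel is still unencrypted for that client.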

Video

A video describing the vulnerability is available here: https://youtu.be/dd8vt0_DJF4

Report

CVE-2018-16225 – Report

PoC

PoC – CVE-2018-16225

Timeline

08.06.2018 – Vendor contacted (Swisscom & QBee)
11.06.2018 – Acknowledgement from Swisscom & disclosure to Swisscom CSIRT
03.07.2018 – Received response from Vestiacom (QBee) CEO, following communication problems & disclosure to Vestiacom; acknowledgement from Vestiacom that Swisscom already forwarded the problem.
30.08.2018 – CVE-ID obtained from MITRE
30.08.2018 – Vulnerability disclosure date postponed from 9th September to 16th September following Swisscom request
13.09.2018 – Vestiacom confirms the patched version of QBee Cam has been submitted to the iOS App Store (1.5.2) and to Askey for publishing on Android’s Google Play.
16.09.2018 – Public disclosure

Remarks: It was not possible to contact Askey directly, as all the public email addresses were non-functional; the vulnerability disclosure was handled in collaboration with Swisscom (Swiss reseller of QBee Multisensor Camera) and Vestiacom.


One Comment

  1. Kudos to you for creating such a great website! The content is top-notch, and your post is no exception. It provided me with the exact information I was looking for. Thank you!
