[CVE-2018-16225] Public Disclosure – QBee Camera Vulnerability

During the research for my master's thesis on IoT forensics, “Internet of Things: Traces, Vulnerabilities and Forensic Challenges” (more about it in the future), I found one vulnerability in the QBee Multisensor Camera (https://qbeecam.com/).

The compatible applications, QBee Cam and Swisscom Home App, by default communicate in cleartext with the camera when on the local network (testing was done mainly on Android).
The cleartext requests sent to the camera contain the cookies that authorize requests to the camera.
One of these requests is made periodically in the background to “/verify”, likely as a heartbeat.

By intercepting and reusing the cookies, it is possible to send custom commands to the camera; an attacker with access to the local network would therefore be able to disable the camera without the user noticing.

It is also possible to enable the privacy mode (thus disabling the camera) and to disable the physical button that toggles the privacy mode.
If the user relies on the Swisscom Home App, the result is a complete DoS of the camera until a factory reset: that application has no setting to reactivate the privacy button, and the privacy mode cannot be disabled from the application.
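As an added, defender-side example that is not part of this disclosure or the linked PoC: the script below scans a constructed capture log for the two traffic patterns described above, session cookies sent over cleartext HTTP to a LAN device and a periodic background request to the same path, so the same weakness can be spotted in other devices. The record format, the addresses and the cookie value are invented for the example; only the “/verify” path comes from the write-up.

```python
"""Added example (not the post's PoC or any vendor code): detect session cookies
sent over cleartext HTTP to a LAN device, and periodic heartbeat requests.

Input is a constructed, simplified capture log as an intercepting proxy might
record it: one record per request, records separated by a blank line.
"""
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample capture. Each record: "[hh:mm:ss] scheme src -> dst",
# then the HTTP request line, then headers. Addresses and token are made up.
SAMPLE_CAPTURE = """\
[10:00:00] http 192.168.1.20 -> 192.168.1.50
GET /verify HTTP/1.1
Host: 192.168.1.50
Cookie: session=PLACEHOLDER_TOKEN

[10:00:30] http 192.168.1.20 -> 192.168.1.50
GET /verify HTTP/1.1
Host: 192.168.1.50
Cookie: session=PLACEHOLDER_TOKEN

[10:00:45] https 192.168.1.20 -> 203.0.113.10
GET /api/status HTTP/1.1
Host: cloud.example
Cookie: session=PLACEHOLDER_TOKEN

[10:01:00] http 192.168.1.20 -> 192.168.1.50
GET /verify HTTP/1.1
Host: 192.168.1.50
Cookie: session=PLACEHOLDER_TOKEN

[10:01:05] http 192.168.1.20 -> 192.168.1.50
GET /status HTTP/1.1
Host: 192.168.1.50
"""

_HEAD = re.compile(r"^\[(\d\d):(\d\d):(\d\d)\] (https?) (\S+) -> (\S+)$")
_REQ = re.compile(r"^(\w+) (\S+) HTTP/1\.[01]$")


@dataclass
class Request:
    ts: int            # seconds since midnight
    scheme: str        # "http" (cleartext) or "https"
    src: str
    dst: str
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    @property
    def cleartext(self) -> bool:
        return self.scheme == "http"

    @property
    def cookie(self):
        return self.headers.get("cookie")


def parse_capture(text: str) -> list:
    """Parse the simplified capture format into Request objects."""
    requests = []
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        head = _HEAD.match(lines[0])
        req = _REQ.match(lines[1])
        if not (head and req):
            raise ValueError("malformed record: %r" % lines[0])
        hh, mm, ss, scheme, src, dst = head.groups()
        headers = {}
        for line in lines[2:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        ts = int(hh) * 3600 + int(mm) * 60 + int(ss)
        requests.append(Request(ts, scheme, src, dst, req.group(1), req.group(2), headers))
    return requests


def find_cookie_leaks(requests) -> list:
    """Requests carrying a Cookie header over cleartext HTTP: readable, and
    therefore replayable, by anyone on the same network segment."""
    return [r for r in requests if r.cleartext and r.cookie]


def find_heartbeats(requests, min_count: int = 3) -> dict:
    """Group cleartext requests by (src, dst, path) and report groups that
    repeat, with the median interval between repeats, as a heartbeat would."""
    groups = defaultdict(list)
    for r in requests:
        if r.cleartext:
            groups[(r.src, r.dst, r.path)].append(r.ts)
    result = {}
    for key, times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        result[key] = {"count": len(times), "interval": statistics.median(gaps)}
    return result


if __name__ == "__main__":
    reqs = parse_capture(SAMPLE_CAPTURE)
    for r in find_cookie_leaks(reqs):
        print("cleartext cookie: %s -> %s %s %s" % (r.src, r.dst, r.method, r.path))
    for (src, dst, path), info in find_heartbeats(reqs).items():
        print("heartbeat: %s -> %s %s every ~%ss (%d seen)"
              % (src, dst, path, info["interval"], info["count"]))
```

On the sample log the script flags the three cleartext “/verify” requests as cookie leaks (the HTTPS request to the cloud host is not flagged, nor the cookie-less status request) and identifies “/verify” as a heartbeat repeating every 30 seconds. The fix on the device side is the one the vendor shipped, moving the local channel to TLS; the detection is what a network owner can run in the meantime.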

Video

A video describing the vulnerability is available here: https://youtu.be/dd8vt0_DJF4

Report

CVE-2018-16225 – Report

PoC

PoC – CVE-2018-16225

Timeline

08.06.2018 – Vendor contacted (Swisscom & QBee)
11.06.2018 – Acknowledgement from Swisscom & disclosure to Swisscom CSIRT
03.07.2018 – Received response from Vestiacom (QBee) CEO, following communication problems, and disclosure to Vestiacom; acknowledgement from Vestiacom that Swisscom had already forwarded the problem.
30.08.2018 – CVE-ID obtained from MITRE
30.08.2018 – Vulnerability disclosure date postponed from 9th September to 16th September following Swisscom request
13.09.2018 – Vestiacom confirms the patched version of QBee Cam has been submitted to the iOS App Store (1.5.2) and to Askey for publishing on Android’s Google Play.
16.09.2018 – Public disclosure

Remarks: It was not possible to contact Askey directly, as all the public email addresses were non-functional; the vulnerability disclosure was therefore handled in collaboration with Swisscom (Swiss reseller of the QBee Multisensor Camera) and Vestiacom.

