Severe Vulnerability in iBaby Monitor M6S Camera Leads to Remote Access to Video Storage Bucket

Baby monitors have become increasingly common in modern homes. To many parents, the ability to keep an eye on children while away is worth the risk of having video feeds or pictures leaked to unauthorized parties.

This article – part of a series developed in partnership with PCMag – aims to shed light on the security of the world’s best-sellers in the IoT space. PCMag contacted the research team at Bitdefender and asked us to look at several popular devices, including the Belkin WeMo Switch. More information is available in this article published on PCMag.

Note:

In the spirit of responsible disclosure, this whitepaper has been published despite our best efforts to contact the vendor and get in touch, in order to patch or mitigate the described issues.

Update (March 12, 2020):

We’re happy to report that the iBaby team reached out to us after this paper became public. They delivered a fix for the reported issues within 24 hours. The vulnerabilities reported in the paper have been fixed as of February 29th. We would like to thank iBaby for properly handling this issue.

Vulnerabilities at a glance

While investigating the iBaby Monitor M6S camera, Bitdefender researchers have identified vulnerabilities that can allow an attacker to access files in the AWS bucket, leak information through the MQTT service which leads to remote access of the camera (CVE-2019-12268), and leak personal information of users through an Indirect Object Reference (IDOR) vulnerability.

What’s troubling the most about the first vulnerability is that the camera uses a secret key and an access key ID to upload am alert to the cloud, these keys can be used for directory listing and downloading of any alert (video or picture) uploaded by any camera with alerts enabled (motion and/or sound).

If an attacker monitors the MQTT server when a user configures a camera, critical information will be leaked to the attacker. They could then stream video, take screenshots, record video, or play music using the obtained credentials.

If an attacker monitors the MQTT server when a user configures a camera, critical information will be leaked to the attacker. They could then stream video, take screenshots, record video, or play music using the obtained credentials.

Through the Indirect Object Reference (IDOR) vulnerability, an attacker can craft requests to obtain the email address, name, location and profile picture of the camera owner, as well as the timestamps showing when that user accessed their camera.

Impact

Determined attackers are currently able to leverage these vulnerabilities to gain access to a user’s system and/or personal information within seconds.

More information is available in the technical whitepaper below:

Download the whitepaper