Internet cameras have hard-coded password that can’t be changed

Security cameras manufactured by China-based Foscam are vulnerable to remote take-over hacks that allow attackers to view video feeds, download stored files, and possibly compromise other devices connected to a local network. That’s according to a 12-page report released Wednesday by security firm F-Secure.

Researchers at F-Secure documented 18 vulnerabilities that the manufacturer has yet to fix despite being alerted to them several months ago. All of the flaws were confirmed in a camera marketed under the Opticam i5 HD brand. A smaller number of the vulnerabilities were also found in the Foscam C2. The report said the weaknesses are likely to exist in many other camera models Foscam manufactures and sells under other brand names. F-Secure researchers wrote:


Hackers hijack Philips Hue lights with a drone

Surprise! The Internet of Things is a security nightmare. Anyone who was online a few weeks ago can attest to that. The massive internet blackout was caused by connected devices, and new research from white-hat hackers expounds upon those types of vulnerabilities. The target? Philips Hue smart lightbulbs. While they’ve been hacked in the past, Philips was quick to point out that pulling it off in a real-world situation would be pretty difficult. Digital intruders would need to already be on your home network with a computer of their own; the company claimed that directly attacking the lightbulbs wasn’t exactly feasible.

But this new attack doesn’t require that sort of access. In fact, all it takes is tricking the bulbs into accepting a nefarious firmware update. By exploiting a weakness in the Touchlink aspect of the ZigBee Light Link system (again!), the hackers were able to bypass the built-in safeguards against remote access. From there, they “extracted the global AES-CCM key” that the manufacturer uses to encrypt and authenticate new firmware, the researchers write (PDF). “The malicious firmware can disable additional downloads, and thus any effect caused by the worm (blackout, constant flickering, etc.) will be permanent.”

What’s more, the attack is a worm, and can jump from connected device to connected device through the air. It could potentially knock out an entire city with just one infected bulb at the root “within minutes.” “There is no other method of reprogramming these devices without full disassemble (which is not feasible). Any old stock would also need to be recalled, as any devices with vulnerable firmware can be infected as soon as the power is applied.”

The result is that the hackers were able to turn lights on and off both from a van driving by a house and a drone flying outside an office building. For the home, the team was 70 meters (229.7 feet) away and caused lights to go on and off individually. The office building houses a few security companies including Oracle, and was hacked from 350 meters (1,148 feet; about a quarter of a mile), and once under control, the lights started signaling “S.O.S.” in Morse code. “We used only readily available equipment costing a few hundred dollars, and managed to find this key without seeing any actual updates.”

Not terrifying at all, right? The researchers say that they’ve contacted Philips and included all the details needed for a fix. Philips has confirmed the weaknesses and issued firmware updates to hopefully guard against this ever happening.

Via: New York Times. Source: Eyalro (1), (2) (PDF)
