Security Flaw in Guardzilla Smart Cameras Is Exposing Users’ Recordings, Researchers Say

Photo: Guardzilla

Putting internet-connected cameras in your home requires some blind trust—namely, that these devices are designed without any major, easily discoverable security vulnerabilities. But that’s not always the case, as researchers at Rapid7 say they found with Guardzilla’s home security cameras. Recently spotted flaws mean it wouldn’t take a super skilled attacker to access users’ stored files or videos, according to the firm.

Rapid7’s researchers said the vulnerability, found in Guardzilla’s indoor surveillance model, is a firmware issue: they discovered that every one of the devices ships with the same hardcoded keys, and that the password was easy to recover. “Accessing these S3 storage credentials is trivial for a moderately skilled attacker,” the researchers wrote. S3—short for Amazon’s Simple Storage Service—is the cloud storage service Guardzilla uses to hold the footage its customers’ cameras upload. Because every camera shares one set of credentials, any Guardzilla All-In-One Video Security System user could access and view any other user’s footage uploaded from their account, the researchers say.
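The flaw described above is a secrets-in-firmware problem, and it is the kind of thing a vendor can catch before release with a mechanical check. The script below is an added example (not Rapid7’s tooling and not anything from Guardzilla) that scans a raw firmware image for static AWS access keys, the 40-character secret that usually sits next to them, and any S3 endpoint strings nearby. The firmware bytes are constructed here for the demonstration, and the key pair inside them is the placeholder pair from Amazon’s own documentation, not a live credential.

```python
import re
import sys

# Public formats: IAM access key IDs are 20 characters beginning with AKIA
# (long-lived) or ASIA (temporary); the paired secret is 40 characters drawn
# from the base64 alphabet.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_KEY_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
S3_ENDPOINT_RE = re.compile(rb"[a-z0-9.-]*s3[.-][a-z0-9.-]*amazonaws\.com")


def find_embedded_aws_credentials(blob: bytes, window: int = 512) -> list[dict]:
    """Return one finding per access key ID found in the image, with any
    secret-shaped strings and S3 hostnames within `window` bytes of it."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(blob):
        lo, hi = max(0, m.start() - window), min(len(blob), m.end() + window)
        nearby = blob[lo:hi]
        findings.append({
            "offset": m.start(),
            "access_key_id": m.group(0).decode(),
            "secret_candidates": [s.group(0).decode() for s in SECRET_KEY_RE.finditer(nearby)],
            "s3_endpoints": sorted({e.group(0).decode() for e in S3_ENDPOINT_RE.finditer(nearby)}),
        })
    return findings


def audit(blob: bytes) -> bool:
    """True when the image carries no static AWS credentials (release gate)."""
    return not find_embedded_aws_credentials(blob)


# Constructed stand-in for a firmware dump: binary padding around a block of
# configuration strings. The key pair is AWS's documentation placeholder.
CONSTRUCTED_FIRMWARE = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 64
    + b"upload_host=example-bucket.s3.amazonaws.com\x00"
    + b"aws_access_key_id=AKIAIOSFODNN7EXAMPLE\x00"
    + b"aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    + b"\xff" * 64
)

# Constructed image of the shape the fix would produce: the device only knows
# a proxy hostname and its own certificate path, no cloud keys at all.
CLEAN_FIRMWARE = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 32
    + b"proxy_host=upload.example.com\x00device_cert=/etc/device.pem\x00"
)


if __name__ == "__main__":
    # Usage: python scan_firmware.py <image.bin>; exits 1 if credentials are found.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else CONSTRUCTED_FIRMWARE
    for f in find_embedded_aws_credentials(blob):
        print(f"offset 0x{f['offset']:x}: key id {f['access_key_id']}, "
              f"{len(f['secret_candidates'])} secret candidate(s), endpoints {f['s3_endpoints']}")
    sys.exit(0 if audit(blob) else 1)
```

Regex scanning of a flat image is deliberately the cheapest possible check; it runs before any filesystem extraction and still catches the pattern the article describes, a shared key pair sitting in plaintext configuration. Compressed or encrypted partitions would need unpacking first.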

Researchers spotted the vulnerability during the 0DAYALLDAY Research Event at the end of September and reportedly informed Guardzilla, which manufactures the smart home security system, the following month. The researchers wrote in a post announcing the security issue on Thursday that they hadn’t yet heard back from the company.

“They could update the keys and update the firmware, but that just means they’ll be rediscovered again by the same techniques,” Tod Beardsley, Rapid7’s research director, told TechCrunch. “The only way I can think of to fix this completely is to change the keys, stand up a proxying service and update the firmware to use this proxying service with unique-per-device accounts.”

According to TechCrunch, a lawyer representing the company said Rapid7 hadn’t contacted them about the vulnerability. They reportedly insisted that the “accusations are false,” but did not provide additional information.

That a security camera is susceptible to hackers is hardly a revelation—police bodycams, Nest security cameras, and baby monitors have all been found guilty of damning and wildly dumb security flaws. And in 2012, research indicated that three of the leading surveillance camera brands were equipped with egregiously weak security measures.

What’s particularly frustrating about these types of vulnerabilities is that we have a wealth of research and tips from security experts on best practices for these devices—ones that could prevent intimate recordings of your inner life from being made available to mediocre hackers online.

We have reached out to Guardzilla to comment on the reported security vulnerability and will update with a response.

Cochese: 4k120fps

Insofar as cheap “security” cameras are concerned, these cameras and this company are absolute garbage. Their phone software is trash, their customer service is trash, and their cameras cannot maintain a solid connection even if you directly wired them to the server, which you can’t do anyway.

The setup for them is not only needlessly complex and requires you to speak to a rep to register them (wasn’t always the case), but their system of installing multiple into one app is appalling and needlessly complex, requiring logging into the network, into the camera, back to the network, back to the camera, over and over.
If you had the app downloaded onto your phone and you happened to get on the network, it’s almost laughable how easy it is to hack into them.

I’ve had a few different people buy them on a recommendation, fail to hook them up, and then ask me to help. If you can get them working, they’ll be okay until you have a slight network hiccup or a power outage or the power just flickers a bit.

I’ve hooked up a few other types of these cheap camera options for people both before and after the fiasco that was “guardzilla” and they’ve all been so smooth and mostly seamless. Just log on, turn on the camera, add it to the app and done.

Above all though, if you’re worried about your video feed ever getting hijacked from any of these types of cheap cameras, get a real professional service.