Smartwares C935IP Camera: SSL Vulnerability
Author: Mathis Hagen
Date: 2017-05-24 13:56:04
Affected Product: Smartwares C935IP, version 188.8.131.52
Fixed Version Link: n/a
Reported to vendor: 04/18/2017
Disclosed to public: 05/24/2017
Release mode: Full Disclosure due to unresponsive vendor
Credits: Mathis Hagen, Tim Coen of Curesec GmbH
The Smartwares C935IP is an IP surveillance camera with night vision and motion detection. It was available from the Lidl online shop but is currently sold out. An app called OMGuard HD is used for configuring and communicating with the camera. On the camera side, all communication goes over either LAN or WiFi. The camera can be configured to send an alarm email when motion is detected. Enabling this option makes it possible for an attacker on the same network to obtain the login credentials of the email account used. This was tested on firmware version 184.108.40.206.
CVSS3: Medium, 4.7 https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
When enabling the alarm email feature, the user needs to give the camera the email account name, the password, and the SMTP server and port. The user can also choose to activate SSL. If SSL is not activated, or if the email provider does not support it, STARTTLS is used instead. Both variants can be downgraded to plaintext via sslsplit, most likely because the camera performs no certificate checks.
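The defect described above is the absence of certificate validation combined with a silent fallback to plaintext. The following added example (written for this page; it is not code from the advisory or from Smartwares) shows what a mail-sending client on such a device should do instead: treat a missing STARTTLS offer as an error rather than a reason to continue in the clear, and only hand over credentials once TLS is up with chain and hostname verification. For contrast it also contains a client that behaves the way the advisory describes. `FakeSMTP`, the account name and the host/port arguments are constructed stand-ins so the two clients can be compared offline; `send_alert` shows the same logic against a real `smtplib.SMTP` connection.

```python
"""Strict vs. permissive SMTP authentication (added example, not advisory code)."""
import smtplib
import ssl


class DowngradeRefused(Exception):
    """Raised when no verified TLS session could be established before AUTH."""


def make_strict_tls_context() -> ssl.SSLContext:
    # create_default_context() loads the system trust store and enables chain
    # and hostname verification; set the flags explicitly so a later edit
    # cannot weaken them silently, and refuse anything older than TLS 1.2.
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_unverified_context() -> ssl.SSLContext:
    # What "no certificate checks" looks like in code: any certificate,
    # including one forged by a man-in-the-middle such as sslsplit, is accepted.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def login_strictly(conn, user: str, password: str, context: ssl.SSLContext) -> bool:
    """Authenticate over `conn` (smtplib.SMTP or a compatible object) only after
    STARTTLS completed with certificate verification. Never falls back."""
    conn.ehlo()
    if not conn.has_extn("starttls"):
        # A stripped STARTTLS capability lands here instead of in plaintext AUTH.
        raise DowngradeRefused("server offered no STARTTLS; refusing to send credentials in clear")
    code, _ = conn.starttls(context=context)  # raises ssl.SSLError on a bad certificate
    if code != 220:
        raise DowngradeRefused(f"STARTTLS refused by server: {code}")
    conn.ehlo()  # capabilities must be re-read inside the TLS session
    conn.login(user, password)
    return True


def login_like_the_camera(conn, user: str, password: str) -> bool:
    """The behaviour the advisory describes, for contrast: STARTTLS without
    certificate checks if offered, plaintext AUTH otherwise."""
    conn.ehlo()
    if conn.has_extn("starttls"):
        conn.starttls(context=make_unverified_context())
        conn.ehlo()
    conn.login(user, password)
    return True


def send_alert(host: str, port: int, user: str, password: str, sender: str, to: str, body: str) -> None:
    """Real-world use of the strict client; host/port are caller-supplied placeholders."""
    with smtplib.SMTP(host, port, timeout=10) as conn:
        login_strictly(conn, user, password, make_strict_tls_context())
        conn.sendmail(sender, [to], body)


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP so both clients run offline.
    offers_starttls=False models a path where the capability was stripped."""

    def __init__(self, offers_starttls: bool = True):
        self.offers_starttls = offers_starttls
        self.tls = False
        self.credentials_in_clear = False

    def ehlo(self):
        return 250, b"ok"

    def has_extn(self, name: str) -> bool:
        return self.offers_starttls and name.lower() == "starttls"

    def starttls(self, context=None):
        self.tls = True
        return 220, b"Ready to start TLS"

    def login(self, user, password):
        self.credentials_in_clear = not self.tls
        return 235, b"Accepted"


def demo():
    """Returns (strict client leaked credentials?, camera-style client leaked?)."""
    stripped = FakeSMTP(offers_starttls=False)
    try:
        login_strictly(stripped, "camera@example.com", "secret", make_strict_tls_context())
        strict_leaked = stripped.credentials_in_clear
    except DowngradeRefused:
        strict_leaked = False
    weak = FakeSMTP(offers_starttls=False)
    login_like_the_camera(weak, "camera@example.com", "secret")
    return strict_leaked, weak.credentials_in_clear


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The design point is that the strict client has no code path that sends `AUTH` over an unencrypted socket: the only way past the STARTTLS check is a 220 reply followed by a successful handshake against a verified certificate, so an active attacker can at most cause the alert mail not to be sent.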
Proof of Concept
For test purposes we assume that we have control over the Access Point (AP).
0. Connect the OMGuard application to the camera, enable email notification in the camera's settings, and enter the account and server information. If the email provider supports it, SSL can be activated. If SSL is not activated, STARTTLS will be used. Either can be downgraded to plaintext.
1. Fire up an access point with sslsplit.
2. Trigger the motion detection and receive the alert mail.
3. Look at the sslsplit logs:
220 smtp.gmail.com ESMTP o22sm6089025wro.13 - gsmtp
250-smtp.gmail.com at your service, [220.127.116.11]
250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
AUTH LOGIN w4TDhHVzZXJuYW1lQGdtYWlsLmNvbQo= (email@example.com base64 encoded)
cGFzc3dvcmQK (password base64 encoded)
235 2.7.0 Accepted
.
250 2.0.0 OK 1490279709 o22sm6089025wro.13 - gsmtp
QUIT
221 2.0.0 closing connection o22sm6089025wro.13 - gsmtp
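The transcript above is what a defender would also see in a packet capture taken on their own network when a device authenticates without TLS. As an added example (not part of the advisory), the checker below scans a client/server SMTP transcript of that shape and reports every `AUTH LOGIN` or `AUTH PLAIN` that happened before a STARTTLS exchange was answered with 220, decoding only the username so the account at risk can be identified; passwords are never decoded or returned. The sample transcript is constructed to mirror the session shown above (the inline base64 username is a made-up `username@gmail.com`).

```python
"""Detect credentials sent over plaintext SMTP (added example, not advisory code)."""
import base64
import binascii
import re

# Constructed transcript modelled on the advisory's sslsplit excerpt: EHLO,
# AUTH LOGIN with the username as initial response, password line, QUIT.
SAMPLE_TRANSCRIPT = """\
220 smtp.gmail.com ESMTP o22sm6089025wro.13 - gsmtp
EHLO camera
250-smtp.gmail.com at your service
250 AUTH LOGIN PLAIN XOAUTH2
AUTH LOGIN dXNlcm5hbWVAZ21haWwuY29t
334 UGFzc3dvcmQ6
cGFzc3dvcmQ=
235 2.7.0 Accepted
QUIT
221 2.0.0 closing connection o22sm6089025wro.13 - gsmtp
"""

# Server replies start with a three-digit code; everything else is the client.
SERVER_REPLY = re.compile(r"^\d{3}([ -]|$)")


def b64_text(token: str):
    """Decode one base64 token to text, or None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def username_from_plain(token: str):
    """AUTH PLAIN carries '\\0authzid\\0authcid\\0password'; return the authcid only."""
    decoded = b64_text(token)
    if decoded is None:
        return None
    parts = decoded.split("\0")
    return parts[1] if len(parts) >= 3 else None


def _note(findings, tls_active, lineno, mech, user):
    if not tls_active:
        findings.append({"line": lineno, "mechanism": mech, "username": user})


def find_plaintext_auth(transcript: str):
    """Return one finding per AUTH seen before a successful STARTTLS (220 reply)."""
    findings = []
    tls_active = False
    awaiting_starttls_reply = False
    expect = None  # meaning of the next bare client line: "login-user", "login-pass", "plain"
    for lineno, raw in enumerate(transcript.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if SERVER_REPLY.match(line):
            if awaiting_starttls_reply:
                tls_active = line.startswith("220")
                awaiting_starttls_reply = False
            if line[0] in "45":  # a failure reply ends any pending AUTH dialogue
                expect = None
            continue
        upper = line.upper()
        if upper == "STARTTLS":
            awaiting_starttls_reply = True
            continue
        if upper.startswith("AUTH "):
            parts = line.split()
            mech = parts[1].upper()
            initial = parts[2] if len(parts) > 2 else None
            if mech == "LOGIN":
                if initial:
                    _note(findings, tls_active, lineno, "LOGIN", b64_text(initial))
                    expect = "login-pass"
                else:
                    expect = "login-user"
            elif mech == "PLAIN":
                if initial:
                    _note(findings, tls_active, lineno, "PLAIN", username_from_plain(initial))
                else:
                    expect = "plain"
            continue
        if expect == "login-user":
            _note(findings, tls_active, lineno, "LOGIN", b64_text(line))
            expect = "login-pass"
        elif expect == "login-pass":
            expect = None  # the password line is counted under the LOGIN finding, never decoded
        elif expect == "plain":
            _note(findings, tls_active, lineno, "PLAIN", username_from_plain(line))
            expect = None
    return findings


if __name__ == "__main__":
    for f in find_plaintext_auth(SAMPLE_TRANSCRIPT):
        print(f"line {f['line']}: AUTH {f['mechanism']} in plaintext for {f['username']}")
```

In a real capture the bytes following a successful STARTTLS are ciphertext and will not parse as SMTP commands anyway, so the `tls_active` flag mainly keeps the checker from misreporting transcripts that were decrypted afterwards (for example by a logging proxy the defender runs themselves). A hit from this checker on the camera's traffic is the observable symptom of the missing certificate checks described above.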
Although we contacted the vendor three times, we did not receive an answer. It is therefore unlikely that this vulnerability will be patched.
04/18/2017: Informed vendor about issue
05/10/2017: Reminded vendor about issue
05/16/2017: Reminded vendor about issue
n/a: Vendor confirms and fixes issue
n/a: Vendor releases fix
05/24/2017: Disclosed to public