Smartwares C935IP Camera: SSL Vulnerability

Author: Mathis Hagen
Date: 2017-05-24 13:56:04

Content Table

Overview
Details
Solution

Overview

Affected Product: Smartwares C935IP, version 1.0.9.6
Fixed in: n/a
Fixed Version Link: n/a
Vendor Website: http://www.smartwares.eu/
Vulnerability Type: MITM
Remote Exploitable: No
Reported to vendor: 04/18/2017
Disclosed to public: 05/24/2017
Release mode: Full Disclosure due to unresponsive vendor
CVE: n/a
Credits: Mathis Hagen, Tim Coen of Curesec GmbH

The Smartwares C935IP is an IP surveillance camera with night vision and motion detection. It was available from the Lidl online shop but is currently sold out. An app called OMGuard HD is used for configuration and communication. All communication on the camera side is via either LAN or Wi-Fi. The camera can be configured to send an alarm email when motion is detected. Enabling this option makes it possible for an attacker to obtain the login information of the email account used. This was tested on firmware version 1.0.9.6.

Details

CVSS3: Medium, 4.7 https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

When enabling the alarm email feature, the user needs to give the camera the email account name, password, and SMTP server and port. The user can also choose to activate SSL. If SSL is not activated, or if the email provider does not support SSL, STARTTLS is used. Both can be downgraded via sslsplit. This is most likely due to missing certificate checks.

Proof of Concept

For test purposes we assume that we have control over the Access Point (AP).

0. Connect the OMGuard application and the camera, enable email notification in the camera's settings, and enter the account and server information. If the email provider supports it, SSL can be activated. If SSL is not activated, STARTTLS will be used. Either can be downgraded to plaintext.

1. Fire up an access point with sslsplit.

2. Trigger the motion detection and receive the alert mail.

3. Look at the sslsplit logs:

220 smtp.gmail.com ESMTP o22sm6089025wro.13 - gsmtp
EHLO mail.txt
250-smtp.gmail.com at your service, [79.205.255.208]
250-SIZE 35882577
250-8BITMIME
250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
AUTH LOGIN w4TDhHVzZXJuYW1lQGdtYWlsLmNvbQo= (username@gmail.com base64 encoded)
334 UGFzc3dvcmQ6
cGFzc3dvcmQK (password base64 encoded)
235 2.7.0 Accepted
MAIL FROM:
250 2.1.0 OK o22sm6089025wro.13 - gsmtp
RCPT TO:
250 2.1.5 OK o22sm6089025wro.13 - gsmtp
DATA
354 Go ahead o22sm6089025wro.13 - gsmtp
From: username@gmail.com
To: username
Subject: IPCAM Detector Alarm (2017-03-23 15:35:03) AAAA-000000-AAAAA (unique camera ID)
MIME-version: 1.0
Content-type: text/html; charset=utf-8
2017-03-23 15:35:03 ......Motion detector alarm
.
250 2.0.0 OK 1490279709 o22sm6089025wro.13 - gsmtp
QUIT
221 2.0.0 closing connection o22sm6089025wro.13 - gsmtp
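
The pattern in the log above, an AUTH command sent although the EHLO reply carries no STARTTLS, can be flagged in a cleartext SMTP capture on the defender's side. The following is an added example, not part of the original advisory or of sslsplit; the function name, verdict strings and sample sessions are constructed for illustration.

```python
import re

REPLY = re.compile(r"^\d{3}[ -]")  # server reply: 3-digit code, then space or hyphen
STARTTLS_OFFER = re.compile(r"^250[ -]STARTTLS\b", re.I)

def audit_smtp_session(log: str) -> str:
    """Classify one cleartext SMTP capture by how the client authenticated.

    Verdicts (names are this example's own):
      no-cleartext-auth          no AUTH command seen outside TLS
      auth-ignoring-starttls     STARTTLS was offered, client sent AUTH anyway
      auth-starttls-not-offered  EHLO reply had no STARTTLS (server lacks it or
                                 an on-path device removed it), client sent AUTH
    """
    offered = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if REPLY.match(line):
            offered = offered or bool(STARTTLS_OFFER.match(line))
            continue
        verb = line.split()[0].upper()
        if verb == "STARTTLS":
            # Later traffic is encrypted and absent from a cleartext capture.
            return "no-cleartext-auth"
        if verb == "AUTH":
            return "auth-ignoring-starttls" if offered else "auth-starttls-not-offered"
        if verb in ("DATA", "QUIT"):
            break
    return "no-cleartext-auth"

# Constructed sessions modelled on the log above; host and credentials are placeholders.
GREETING = "220 smtp.example.test ESMTP\nEHLO mail.txt\n250-smtp.example.test at your service\n"
AUTH_EXCHANGE = "AUTH LOGIN dXNlcg==\n334 UGFzc3dvcmQ6\ncGFzcw==\n235 2.7.0 Accepted\n"
DOWNGRADED = GREETING + "250-AUTH LOGIN PLAIN\n250 SMTPUTF8\n" + AUTH_EXCHANGE
IGNORED = GREETING + "250-STARTTLS\n250 AUTH LOGIN PLAIN\n" + AUTH_EXCHANGE
PROTECTED = GREETING + "250-STARTTLS\n250 SMTPUTF8\nSTARTTLS\n220 2.0.0 Ready to start TLS\n"

if __name__ == "__main__":
    for name, log in [("downgraded", DOWNGRADED), ("ignored", IGNORED), ("protected", PROTECTED)]:
        print(name, "->", audit_smtp_session(log))
```

A session that reaches STARTTLS passes this check but can still be intercepted if the client skips certificate validation, which a capture alone cannot show.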

Solution

Although we contacted the vendor 3 times, we didn't receive an answer. It is therefore unlikely that this vulnerability will be patched.

Report Timeline

04/18/2017 Informed Vendor about Issue
05/10/2017 Reminded Vendor about Issue
05/16/2017 Reminded Vendor about Issue
n/a Vendor confirms + fixes issues
n/a Vendor releases fix
05/24/2017 Disclosed to public
