iWatchLife IP Camera Security
Posted on Wed, Feb 15, 2012 @ 10:46 AM
A few weeks ago, the press reported that TrendNet IP cameras were subject to a vulnerability that allowed anyone to access an affected TrendNet IP camera's live video stream. In the wake of that story, many people have asked iWatchLife about the security of our IP cameras, so I thought I would take a few minutes to address the security of iWatchLife IP cameras.
Although a bit technical, the video above from This Week in Tech's Security Now show provides a more detailed overview of the story. The purpose of this post is to summarize the issue with the affected TrendNet IP cameras and to explain how the IP cameras we support (made by Axis) have been configured from the beginning to reduce the likelihood of this type of vulnerability.
Why some TrendNet IP cameras were vulnerable
To access an affected TrendNet IP camera, a user would enter a URL containing the IP address of the camera and a path to an anonymous CGI script, which let them view the camera's live feed without having to log in. An IP address (IP stands for Internet Protocol) is like a mailing address: it tells computers and devices attached to the Internet where a device or service is located so that a connection can be made. The first issue with the affected TrendNet IP cameras was that their IP addresses were exposed to the Internet, so a specialized search engine could essentially find the IP address of any TrendNet IP camera affected by the vulnerability.
Once the hacker was able to determine the IP address of the TrendNet IP camera, they were able to use an unauthenticated path (think of this like entering a locked house through a window that was left open) to access the TrendNet IP camera's live view. The reason that any affected TrendNet IP camera's live view could be accessed is that TrendNet was exposing the token, using the same token across all cameras and, to make matters worse, not changing the token. It's like having every house in a given neighborhood using the same front door key and never changing the locks.
How iWatchLife IP camera security is different than TrendNet's
iWatchLife prevents vulnerabilities such as this by never exposing the IP address of the IP camera to the Internet. To continue with my analogy of a mailing address, it means that your address wouldn't be listed in the phone book or in any kind of directory. As you can imagine, this makes finding the IP address incredibly difficult.
Secondly, iWatchLife will never expose camera-sensitive authentication data to the public. Our service will broker a connection with the IP camera, and then securely transmit video to the end user. At the same time, we use a stream verification technique that ties an iWatchLife Account Session to a Stream Authorization Key, ensuring these keys are only viable for short periods of time.
So, once again using my analogy of a stream authorization key being like a key to a house, iWatchLife would require everyone in your family to have their own unique key to the house, and the locks would be changed on a frequent basis, so even if somebody had your key, it wouldn't work because it had been invalidated.
If you or somebody you know has a TrendNet IP camera, you should check TrendNet's website for information about affected cameras. A critical firmware update has been released to address these issues.
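A minimal sketch of the idea described above: a stream authorization key that is bound to one account session and one camera and is valid only briefly, unlike a single static token shared by every device. This is an added example, not iWatchLife's code; the function names, `SERVER_KEY`, the 60-second lifetime and the HMAC construction are all assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical server-side secret: held by the brokering service only,
# never sent to clients and never stored on a camera.
SERVER_KEY = secrets.token_bytes(32)
KEY_LIFETIME = 60  # seconds a stream key stays valid (assumed value)


def _sign(session_id, camera_id, expires):
    # JSON array encoding keeps field boundaries unambiguous, so a crafted
    # session id cannot be reinterpreted as a different (session, camera) pair.
    msg = json.dumps([session_id, camera_id, expires]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_stream_key(session_id, camera_id, now=None):
    """Issue a key usable only by this session, for this camera, until expiry."""
    now = int(time.time()) if now is None else int(now)
    expires = now + KEY_LIFETIME
    return f"{expires}.{_sign(session_id, camera_id, expires)}"


def verify_stream_key(key, session_id, camera_id, active_sessions, now=None):
    """Return True only for an unexpired key tied to a live session and camera."""
    now = int(time.time()) if now is None else int(now)
    if session_id not in active_sessions:
        return False  # session logged out or revoked: its keys die with it
    expires_str, sep, mac = key.partition(".")
    if not sep or not (expires_str.isascii() and expires_str.isdigit()):
        return False  # malformed key
    expires = int(expires_str)
    if now >= expires:
        return False  # the "locks" have already been changed
    expected = _sign(session_id, camera_id, expires)
    # Constant-time comparison avoids leaking how much of the MAC matched.
    return hmac.compare_digest(mac.encode(), expected.encode())
```

A key copied from one user's session fails for any other session or camera, and stops working on its own once the lifetime passes or the session ends.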
If you have any questions, please don't hesitate to contact us at support@iwatchlife.com.