
SoylentNews is people

posted by Fnord666 on Friday December 28 2018, @03:34PM
from the monumentally-stupid dept.

Submitted via IRC for SoyCow1984

Security flaws let anyone snoop on Guardzilla smart camera video recordings

A popular smart security system maker has ignored warnings from security researchers that its flagship device has several serious vulnerabilities, including allowing anyone access to the company’s central store of customer-uploaded video recordings.

The researchers at 0DayAllDay found that Guardzilla’s top-selling indoor wireless security system contains a set of hardcoded keys that can be easily extracted, because the device’s root password was protected using a decade-old algorithm that’s nowadays easily crackable. Each device uses the same set of keys to upload video recordings to the company’s Amazon Web Services’ storage servers. Anyone can use these keys to log in and gain full access to the company’s cloud storage — and customer data uploaded from the device.

But the storage servers remain vulnerable — even at the time of publication, TechCrunch can confirm — despite the researchers privately emailing the company detailing the vulnerabilities in September.

“We’ve tried several avenues to get in touch with Guardzilla, but they have not acknowledged the report,” said Tod Beardsley, Rapid7’s research director, who helped coordinate the release of the researchers’ findings.

The team of five researchers said in their report that it took two off-the-shelf consumer graphics cards just three hours to decrypt the eight-letter password protecting the affected Guardzilla device’s firmware that ships with each device. Because the keys were buried in the code, anyone with a Guardzilla device could obtain the keys and gain unfettered access to the company’s 13 storage buckets hosted on Amazon’s servers. The researchers tested the keys but did not use them to access the buckets, they said, to prevent unintentional access to Guardzilla customer data.

TechCrunch confirmed that the keys were still active and linked to the listed buckets as of Wednesday. (We could not verify the contents of the buckets as that would be unlawful.)

[...] Guardzilla doesn’t say how many devices it’s sold or how many customers it has, but touts its hardware selling in several major U.S. retailers, including Amazon, Best Buy, Target, Walmart and Staples.

For now, your safest bet is to unplug your Guardzilla from the wall and stop using it.
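
As an added example (not from the article or the researchers' report): a pre-release check a vendor could run over an unpacked firmware image for the two weaknesses described above, embedded AWS access key IDs and a root password stored under a legacy hash scheme. The function names are hypothetical, and the sample blob, key ID and hashes are constructed.

```python
import re

# AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) + 16 characters.
AWS_KEY_ID = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# crypt(3) "$id$" prefixes that are still acceptable for a shipped account.
MODERN = {"5": "sha256crypt", "6": "sha512crypt", "2a": "bcrypt",
          "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
DESCRYPT = re.compile(r"[./0-9A-Za-z]{13}")  # 2-char salt + 11-char hash

def find_aws_key_ids(blob: bytes) -> list[str]:
    """Return every AWS access key ID embedded in a firmware blob."""
    return sorted({m.group().decode() for m in AWS_KEY_ID.finditer(blob)})

def classify_hash(field: str) -> tuple[str, bool]:
    """Map a passwd/shadow hash field to (scheme, is_weak)."""
    if field == "":
        return ("empty", True)                   # account has no password
    if field[0] in "!*" or field == "x":
        return ("locked-or-shadowed", False)
    if field.startswith("$"):
        ident = field.split("$")[1]
        if ident in MODERN:
            return (MODERN[ident], False)
        return ("md5crypt" if ident == "1" else "unknown", True)
    if DESCRYPT.fullmatch(field):
        # Traditional DES crypt uses only the first 8 password characters.
        return ("descrypt", True)
    return ("unknown", True)

def audit_passwd(text: str) -> list[tuple[str, str]]:
    """List (user, scheme) for accounts whose hash scheme is weak."""
    findings = []
    for line in text.splitlines():
        user, _, rest = line.partition(":")
        scheme, weak = classify_hash(rest.split(":")[0])
        if rest and weak:                        # skip lines without fields
            findings.append((user, scheme))
    return findings

# Constructed sample data: neither the key ID nor the hashes are real.
FIRMWARE_BLOB = b"\x00cfg\x00aws_key=AKIAEXAMPLEKEY000000\x00bucket=example\x00"
PASSWD = ("root:XXexamplehash:0:0:root:/root:/bin/sh\n"
          "svc:$6$examplesalt$examplehash:100:100::/:/bin/false\n"
          "daemon:*:1:1::/:/bin/false\n")

if __name__ == "__main__":
    print(find_aws_key_ids(FIRMWARE_BLOB), audit_passwd(PASSWD))
```

Any hit from either function means the secret ships identically in every unit, so the fix is per-device or short-lived credentials rather than a stronger hash alone.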



 
  • (Score: 1, Insightful) by Anonymous Coward on Friday December 28 2018, @05:19PM (2 children)

    by Anonymous Coward on Friday December 28 2018, @05:19PM (#779387)

    For now, your safest bet is to unplug your Guardzilla from the wall and stop using it.

    And never use anything like it again.

    Me: It's insecure

    Idiot: But it's in the cloud.

    Me: No, it's sitting on servers operated by the company.

    Idiot: It's in the cloud, so it is secure.

    Me: Anyone can see your files.

    Idiot: Well, I have nothing to hide so it doesn't matter.

    Me: They can pull all kinds of information from your data.

    Idiot: It is convenient and everybody does it that way. You are just behind the times.

    Me: Don't you care about your privacy at all?

    Idiot: But it's webscale!

    Me: [shoots self in head]

  • (Score: 2) by isostatic on Friday December 28 2018, @06:28PM

    by isostatic (365) on Friday December 28 2018, @06:28PM (#779411) Journal

    Maybe blockchain AI could solve the problem?

  • (Score: 0) by Anonymous Coward on Sunday December 30 2018, @05:41PM

    by Anonymous Coward on Sunday December 30 2018, @05:41PM (#780007)

    But I know how you feel. The idiots we allow to use technology today have gone from subsidizing our use of tech, to ruining our use of tech and invading our privacy.

    Feels almost like a technological reboot is needed, in the hopes that we can start over with a more enlightened group of people in the future.