Exclusive: How safe is the Maximus Answer DualCam video doorbell?
![Maximus Answer DualCam review](https://cdn.mos.cms.futurecdn.net/pNeaziM8tL9R7Kaown45FC-320-80.jpg)
The Maximus Answer DualCam is one of the best video doorbells, as its two-camera setup lets you see very clearly whether someone has left a package at your door. But while the DualCam may be good at protecting your packages, how good is it at protecting your data?
As part of a partnership with Tom's Guide, security firm Bitdefender has analyzed the Maximus Answer DualCam video doorbell that Tom's Guide reviewed in 2020. Bitdefender looked at the video doorbell's network communications and its internal software and hardware, and its report found the video doorbell's security to be pretty good overall.
Some problems with server authentication
The only major vulnerability was a lack of server authentication in two instances. The video doorbell did not verify the Amazon Web Services data "bucket" to which it uploaded video feeds and logs. Nor did it verify the server from which it downloaded firmware updates.
These network communications are sent using the plain old HTTPS web protocol, not the OpenVPN protocol used to handle commands to the video doorbell from the smartphone app.
That flaw could, at least in theory, lead to a man-in-the-middle attack if an attacker who was already on the doorbell owner's home Wi-Fi network could force the doorbell to accept a bogus HTTPS certificate and intercept the uploads.
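To make the reported flaw concrete, here is an added Go example (not the page's or Bitdefender's code) that runs an in-memory TLS handshake twice: once with a client that skips certificate verification, which is what a doorbell that does not authenticate its upload server amounts to, and once with the vendor's certificate pinned. The upload host name and both certificates are constructed stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

const uploadHost = "uploads.example.invalid" // hypothetical; the real bucket name is not on the page

// newCert mints a self-signed certificate for uploadHost (constructed test data).
func newCert() tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{uploadHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

func pinned(vendor tls.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	leaf, _ := x509.ParseCertificate(vendor.Certificate[0])
	pool.AddCert(leaf)
	return &tls.Config{ServerName: uploadHost, RootCAs: pool} // only the vendor's certificate is trusted, hostname checked
}

// accepted runs an in-memory TLS handshake and reports whether the client accepted the server.
func accepted(server tls.Certificate, client *tls.Config) bool {
	c, s := net.Pipe()
	go tls.Server(s, &tls.Config{Certificates: []tls.Certificate{server}}).Handshake()
	err := tls.Client(c, client).Handshake()
	c.Close()
	s.Close()
	return err == nil
}

func main() {
	vendor, rogue := newCert(), newCert()
	flawed := &tls.Config{InsecureSkipVerify: true} // the reported flaw: any certificate passes
	fmt.Println(accepted(rogue, flawed), accepted(rogue, pinned(vendor))) // true false
}
```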
"As a result," says the Bitdefender report, "an attacker sitting between the camera and the servers could intercept the uploaded logs and recordings."
So your nasty neighbor could intercept your video feed this way. To protect yourself against such an attack, however unlikely it may be, make sure you use a strong, unique password to access your home Wi-Fi network.
As for the log files, "they do not contain sensitive information that could be useful to an attacker," the report says. "Most of the messages pertain to the functioning of the camera."
While "the surrounding Wi-Fi networks and their MAC addresses are transmitted, as well as the name of the current network" as part of the log files, "the password for the current network is not transmitted."
Firmware updates are very well protected
Hacking the doorbell with a bogus firmware update, a common method of attacking smart-home devices, would be very difficult to pull off on the Maximus Answer DualCam for a number of reasons.
First, the web address, or URL, of the update server seems to be hard-coded in the Maximus Answer DualCam video doorbell's firmware, and changing the server address would require root access.
Second, the Bitdefender report says that "the attack requires knowledge of both the ta.key file (to authenticate TLS connections), and a way to trick the camera into connecting to the rogue server."
At least in theory, an attacker could perhaps "spoof" the Maximus server by setting up a rogue Wi-Fi hotspot and forcing the doorbell to connect to that. Then a poisoned DNS file on the rogue hotspot could redirect queries for the server URL to the attacker's machine as the "server" instead.
Third, setting up or changing the doorbell's Wi-Fi network connection can only be done via Bluetooth using the Kuna companion app on the owner's smartphone.
The Kuna app relays the doorbell's serial number plus random data — a "nonce," in cryptography terms — to the Maximus server. The server replies with a token (consisting of a "hashed" version of the nonce plus a secret code) that authorizes the video doorbell and gives the doorbell the local Wi-Fi access credentials it got from the owner's Kuna smartphone app.
"The Bluetooth connection can be established at any time to change the Wi-Fi network, but only the camera owner can initiate it," the report says.
"If an attacker wishes to change the network, they would need either the secret to create the token, or the token provided from the server. The secret is unknown, and the server sends the token to the owner only."
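The token exchange described above, as an added Go example that is not taken from the report: it assumes the token is an HMAC-SHA256 over the serial number and nonce under a secret shared by the server and the doorbell (the exact hash construction is not given on the page), and shows that knowing the serial number alone lets nobody mint a token or reuse a captured one.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Assumed instantiation of the scheme the report describes:
// token = HMAC-SHA256(secret, serial || nonce). The real construction is not on the page.

// issueToken is the server side: the server holds the per-device secret and
// binds the token to the serial number and the nonce it was handed.
func issueToken(secret []byte, serial string, nonce []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(serial))
	mac.Write(nonce)
	return mac.Sum(nil)
}

// acceptWiFiChange is the doorbell side: it recomputes the token with its own
// copy of the secret and the nonce it generated, comparing in constant time.
func acceptWiFiChange(secret []byte, serial string, nonce, token []byte) bool {
	return hmac.Equal(token, issueToken(secret, serial, nonce))
}

func main() {
	secret := []byte("constructed per-device secret") // constructed sample
	serial := "SN-CONSTRUCTED-0001"                     // constructed sample
	nonce := make([]byte, 16)
	rand.Read(nonce)

	token := issueToken(secret, serial, nonce)
	fmt.Println("owner's token accepted:", acceptWiFiChange(secret, serial, nonce, token))

	// Knowing the serial number but not the secret does not allow minting a token.
	forged := issueToken([]byte("guess"), serial, nonce)
	fmt.Println("forged token accepted:", acceptWiFiChange(secret, serial, nonce, forged))

	// A captured token is bound to its nonce and fails against a fresh one.
	fresh := make([]byte, 16)
	rand.Read(fresh)
	fmt.Println("replayed token accepted:", acceptWiFiChange(secret, serial, fresh, token))
}
```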
Finally, the Maximus Answer DualCam's firmware updates are digitally signed by the vendor. A rogue firmware update delivered by a rogue server would simply not be installed.
"Any modifications to the binary will result in a signature mismatch," says the report. "The binary will be discarded in this case. An attacker can't forge the signature, as it requires the private certificate corresponding to the public key used to check the signature."
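The signature check the report describes, as an added Go example rather than the vendor's code: the update container layout (signature prepended to the image) and the use of Ed25519 over a SHA-256 digest are assumptions, and the firmware image is a constructed sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hypothetical update container (the real Maximus format is not on the page):
// a 64-byte Ed25519 signature over SHA-256(image), followed by the image.

// packUpdate is the vendor build step: sign the image digest and prepend the signature.
func packUpdate(signer ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return append(ed25519.Sign(signer, digest[:]), image...)
}

// installUpdate is the doorbell side: the image is accepted only if the signature
// verifies under the vendor's public key; any modified binary is discarded.
func installUpdate(vendorPub ed25519.PublicKey, update []byte) ([]byte, error) {
	if len(update) < ed25519.SignatureSize {
		return nil, errors.New("update too short to carry a signature")
	}
	sig, image := update[:ed25519.SignatureSize], update[ed25519.SignatureSize:]
	digest := sha256.Sum256(image)
	if !ed25519.Verify(vendorPub, digest[:], sig) {
		return nil, errors.New("signature mismatch: update discarded")
	}
	return image, nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image v1.2.3") // constructed sample payload
	update := packUpdate(vendorPriv, image)

	_, err := installUpdate(vendorPub, update)
	fmt.Println("genuine update:", err) // <nil>

	tampered := append([]byte(nil), update...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the image
	_, err = installUpdate(vendorPub, tampered)
	fmt.Println("modified binary:", err) // signature mismatch: update discarded

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // rogue server without the vendor key
	_, err = installUpdate(vendorPub, packUpdate(attackerPriv, image))
	fmt.Println("re-signed with another key:", err) // signature mismatch: update discarded
}
```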
Locked down pretty tight
Otherwise, the Maximus Answer DualCam video doorbell has good security. As noted earlier, for most communications it uses the OpenVPN protocol to communicate with its server, so that third parties on the same wireless network as the video doorbell cannot decipher the signals.
Each camera has a unique digital identifier to identify itself to its servers. Attempts to access ports on the video doorbell over the local Wi-Fi network were unsuccessful, and so was an attempt to exploit the OpenVPN connection using a widely applicable flaw.
Commands sent by the owner to the video doorbell are routed through Maximus' servers, but each request has to be accompanied by an authorization token.
Also, "to alter the camera's settings, the user requires its serial number. An attacker who knows the serial number cannot alter settings, as ownership is validated."
Similar authentication is required for live streaming.
Even UART connections, which involve clipping wires to specific spots on the motherboard for software or hardware debugging, require a password in this case. UART connections are often a reliable backdoor into a smart-home device, but not on the Maximus Answer DualCam video doorbell.
How Bitdefender tested the Maximus Answer DualCam
Bitdefender researchers used several tools and methods to analyze the security of the Maximus Answer DualCam.
A virtual machine running on a PC served as the Wi-Fi access point. The Burp Suite penetration-testing tool was used to monitor encrypted network traffic. The UBI Reader Extract Files utility was used to read the filesystem on the firmware disk image.
The Bluetooth Host Controller Interface logging tool built into Android (with Developer mode activated) was used to capture data packets exchanged between a smartphone and the video doorbell during the initial setup process, and the Wireshark network-packet analyzer was used to examine those packets. A custom digital certificate was used to stage a man-in-the-middle attack in order to decrypt traffic to and from the Android app.
The Ghidra decompiler developed by the U.S. National Security Agency was used to reverse-engineer binary data, i.e. turning data that was simply bits and bytes back into source code. The network mapper Nmap was used to determine that the Maximus Answer DualCam had no open ports.
Safe to use? Yes, mostly
Overall, the Maximus Answer DualCam video doorbell seems safe to use, except for the remote possibility that someone already on your Wi-Fi network might be able to intercept the video feed, provided the attacker knows how to spoof a digital server certificate.
We think that's not something most people would need to worry about, unless they work for a defense contractor or some other organization having to do with national security. If we were to give devices letter grades in security, we'd give the Maximus Answer DualCam video doorbell an A-minus.
Source: https://www.tomsguide.com/news/maximus-answer-dualcam-video-doorbell-security-analysis