"Systematic design flaws" have been discovered in leading internet-connected doorbell and security cameras by a Florida Institute of Technology student.
Blake Janes unearthed vulnerabilities in devices manufactured by Ring, Nest, SimpliSafe, and eight other companies relating to the removal of active user accounts. The flaws allow a shared account to remain in place and continue accessing the video feed despite appearing to have been removed.
The flaws could allow malicious actors to covertly record audio and video from vulnerable devices indefinitely, invading the privacy of victims on their very own doorsteps. In electronic stalking cases, or cases where a cohabiting couple who shared access to a device have ceased to live together, such flaws could have serious repercussions.
The vulnerability arose from devices' being designed in such a way that decisions to grant access are completed in the cloud and not made locally on either the camera itself or the users' smartphones.
Computer science major Janes's discovery was presented in "Never Ending Story: Authentication and Access Control Design Flaws in Shared IoT Devices," by the student and two Florida Tech faculty members from the university’s top institute for cybersecurity research, the L3Harris Institute for Assured Information—Terrence O’Connor, program chair of cybersecurity, and Heather Crawford, assistant professor in computer engineering and sciences.
"Our analysis identified a systemic failure in device authentication and access control schemes for shared Internet of Things ecosystems," the paper concluded. "Our study suggests there is a long road ahead for vendors to implement the security and privacy of IoT produced content."
Janes informed vendors about the vulnerabilities and also suggested several fixes. For identifying a major flaw in the Nest suite of devices, Google awarded the hard-working student a bug bounty payment of $3,133.
Other vendors, including Samsung, have been communicating with Janes about recommended solutions to fix the vulnerability.
Janes and his co-authors found the flaws in the Blink Camera, Canary Camera, D-Link Camera, Geeni Mini Camera, Doorbell and Pan/Tilt Camera, Merkury Camera, Momentum Axel Camera, Nest Camera Current and Doorbell Current, NightOwl Doorbell, Ring Pro Doorbell Current and Standard Doorbell Current, SimpliSafe Camera and Doorbell, and the TP-Link Kasa Camera.