This blog is the fourth post in our annual 12 Days of HaXmas series.

Seasons greetings, HaXmas readers! While most HaXmas posts this holiday season are full of fun and frivolity, this one is, admittedly, about as dry as last year’s fruitcake: a pretty routine vulnerability disclosure in a piece of IoT gear. Per Rapid7’s normal disclosure policy, we’re publishing this today, which happens to be right about 60 days after our first disclosure to the vendor of this video camera. Unfortunately, despite multiple efforts at coordination with the vendor, we haven’t heard back from them at all, so with that, we’ll just jump in with the vulnerability proper.

Executive summary

The Guardzilla IoT-enabled home video surveillance system contains a shared Amazon S3 credential used for storing saved video data. Because of this design, all users of the Guardzilla All-In-One Video Security System can access each other’s saved home video.

This issue is an instance of CWE-798: Use of Hard-coded Credentials. It has a CVSSv3 base score of 10.0, since once the password is known, any unauthenticated user can collect the data from any affected system over the internet.

Product description

The Guardzilla All-In-One Video Security System is a home security platform that provides indoor video surveillance. More information about the product can be found at the vendor’s website. Only the GZ501W model was tested. It is not known whether other models are affected.

Credit

This issue was discovered by Nick McClendon, Andrew Mirghassemi, Charles Dardaman, INIT_6, and Chris, all of 0DayAllDay. This issue is being disclosed in accordance Rapid7's vulnerability disclosure policy in conjunction with 0DayAllDay.

Exploitation

Embedded S3 credentials have unlimited access to all S3 buckets provisioned for that account. This was determined through static analysis of the firmware shipping with the device. Once the firmware was extracted and the root password “GMANCIPC” was cracked, the Amazon S3 access key was recovered:

AccessKeyIdG AKIAJQDP34RKL7GGV7OQ
secretAccessKeyG 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
hostName s3.amazonaws.com
bucket motion-detection

Once this key was recovered from the firmware, it was checked against the us-west-1 region instance of AWS S3, and it was discovered that the key did not have any specific bucket policy, meaning this key has full access against the following S3 buckets provisioned by the vendor:

  • elasticbeanstalk-us-west-2-036770821135
  • facial-detection
  • free-video-storage
  • free-video-storage-persist
  • gz-rds-backups
  • gz-test-bucket
  • motion-detection
  • premium-video-storage
  • premium-video-storage-persist
  • rekognition-video-console-demo-cmh-guardzilla-2918n05v5rvh
  • setup-videos
  • wowza-test-bucket

For more technical details of the issue, please see 0dayAllDay’s disclosure of the issue.

Impact

Given the Amazon S3 AccessKeyIdG and secretAccessKeyG values, an attacker can connect to the provisioned Amazon S3 account and access the above named buckets. Of particular interest to attackers would be the buckets “free-video-storage,” “free-video-storage-persist,” “premium-video-storage,” and “premium-video-storage-persist.” Unfortunately, as of this writing, Guardzilla has not yet responded to this advisory, so the full scope of the impact is still unknown.

Remediation

A vendor-supplied updated firmware should not rely on a common, direct connection to Amazon S3 resources; instead, individual devices should authenticate to a cloud-hosted service individually. This service would then manage proper authorization to individualized data storage.

In the absence of a patch, users should ensure that cloud-based data storage functions of the device are not enabled. Users should contact Guardzilla for guidance on how to protect their private data.

Disclosure timeline

  • Saturday, Sept. 29, 2018: Issue discovered at 0DayAllDay Research Event
  • Wednesday, Oct. 3, 2018: Issue disclosed to Rapid7 for coordinated disclosure
  • Wednesday, Oct. 24, 2018: Issue disclosed to vendor
  • Thursday, Nov. 8, 2018: Issue disclosed to CERT/CC as VRF#18-11-NPPXC
  • Friday, Dec. 14, 2018: CVE-2018-5560 reserved
  • Thursday, Dec. 27, 2018: Public disclosure with technical writeup from 0DayAllDay
  • Tue, Jan. 29, 2018: Updated CVSSv3 score from 8.6 to 10.0