ADT Security Camera Flaw Opened Homes, Stores to Eavesdropping

Researchers publicly disclosed security flaws found in ADT-owned LifeShield security cameras If exploited, the vulnerabilities allowed an attacker – connected to the same Wi-Fi network – to eavesdrop on victims’ conversations or tap into a live video feed.

The LifeShield brand is owned by security camera giant ADT. Specifically affected is the LifeShield DIY HD Video Doorbell (which was re-branded to ADT Blue in 2020), which connects to users’ Wi-Fi network and lets them answer the door remotely using the LifeShield mobile app. With 36 percent of market share, ADT makes up a significant chunk of the security camera market.  Researchers said that “1,500 devices” were affected by the flaw – ranging from cameras in small shops to ones in homes.

Researchers contacted ADT before publicly disclosing the flaw and ADT has deployed patches to impacted devices. However, security experts warn ADT’s glitches serve as warning and are just the latest camera maker to patch similar security issues tied to connected cameras.

“Gaps in this fragile ecosystem can have unforeseen consequences and might even turn devices that protect our privacy into tools that violate it,” said researchers with Bitdefender on Wednesday.

What are the Flaws

Researchers outlined several issues in the security cameras. Firstly, local attackers could view credentials from the cloud for each device. The camera is identified by the cloud via its MAC address, and is then authenticated. However, after the device is set up and a password is created, the server would respond to requests that contained the wrong credentials, said researchers. Moreover, it actually responded with the last-known credentials – which could have allowed an attacker to obtain the administrator password of the camera by simply knowing its MAC address. Finding a device’s MAC address is “not difficult at all,” Bogdan Botezatu, director of threat research and reporting for Bitdefender, told Threatpost. “Networked devices broadcast their MAC Address freely on the same LAN,” he said.

In order to exploit the flaw, “an attacker would only need to be connected to the same network as the wireless camera,” Botezatu told Threatpost. Attackers could then use a packet sniffer to scope out the requests between the camera and the server, Botezatu said: “Any packet sniffer would work. Wireshark and TCPdump would be the go-to tools in any hacker’s arsenal,” he said.

“This way, they would be able to intercept the camera communication that also contains the administrator password encoded in base64,” said Botezatu. “Once these credentials are obtained, the attacker can control the camera for as long as they share the same network (the camera’s web interface is only available on the same network).”

ADT-owned doorbell camera. Credit: ADT

Secondly, local attackers were able to gain unrestricted real-time streaming protocol (RTSP) access to the video feed. RTSP is a network control protocol utilized by communication systems to control streaming media servers.

After gaining credentials via the device MAC address, attackers could have easily accessed the interface. This would have given them unauthenticated access to the RTSP server – allowing them to access both video and audio of the camera’s streaming live feed.

Finally, after gaining administrative credentials and accessing the interface, there was an endpoint vulnerable to command injection which can be exploited to gain root access, said researchers. Stemming from unsanitized input, this flaw (CVE-2020-8101) allows local attackers to inject authenticated commands.

“The attacker gains control to the audio and video feed even in the absence of credentials, as vulnerable versions of firmware used to expose RSTP feeds on the network at rtsp://[ip-address]:554/img/media.sav,” Botezatu told Threatpost.

Disclosure to ADT

Researchers first contacted the vendor on Feb. 6, 2020, and did not hear back until Aug. 3, 2020. On Aug. 17, an automatic update was released to fix the issue. Fast forward to this Wednesday, researchers finally publicly disclosed the vulnerability.

“We worked with Bitdefender to identify and quickly patch the vulnerabilities its researchers privately brought to our attention,” an ADT spokesperson told Threatpost. “All the affected doorbell cameras have been patched.”

Researcher meanwhile said that ADT “was quick to address the issues once contact was established.”

“Patches were applied to the production servers and all 1500 affected devices within 2 weeks of being notified of the vulnerabilities,” they said.

Various vulnerabilities continue to plague security cameras. In March 2020, Taiwan-based LILIN warned that attackers were exploiting multiple zero-day flaws in its CCTV security cameras in order to add them to various botnets. And in October 2020, Cisco issued patches for high-severity vulnerabilities plaguing its popular video surveillance IP cameras, which could allow an unauthenticated, adjacent attacker to execute arbitrary code.

However, the level of sensitive footage and audio that these devices collect also make them prime targets for disturbing attacks that impede on customers’ privacy.

Last week, former ADT employee Telesforo Aviles pleaded guilty to accessing customers’ security camera footage in order to spy on their most private moments, according to the U.S. Attorneys’ Office.

Threatpost has reached out to ADT for further comment on this latest flaw and has not yet heard back.

Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World , sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!