IZON IP Camera: Hardcoded Passwords and Unencrypted Data Abound
With an ever-increasing list of Internet- and WiFi-enabled devices, it shouldn't be shocking to find out that some of them have serious security flaws. With recent action by the FTC against TRENDnet, the government and public are watching more closely than ever with regard to the security of devices that form this concept of "The Internet of Everything".
The Security Ledger published an article about security research that I had performed against an IP-enabled camera called the IZON. I had installed one of these cameras in my home some time ago, and began to notice concerning traits about its network presence that took me down a long process of assessing the issues within the camera's security profile while also attempting to open appropriate communication with the manufacturer to resolve these issues. I'll let the Security Ledger article help to explain those nuances further.
Long story short: be wary.
My hope (aside from seeing all of these issues fixed in the IZON) is that developers and security professionals will do a better job at assessing the security of these devices we are so readily plugging into our home and business networks. There's a lot at stake for consumer privacy right now and we will have to weigh the risks against the immense convenience we've been given by vendors.
Below are the slides that I recently presented at both the Triangle InfoSeCon and Rochester Security Summit in the last week. If you're keeping track at home, you'll note that CVE-2013-6236 is attached to the hard-coded password issues for this device (both the Linux and web application credentials).