Florida Tech students recently discovered privacy flaws in connected security and doorbell cameras that prevent user accounts from being removed, leading to potential malicious attacks. According to Florida Tech Newsroom's previous report, internet-connected doorbell and security cameras manufactured by Nest, Ring, SimpliSafe, and eight other companies were discovered to have "systemic design flaws."
The privacy flaws were discovered by Blake Janes, a Florida Tech computer science student. The systemic design flaws allow a shared account that might have been removed to actually stay in place with continued access to the video feed.
The mechanism for removing user accounts was confirmed not to work after Janes found that active user accounts cannot be removed as intended on many camera systems. The Florida Tech student claimed that the privacy flaws allow cyber attackers to conduct malicious acts through the active user accounts that are retained on the camera system. Hackers could exploit the flaws by covertly recording video and audio in a substantial invasion of privacy, such as in instances of electronic stalking.
User accounts cannot be removed from connected security and doorbell cameras
The findings were published in the paper "Never Ending Story: Authentication and Access Control Design Flaws in Shared IoT Devices" by Janes and two Florida Tech faculty members from the university's top institute for cybersecurity research, L3Harris Institute for Assured Information. Heather Crawford, assistant professor in computer engineering and sciences, and Terrence O'Connor, program chair of cybersecurity, also took part in the study.
Janes's work informed the vendors of the doorbell cameras, who were also offered several strategies to lessen the underlying security issues. A $3,133 "bug bounty" was awarded to Janes in recognition of his work, showing the importance of the discovery of the privacy flaws in the Nest series of devices.
Samsung and other manufacturers are currently coordinating with Janes on the recommended actions that could fix the vulnerability. The privacy flaw allows a person to access another person's camera even after the shared account has been removed.
The Florida Tech team noticed that the scenario usually happens because access for a user account is granted or removed in the cloud and not directly on the smartphones or the camera involved. However, manufacturers mostly prefer this approach since it lets owners transmit data without connecting their cameras directly to the smartphone.
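A minimal model of the cloud-side design described above, added here as an illustration and not taken from the study or any vendor's code. It assumes the removed user's phone holds a previously issued session token (a detail the article does not specify) and contrasts removal that only edits the share list with removal that also invalidates sessions; all names are hypothetical.

```python
# Added illustration: a toy cloud access-control service for a shared camera.
# Class, method and account names are hypothetical; tokens are constructed.
import secrets


class CameraCloud:
    """Cloud-side sharing where access is decided away from the device."""

    def __init__(self, owner, revoke_sessions):
        self.shared = {owner}      # accounts currently allowed on the camera
        self.sessions = {}         # token -> account, issued at login
        self.revoke_sessions = revoke_sessions

    def share(self, account):
        self.shared.add(account)

    def login(self, account):
        # Access is checked at login and a long-lived token is issued.
        if account not in self.shared:
            raise PermissionError(account)
        token = secrets.token_hex(16)
        self.sessions[token] = account
        return token

    def remove(self, account):
        self.shared.discard(account)
        if self.revoke_sessions:
            # Hardened: removal also drops every token the account holds.
            self.sessions = {t: a for t, a in self.sessions.items()
                             if a != account}

    def can_stream(self, token):
        account = self.sessions.get(token)
        if account is None:
            return False
        if self.revoke_sessions:
            # Hardened: re-check the share list on every request as well.
            return account in self.shared
        # Flawed: a known token is enough; the share list is not consulted.
        return True


def access_after_removal(revoke_sessions):
    """Return True if a removed guest can still stream with an old token."""
    cloud = CameraCloud("owner@example.test", revoke_sessions)
    cloud.share("guest@example.test")
    token = cloud.login("guest@example.test")  # guest's phone stays logged in
    cloud.remove("guest@example.test")         # owner removes the account
    return cloud.can_stream(token)
```

A check like `access_after_removal` is the kind of regression test a vendor can run against its own sharing API: remove a shared account, then confirm the previously issued session is refused.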