Just one month after the Federal Trade Commission (FTC) settled a complaint (http://www.ftc.gov/opa/2013/09/trendnet.shtm) with the maker of SecurView, a line of poorly secured home surveillance cameras, a researcher at the firm Duo Security (http://www.duosecurity.com) has found a slew of even more serious security holes in the IZON Camera — a popular product that is sold in Apple Stores and Best Buy, among others. A review by The Security Ledger found dozens of such systems accessible via the public Internet, in some cases allowing anyone to peer into the interiors of private residences and businesses.
Mark Stanislav (@markstanislav), the Security Evangelist at the firm Duo Security, conducted an audit of the IZON hardware and the corresponding iOS mobile application software used to manage it. He documented a slew of troubling security lapses, including an easily guessed default user account for the Web-based GUI used to view live video streams, a wide-open configuration with wide-open ports for accessing the device by Telnet and HTTP, unencrypted communications and video streaming to and from IZON devices, and a hard-coded, undocumented root account for the Linux-based devices.
Using the search engine Shodan.org, Stanislav compiled a list of scores of IP addresses of IZON cameras exposed on the Internet – some deployed behind simple DSL broadband connections. A review of that list by The Security Ledger revealed a handful of exposed Web interfaces that allow anyone with an Internet connection and knowledge of the default user name and password to take control of the camera: viewing a live video feed, making video recordings that can be automatically uploaded to YouTube or other cloud-based services, and even sounding audio alarms. In one case, the camera appeared to be deployed in a private residence in Kissimmee, Florida, where an elderly couple were seen caring for an infant. Others showed the interiors and exteriors of private residences – some occupied, others obviously vacant.
The CTO for Stem Innovation of Salt Lake City (http://steminnovation.com/), which makes the IZON cameras, said that the IZON firmware, server system and iOS applications tested by Stanislav have been updated since the summer, when Stanislav's research was conducted. He claims the research contains “inaccurate and misleading information.” Stem did not provide specific information about any inaccuracies.