SIK-2016-045


Title:

Weak Configuration Interface Authentication on Gigaset Smarthome Camera

Report ID

SIK-2016-045

Summary:

  • Vendor: Gigaset elements GmbH
  • Product: Gigaset Smarthome Camera
  • Affected Version: Firmware 1.10 (build 20140802)
  • Severity: medium
  • Short summary: The web interface for the Gigaset Smarthome camera is reachable without authentication.

Details:

The configuration interface, which is reachable through a web server, has a weak authentication mechanism by default. The credentials are:

Username: admin
Password: (echo -n "LUCKOTVF<MAC-address-reverse-order>YCAMVF" | base64)

This means the password is a combination of constant strings and the MAC address of the camera in reverse order.
To gain access to the webcam configuration interface and web streams, an attacker must be in the same network. The MAC-based password can be determined very easily by an attacker. In the same network segment, a scanner like nmap delivers the MAC address. If the webcam is connected to the network via WIFI, the MAC address can also be extracted over the air. With access to the web interface, an attacker can call different hidden features and configurations. He can:

  • Enable different remote clients like ftp, mail or webserver, which allow additional access to the system
  • Get a backup of the camera configuration containing a private key for generating the https server certificate
  • Modify the backup to read out additional arbitrary system files like /etc/passwd. /etc/passwd of the unpatched new camera: root:$1$Sl83jCfU$NqYSEDJJ7kL.ARJscpPq6.:0:0:root:/root:/bin/sh
  • Abuse the information leakage through the backup function to get more detailed system and environment information for further exploitation
  • Connect the camera to another WI-FI access point

Workaround

In general, it is hard to define effective workarounds that guarantee the protection of the system. The attack is carried out by an internal attacker, so a secure network infrastructure is important. The supported WIFI connection of the camera should be deactivated and replaced by a cable connection. This prevents the MAC address, which can be abused to calculate the password, from being stolen over the air.

Suggested Mitigation

After the first camera pairing the user should be able to change or set his own password for the authentication. It also should be possible to define a random secure password for the system by the application itself.
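
A sketch of the suggested mitigation, added here as an example and not taken from the vendor's firmware: at first pairing the device gets a random password, only a salted scrypt hash is stored, and a user-chosen replacement is rejected if it embeds the device's MAC address. All function names, the record layout, the scrypt parameters and the 12-character minimum are assumptions for illustration.

```python
import base64, binascii, hashlib, hmac, secrets

SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # assumed cost parameters

def _hash(password, salt):
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)

def derived_from_mac(password, mac):
    """True if the MAC (forward, byte-reversed or character-reversed) appears
    in the password, either directly or after base64-decoding it."""
    hexmac = mac.replace(":", "").replace("-", "").lower()
    by_byte = "".join(reversed([hexmac[i:i + 2] for i in range(0, 12, 2)]))
    needles = {hexmac, by_byte, hexmac[::-1]}
    texts = [password]
    try:
        texts.append(base64.b64decode(password, validate=True).decode("latin-1"))
    except (binascii.Error, ValueError):
        pass  # not base64, only the raw text is checked
    cleaned = [t.lower().replace(":", "").replace("-", "") for t in texts]
    return any(n in c for n in needles for c in cleaned)

def provision(mac):
    """First pairing: random password; only the salted hash is stored."""
    password = secrets.token_urlsafe(16)
    while derived_from_mac(password, mac):  # vanishingly unlikely, kept for safety
        password = secrets.token_urlsafe(16)
    salt = secrets.token_bytes(16)
    return password, {"mac": mac, "salt": salt, "hash": _hash(password, salt)}

def verify(record, candidate):
    """Constant-time comparison of the stored and recomputed hash."""
    return hmac.compare_digest(_hash(candidate, record["salt"]), record["hash"])

def change_password(record, old, new):
    """User-chosen replacement; refuses a wrong old password and a new
    password that is short or built from the device's MAC address."""
    if not verify(record, old):
        return False
    if len(new) < 12 or derived_from_mac(new, record["mac"]):
        return False
    record["salt"] = secrets.token_bytes(16)
    record["hash"] = _hash(new, record["salt"])
    return True
```
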

Timeline

  • 2016-07-27 Vulnerability Discovered
  • 2016-08-15 Vulnerability Reported
  • 2016-09-14 Vulnerability Fixed