As a part of Lullabot’s security team, we’ve been keeping track of how the Internet of Things plays a role in our company security. Since we’re fully distributed, each employee works day-to-day over their home internet connection. This subreddit reminds us that most “smart” devices are actually quite dumb as far as security goes. With malware like Mirai actively focusing on home IoT devices including cameras, we know that anything we plug in will be under constant assault. However, there can be significant utility in connecting physical devices to your local network. So, my question: is it possible to connect an “IoT” device to my home network securely, even when it has known security issues?

An opportunity presented itself when we needed to buy a new baby monitor that supported multiple cameras. The Motorola MBP853CONNECT was on sale, and included both WiFi and a “regular” proprietary viewer.

The Research

Before starting, I wanted to know if anyone else had done any testing with this model of camera. After searching for “motorola hubble security” (Hubble is the name of the mobile app), I came across Push To Hack: Reverse engineering an IP camera. This article goes into great detail about the many flaws they found in a different Motorola camera aimed at outdoor use. Given that both cameras are made by Binatone, and connect to the same remote services, it seemed likely that the MBP853 was subject to similar vulnerabilities. The real question was if Motorola updated all of their cameras to fix the reported bugs, or if they just updated a single line of cameras.

These articles were also great resources for figuring out what the cameras were capable of, and I wouldn’t have gotten as far in the time I had without them:

- Hacking the Motorola Blink 1 Baby Monitor (Part 2)
- Improving the Motorola Blink Baby Monitor/Camera

I wanted to answer these three questions about the cameras:

- Can the cameras be used in a purely “local” mode, without any cloud or internet connectivity at all?
- If not, can I allow just enough internet access to the camera so it allows local access, but blocks access to the cloud services?
- If I do need to use the Hubble app and cloud service, is it trustworthy enough to be sending images and sounds from my child’s bedroom?

I recently redid my home network, upgrading to an APU2 running OPNSense for routing, combined with a UniFi UAP-AC-PRO for wireless access. Both software stacks support VLANs, a way to segregate and control traffic between devices on the same ‘physical’ network. For WiFi, this means creating a separate SSID for the cameras, and assigning it a VLAN ID in the UniFi controller. Then, in OPNSense, I created a new interface with the same VLAN ID. On that interface, I enabled DHCP, and then set up basic firewall rules to block all traffic. That way, I could try setting up the camera while using Wireshark on my laptop to sniff the traffic, without worrying that I was exposing my real network to anything nefarious.

One of the benefits of running a “real” operating system on your router is that all of our favorite network debugging tools are available, including tcpdump. Since Wireshark will be running on our local workstation, and not our router, we need to capture the network traffic to a separate file. Once I knew the network interface name using ifconfig, I then used SSH along with -w - to reroute the packet dump to my workstation. If you have enough disk space on the router, you could also dump locally and then transfer the file after.

$ ssh <router-address> tcpdump -w - -i igb0_vlan3000 > packet-dump.pcap

After setting this up, I realized that this wouldn't show traffic of the initial setup. That’s because, in setup mode, the WiFi camera broadcasts an open WiFi network. You then have to use the Android or iOS mobile app to configure the camera so it has the credentials to your real network. So, for the first packet dump, I joined my laptop to the setup network along with my phone. Since the network was completely open, I could see all traffic on the network, including the API calls made by the mobile app to the camera.

Let's make sure this smart camera is using HTTPS and keeps my WiFi password secure.
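The HTTPS check on a capture like packet-dump.pcap can also be scripted instead of eyeballed in Wireshark. The following is an added example, not code from the original article: it reads a classic pcap file as written by tcpdump -w and reports which destinations received plaintext HTTP requests and which received TLS handshakes. The sample frames, addresses and request path are constructed for the example, and only untagged Ethernet/IPv4/TCP frames are handled.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ")

def classify_pcap(data):
    """Map (dst_ip, dst_port) -> {'http', 'tls'} for TCP payloads in a classic pcap."""
    e = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if e is None:
        raise ValueError("not a classic microsecond pcap (pcapng is not handled)")
    if struct.unpack(e + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    seen, off = {}, 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(e + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # untagged IPv4 only
            continue
        tcp = 14 + (frame[14] & 0x0F) * 4
        if frame[23] != 6 or len(frame) < tcp + 20:  # protocol 6 = TCP
            continue
        ip_end = 14 + struct.unpack("!H", frame[16:18])[0]  # drops Ethernet padding
        payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:ip_end]
        key = (".".join(map(str, frame[30:34])), struct.unpack("!H", frame[tcp + 2:tcp + 4])[0])
        if payload.startswith(HTTP_METHODS):
            seen.setdefault(key, set()).add("http")  # readable by anyone on the open network
        elif payload[:2] == b"\x16\x03":  # TLS handshake record
            seen.setdefault(key, set()).add("tls")
    return seen

def cleartext_endpoints(data):
    """Endpoints that received at least one plaintext HTTP request."""
    return sorted(k for k, kinds in classify_pcap(data).items() if "http" in kinds)

def build_frame(dst_ip, dst_port, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample below (not captured traffic)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():
    """Constructed capture: one plaintext HTTP request and the start of a TLS ClientHello."""
    frames = [build_frame([192, 0, 2, 1], 80, b"GET /setup?ssid=example HTTP/1.1\r\n\r\n"),
              build_frame([198, 51, 100, 7], 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

On a real capture, pass the file's bytes to cleartext_endpoints(); any endpoint it returns carried a request that every other client on the open setup network could read.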