Putting internet-connected cameras in your home requires some blind trust—namely, that these devices are designed without any major, easily discoverable security vulnerabilities. But that’s not always the case, as researchers at Rapid7 say they found with Guardzilla’s home security cameras. Recently spotted flaws mean it wouldn’t take a super skilled attacker to access users’ stored files or videos, according to the firm.
Rapid7’s researchers noted that the vulnerability, which was found in Guardzilla’s indoor surveillance system model, is a firmware issue. They say they discovered that all of the security devices use the same hardcoded keys, and that the password was easy to hack. “Accessing these S3 storage credentials is trivial for a moderately skilled attacker,” the researchers wrote. S3—short for Amazon’s Simple Storage Service—is the cloud storage host Guardzilla uses to store its customers’ data gathered from their security cameras. Because of this apparently weak security protocol, all Guardzilla All-In-One Video Security System users could access and view any other user’s footage downloaded from their account, the researchers say.
Researchers spotted the vulnerability during the 0DAYALLDAY Research Event at the end of September and reportedly informed Guardzilla, which manufactures the smart home security system, the following month. The researchers wrote in a post announcing the security issue on Thursday that they hadn’t yet heard back from the company.
“They could update the keys and update the firmware, but that just means they’ll be rediscovered again by the same techniques,” Tod Beardsley, Rapid7’s research director, told TechCrunch. “The only way I can think of to fix this completely is to change the keys, stand up a proxying service and update the firmware to use this proxying service with unique-per-device accounts.”
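The per-device proxy design Beardsley describes can be sketched as follows. This is an added example, not code from Rapid7, Guardzilla or the original article: the storage credentials stay on the proxy, each camera signs requests with its own secret, and the proxy confines each camera to its own storage prefix. The device IDs, secrets, `devices/<id>/` prefix layout and function names are all assumptions.

```python
import hashlib
import hmac
import time

# Constructed sample data: one secret per device, provisioned at manufacture (hypothetical).
DEVICE_SECRETS = {"cam-001": b"k1-constructed", "cam-002": b"k2-constructed"}
REVOKED = set()   # device IDs whose secrets were extracted or reported stolen
MAX_SKEW = 300    # seconds a signed request stays valid


def sign_request(device_id, secret, object_key, ts):
    """Device side: sign the upload request with this device's own secret."""
    msg = f"{device_id}|{object_key}|{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def authorize_upload(device_id, object_key, ts, signature, now=None):
    """Proxy side: return the storage path to write, or raise PermissionError.

    The cloud storage credentials live only on the proxy; firmware never holds them.
    """
    now = time.time() if now is None else now
    secret = DEVICE_SECRETS.get(device_id)
    if secret is None or device_id in REVOKED:
        raise PermissionError("unknown or revoked device")
    if abs(now - ts) > MAX_SKEW:
        raise PermissionError("stale request")
    expected = sign_request(device_id, secret, object_key, ts)
    if not hmac.compare_digest(expected, signature):
        raise PermissionError("bad signature")
    # Scope check: a device may only touch objects under its own prefix.
    if object_key.startswith("/") or ".." in object_key.split("/"):
        raise PermissionError("invalid object key")
    return f"devices/{device_id}/{object_key}"
```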
According to TechCrunch, a lawyer representing the company said Rapid7 hadn’t contacted them about the vulnerability. They reportedly insisted that the “accusations are false,” but did not provide additional information.
That a security camera is susceptible to hackers is hardly a revelation—police bodycams, Nest security cameras, and baby monitors have all been found guilty of damning and wildly dumb security flaws. And in 2012, research indicated that three of the leading surveillance camera brands were equipped with egregiously weak security measures.
What’s particularly frustrating about these types of vulnerabilities is that we have a wealth of research and tips from security experts on best practices for these devices—ones that could prevent intimate recordings of your inner life from being made available to mediocre hackers online.
We have reached out to Guardzilla to comment on the reported security vulnerability and will update with a response.