This is indeed a scary story.
Today, I went to my favorite discount grocery store (ALDI) to buy some items. To my surprise, they offered PTZ WiFi WebCams for less than 40EUR (about 45 bucks), so at the checkout I asked for a couple of those cameras.
Once back home, I did some quick research and couldn’t believe what I found. The camera came with default credentials (guess what: admin as username and a blank password), so I started using my NetworkToolbox to explore the HTTP HEAD information of the camera’s internal web server. The results were:
This revealed a very ‘good’ string (mcdhttpd) to search for on Morpheus or Shodan with my NetworkToolbox. Quick searches confirmed that the ALDI camera was in fact the renamed Rollei SafetyCam. (You will agree that this camera uses a quite misleading name after reading further. ALDI must have known about the issues, as they call it differently 😉 )
Both Morpheus and Shodan found hundreds of such cameras, even around the world. Most of them are in Germany, Austria, Hungary and Switzerland, where ALDI is located and seemed to sell this WebCam. Of course, I didn’t try, but I am pretty sure that there are lots of cameras using the same default credentials.
UPDATE: Thank you for your reports, confirming that several of those entries are indeed still using the default credentials.
Until now, you might think, “Ok, so I can look into somebody else’s garden or nursery room or listen to what they say – so what?”
But it gets worse.
The funny WebCam offers WiFi and direct DynDNS support, and so it also includes configuration pages for maintaining those credentials. The good thing is, the camera supports WPA2 PSK with AES and TKIP WiFi encryption; the bad thing is, the PSK key is displayed (and likely stored) in plain text. So once you find such a camera, you know how to access the WiFi network of the owner.
Even better, almost the same applies to the DDNS settings. Here the password is shown in a masked password field, but it can easily be read out. So by this, you even know how to connect to that WebCam (and the network!) in the future.
Can this get worse? Yes, it can:
The same security issues apply to the settings for the mail that the device can send in case of alarms. Mail server, mail username and password are stored in plain text or are easy to read out. So we can all look forward to more spam in the future, sent from those WebCam mail accounts. Thank you!
So what is my point?
- I complain that this camera uses default credentials. This is by all means NOT NECESSARY. There are many good alternatives. The simplest would be to require a password change at the first login. And even if Maginon/Rollei were not able to fix this security flaw, they should have a big warning in their manual saying “THE FIRST THING YOU SHOULD DO IS TO CHANGE THE DEFAULT PASSWORD”.
- I complain (even though this is unfortunately common to many devices) that the camera responds with a unique, easy-to-identify string on an HTTP HEAD request (mcdhttpd). This fact alone puts thousands of ALDI customers at risk, as their devices can easily be found.
- I complain that they display the WiFi credentials in plain text and don’t encrypt other passwords (DDNS, SMTP server, FTP, additional users), so that they can easily be read out with a web browser. This is again simply NOT NECESSARY and INSECURE. I also bet they store them unencrypted (why encrypt something that is displayed anyway?).
Some screenshots in the manual contain dates from 2012. Likely this was the year the camera was developed. It looks as if the security standard is even older and has never been updated.
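As an added illustration of the mitigations asked for above (assumed design, not code from the camera, Maginon or Rollei), here is how a device’s web backend could handle this: the factory default (admin, blank password) is accepted only to set a new password, stored passwords are hashed, and a settings page is given masked values instead of the stored WiFi PSK or DDNS/SMTP passwords. The class and method names are assumptions.

```python
"""Added illustration of the mitigations requested in the post (assumed
design, not the camera's firmware): reject the factory default after first
use, hash what is stored, never echo secrets back to a settings page."""
import hashlib
import hmac
import os

FACTORY_DEFAULT = ("admin", "")  # the default credentials the post found
PBKDF2_ROUNDS = 200_000


class DeviceAuth:
    def __init__(self):
        self.users = {}           # username -> (salt, pbkdf2 digest)
        self.must_change = set()  # accounts still carrying the factory secret
        self.secrets = {}         # e.g. WiFi PSK, DDNS/SMTP passwords (write-only)
        self._set_password(*FACTORY_DEFAULT)
        self.must_change.add(FACTORY_DEFAULT[0])

    def _set_password(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[user] = (salt, digest)

    def login(self, user, password):
        """Returns 'ok', 'change_required' (only a password change is allowed
        in that state) or 'denied'; the digest comparison is constant-time."""
        entry = self.users.get(user)
        if entry is None:
            return "denied"
        salt, stored = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, stored):
            return "denied"
        return "change_required" if user in self.must_change else "ok"

    def change_password(self, user, old, new):
        """Refuses short passwords and the factory default; clears the flag."""
        if self.login(user, old) == "denied":
            return False
        if len(new) < 12 or (user, new) == FACTORY_DEFAULT:
            return False
        self._set_password(user, new)
        self.must_change.discard(user)
        return True

    def store_secret(self, name, value):
        self.secrets[name] = value  # on a real device: an encrypted store

    def settings_view(self):
        """What a settings page may render: masked fields, never the plaintext."""
        return {name: "********" for name in self.secrets}
```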
Very likely, this piece of hardware contains more internal vulnerabilities and security issues.
This is again an example of how a single device can jeopardize your whole network security when added to your network.
Don’t trust the evil.
Have a great weekend.